Setting up an Alibaba Cloud Account

Step 1 - Set up an Object Storage Service to access Alibaba Cloud Bills

VMware Tanzu CloudHealth supports AWS S3 and Alibaba Object Storage Service (OSS) buckets for accessing Alibaba Cloud bills. You need to upload the bills to the AWS S3 bucket and grant the Tanzu CloudHealth platform access to the bucket.

How to Set Up AWS S3 Bucket

Configure AWS S3 bucket to upload files that represent your ongoing usage and spend.

Create an S3 Bucket to upload Alibaba Cloud Instance bill

  1. Log in to the AWS Console and navigate to Services > S3. Click Create Bucket.
  2. In the General configuration section, enter a Bucket name and click Create Bucket.
  3. Choose the newly created bucket from the list of Buckets, and click the Properties tab.
  4. From Bucket overview, copy the bucket Amazon Resource Name (ARN) for the IAM policy which you will need to provide in Step 2 while configuring Data Connect.

Create a Policy for S3 Read-only Access

  1. Log in to the AWS Console for the targeted account as a user who has permission to create an IAM role.
  2. Navigate to Services > IAM. From the left menu, select Policies and click Create Policy.
  3. Click the JSON tab and paste the following policy in the text box.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:Get*",
            "s3:List*"
          ],
          "Resource": [
            "arn:aws:s3:::alicloud-instance-bill-bucket/*",
            "arn:aws:s3:::alicloud-instance-bill-bucket"
          ]
        }
      ]
    }
    
  4. Click Next.
  5. On the Create policy > Add Tags page, you can add tags to your AWS resources. This is an optional step.
  6. Click Next.
  7. Name the policy (e.g., CHTAlicloudAccessPolicy), provide a description, and click Create policy.

Create IAM Role with AssumeRoleAccess

To create a read-only IAM role within the AWS Console for the target account:

  1. In the AWS Console, from the left menu, select Roles and click Create role.
  2. On the Select trusted entity page, select AWS account.
  3. Select Another AWS account as a trusted entity.
  4. Enter the Account ID - 454464851268, which is the ID of the secure Tanzu CloudHealth-managed account.
  5. Select Require an External ID option.
  6. Open the Tanzu CloudHealth platform in your browser, go to Setup > Accounts > AWS, and open the targeted account. Copy the uniquely generated External ID, a 30-character hexadecimal string (for example, 0daebeb87fff778c384c31e40d797f), into a text document.
  7. Return to the AWS console and paste the copied ID in the External ID field.
  8. Leave the checkbox for Require MFA cleared because the IAM role will be used to provide programmatic access to the Tanzu CloudHealth platform. Select trusted entity, and click Next.
  9. On the Create Role > Permissions page, set the Filter policies field to Customer managed. Select the Tanzu CloudHealth policy you created in the above step, and click Next.
  10. Enter a name and description for the role.
  11. Optionally, you can add IAM Tags to your role.
  12. Click Create role.
  13. On the IAM > Roles page, click the Role name that you have created.
  14. On the Roles > Summary page, copy the value of Role ARN to the clipboard.
  15. Click the Trust relationships tab, verify the account ID in Trusted entities, and copy the External ID shown in Conditions > Value. You will need to register the External ID in the Data Connect config.
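
The verification in the last step can also be run against the trust policy JSON itself. The following Python check is an added example, not part of the original documentation or of Tanzu CloudHealth's own tooling: it audits a role's trust policy for the trusted account ID, the External ID condition, and an unintended MFA requirement. The sample documents and the account ID 111122223333 are constructed, and the check assumes the console-generated policy shape with the condition key spelled `sts:ExternalId`.

```python
import json

CLOUDHEALTH_ACCOUNT_ID = "454464851268"  # trusted account ID from step 4

def _account_of(principal):
    """Account ID from an IAM ARN, or the value itself for a bare account ID."""
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def audit_trust_policy(policy_json, external_id):
    """Return findings for a role trust policy; an empty list means it matches the steps."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    if not allow:
        findings.append("no Allow statement")
    for stmt in allow:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                findings.append("wildcard principal")
            elif _account_of(p) != CLOUDHEALTH_ACCOUNT_ID:
                findings.append(f"unexpected trusted account: {_account_of(p)}")
        cond = stmt.get("Condition", {})
        got = cond.get("StringEquals", {}).get("sts:ExternalId")
        if got is None:  # without it, the role has no confused-deputy protection
            findings.append("missing sts:ExternalId condition")
        elif got != external_id:
            findings.append("sts:ExternalId differs from the registered value")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            findings.append("MFA condition present; programmatic access will fail")
    return findings

# Constructed sample documents; the External ID is the example value from step 6.
EXTERNAL_ID = "0daebeb87fff778c384c31e40d797f"
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{CLOUDHEALTH_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
BAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]})

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, EXTERNAL_ID))
    print(audit_trust_policy(BAD, EXTERNAL_ID))
```
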

Note -

  • The same S3 bucket and IAM role can be used to configure different Data Connect configs.
  • After creating the Data Connect config, upload bills to the S3 bucket folders using the following structure. Path: AliCloud/123455667/2021-10/Daily/123456667_BillingItemDetail_20210709.zip

  • For Partner customers, it is recommended to set up one single storage location to add different folders per channel customer with one data connect config per channel customer.

How to Set Up Alibaba Cloud OSS

Configure Alibaba Cloud Object Storage Service to upload files that represent your ongoing usage and spend.

Create a RAM Role for a trusted Alibaba Cloud account

A RAM role is required for Tanzu CloudHealth to allow cross-account access. Use the Tanzu CloudHealth Alibaba Cloud account as the trusted account to create a RAM role for Tanzu CloudHealth.

  1. Log in to the RAM console by using your Alibaba Cloud account credentials.
  2. From the left menu, select Identities > Roles.
  3. Click Create Role.
  4. Select Alibaba Cloud Account as the Select Trusted Entity, and click Next.
  5. Enter a RAM Role Name.
  6. Select Other Alibaba Cloud Account, and enter 5494807867140617, which is the Tanzu CloudHealth Alibaba Cloud account ID.
  7. Click OK.

Grant permissions to the RAM role created for CloudHealth

  1. After creating a RAM role, from the left menu, select Identities > Roles.
  2. On the Roles page, select the newly created RAM role.
  3. In the Add Permissions section, select Alibaba Cloud Account as the authorization scope.
  4. Ensure the Tanzu CloudHealth RAM role specified by default in the Principal field is accurate.
  5. In the Policies field, select System Policy tab.
  6. Select the ‘AliyunOSSReadOnlyAccess’ policy from the list of policies and click OK.

NOTE: For other methods to grant permissions to a RAM role, see Grant permissions to a RAM role.

Step 2 - Create Alibaba Cloud Data Connect

Prerequisite:
Establish a Trusteeship between your master account and linked account. For more information, see Usage notes on the trusteeship.

Download Alibaba Cloud Bills from the Alibaba Console

  1. Log in to the Alibaba Cloud Console.
  2. In the top navigation pane, select Expenses > User Center.
  3. From the left navigation, select Bills > Bill Details.
  4. In the Billing Details tab, select the Billing Item and Billing Period for the Statistic Item and Statistic Period fields, respectively.
  5. Click Customize Column Options and select all the mandatory columns that Tanzu CloudHealth requires to process Alibaba Cloud bills.

    List of mandatory columns
    Billing Cycle | Payment Time | Deducted By Resource Package | Instance Config
    Cost Center | Usage Start Time | Pretax Gross Amount | Instance Spec
    Account ID | Usage End Time | Invoice Discount | Internet IP
    Account Name | Service Duration | Deducted By Coupons | Intranet IP
    Owner Account ID | Order No./Bill No. | Currency | Region
    Owner Account Name | Item | Duration Unit | Zone
    Product Code | Billing Type | Deducted By Reserved Instance | Billing Item
    Product Name | Instance ID | Discount Name | List Price
    Product Type | Instance Name | Item Discount | List Price Unit
    Product Detail | Resource Group | Portfolio Discount | Usage
    Subscription Type | Instance Tag | Billing ID | Usage Unit
  6. After selecting the mandatory columns, click Export Billing Overview (csv) to generate bills. You will be redirected to the Bill Export record.

  7. Refresh the page and click Download once the latest exported bills are available for download.
  8. Rename the downloaded file before you upload it to the S3 bucket created for Tanzu CloudHealth.

    • Refer to the following format to rename the file containing the Alibaba Cloud bill: accountId_BillingItemDetail_yyyymmdd.csv, where:

      • accountId is the 16-digit account ID of your Alibaba bill account. For example, 1234567890112233.
      • yyyymmdd is the billing date. For example, 20230404.
      • Sample name: 1234567890112233_BillingItemDetail_20230404.csv
    • If there are multiple bill files for a single day, refer to the following format to rename the files containing the Alibaba Cloud bills: accountId_BillingItemDetail_yyyymmdd_x.csv, where:

      • accountId is the 16-digit account ID of your Alibaba bill account. For example, 1234567890112233.
      • yyyymmdd is the billing date. For example, 20230404.
      • x is a number given to the downloaded bill.
      • Sample names: 1234567890112233_BillingItemDetail_20230404_1.csv, 1234567890112233_BillingItemDetail_20230404_2.csv, and so on.

NOTE -

If multiple bills (.csv files) are available on the same day, you can compress them into a single .zip file and upload the zip file to the S3 bucket for Tanzu CloudHealth to consume.
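
The naming rules and the same-day bundling described above can be enforced before anything is uploaded. The following Python sketch is an added example, not part of the original documentation: it validates bill file names against the stated format, rejects impossible dates, and zips the CSVs of any day that has more than one. The sample file contents are constructed, and the .zip name is an assumption modelled on the sample path shown earlier on this page.

```python
import io
import re
import zipfile
from collections import defaultdict
from datetime import datetime

# accountId_BillingItemDetail_yyyymmdd.csv, with an optional _x when a day has several bills
BILL_NAME = re.compile(r"(\d{16})_BillingItemDetail_(\d{8})(?:_(\d+))?\.csv")


def parse_bill_name(name):
    """Return (account_id, billing_date, index) or raise ValueError for a malformed name."""
    m = BILL_NAME.fullmatch(name)  # fullmatch also rejects path components and stray suffixes
    if not m:
        raise ValueError(f"not a valid bill file name: {name!r}")
    account_id, day, index = m.groups()
    datetime.strptime(day, "%Y%m%d")  # raises ValueError for dates such as 20230231
    return account_id, day, int(index) if index else None


def bundle_daily_bills(files):
    """Map {name: bytes} to {upload_name: bytes}, zipping days that have several CSVs."""
    groups = defaultdict(dict)
    for name, data in files.items():
        account_id, day, _ = parse_bill_name(name)
        groups[(account_id, day)][name] = data
    uploads = {}
    for (account_id, day), members in groups.items():
        if len(members) == 1:
            uploads.update(members)  # a single bill is uploaded as a plain .csv
            continue
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name in sorted(members):
                zf.writestr(name, members[name])
        # Assumed archive name, following the sample path on this page.
        uploads[f"{account_id}_BillingItemDetail_{day}.zip"] = buf.getvalue()
    return uploads


# Constructed sample input: two bills for one day, one bill for the next day.
SAMPLE = {
    "1234567890112233_BillingItemDetail_20230404_1.csv": b"Billing Cycle,Usage\n2023-04,1\n",
    "1234567890112233_BillingItemDetail_20230404_2.csv": b"Billing Cycle,Usage\n2023-04,2\n",
    "1234567890112233_BillingItemDetail_20230405.csv": b"Billing Cycle,Usage\n2023-04,3\n",
}

if __name__ == "__main__":
    print(sorted(bundle_daily_bills(SAMPLE)))
```
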

Create Data Connect

Create a repository to post the Alibaba cloud bills. This step is required to pass on the necessary credentials to the Tanzu CloudHealth platform.

  1. In the Tanzu CloudHealth platform, from the left menu, select Setup > Admin > Data Connect. Click New Data Connect.
  2. In the Name and Dataset section, enter a name for your Data Connect and select the dataset you are looking for.

  3. In the Dataset Location section, enter the following details:

    • Location of data – Name of the bucket where the data is stored. For example, AWS S3 bucket, Alibaba OSS.
    • Assume Role ARN – The ARN of the trusted entity that has assumed the RAM role.
    • For AWS S3 – Assume Role External ID (Tanzu CloudHealth external ID), Assume Role Account Name, S3 Bucket Name, S3 Bucket Report Path, and S3 Bucket Region.
    • For Alibaba OSS – Assume Role Account Alias, OSS Bucket Name, OSS Bucket Report Path, and OSS Bucket Region.
  4. Click Submit.

The newly created Data Connect will appear in the Data Connect list.

Note

- The bucket name and the report path are case-sensitive strings.
- Any discrepancy in the S3 bucket report path will result in connection failure.
- Once you configure the Alibaba Cloud Data Connect, you should be able to see the data in FlexReport within 24 hours.
- For security reasons, the Assume Role ARN and Assume Role External ID fields appear blank when you edit a Data Connect config.

Step 3 - Alibaba Cloud Dataset in FlexReports

The FlexReport feature supports the Alibaba Cloud Bill dataset.
To access FlexReports, in the Tanzu CloudHealth platform, navigate to Reports > FlexReports. Click New Report to generate a new FlexReport.

To access the FlexReport Templates, click Reports > FlexReports > View Templates.
