Using the Partner Platform as AWS Service Provider

Setting up a New AWS Partner Account

You can configure VMware Tanzu CloudHealth to populate complete cost and usage information for your AWS account.

Enable Cost and Usage Report

An AWS payer account is a designated billing account to which one or more additional accounts can be linked. The billing contact for the account receives a statement that summarizes the charges for all its linked accounts. For more information, see Paying Bills for Multiple Accounts Using Consolidated Billing. Use the following steps to set up an AWS account in Tanzu CloudHealth:

Note: As of now, Tanzu CloudHealth does not support CUR 2.0, the new format of CUR export. When configuring new CURs, you must select the Legacy CUR Export option.

Create CUR in AWS Console

AWS Cost and Usage Reports (CUR) provide comprehensive data about your costs, including those related to product, pricing, and usage. For more information, see AWS Cost and Usage Reports.

Follow the steps below to configure AWS accounts to create a CUR that is usable by the Tanzu CloudHealth platform. If you have an existing CUR, verify the settings mentioned below:

  1. In the AWS Console navigate to your profile name in the top right corner and click Account.
  2. From the left menu, select Cost & Usage Reports and click Create Report.
  3. Navigate the configuration wizard, ensuring that you make the following entries and selections.
    • Report Name: Use an easily identifiable name, for example, cloudhealth-hourly-cur.
    • Check the box next to Include Resource ID.
    • Check the box next to Automatically refresh your Cost & Usage Report when charges are detected for previous months with closed bills.
    • S3 Bucket: Under Configure S3 Bucket click Configure. You can either create a bucket or select an existing one. It must be a unique bucket name and region. Review the policy that is generated for the bucket, check the box to accept this as the default policy, and click Save.
    • S3 path prefix: Enter a unique prefix.
    • Time granularity: Select Hourly.
    • Report versioning: Select Create new report version.
    • Compression: Select GZIP.
  4. Click Next. Review the settings and choose Create Report.

Enable Legacy Reports in AWS Console

The monthly statement from the legacy reports is one way we can map your Tanzu CloudHealth account name to your AWS account name. If you skip this step, the Amazon name associated with your account is set to your AWS account ID by default in the Tanzu CloudHealth platform.

  1. From the left menu, choose Preferences > Billing preferences.
  2. For Detailed billing reports (legacy), click Edit.
  3. Select Legacy reports delivered to S3.
  4. Select Configure and S3 bucket to activate. In the pop-up from there, select Select an existing S3 bucket, and use the same bucket you configured in Step 1.
  5. Click Next, review and confirm the policy, and click Save.
  6. Select all reports under Report activation and click Activate.

Configure Cost Allocation Tags in AWS Console

Tanzu CloudHealth extracts the tags and resource IDs from your billing artifact and automatically allocates costs for your taggable AWS services. To support the derivation of asset and tag data from the CUR, you must configure the AWS Account to include Cost Allocation Tags in the CUR artifacts.

Note: Tanzu CloudHealth recommends adding each tag key you use for perspective grouping as a Cost Allocation Tag.

  1. From the left menu, choose Cost Allocation Tags.
  2. Select the tags that you want to activate.
  3. Click Activate.

It can take up to 24 hours for activation of the selected tags.

Enable the CUR in Tanzu CloudHealth

  1. In Tanzu CloudHealth, navigate to Setup > Accounts > AWS and edit the AWS account for which the CUR should be enabled. Enable the CUR only for Consolidated or Standalone accounts. If you have not already created an AWS account in the Tanzu CloudHealth platform, navigate to Setup > Accounts > AWS and select Add Account. Enter an Account Name. This will be the name of the account in the Tanzu CloudHealth platform.
  2. In the Detailed Billing Report section, enter the S3 bucket name you used for configuring Legacy reports in the AWS console above.
  3. In the Cost and Usage Report section, enter the following information.
    • Bucket Name: Name of S3 bucket that stores the hourly CUR data.
    • Report Path: The path to the CUR, and the name of the CUR, separated by a slash. Tanzu CloudHealth uses the information you provide in these fields to access your CUR. Inaccuracies in these values can cause errors when Tanzu CloudHealth attempts to access the reports. To locate accurate values for these fields, navigate to the Billing & Cost Management Dashboard in the AWS Console. From the left menu, select Cost & Usage Reports. Click the name of the report to view the bucket name and report path and copy it to Tanzu CloudHealth.
  4. In the Tanzu CloudHealth platform, return to the AWS account you were editing and click Save Account.
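
For an existing CUR, the settings listed under Create CUR in AWS Console and the Bucket Name and Report Path values entered above can be checked from the report definition itself. The following is an added example, not part of the original page or of any Tanzu CloudHealth tooling; it assumes input shaped like the output of `aws cur describe-report-definitions`, and the sample definitions, bucket name and prefix are constructed.

```python
import json

# Settings the page asks for, keyed by the field names AWS uses in a
# legacy CUR report definition.
REQUIRED = {
    "TimeUnit": "HOURLY",                     # Time granularity: Hourly
    "Compression": "GZIP",                    # Compression: GZIP
    "ReportVersioning": "CREATE_NEW_REPORT",  # Create new report version
    "RefreshClosedReports": True,             # Auto-refresh closed bills
}


def check_cur(defn):
    """Return a list of problems for one report definition ([] = usable)."""
    problems = []
    for field, want in REQUIRED.items():
        got = defn.get(field)
        if got != want:
            problems.append(f"{field}: expected {want!r}, found {got!r}")
    if "RESOURCES" not in (defn.get("AdditionalSchemaElements") or []):
        problems.append("AdditionalSchemaElements: RESOURCES is missing "
                        "(Include Resource ID was not checked)")
    if not defn.get("S3Bucket"):
        problems.append("S3Bucket: no bucket configured")
    if not (defn.get("S3Prefix") or "").strip("/"):
        problems.append("S3Prefix: empty, the page asks for a unique prefix")
    return problems


def report_path(defn):
    """Report Path as the page defines it: CUR path, a slash, CUR name."""
    prefix = (defn.get("S3Prefix") or "").strip("/")
    return f"{prefix}/{defn['ReportName']}" if prefix else defn["ReportName"]


def audit(document):
    """Map each report name to its bucket, Report Path and problems."""
    return {
        d["ReportName"]: {
            "bucket": d.get("S3Bucket"),
            "report_path": report_path(d),
            "problems": check_cur(d),
        }
        for d in document.get("ReportDefinitions", [])
    }


# Constructed sample: one report configured as the page describes, one not.
SAMPLE = json.loads("""
{"ReportDefinitions": [
  {"ReportName": "cloudhealth-hourly-cur", "TimeUnit": "HOURLY",
   "Format": "textORcsv", "Compression": "GZIP",
   "AdditionalSchemaElements": ["RESOURCES"],
   "S3Bucket": "example-billing-bucket", "S3Prefix": "cur/",
   "S3Region": "us-east-1", "RefreshClosedReports": true,
   "ReportVersioning": "CREATE_NEW_REPORT"},
  {"ReportName": "old-daily-report", "TimeUnit": "DAILY",
   "Format": "textORcsv", "Compression": "ZIP",
   "AdditionalSchemaElements": [],
   "S3Bucket": "example-billing-bucket", "S3Prefix": "",
   "S3Region": "us-east-1", "RefreshClosedReports": false,
   "ReportVersioning": "OVERWRITE_REPORT"}
]}
""")

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        status = "OK" if not result["problems"] else "FIX"
        print(f"[{status}] {name}: bucket={result['bucket']} "
              f"path={result['report_path']}")
        for problem in result["problems"]:
            print("    -", problem)
```
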

Setup Read-only IAM Role

Based on the number of accounts, you can choose one of the following options to set up a read-only IAM role:

(a) One or two accounts: Manually using IAM service.
(b) More than two accounts: Automate using CloudFormation templates.

Step 2 (a) - Using IAM Service

Create a read-only IAM role within the AWS Console for the target account. Then add these credentials to the platform. Using the default AWS Read-Only policy is discouraged because it also grants read access to data, such as S3 objects.

  1. Log in to the AWS Console for the targeted account as a user who has permission to create an IAM role.
  2. Navigate to Services > Security, Identity, & Compliance > IAM. From the left menu, select Policies and click Create Policy.
  3. Switch to the JSON tab.
  4. In a separate browser window, log in to the Tanzu CloudHealth platform. From the menu, select Setup > Accounts > AWS and open the AWS account you created previously.
  5. Enter the name of the billing bucket you created and click Generate Policy. The bucket name is included in the resulting policy.
  6. The IAM Access Policy dialog box appears. Click Select All and copy the contents to the clipboard.
  7. Return to the AWS Console and paste the policy into the JSON tab. Then click Review Policy.
  8. Name the policy (e.g., CHTPolicy), provide a description, and click Create policy.
  9. In the AWS Console, from the left menu, select Roles and click Create role.
  10. On the Select trusted entity page, choose AWS account.
  11. Select Another AWS account. In the Account ID field, enter 454464851268, which is the ID of the secure Tanzu CloudHealth-managed account.
  12. Select the Require external ID option. From the Tanzu CloudHealth platform, copy the Tanzu CloudHealth generated External ID from the account setup form. This ID is unique to each Tanzu CloudHealth customer, so you can reuse it across all your accounts.
  13. Paste this copied ID in the External ID field in the AWS Console.
  14. Leave the checkbox for Require MFA cleared because the IAM role will be used to provide programmatic access to the Tanzu CloudHealth platform. Click Next.
  15. On the Add Permissions page, set the filter to customer managed and choose the Tanzu CloudHealth policy you created. Click Next.
  16. Enter a name and description for the role and click Create Role.
  17. From the IAM > Roles page, select the role you just created. Copy the value of RoleARN to the clipboard.
  18. Return to the AWS Account Setup page in the Tanzu CloudHealth platform. In the API section, paste the Role ARN value.
  19. By default, Tanzu CloudHealth validates the read-only IAM policy with the us-east-1 AWS region. If you do not have access to the us-east-1 region, you must select a different region for validation. Under Optional, select the desired region from the Primary AWS Region Override dropdown.
  20. Click Save Account.

Tanzu CloudHealth validates your account and begins collecting data. If there are issues with any information you provided, an error message appears.
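
Steps 10 to 14 determine the role's trust policy: only account 454464851268 may assume the role, only when it presents your External ID, and with no MFA condition. The following added example, which is not part of the original page, checks an exported trust policy document against those three points. The sample policies, the 30-digit External ID and the second account ID are constructed; the policy layout is the standard IAM trust policy JSON.

```python
CLOUDHEALTH_ACCOUNT_ID = "454464851268"  # from step 11 of the page


def _as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID from '123456789012' or 'arn:aws:iam::123456789012:root'."""
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return parts[4] if len(parts) > 4 else ""
    return principal


def check_trust_policy(policy, external_id):
    """Return findings for a role trust policy ([] = matches the page)."""
    findings = []
    trusts_cloudhealth = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        cond = stmt.get("Condition", {})
        ext_ids = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId"))
        for p in aws:
            if _account_of(p) != CLOUDHEALTH_ACCOUNT_ID:
                findings.append(f"unexpected trusted principal: {p}")
                continue
            trusts_cloudhealth = True
            if not ext_ids:
                findings.append("no sts:ExternalId condition: any caller in "
                                "the trusted account could assume the role")
            elif ext_ids != [external_id]:
                findings.append("sts:ExternalId does not match the ID shown "
                                "in the account setup form")
        if "aws:MultiFactorAuthPresent" in cond.get("Bool", {}):
            findings.append("MFA condition present: the page leaves Require "
                            "MFA cleared because access is programmatic")
    if not trusts_cloudhealth:
        findings.append(f"account {CLOUDHEALTH_ACCOUNT_ID} is not trusted")
    return findings


EXTERNAL_ID = "123456789012345678901234567890"  # constructed, 30 digits

# Constructed: what steps 10 to 14 should produce.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CLOUDHEALTH_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed: external ID skipped, MFA ticked, a second account trusted.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            f"arn:aws:iam::{CLOUDHEALTH_ACCOUNT_ID}:root",
            "arn:aws:iam::111122223333:root",
        ]},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        result = check_trust_policy(doc, EXTERNAL_ID)
        print(label, "->", result or "matches the documented setup")
```
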

Using CloudFormation

Tanzu CloudHealth leverages AWS CloudFormation to deploy the necessary resources that provide Tanzu CloudHealth with the appropriate IAM permissions inside your AWS environment. Template and stack are two important components of CloudFormation. A template is a simple JSON text file where you describe all your AWS resources, and stacks are single units that manage resources defined within the template.

Follow these steps to create the IAM role and permissions via CloudFormation:

Deploy CloudFormation Stacks in the AWS Payer Account

Prerequisites:

  • AWS user needs sufficient privileges to deploy a CloudFormation template that creates IAM resources.
  • Tanzu CloudHealth requires Cost and Usage setup inside your AWS console.
  • Tanzu CloudHealth tenancy external ID. To get this ID, go to Tanzu CloudHealth > Setup > Accounts > AWS. Copy the external ID from the AWS account configuration page and paste it into a text document.
  • Download the following CloudFormation templates to provide Tanzu CloudHealth access to your AWS account and billing bucket. Run the following templates in your AWS account via CloudFormation as either a Stack for your payer account and/or StackSet for your linked accounts.
    • Tanzu CloudHealth AWS Configuration Template - Required to create a role for Tanzu CloudHealth and provides read-only access to the AWS services that Tanzu CloudHealth supports.
    • Bucket Permission Policy Template – Required to get access to S3 buckets that contain your AWS Cost and Usage reports, and any optional bucket where you wish to upload the Tanzu CloudHealth reports.
    • Tanzu CloudHealth AWS Automated Actions Template (Optional) - Provides Tanzu CloudHealth with the necessary permissions to take action inside your AWS environment. Note that you can deploy this automated access template as a stack to targeted accounts as well.

Deploying CloudHealth-AWS Configuration Template

Creates a Tanzu CloudHealth role and read-only policy for AWS services that Tanzu CloudHealth supports.

  1. Log into your AWS payer account.
  2. Go to Services > Management & Governance > CloudFormation and select Create Stack - With new resources (standard).
  3. In the Specify template section, select Upload a template file and click Choose file.
  4. Upload the CloudHealth-AWS-Configuration-Template and click Next. Note: If you have added the template to the S3 bucket, you can provide the Object URL of the S3 bucket containing the template.

  5. On the next page, enter a unique Stack Name.

  6. In the Parameters section, enter the Tanzu CloudHealth External ID, the 30-digit number you copied into the text document. Click Next.
  7. Configure stack options if required (e.g., apply Key Value pair). This is an optional step. Click Next.
  8. Review the stack details, and in the Capabilities section, click I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  9. Click Submit.
  10. Verify that the newly created stack reaches a Create_Complete status. This process should take a few minutes.
  11. Open the newly created stack, and from the Outputs tab, copy the RoleARN number into the text document.

Deploying AWS Bucket Access Policy Template

Deploying the CloudHealth-AWS-Bucket-Access-Template as a stack attaches a supplemental policy to the IAM role that you created in the previous step by using the CloudHealth-AWS-Configuration-Template.

  1. In the AWS Console, go to Services > Management & Governance > CloudFormation and select Create Stack - With new resources (standard).
  2. In the Specify template section, select Upload a template file and click Choose file.
  3. Upload the CloudHealth-AWS-Bucket-Access-Template and click Next.

    Note: If you have added the template to the S3 bucket, you can provide the Object URL of the S3 bucket containing the template.

  4. On the next page, enter a unique Stack Name.

  5. In the Parameters section, enter the CURBucketName - The S3 bucket name where you have saved the CUR files and CURBucket path. (Refer to Create S3 bucket)
  6. Click Next.
  7. Configure stack options if required (e.g., apply Key Value pair). This is an optional step. Click Next.
  8. Review the stack details, and in the Capabilities section, click I acknowledge that AWS CloudFormation might create IAM resources with custom names.
  9. Click Submit.
  10. Verify that the newly created stack reaches a Create_Complete status. This process should take a few minutes.
  11. Open the newly created stack, and from the Outputs tab, copy the S3 bucket name and path into the text document.

At this point, you have created two Stacks in your AWS account which created a Tanzu CloudHealth IAM role, permissions policy, and an additional policy to access your CUR data from the S3 bucket.

Create StackSet to Access All Your Organizational Accounts

To create the same resource set up in each linked account under your organization account, you need to run the template as a StackSet. You will use the same CloudHealth-AWS-Configuration-Template you used while creating the stack in the previous step. Using this template as StackSet deploys IAM resources that give the Tanzu CloudHealth platform read-only access to all the Tanzu CloudHealth supported services.

Note: The StackSet, by default, is configured to automatically deploy resources to all linked AWS accounts in your organization.

  1. In the AWS CloudFormation console, select StackSets from the left navigation pane.
  2. Click Create StackSet.
  3. On the Choose a template page, continue with the pre-selected options in the Permissions and Prerequisite - Prepare template section.
  4. Upload the CloudHealth-AWS-Bucket-Access-Template and click Next.

    Note: If you have added the template to the S3 bucket, you can provide the Object URL of the S3 bucket containing the template.

  5. On the Specify StackSet details page, enter a StackSet name and description.
  6. In the Parameters section, enter the CloudHealthExternalID - the 30-digit number you copied into the text document. Click Next.
  7. Optionally, on the Configure StackSet options page, apply a Key-Value pair via Tags, and click Next.
  8. On the Set deployment options page, specify only one region of your choice (for example, us-east-1). Note that in the future, if you add an account to your organization, the StackSet will automatically deploy the Tanzu CloudHealth permissions to the new account. Similarly, if you remove an account from your organization, the StackSet automatically deletes the Tanzu CloudHealth permissions from the account. However, you can change this default behavior using the Auto Deployment options.

  9. In the Deployment options,

    • For Maximum concurrent accounts, specify the maximum number of accounts in which the AWS CloudFormation can deploy your stack simultaneously.
    • For Failure tolerance, specify the maximum number of stack deployment failures that can occur per region. Beyond the set threshold, CloudFormation automatically stops the stack deployment. Stack deployment to an account is deprecated or suspended.
  10. Click Next.
  11. Review your selection, click I acknowledge that AWS CloudFormation might create IAM resources with custom names, and click Submit.

On the StackSet details page, you can check the progress and status of the creation of the stacks in your StackSet.

Configure AWS IAM Roles in the Tanzu CloudHealth platform

Once you set all the required permissions in the AWS console, you need to configure the permissions in the Tanzu CloudHealth platform.

  1. In the Tanzu CloudHealth platform, return to the AWS payer account from which you copied the external ID (navigate to Setup > Accounts > AWS).
  2. Enter the Role ARN you copied from the CloudFormation stack created in your payer account by deploying CloudHealth-AWS Configuration template.
  3. In the Cost and Usage Report section, add the S3 Bucket Name and Report path you copied after deploying the AWS Bucket Access Policy Template.
  4. By default, Tanzu CloudHealth validates the read-only IAM policy with the us-east-1 AWS region. If you do not have access to the us-east-1 region, you must select a different region for validation. Under Optional, select the desired region from the Primary AWS Region Override dropdown.
  5. If you are using the Automated CloudFormation template, select the Automation dropdown to open the list of automation permissions. For each service you included as automated in your saved copy of the template, switch the permission to On.
  6. If you do not manually switch on a service’s permission, Tanzu CloudHealth will not be able to automate that service even if you included that service in the Automated CloudFormation template.
  7. Click Save Account.

Note:

  • After the payer account is configured, Tanzu CloudHealth processes the billing artifact with your AWS cost and usage data. This process usually takes a day. Once it’s complete, Tanzu CloudHealth derives all the linked accounts.
  • You can manually add Role ARN for each linked account in the Tanzu CloudHealth platform or you can use the Enable AWS Account API to update all linked accounts.

Enable AWS Console Integration (Optional)

View asset details in the AWS Console through links from the Tanzu CloudHealth platform. Instances have links that allow you to view them in the AWS Console. These links are set up by enabling AWS Console integration from the Tanzu CloudHealth platform.

  1. Navigate to Setup > Accounts > AWS.
  2. From the list of AWS accounts, edit the account for which you want to add AWS Console integration.
  3. In a separate browser window, log in to the AWS Console.
  4. From the menu, select Security, Identity, & Compliance > IAM.
  5. From IAM Dashboard > AWS Account, copy the IAM User Sign-In URL into the clipboard.
  6. Back in the Tanzu CloudHealth platform, expand the Optional section of the account setup form. Paste the URL in the Signin URL field.
  7. Click Save Account to enable AWS Console integration.

Enable CloudWatch (Optional)

Install and configure the AWS CloudWatch Agent in your EC2 Instances so that the agent can start collecting metrics from those instances. Repeat the following steps for each account you want to enable CloudWatch metrics for.

  1. Follow the instructions in AWS documentation to install and configure the AWS CloudWatch Agent in your EC2 Instances so that the agent can start collecting metrics from those instances. This process comprises the following high-level steps.
    • Installing and configuring the CloudWatch Agent.
    • Creating IAM roles and users for use with the CloudWatch Agent.
    • Creating a CloudWatch Agent configuration file.
    For detailed instructions, see AWS documentation on Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent.
  2. Navigate to Setup > AWS Accounts and edit each account for which you want to enable CloudWatch metrics collection.
  3. Expand the Optional section of the account setup form and switch on the CloudWatch option.
  4. Select the frequency at which the CloudWatch Runtime Cycle should run. Higher frequencies will incur greater cost due to increased API calls.
  5. In order to enable Tanzu CloudHealth to collect CloudWatch metrics from additional namespaces, select one or more namespaces from the list. Namespaces allow you to organize your CloudWatch metrics, which you can utilize for rightsizing your EC2 Instances using the Tanzu CloudHealth Platform.
  6. If not done already, update the policy associated with the IAM role for this account to grant Tanzu CloudHealth permission to read your CloudWatch metrics. Click Generate Policy to produce a new IAM policy.
  7. In the IAM Access Policy dialog box, click Select All and copy the contents to the clipboard.
  8. In a separate browser window, log in to the AWS Console as an administrator and navigate to Services > Security, Identity, & Compliance > IAM. From the left menu, select Policies and locate the IAM Access Policy you are using for the Tanzu CloudHealth Platform.
  9. In the Permissions tab, click JSON and paste the policy you copied from the Tanzu CloudHealth platform into the editor. Then click Save.
  10. In the Tanzu CloudHealth Platform, return to the AWS account you were editing and click Save Account. Tanzu CloudHealth validates the account and starts collecting data. If there are issues, a warning message appears. AWS CloudWatch metrics begin appearing in the Tanzu CloudHealth platform after about 24 hours.

The spend-based asset collection feature considerably changes the initial asset collection time for a newly added account and service. Once a new asset or service is billed, it could take a minimum of 24 hours to appear in the Tanzu CloudHealth reports. After the initial delay, the platform continues to update the asset or service details as per the standard collection frequency.

Enable CloudTrail (Optional)

CloudTrail is a service that provides an audit log for all API access to AWS. Tanzu CloudHealth can collect CloudTrail data to help you identify who launched or shut down infrastructure or made security changes across your infrastructure.

Typically, a single CloudTrail bucket collects logs for multiple accounts. Here are two scenarios to consider:

  • If each of your accounts has its own bucket, enable CloudTrail for each account.
  • If multiple accounts are feeding a single bucket, first enable CloudTrail for the account containing the bucket, and then enable CloudTrail for each account that feeds into the bucket.

Enable an AWS Account for a CloudTrail Bucket

  1. In the AWS Console, navigate to the CloudTrail service. In Dashboard, click the trail name to find the Name and Prefix for the S3 bucket configured to store the CloudTrail logs.
  2. In the General details section, click Edit. The dialog box shows the name of the S3 bucket and any custom Log file prefix that is configured.
  3. In a separate browser window, log in to the Tanzu CloudHealth platform. From the menu, select Setup > AWS Accounts and edit each account that contains a CloudTrail bucket.
  4. Expand the Optional section of the account setup form and switch on the CloudTrail option.
  5. Enter the CloudTrail Bucket Name and CloudTrail Account Prefix (if you configured a custom prefix).
  6. Update the policy associated with the IAM role for this account to grant permission to read from the CloudTrail bucket. Click Generate Policy to produce a new IAM policy that grants access to the bucket entered in the previous step.
  7. In the IAM Access Policy dialog box, click Select All and copy the contents to the clipboard.
  8. Switch to the AWS Console and paste the policy in the Policy Document field. Then click Apply Policy.
  9. Switch back to the Tanzu CloudHealth platform and click Save Account.

Tanzu CloudHealth validates the account and starts collecting data. If there are issues, a warning message appears. CloudTrail events begin appearing in the Tanzu CloudHealth platform after about 15-30 minutes. More stable accounts tend to have few events.

Note:

  • Tanzu CloudHealth collects all events from 12:00 GMT on the day when the account is configured.
  • If each of your AWS accounts has its own CloudTrail bucket, repeat steps 1-9 for each AWS account. If each of your AWS accounts feeds into a single bucket, proceed to the next section.

Enable all AWS Accounts in your Organization for a CloudTrail Bucket (Optional)

  1. In the AWS Console, navigate to the CloudTrail service. In Dashboard, click the trail name to find the Name and Prefix of the S3 bucket configured to store the CloudTrail logs.
  2. In the General details section, click Edit.
  3. Select Enable for all accounts in my organization to change the CloudTrail file path in your S3 bucket. An Organization ID gets added to the CloudTrail file path. For example, if the default CloudTrail bucket file path is AWSLogs/[AWS_ACCOUNT_ID]/CloudTrail/..., then it would change to AWSLogs/[ORGANIZATION_ID]/[OWNER_ID]/CloudTrail.
  4. Click Save changes.

To enable trails for an organization, each AWS account must be configured individually with a CloudTrail Prefix set as AWSLogs/ORGANIZATION_ID. To do this,

  1. Log in to the Tanzu CloudHealth platform in a separate browser window.
  2. Navigate to Setup > Accounts > AWS and click the edit icon next to the Account Name.
  3. In the Edit account page, expand the Optional section, and click the CloudTrail toggle switch on.
  4. Add CloudTrail Bucket Name.
  5. Set the CloudTrail Account Prefix field as AWSLogs/ORGANIZATION_ID.
  6. Click Save Account.

Note: You must set the CloudTrail Bucket Name and Account Prefix fields for every account in your organization, without any leading or trailing characters. Failing to add a prefix to an account will result in the account showing a Warning status.

CloudTrail Setup for Additional AWS Accounts

Typically, CloudTrail is set up in AWS with multiple accounts feeding a single S3 CloudTrail bucket. You can think about the bucket as a file tree. Each account has a root location in the tree that is designated by the AWS Account ID. Beneath the root is the folder structure that contains the CloudTrail log files organized by date.

Tanzu CloudHealth uses the AWS Account ID to scan the known CloudTrail bucket for the events for each account.

  1. In the Tanzu CloudHealth platform, from the menu, select Setup > Accounts > AWS and edit the additional AWS account for which CloudTrail logs are being collected.
  2. Expand the Optional section of the account setup form and switch on the CloudTrail option. Enter the CloudTrail Bucket Name.
  3. Click Save Account.

Tanzu CloudHealth validates the account and starts collecting data. If there are issues, a warning message appears. CloudTrail events begin appearing in the Tanzu CloudHealth platform after about 15-30 minutes. More stable accounts tend to have few events.

Note: Tanzu CloudHealth collects all events from 12:00 GMT on the day when the account is configured.

Setting up a new AWS Channel Customer

Understanding Partner Generated Billing

The Tanzu CloudHealth Partner Generated Billing Engine is a bill creation engine to facilitate partners billing their end customers. This usually involves collecting a bill, at the partner tenant level, with usage from one or more Channel Customers and creating individual bills (per Channel Customer) out of the original usage. In most cases, this includes common operations such as:

  • Assigning Channel Customers to specific payer accounts within a partner bill.
  • Providing discounts.
  • Applying custom costs.
  • Redistributing tiered, repricing or resetting reservation benefits.
  • Creating billing artefacts such as billing statements.

The PGB engine generates data for the Channel Customer and the partner to view the Channel Customer’s usage and cost data in both the Channel Customer tenant and in the partner tenant. The PGB engine is also responsible for providing customized billing statements the partner can present to their Channel Customer for end-of-the-month billing.

Types of Statement

There are three statements that get generated per designated payer account by the Partner Generated Billing platform.

  • Monthly Report Statement: This is a CSV file that mimics the Monthly Report which is part of AWS’s Legacy Detailed Billing Report offerings. This is mainly provided for historical reasons. It is also useful to reference the InvoiceId column in this statement. When there are no longer any values in this column set to Estimated, we consider the bill finalized for the month. This information is also available in the Reports > Costs > Statements page.
  • Billing CSV Statement: This is a CSV statement containing monthly costs for a given designated payer account aggregated by AWS service types.
  • Billing PDF Statement: This is the PDF version of the Billing CSV statement. It optionally will contain the Partner’s logo, if configured in the Partner tenant.

Assigning Channel Customers to Partner Payer Accounts

  • Consolidated Account Assignment: The partner chooses one Billing Family (which is an AWS Consolidated or Standalone payer account in the Partner tenant) and chooses to generate the bill as a Consolidated Bill. The partner then chooses the linked accounts to be associated with the channel customer from the presented list of linked accounts. The selected accounts will be passed through to the Channel Customer tenant. The partner also selects the account which will be the Designated Payer Account at the Channel Customer tenant. This is a pseudo payer account at the Channel Customer tenant for which the PGB bill will be generated. This selected account will be assigned the account type - Consolidated.

  • Standalone Account Assignment: The partner chooses one Billing Family from the partner tenant and chooses to generate the bill as a Standalone Bill. If the chosen payer account is a Standalone account, then that account generated in the Channel Customer tenant will also be Standalone. If the chosen payer account is a Consolidated account, the Partner can choose 0 or more of the presented linked accounts, where each account will be generated in the Channel Customer tenant as a Standalone account and each will have their own PGB generated bill.

  • Full Family Account Assignment: The partner chooses one Billing Family from the partner tenant and chooses to generate the bill as a Full Account Family. All costs for that account and its available linked accounts, if any, are assigned to one Channel Customer. For a standalone account at the Partner tenant, a corresponding standalone account will be created at the Channel Customer tenant. For a consolidated account at the Partner tenant, a corresponding consolidated account will be created at the Channel Customer tenant and its linked accounts will be derived. In the Full Account Family configuration, all costs (and credits) are passed along to the Channel Customer accounts except for reseller credits, which are removed from the generated bill.

Careful consideration should be given while changing an account configuration from one type to another. Refer to AWS Account Movement Best Practices for more information.

Set up a Customer with Partner Generated Billing

Partner Generated Billing allows you to configure all your customer bills into billing blocks, allowing you to configure multiple bill generation types on one page. Partner Generated Billing also allows you to apply service charges, credits, and custom line items to a bill.

Channel customers can only be set up as a Full Account Family. This type of partner generated billing creates a single bill for all your customer accounts. All costs are charged to the customer accounts except for reseller credits, which are removed from the generated bill.

  1. Log in to the Tanzu CloudHealth platform as a partner. From the left menu, select Partner > Customers > List > New Customer.
  2. In the Customer Information section, enter the customer name and address. If the customer is accessing the Tanzu CloudHealth platform on a trial basis, enter the trial expiration date.
  3. In the Partner tenant, navigate to Partner > Customers List and open the Edit page for the new channel customer. Add customer information, such as the Customer ID.
  4. In the AWS tab at the bottom of the page, slide the Partner Generated Billing toggle to On.
  5. Select Add Bill to add a customer bill.
  6. In the Billing Block, select a billing family from the Select Billing Family dropdown.
  7. Select Full Account Family, which assigns the payer account and all linked accounts to the customer tenant. This option is disabled if the payer account already has linked accounts assigned to other Customer Tenants. Full Account Family can only be used if the chosen Payer Account or Billing Family has not already been assigned. Tanzu CloudHealth can support any number and combination of consolidated, standalone, and full account family assignments. If you want to configure additional billing blocks for other bill generation types or billing families, select Add Bill and repeat steps 4 and 5.

  8. If your customer uses a currency other than US dollars, select an option under Bill Currency Conversion:

    • Global Setting: Select if the customer uses the global bill currency configuration.
    • No Conversion: Select if the customer is billed with US dollars and does not require any currency conversion.
    • Standard Conversion Rate: Select if the customer is billed with a different currency than US dollars and you want to use standard currency conversion rates. Select the currency, the day of the month the currency conversion should begin on, and whether the currency conversion should begin for the current month or next month. We recommend you set the currency conversion for the day of the month closest to when you send the customer their bill.
    • Custom Conversion Rate: Select if the customer is billed with a different currency than US dollars and you want to specify a different conversion rate than the standard rate. Select the currency and the conversion rate. The custom currency conversion is used for the customer’s next billing statement. The selected bill currency conversion applies to all billing blocks configured above.
  9. If you want to place the customer bills in a subfolder in the partner-accessible S3 bucket, under Bill Generation Settings, enter a folder name in the Folder for Bill Generation (Optional) field.

Set up a Customer without Partner Generated Billing

  1. Log in to the Tanzu CloudHealth platform as a partner. From the left menu, select Partner > Customers > List > New Customer.
  2. In the Customer Information section, enter the customer name and address. If the customer is accessing the Tanzu CloudHealth platform on a trial basis, enter the trial expiration date.
  3. Check the status of the AWS accounts from the customer tenant. If the accounts are listed as Not Healthy, add the IAM roles to the account.

Add Custom Text to a Partner Generated Bill

You can add a custom description to the Partner Generated Bill PDF your customers receive. For example, you can use the custom description to include a project code or remittance address.

Note: The custom description can contain up to 8 lines of text.

  1. In the Tanzu CloudHealth platform, go to Partner > Customer > List.
  2. Edit the customer whose bill you want to add custom text to.
  3. In the Custom Text Description field, enter the custom text.
  4. Click Update.

Invite Channel Customers to Tanzu CloudHealth

Note: Wait at least 24 hours after all customer accounts have been added to the Tanzu CloudHealth partner Platform to invite customers to their account.

  1. Log in to the Tanzu CloudHealth Partner platform. In the bottom-left corner, switch to the customer that you want to invite.
  2. From the left menu, select Setup > Admin > Users. Click Invite User.
  3. Enter the name, email address, and role of the user you want to invite. Then click Invite User.

Partner Tenant Configuration

Partner Tenant Configuration options are available in the Partner Tenant, at Setup > Admin > Settings.

Co-Brand the AWS Partner Platform

You can co-brand the Tanzu CloudHealth Partner platform so that your customers see your logo and branding when they log in to the Tanzu CloudHealth platform.

  1. Log in to the Tanzu CloudHealth Partner Platform. From the left menu, select Setup > Admin > Settings.
  2. Scroll to the Partner Settings section. In the Account Logo section, click Choose file to upload a logo. The logo must meet the following requirements:
    • Format: PNG
    • Dimensions: 150 px x 130 px
  3. Click Update Company Profile.

Results: When your customers log in, the logo appears in the top-left corner of the Tanzu CloudHealth platform.

Customer Tenant Support Link

The Tanzu CloudHealth platform includes a link for customers to submit a support task to the Tanzu CloudHealth support team. The partner can disable this link as follows:

  1. From the left menu, select Setup > Admin > Settings.
  2. Scroll to the Partner Settings section and switch the Customer Tenant Support Link toggle to Off. By default this toggle is set to On.

Add Global Bill Currency Configuration

Create a global bill currency configuration to bill customers with the same currency conversion rate. If the majority of your customers are billed with the same currency conversion rate, configure a global bill currency conversion rate and assign the global setting to your customers. If the global bill currency configuration changes in the future, you can simply update the global bill currency conversion rate instead of manually updating the rate for each customer.

  1. In Setup > Admin > Settings, select a global bill currency configuration:
    • No Conversion: Select if your customers are billed with US dollars and do not require any currency conversion.
    • Standard Conversion Rate: Select if your customers are billed with a different currency than US dollars and you want to use standard currency conversion rates. Select the currency, the day of the month the currency conversion should begin on, and whether the currency conversion should begin for the current month or next month.
    • Custom Conversion Rate: Select if your customers are billed with a different currency than US dollars and you want to specify a different conversion rate than the standard rate. Select the currency and the conversion rate.
  2. Select the Single Sign-On tab and click Update Company Profile. When you add linked customer tenants, you can assign the customer to the global bill currency conversion.

Set up Billing Bucket to Receive Partner AWS Bills

The Tanzu CloudHealth Platform needs to access detailed cost and usage information from your AWS accounts. In this step, you:

  • Create an S3 bucket
  • Direct your AWS billing information to that bucket
  • Enter bucket information in the Tanzu CloudHealth Platform

Skip this step if there already exists an S3 billing bucket to receive the Partner’s AWS Detailed Billing Records.

  1. Log in to the AWS Console as an administrator. Select My Account from the dropdown in the top-right corner.
  2. From the left menu, click Billing Preferences. Expand the Detailed Billing Reports [Legacy] dropdown and check the option to Turn on the legacy Detailed Billing Reports feature to receive ongoing reports of your AWS charges. Instead of reusing an existing S3 bucket, create a new one for holding Amazon billing reports. The bucket must be unique within the region you select later, so choose a non-obvious name.
  3. Click Configure to set up an S3 bucket to receive Detailed Billing Reports. In the S3 configuration dialog box that appears, either create a bucket or use an existing one. Then click Next.
  4. Review the policy that is generated for the bucket and click Save.
  5. In a separate browser tab, log in to the Tanzu CloudHealth Platform. From the menu, select Setup > Accounts > AWS. Then click New Account. The new account setup form appears.
  6. Name the account and add a description so that you can identify the account later.
  7. In the Detailed Billing Report field, enter the name of the S3 bucket you just created.

Set up Billing Bucket for Depositing Individual Customer Bills

All partners receive a consolidated billing statement of the costs that all their customers have accrued over the billing period. The Tanzu CloudHealth platform processes the consolidated bills through the Tanzu CloudHealth Partner Billing Engine, applies billing rules, and generates separate billing files for each customer. The bucket that you create in this step is the place where Tanzu CloudHealth deposits the generated billing files.

The Tanzu CloudHealth platform needs to access detailed cost and usage information from your AWS accounts. In this step, you create an S3 bucket and take note of the bucket name.

  1. Switch to the AWS Console and select Services > S3. Then click Create Bucket.
  2. Enter the Bucket Name and select a Region for your bucket. Edit any properties and permissions, review your changes, and click Create bucket.
  3. Review the policy that is generated for the bucket and click Save.
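
Both bucket procedures above end with reviewing the generated bucket policy. The following is an added example, not Tanzu CloudHealth or AWS code, of what that review can check on a bucket that holds billing data: Allow statements open to any principal, principals you do not expect, and wildcard actions. The sample policy, bucket name, and account ID are constructed, and the trusted set (here the AWS billing reports service principal) is an assumption you replace with the principals you expect.

```python
import json

# Constructed sample policy: bucket name and account ID are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReportDelivery", "Effect": "Allow",
         "Principal": {"Service": "billingreports.amazonaws.com"},
         "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-billing-bucket",
                      "arn:aws:s3:::example-billing-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
        # Over-broad statement that a review should catch.
        {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-billing-bucket/*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten Principal, which may be "*" or a map of type -> value(s)."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [p for values in principal.values() for p in _as_list(values)]


def review_policy(policy_json, trusted_principals):
    """Return (Sid, finding) pairs for Allow statements that need a closer look."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotPrincipal" in stmt:
            findings.append((sid, "Allow with NotPrincipal"))
        for p in _principals(stmt):
            if p == "*" and not stmt.get("Condition"):
                findings.append((sid, "any principal allowed without a Condition"))
            elif p != "*" and p not in trusted_principals:
                findings.append((sid, f"unexpected principal {p}"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((sid, f"wildcard action {action}"))
    return findings


if __name__ == "__main__":
    for sid, finding in review_policy(SAMPLE_POLICY, {"billingreports.amazonaws.com"}):
        print(f"{sid}: {finding}")
```

Pass it the policy text shown in the S3 console or returned by aws s3api get-bucket-policy for the bucket you are reviewing.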

Set up Cost and Usage Reports

You can enable cost and usage reporting, create an S3 bucket, direct your AWS cost and usage report to that bucket, and then enter the bucket information in the Tanzu CloudHealth platform.

  1. In the AWS Console, select My Account from the dropdown in the top-right corner.
  2. From the left menu, click Billing Preferences.
  3. Scroll to the Detailed Billing Reports [Legacy] section.
  4. Copy the name of the S3 billing bucket to the clipboard. In the Report table, select the checkboxes for all listed reports.
  5. Scroll to the Receive Billing Reports section and enter the name of the S3 bucket.
  6. In the Report table, select the checkboxes for all listed reports.
  7. Click Save Preferences.
  8. Navigate to the Billing & Cost Management Dashboard.
  9. From the left menu, select Cost & Usage Reports and click Create report.
  10. Fill out the configuration wizard:
    • Report Name: Use an easily identifiable name, for example, Tanzu CloudHealth-hourly-cur.
    • Check the box next to Include Resource ID. Click Next.
  11. Select delivery options:
    • S3 Bucket: Enter the name of the S3 bucket that you just created.
    • Report path prefix: Enter a unique prefix, preferably different from the one used for your current DBR.
    • Time granularity: Select Hourly.
    • Compression: Select GZIP.
  12. Click Next to review your configuration. Then click Review and Complete.
  13. Switch to the Tanzu CloudHealth platform. In the new account form that you have open, navigate to the Cost and Usage Report section. Enter this information.
    • Bucket Name: Name of the S3 bucket that you just created to store hourly CUR data.
    • Report Path: The path to the CUR report, including the prefix. Tanzu CloudHealth uses the information you provide in these fields to access your Cost and Usage Report. Inaccuracies in these values can cause errors when Tanzu CloudHealth attempts to access the reports. To locate the accurate values for these fields, navigate to the Billing & Cost Management Dashboard in the AWS Console. From the left menu, select Cost & Usage Reports. Click the name of the report to view the bucket name and report path.
  14. In Tanzu CloudHealth, enable any Optional and Automation settings.

Bill Customers Using AWS Partner Billing Rules

Partner Billing rules allow partners to adjust customer costs globally or for specific customers. You can use custom billing rules to charge for, or credit, additional line items not included in the original bill. You can set up a one-time billing rule, or create a recurring rule. Billing rules can be applied at a flat rate, or as a percentage of the customer’s spend.

There are two types of AWS partner billing rules:

  • AWS Support: Creates a standard billing rule. You can assign only one AWS support rule per customer.
  • Custom Line Item: Can be used to create a specialized billing rule, such as a credit or recurring charge. You can assign multiple custom line item rules to a customer.

Create an AWS Support Rule

  1. Log in to the Tanzu CloudHealth platform as a partner. From the left menu, select Partner > Partner Billing > Billing Rules. Then click New Partner Billing Rule.
  2. Configure the rule parameters:

    • Name the rule so that you can identify it later in the Tanzu CloudHealth platform.
    • Specify Cloud as AWS.
    • Select one or more Target Customers to which this rule applies.

      Note: Target customers must have accounts set up in them to set up billing rules. If the target customer has no accounts, the selected target customer will not be added to the billing rule.

    • Specify Rule Type as AWS Support.

    • Select a Rule Scope from the dropdown:

      • Per Account: Applies charges to each account on a billing statement. For example, a charge of $500 to a bill with three accounts results in a total charge of $1500.
      • Per Billing Family: Applies charges only to the first account on a billing statement. For example, a charge of $500 to a bill with three accounts results in a total charge of $500. Credits are always applied to the consolidated bill account only on a billing statement.
    • Specify your customer’s AWS support tier.

  3. Select one of the following Actions and, if necessary, enter the pricing information.
  4. Click Create.

Create a Custom Line Item Using Billing Rules

You can use custom billing rules to charge for, or credit, additional line items not included in the original bill. Billing rules can be applied globally across all accounts, or on a single customer. You can set up a one-time billing rule, or create a recurring rule. Billing rules can be applied at a flat rate, or as a percentage of the customer’s spend.

  1. Log in to the Tanzu CloudHealth Platform as a partner. From the left menu, select Partner > Partner Billing > Billing Rules. Then click New Partner Billing Rule.
  2. Configure the rule parameters.

    • Name the rule so that you can identify it later in the Tanzu CloudHealth Platform.
    • Specify Cloud as AWS.
    • Select one or more Target Customers to which this rule applies.
    • Specify Rule Type as Custom Line Item.
    • Select a Rule Scope from the dropdown:
      • Per Account: Applies charges to each account on a billing statement. For example, a charge of $500 to a bill with three accounts results in a total charge of $1500.
      • Per Billing Family: Applies charges only to the first account on a billing statement. For example, a charge of $500 to a bill with three accounts results in a total charge of $500. Credits are always applied to the consolidated bill account only on a billing statement.
  3. Select a Start month when the rule goes into effect and specify the frequency of rule application. Partner billing is run for only the current month. To apply the new rule to a previous month, contact Support and request partner billing be rerun for that month.

  4. Enter a Product Name and Description for the rule type.
  5. Select Type to define how the cost adjustment appears in the customer’s statements (as a credit or as a charge).
  6. Select an Amount. In the case of Flat Fee, the Product name, Description, and cost are entered as a line item in the bill. In the case of Percentage of spend, the specified percentage (markup or discount) is applied to each line item.
  7. Click Create.

Cost Allocation Tags

By default, Cost Allocation Tags in the Partner CUR will be passed on to the PGB CUR at the Channel Customer. If the partner chooses to not pass on tags, they can switch this toggle to Off.

Set Up Tax Filtering

By default, all tax line items are passed from the Partner CUR to the PGB CUR at the Channel Customer. Tax filtering strips all CUR line items whose lineItem/LineItemType is Tax during PGB. To enable tax filtering:

  1. From the left menu, select Setup > Admin > Settings.
  2. Scroll to the Partner Billing Filter Settings section and switch the AWS Tax toggle to On.
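
To see what the AWS Tax toggle changes before you enable it, you can run the same filter locally over a GZIP-compressed CUR file and compare per-account totals with and without Tax rows. This is an added example, not Tanzu CloudHealth's implementation; the sample rows are constructed, and summing lineItem/UnblendedCost is an assumption about which cost column you reconcile against.

```python
import csv
import gzip
import io
from collections import defaultdict
from decimal import Decimal

TYPE_COL = "lineItem/LineItemType"
ACCOUNT_COL = "lineItem/UsageAccountId"
COST_COL = "lineItem/UnblendedCost"  # assumption: reconcile on unblended cost

# Constructed CUR excerpt; account IDs and amounts are illustrative.
SAMPLE_CSV = """\
lineItem/UsageAccountId,lineItem/LineItemType,lineItem/ProductCode,lineItem/UnblendedCost
111122223333,Usage,AmazonEC2,10.50
111122223333,Tax,AmazonEC2,2.10
444455556666,Usage,AmazonS3,3.25
444455556666,Tax,AmazonS3,0.65
444455556666,Credit,AmazonS3,-1.00
"""
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode("utf-8"))


def tax_filter_preview(cur_gz_bytes):
    """Drop Tax rows; return (kept_rows, totals_before, totals_after) per account."""
    before, after, kept = defaultdict(Decimal), defaultdict(Decimal), []
    with gzip.open(io.BytesIO(cur_gz_bytes), "rt", encoding="utf-8", newline="") as fh:
        reader = csv.DictReader(fh)
        missing = {TYPE_COL, ACCOUNT_COL, COST_COL} - set(reader.fieldnames or [])
        if missing:
            raise ValueError(f"not a usable CUR file, missing columns: {sorted(missing)}")
        for row in reader:
            cost = Decimal(row[COST_COL] or "0")  # Decimal avoids float drift in totals
            before[row[ACCOUNT_COL]] += cost
            if row[TYPE_COL] == "Tax":
                continue  # this is the row the filter removes
            after[row[ACCOUNT_COL]] += cost
            kept.append(row)
    return kept, dict(before), dict(after)


if __name__ == "__main__":
    _, before, after = tax_filter_preview(SAMPLE_GZ)
    for account in sorted(before):
        print(account, "with tax:", before[account], "without tax:", after[account])
```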