UPD: fine-grained billing access

modules/security_identity_compliance/roles_iam_resources/cloudhealth-role.tf

@@ -1,4 +1,4 @@
-resource aws_iam_role cloudhealth-role {
+resource "aws_iam_role" "cloudhealth-role" {
   count              = var.create-cloudhealth-resources ? 1 : 0
   name               = "CloudHealth-Role"
   tags               = var.default-tags
@@ -29,12 +29,13 @@ EOF
 resource "aws_iam_policy" "CloudHealth-Policy" {
   count = var.create-cloudhealth-resources ? 1 : 0
   name  = "CloudHealthPolicy"
-  policy = <<-EOF
+  policy = jsonencode(
-{
-    "Version": "2012-10-17",
-    "Statement": [
     {
-            "Action": [
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "CloudhealthAccess",
+          "Action" : [
             "autoscaling:Describe*",
             "cloudformation:ListStacks",
             "cloudformation:ListStackResources",
@@ -123,7 +124,14 @@ resource "aws_iam_policy" "CloudHealth-Policy" {
             "sqs:ListQueues",
             "storagegateway:List*",
             "storagegateway:Describe*",
-                "workspaces:Describe*",
+            "workspaces:Describe*"
+          ],
+          "Resource" : "*",
+          "Effect" : "Allow"
+        },
+        {
+          "Sid" : "FineGrainedBillingAccess",
+          "Action" : [
             "account:Get*",
             "billing:Get*",
             "billing:List*",
@@ -144,12 +152,12 @@ resource "aws_iam_policy" "CloudHealth-Policy" {
             "tax:Get*",
             "tax:List*"
           ],
-            "Resource": "*",
+          "Resource" : "*",
-            "Effect": "Allow"
+          "Effect" : "Allow"
         }
       ]
-}
+    }
-EOF
+  )
 }
 
 resource "aws_iam_role_policy_attachment" "cloudhealth-role-policy-attach" {