Adding Beanstalk roles with Terraform
resource "aws_iam_instance_profile" "beanstalk_service" { | |
name = "beanstalk-service-user" | |
roles = ["${aws_iam_role.beanstalk_service.name}"] | |
} | |
resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
name = "beanstalk-ec2-user" | |
roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
} | |
resource "aws_iam_role" "beanstalk_service" { | |
name = "beanstalk-service-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Action": "sts:AssumeRole", | |
"Principal": { | |
"Service": "s3.amazonaws.com" | |
}, | |
"Effect": "Allow", | |
"Sid": "" | |
} | |
] | |
} | |
EOF | |
} | |
resource "aws_iam_role" "beanstalk_ec2" { | |
name = "beanstalk-ec2-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Action": "sts:AssumeRole", | |
"Principal": { | |
"Service": "s3.amazonaws.com" | |
}, | |
"Effect": "Allow", | |
"Sid": "" | |
} | |
] | |
} | |
EOF | |
resource "aws_iam_instance_profile" "beanstalk_service" { | |
name = "beanstalk-service-user" | |
roles = ["${aws_iam_role.beanstalk_service.name}"] | |
} | |
resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
name = "beanstalk-ec2-user" | |
roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
} | |
resource "aws_iam_role" "beanstalk_service" { | |
name = "beanstalk-service-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Principal": { | |
"Service": "elasticbeanstalk.amazonaws.com" | |
}, | |
"Action": "sts:AssumeRole", | |
"Condition": { | |
"StringEquals": { | |
"sts:ExternalId": "elasticbeanstalk" | |
} | |
} | |
} | |
] | |
} | |
EOF | |
} | |
resource "aws_iam_role" "beanstalk_ec2" { | |
name = "beanstalk-ec2-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2008-10-17", | |
"Statement": [ | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Principal": { | |
"Service": "ec2.amazonaws.com" | |
}, | |
"Action": "sts:AssumeRole" | |
} | |
] | |
} | |
EOF | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_service" { | |
name = "elastic-beanstalk-service" | |
roles = ["${aws_iam_role.beanstalk_service.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_service_health" { | |
name = "elastic-beanstalk-service-health" | |
roles = ["${aws_iam_role.beanstalk_service.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" { | |
name = "elastic-beanstalk-ec2-worker" | |
roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_ec2_web" { | |
name = "elastic-beanstalk-ec2-web" | |
roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_ec2_container" { | |
name = "elastic-beanstalk-ec2-container" | |
roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker" | |
} | |
resource "aws_elastic_beanstalk_application" "api" { | |
name = "api-${var.tag_postfix}" | |
description = "REST api for ${var.tag_postfix} environment" | |
} | |
resource "aws_elastic_beanstalk_environment" "api" { | |
name = "api-${var.tag_postfix}" | |
application = "${aws_elastic_beanstalk_application.api.name}" | |
solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8" | |
wait_for_ready_timeout = "20m" | |
setting { | |
namespace = "aws:ec2:vpc" | |
name = "VPCId" | |
value = "${var.vpc_id}" | |
} | |
setting { | |
namespace = "aws:ec2:vpc" | |
name = "Subnets" | |
value = "${var.private_subnet_one},${var.private_subnet_two}" | |
} | |
setting { | |
namespace = "aws:ec2:vpc" | |
name = "ELBSubnets" | |
value = "${var.subnet_one},${var.subnet_two}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "InstanceType" | |
value = "${var.instance_type}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "SSHSourceRestriction" | |
value = "tcp, 22, 22, ${var.vpc_cidr}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "EC2KeyName" | |
value = "${var.ssh_key}" | |
} | |
setting { | |
namespace = "aws:elasticbeanstalk:environment" | |
name = "ServiceRole" | |
value = "${aws_iam_instance_profile.beanstalk_service.name}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "IamInstanceProfile" | |
value = "${aws_iam_instance_profile.beanstalk_ec2.name}" | |
} | |
} |
This comment has been minimized.
This comment has been minimized.
to get this to work I had to change the assume permissions when creating the role
I also ended up adding
because if you are working with targets the dependency graph does not fully populate from the beanstalk env. |
This comment has been minimized.
This comment has been minimized.
Thank you for taking the time to figure this out! |
This comment has been minimized.
This comment has been minimized.
@slatemine's null resource trick worked for me. |
This comment has been minimized.
This comment has been minimized.
Thank you !! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform.
Article at