Adding Beanstalk roles with Terraform
# Instance profile wrapping the Beanstalk *service* role.
# NOTE(review): Elastic Beanstalk consumes the service role directly (via the
# ServiceRole environment option), not through an instance profile; only the
# EC2 role needs one. `roles` is the legacy plural attribute (an instance
# profile holds exactly one role); newer provider versions use the singular
# `role`.
resource "aws_iam_instance_profile" "beanstalk_service" {
name = "beanstalk-service-user"
roles = ["${aws_iam_role.beanstalk_service.name}"]
}
# Instance profile that attaches the EC2 role to the environment's instances
# (referenced by the IamInstanceProfile launch-configuration option). `roles`
# is the legacy plural attribute; newer provider versions use the singular
# `role`, since an instance profile holds exactly one role.
resource "aws_iam_instance_profile" "beanstalk_ec2" {
name = "beanstalk-ec2-user"
roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
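# IAM role that the Elastic Beanstalk *service* assumes to manage the
# environment's resources (load balancer, Auto Scaling group, health data).
# Referenced by the ServiceRole option of aws_elastic_beanstalk_environment.
resource "aws_iam_role" "beanstalk_service" {
  name = "beanstalk-service-role"

  # Trust policy. FIX: the principal must be the Elastic Beanstalk service.
  # The original listed "s3.amazonaws.com", which leaves Beanstalk unable to
  # assume this role at all. The ExternalId condition matches the trust
  # relationship AWS uses for its default Beanstalk service role and narrows
  # assumption to calls made on behalf of Elastic Beanstalk.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}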
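# IAM role assumed by the environment's EC2 instances (through the
# beanstalk_ec2 instance profile). Grants only what the attached tier
# policies allow.
resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2-role"

  # Trust policy. FIX: the principal must be the EC2 service so instances can
  # obtain credentials for this role; the original listed "s3.amazonaws.com".
  # Also restores the resource's closing brace, which was missing.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}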
# Instance profile wrapping the Beanstalk *service* role.
# NOTE(review): Elastic Beanstalk consumes the service role directly (via the
# ServiceRole environment option), not through an instance profile; only the
# EC2 role needs one. `roles` is the legacy plural attribute (an instance
# profile holds exactly one role); newer provider versions use the singular
# `role`.
resource "aws_iam_instance_profile" "beanstalk_service" {
name = "beanstalk-service-user"
roles = ["${aws_iam_role.beanstalk_service.name}"]
}
# Instance profile that attaches the EC2 role to the environment's instances
# (referenced by the IamInstanceProfile launch-configuration option). `roles`
# is the legacy plural attribute; newer provider versions use the singular
# `role`, since an instance profile holds exactly one role.
resource "aws_iam_instance_profile" "beanstalk_ec2" {
name = "beanstalk-ec2-user"
roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
# IAM role that the Elastic Beanstalk *service* assumes to manage the
# environment's resources. Referenced by the ServiceRole option of
# aws_elastic_beanstalk_environment; permissions come from the managed
# policies attached further down.
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service-role"
# Trust policy: only the Elastic Beanstalk service may assume this role, and
# only when it presents the "elasticbeanstalk" external id. This is the same
# trust relationship AWS uses for its default Beanstalk service role; the
# condition prevents the role being assumed via some other service context.
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
}
EOF
}
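# IAM role assumed by the environment's EC2 instances (through the
# beanstalk_ec2 instance profile). Its permissions are the tier policies
# attached below; keep the trust policy limited to the EC2 service.
resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2-role"

  # Trust policy: only the EC2 service may assume this role. Policy language
  # version raised from "2008-10-17" to "2012-10-17" for consistency with the
  # service role above; the older version is accepted but is the legacy
  # grammar (no policy variables), so a single current version is preferable.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}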
# Attaches the AWS-managed Beanstalk service policy to the service role.
# NOTE(review): aws_iam_policy_attachment is *exclusive* — on apply it detaches
# the policy from every role, user and group not listed in `roles`, so it can
# silently strip this managed policy from other roles in the account. Prefer
# aws_iam_role_policy_attachment (one role per resource) unless account-wide
# exclusivity is intended. AWS has since marked AWSElasticBeanstalkService as
# deprecated; check the current recommended service-role policy.
resource "aws_iam_policy_attachment" "beanstalk_service" {
name = "elastic-beanstalk-service"
roles = ["${aws_iam_role.beanstalk_service.id}"]
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
}
# Lets the service role publish enhanced health data for the environment.
# NOTE(review): aws_iam_policy_attachment is exclusive — it detaches this
# managed policy from any role/user/group not listed here; prefer
# aws_iam_role_policy_attachment.
resource "aws_iam_policy_attachment" "beanstalk_service_health" {
name = "elastic-beanstalk-service-health"
roles = ["${aws_iam_role.beanstalk_service.id}"]
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
}
# Worker-tier permissions for the instance role (SQS/CloudWatch/etc. as
# defined by the managed policy). NOTE(review): this environment looks like a
# web-tier REST API, so the worker-tier policy may be more than the instances
# need — confirm before keeping it. aws_iam_policy_attachment is exclusive;
# prefer aws_iam_role_policy_attachment.
resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" {
name = "elastic-beanstalk-ec2-worker"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
}
# Web-tier permissions for the instance role (log/S3 bucket access as defined
# by the managed policy). NOTE(review): aws_iam_policy_attachment is
# exclusive; prefer aws_iam_role_policy_attachment.
resource "aws_iam_policy_attachment" "beanstalk_ec2_web" {
name = "elastic-beanstalk-ec2-web"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}
# Multi-container Docker permissions (ECS/ECR access) for the instance role.
# NOTE(review): the solution stack on this page is a Java 8 platform, not
# Docker, so this attachment may be unnecessary — drop it if so.
# aws_iam_policy_attachment is exclusive; prefer aws_iam_role_policy_attachment.
resource "aws_iam_policy_attachment" "beanstalk_ec2_container" {
name = "elastic-beanstalk-ec2-container"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}
# Beanstalk application container for the API; the environment below is
# created inside it. var.tag_postfix distinguishes deployments (e.g. per
# stage) by name.
resource "aws_elastic_beanstalk_application" "api" {
name = "api-${var.tag_postfix}"
description = "REST api for ${var.tag_postfix} environment"
}
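# Elastic Beanstalk environment for the API. The settings place instances in
# the private subnets and the load balancer in the other pair, pin the
# instance type and key pair, and wire in the IAM roles defined above.
resource "aws_elastic_beanstalk_environment" "api" {
  name        = "api-${var.tag_postfix}"
  application = "${aws_elastic_beanstalk_application.api.name}"

  # Pinned platform version. Amazon Linux 2016.03 stacks are long retired;
  # pick a currently supported stack, ideally via a variable so it can be
  # bumped without editing this block.
  solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8"

  # How long `terraform apply` waits for the environment to reach Ready.
  wait_for_ready_timeout = "20m"

  setting {
    namespace = "aws:ec2:vpc"
    name      = "VPCId"
    value     = "${var.vpc_id}"
  }

  # Instances are launched in the private subnets ...
  setting {
    namespace = "aws:ec2:vpc"
    name      = "Subnets"
    value     = "${var.private_subnet_one},${var.private_subnet_two}"
  }

  # ... and the load balancer in var.subnet_one/two (presumably the public
  # subnets — confirm against the VPC module).
  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBSubnets"
    value     = "${var.subnet_one},${var.subnet_two}"
  }

  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "InstanceType"
    value     = "${var.instance_type}"
  }

  # Restricts SSH (tcp/22) ingress on the instance security group to the VPC
  # CIDR instead of leaving it open to the internet.
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "SSHSourceRestriction"
    value     = "tcp, 22, 22, ${var.vpc_cidr}"
  }

  # Key pair installed on the instances for SSH, reachable only from inside
  # the VPC per the restriction above.
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "EC2KeyName"
    value     = "${var.ssh_key}"
  }

  # FIX: ServiceRole takes an IAM role name (or ARN). The original passed the
  # *instance profile* name ("beanstalk-service-user"), which is not the name
  # of any role here ("beanstalk-service-role"), so Beanstalk would not
  # resolve it. Reference the role itself.
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "ServiceRole"
    value     = "${aws_iam_role.beanstalk_service.name}"
  }

  # The EC2 role is (correctly) supplied via its instance profile.
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "IamInstanceProfile"
    value     = "${aws_iam_instance_profile.beanstalk_ec2.name}"
  }
}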

tomfa commented Oct 16, 2016

The IAM roles and policies needed when creating a Beanstalk application through Terraform. The EB CLI generates these automatically, but they must be declared explicitly when using Terraform.

Article at

To get this to work I had to change the assume-role (trust) policies when creating the roles:

# Service role with a trust policy that names the Elastic Beanstalk service
# as principal (rather than S3) and requires the "elasticbeanstalk" external
# id — the trust relationship AWS uses for its default Beanstalk service role.
resource "aws_iam_role" "beanstalk_service" {
    name = "beanstalk-service"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}

# Instance role trusted only by the EC2 service, so the environment's
# instances can obtain its credentials via their instance profile.
# "2008-10-17" is the legacy policy-language version; "2012-10-17" is the
# current one and works equally here.
resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2"
  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

I also ended up adding

# Anchor resource whose only purpose is to depend on every IAM piece the
# environment needs. The environment itself references only the instance
# profiles/roles, not the policy attachments, so a targeted apply can reach
# the environment before the attachments exist; targeting this resource first
# forces them all to be created.
resource "null_resource" "setup_roles"{
  depends_on = [
    "aws_iam_role.beanstalk_service",
    "aws_iam_instance_profile.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service_health",
    "aws_iam_role.beanstalk_ec2",
    "aws_iam_instance_profile.beanstalk_ec2",
    "aws_iam_policy_attachment.beanstalk_ec2_container",
    "aws_iam_policy_attachment.beanstalk_ec2_web",
    "aws_iam_policy_attachment.beanstalk_ec2_worker"
  ]
}

because when you apply with targets, the dependency graph is not fully populated from the Beanstalk environment alone.

mtoigo commented Jul 27, 2017

Thank you for taking the time to figure this out!
