resource "aws_iam_instance_profile" "beanstalk_service" { | |
name = "beanstalk-service-user" | |
roles = ["${aws_iam_role.beanstalk_service.name}"] | |
} | |
resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
name = "beanstalk-ec2-user" | |
roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
} | |
resource "aws_iam_role" "beanstalk_service" { | |
name = "beanstalk-service-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Action": "sts:AssumeRole", | |
"Principal": { | |
"Service": "s3.amazonaws.com" | |
}, | |
"Effect": "Allow", | |
"Sid": "" | |
} | |
] | |
} | |
EOF | |
} | |
resource "aws_iam_role" "beanstalk_ec2" { | |
name = "beanstalk-ec2-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Action": "sts:AssumeRole", | |
"Principal": { | |
"Service": "s3.amazonaws.com" | |
}, | |
"Effect": "Allow", | |
"Sid": "" | |
} | |
] | |
} | |
EOF | |
resource "aws_iam_instance_profile" "beanstalk_service" { | |
name = "beanstalk-service-user" | |
roles = ["${aws_iam_role.beanstalk_service.name}"] | |
} | |
resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
name = "beanstalk-ec2-user" | |
roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
} | |
resource "aws_iam_role" "beanstalk_service" { | |
name = "beanstalk-service-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Principal": { | |
"Service": "elasticbeanstalk.amazonaws.com" | |
}, | |
"Action": "sts:AssumeRole", | |
"Condition": { | |
"StringEquals": { | |
"sts:ExternalId": "elasticbeanstalk" | |
} | |
} | |
} | |
] | |
} | |
EOF | |
} | |
resource "aws_iam_role" "beanstalk_ec2" { | |
name = "beanstalk-ec2-role" | |
assume_role_policy = <<EOF | |
{ | |
"Version": "2008-10-17", | |
"Statement": [ | |
{ | |
"Sid": "", | |
"Effect": "Allow", | |
"Principal": { | |
"Service": "ec2.amazonaws.com" | |
}, | |
"Action": "sts:AssumeRole" | |
} | |
] | |
} | |
EOF | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_service" { | |
name = "elastic-beanstalk-service" | |
roles = ["${aws_iam_role.beanstalk_service.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_service_health" { | |
name = "elastic-beanstalk-service-health" | |
roles = ["${aws_iam_role.beanstalk_service.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" { | |
name = "elastic-beanstalk-ec2-worker" | |
roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_ec2_web" { | |
name = "elastic-beanstalk-ec2-web" | |
roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier" | |
} | |
resource "aws_iam_policy_attachment" "beanstalk_ec2_container" { | |
name = "elastic-beanstalk-ec2-container" | |
roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker" | |
} | |
resource "aws_elastic_beanstalk_application" "api" { | |
name = "api-${var.tag_postfix}" | |
description = "REST api for ${var.tag_postfix} environment" | |
} | |
resource "aws_elastic_beanstalk_environment" "api" { | |
name = "api-${var.tag_postfix}" | |
application = "${aws_elastic_beanstalk_application.api.name}" | |
solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8" | |
wait_for_ready_timeout = "20m" | |
setting { | |
namespace = "aws:ec2:vpc" | |
name = "VPCId" | |
value = "${var.vpc_id}" | |
} | |
setting { | |
namespace = "aws:ec2:vpc" | |
name = "Subnets" | |
value = "${var.private_subnet_one},${var.private_subnet_two}" | |
} | |
setting { | |
namespace = "aws:ec2:vpc" | |
name = "ELBSubnets" | |
value = "${var.subnet_one},${var.subnet_two}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "InstanceType" | |
value = "${var.instance_type}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "SSHSourceRestriction" | |
value = "tcp, 22, 22, ${var.vpc_cidr}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "EC2KeyName" | |
value = "${var.ssh_key}" | |
} | |
setting { | |
namespace = "aws:elasticbeanstalk:environment" | |
name = "ServiceRole" | |
value = "${aws_iam_instance_profile.beanstalk_service.name}" | |
} | |
setting { | |
namespace = "aws:autoscaling:launchconfiguration" | |
name = "IamInstanceProfile" | |
value = "${aws_iam_instance_profile.beanstalk_ec2.name}" | |
} | |
} |
IAM roles and policies required when creating an Elastic Beanstalk application with Terraform. The EB CLI generates these automatically, but with Terraform they must be declared explicitly. Article at
slatemine
Jun 14, 2017
To get this to work I had to change the assume-role (trust) policies used when creating the roles:
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
}
EOF
}
resource "aws_iam_role" "beanstalk_ec2" {
name = "beanstalk-ec2"
assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
I also ended up adding the following:
resource "null_resource" "setup_roles"{
depends_on = [
"aws_iam_role.beanstalk_service",
"aws_iam_instance_profile.beanstalk_service",
"aws_iam_policy_attachment.beanstalk_service",
"aws_iam_policy_attachment.beanstalk_service_health",
"aws_iam_role.beanstalk_ec2",
"aws_iam_instance_profile.beanstalk_ec2",
"aws_iam_policy_attachment.beanstalk_ec2_container",
"aws_iam_policy_attachment.beanstalk_ec2_web",
"aws_iam_policy_attachment.beanstalk_ec2_worker"
]
}
because when applying with `-target`, the dependency graph is not fully populated from the Beanstalk environment alone.
mtoigo
commented
Jul 27, 2017
Thank you for taking the time to figure this out! |
IAM roles and policies required when creating an Elastic Beanstalk application with Terraform. The EB CLI generates these automatically, but with Terraform they must be declared explicitly.
Article at