Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Adding Beanstalk roles with Terraform
resource "aws_iam_instance_profile" "beanstalk_service" {
name = "beanstalk-service-user"
roles = ["${aws_iam_role.beanstalk_service.name}"]
}
resource "aws_iam_instance_profile" "beanstalk_ec2" {
name = "beanstalk-ec2-user"
roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role" "beanstalk_ec2" {
name = "beanstalk-ec2-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
resource "aws_iam_instance_profile" "beanstalk_service" {
name = "beanstalk-service-user"
roles = ["${aws_iam_role.beanstalk_service.name}"]
}
resource "aws_iam_instance_profile" "beanstalk_ec2" {
name = "beanstalk-ec2-user"
roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
}
EOF
}
resource "aws_iam_role" "beanstalk_ec2" {
name = "beanstalk-ec2-role"
assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_policy_attachment" "beanstalk_service" {
name = "elastic-beanstalk-service"
roles = ["${aws_iam_role.beanstalk_service.id}"]
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
}
resource "aws_iam_policy_attachment" "beanstalk_service_health" {
name = "elastic-beanstalk-service-health"
roles = ["${aws_iam_role.beanstalk_service.id}"]
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
}
resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" {
name = "elastic-beanstalk-ec2-worker"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
}
resource "aws_iam_policy_attachment" "beanstalk_ec2_web" {
name = "elastic-beanstalk-ec2-web"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}
resource "aws_iam_policy_attachment" "beanstalk_ec2_container" {
name = "elastic-beanstalk-ec2-container"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}
resource "aws_elastic_beanstalk_application" "api" {
name = "api-${var.tag_postfix}"
description = "REST api for ${var.tag_postfix} environment"
}
resource "aws_elastic_beanstalk_environment" "api" {
name = "api-${var.tag_postfix}"
application = "${aws_elastic_beanstalk_application.api.name}"
solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8"
wait_for_ready_timeout = "20m"
setting {
namespace = "aws:ec2:vpc"
name = "VPCId"
value = "${var.vpc_id}"
}
setting {
namespace = "aws:ec2:vpc"
name = "Subnets"
value = "${var.private_subnet_one},${var.private_subnet_two}"
}
setting {
namespace = "aws:ec2:vpc"
name = "ELBSubnets"
value = "${var.subnet_one},${var.subnet_two}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "InstanceType"
value = "${var.instance_type}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "SSHSourceRestriction"
value = "tcp, 22, 22, ${var.vpc_cidr}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "EC2KeyName"
value = "${var.ssh_key}"
}
setting {
namespace = "aws:elasticbeanstalk:environment"
name = "ServiceRole"
value = "${aws_iam_instance_profile.beanstalk_service.name}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "IamInstanceProfile"
value = "${aws_iam_instance_profile.beanstalk_ec2.name}"
}
}
@tomfa

This comment has been minimized.

Show comment
Hide comment
@tomfa

tomfa Oct 16, 2016

Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform.

Article at

Owner

tomfa commented Oct 16, 2016

Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform.

Article at

@slatemine

This comment has been minimized.

Show comment
Hide comment
@slatemine

slatemine Jun 14, 2017

to get this to work I had to change the assume permissions when creating the role

resource "aws_iam_role" "beanstalk_service" {
    name = "beanstalk-service"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2"
  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

I also ended up adding

resource "null_resource" "setup_roles"{
  depends_on = [
    "aws_iam_role.beanstalk_service",
    "aws_iam_instance_profile.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service_health",
    "aws_iam_role.beanstalk_ec2",
    "aws_iam_instance_profile.beanstalk_ec2",
    "aws_iam_policy_attachment.beanstalk_ec2_container",
    "aws_iam_policy_attachment.beanstalk_ec2_web",
    "aws_iam_policy_attachment.beanstalk_ec2_worker"
  ]
}

because if you are working with targets the dependency graph does not fully populate from the beanstalk env.

to get this to work I had to change the assume permissions when creating the role

resource "aws_iam_role" "beanstalk_service" {
    name = "beanstalk-service"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2"
  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

I also ended up adding

resource "null_resource" "setup_roles"{
  depends_on = [
    "aws_iam_role.beanstalk_service",
    "aws_iam_instance_profile.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service_health",
    "aws_iam_role.beanstalk_ec2",
    "aws_iam_instance_profile.beanstalk_ec2",
    "aws_iam_policy_attachment.beanstalk_ec2_container",
    "aws_iam_policy_attachment.beanstalk_ec2_web",
    "aws_iam_policy_attachment.beanstalk_ec2_worker"
  ]
}

because if you are working with targets the dependency graph does not fully populate from the beanstalk env.

@mtoigo

This comment has been minimized.

Show comment
Hide comment
@mtoigo

mtoigo Jul 27, 2017

Thank you for taking the time to figure this out!

mtoigo commented Jul 27, 2017

Thank you for taking the time to figure this out!

@mach-kernel

This comment has been minimized.

Show comment
Hide comment
@mach-kernel

mach-kernel May 21, 2018

@slatemine's null resource trick worked for me.

@slatemine's null resource trick worked for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment