/BeanstalkViaTerraform
Last active Apr 24, 2019
Adding Beanstalk roles with Terraform
| resource "aws_iam_instance_profile" "beanstalk_service" { | |
| name = "beanstalk-service-user" | |
| roles = ["${aws_iam_role.beanstalk_service.name}"] | |
| } | |
| resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-user" | |
| roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
| } | |
| resource "aws_iam_role" "beanstalk_service" { | |
| name = "beanstalk-service-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "s3.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "s3.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| EOF | |
| resource "aws_iam_instance_profile" "beanstalk_service" { | |
| name = "beanstalk-service-user" | |
| roles = ["${aws_iam_role.beanstalk_service.name}"] | |
| } | |
| resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-user" | |
| roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
| } | |
| resource "aws_iam_role" "beanstalk_service" { | |
| name = "beanstalk-service-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "elasticbeanstalk.amazonaws.com" | |
| }, | |
| "Action": "sts:AssumeRole", | |
| "Condition": { | |
| "StringEquals": { | |
| "sts:ExternalId": "elasticbeanstalk" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2008-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "ec2.amazonaws.com" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_service" { | |
| name = "elastic-beanstalk-service" | |
| roles = ["${aws_iam_role.beanstalk_service.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_service_health" { | |
| name = "elastic-beanstalk-service-health" | |
| roles = ["${aws_iam_role.beanstalk_service.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" { | |
| name = "elastic-beanstalk-ec2-worker" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_web" { | |
| name = "elastic-beanstalk-ec2-web" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_container" { | |
| name = "elastic-beanstalk-ec2-container" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker" | |
| } | |
| resource "aws_elastic_beanstalk_application" "api" { | |
| name = "api-${var.tag_postfix}" | |
| description = "REST api for ${var.tag_postfix} environment" | |
| } | |
| resource "aws_elastic_beanstalk_environment" "api" { | |
| name = "api-${var.tag_postfix}" | |
| application = "${aws_elastic_beanstalk_application.api.name}" | |
| solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8" | |
| wait_for_ready_timeout = "20m" | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "VPCId" | |
| value = "${var.vpc_id}" | |
| } | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "Subnets" | |
| value = "${var.private_subnet_one},${var.private_subnet_two}" | |
| } | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "ELBSubnets" | |
| value = "${var.subnet_one},${var.subnet_two}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "InstanceType" | |
| value = "${var.instance_type}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "SSHSourceRestriction" | |
| value = "tcp, 22, 22, ${var.vpc_cidr}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "EC2KeyName" | |
| value = "${var.ssh_key}" | |
| } | |
| setting { | |
| namespace = "aws:elasticbeanstalk:environment" | |
| name = "ServiceRole" | |
| value = "${aws_iam_instance_profile.beanstalk_service.name}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "IamInstanceProfile" | |
| value = "${aws_iam_instance_profile.beanstalk_ec2.name}" | |
| } | |
| } |
This comment has been minimized.
This comment has been minimized.
slatemine
commented
Jun 14, 2017
|
to get this to work I had to change the assume permissions when creating the role I also ended up adding because if you are working with targets the dependency graph does not fully populate from the beanstalk env. |
This comment has been minimized.
This comment has been minimized.
mtoigo
commented
Jul 27, 2017
|
Thank you for taking the time to figure this out! |
This comment has been minimized.
This comment has been minimized.
mach-kernel
commented
May 21, 2018
|
@slatemine's null resource trick worked for me. |
This comment has been minimized.
This comment has been minimized.
sanhardik
commented
Feb 23, 2019
|
Thank you !! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
tomfa commentedOct 16, 2016
Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform.
Article at