/BeanstalkViaTerraform
Last active Jul 4, 2018
Adding Beanstalk roles with Terraform
| resource "aws_iam_instance_profile" "beanstalk_service" { | |
| name = "beanstalk-service-user" | |
| roles = ["${aws_iam_role.beanstalk_service.name}"] | |
| } | |
| resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-user" | |
| roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
| } | |
| resource "aws_iam_role" "beanstalk_service" { | |
| name = "beanstalk-service-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "s3.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "s3.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| EOF | |
| resource "aws_iam_instance_profile" "beanstalk_service" { | |
| name = "beanstalk-service-user" | |
| roles = ["${aws_iam_role.beanstalk_service.name}"] | |
| } | |
| resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-user" | |
| roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
| } | |
| resource "aws_iam_role" "beanstalk_service" { | |
| name = "beanstalk-service-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "elasticbeanstalk.amazonaws.com" | |
| }, | |
| "Action": "sts:AssumeRole", | |
| "Condition": { | |
| "StringEquals": { | |
| "sts:ExternalId": "elasticbeanstalk" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2008-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "ec2.amazonaws.com" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_service" { | |
| name = "elastic-beanstalk-service" | |
| roles = ["${aws_iam_role.beanstalk_service.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_service_health" { | |
| name = "elastic-beanstalk-service-health" | |
| roles = ["${aws_iam_role.beanstalk_service.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" { | |
| name = "elastic-beanstalk-ec2-worker" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_web" { | |
| name = "elastic-beanstalk-ec2-web" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_container" { | |
| name = "elastic-beanstalk-ec2-container" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker" | |
| } | |
| resource "aws_elastic_beanstalk_application" "api" { | |
| name = "api-${var.tag_postfix}" | |
| description = "REST api for ${var.tag_postfix} environment" | |
| } | |
| resource "aws_elastic_beanstalk_environment" "api" { | |
| name = "api-${var.tag_postfix}" | |
| application = "${aws_elastic_beanstalk_application.api.name}" | |
| solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8" | |
| wait_for_ready_timeout = "20m" | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "VPCId" | |
| value = "${var.vpc_id}" | |
| } | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "Subnets" | |
| value = "${var.private_subnet_one},${var.private_subnet_two}" | |
| } | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "ELBSubnets" | |
| value = "${var.subnet_one},${var.subnet_two}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "InstanceType" | |
| value = "${var.instance_type}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "SSHSourceRestriction" | |
| value = "tcp, 22, 22, ${var.vpc_cidr}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "EC2KeyName" | |
| value = "${var.ssh_key}" | |
| } | |
| setting { | |
| namespace = "aws:elasticbeanstalk:environment" | |
| name = "ServiceRole" | |
| value = "${aws_iam_instance_profile.beanstalk_service.name}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "IamInstanceProfile" | |
| value = "${aws_iam_instance_profile.beanstalk_ec2.name}" | |
| } | |
| } |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
|
Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform. Article at
|
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
slatemine
Jun 14, 2017
to get this to work I had to change the assume permissions when creating the role
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
}
EOF
}
resource "aws_iam_role" "beanstalk_ec2" {
name = "beanstalk-ec2"
assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
I also ended up adding
resource "null_resource" "setup_roles"{
depends_on = [
"aws_iam_role.beanstalk_service",
"aws_iam_instance_profile.beanstalk_service",
"aws_iam_policy_attachment.beanstalk_service",
"aws_iam_policy_attachment.beanstalk_service_health",
"aws_iam_role.beanstalk_ec2",
"aws_iam_instance_profile.beanstalk_ec2",
"aws_iam_policy_attachment.beanstalk_ec2_container",
"aws_iam_policy_attachment.beanstalk_ec2_web",
"aws_iam_policy_attachment.beanstalk_ec2_worker"
]
}
because if you are working with targets the dependency graph does not fully populate from the beanstalk env.
slatemine
commented
Jun 14, 2017
|
to get this to work I had to change the assume permissions when creating the role I also ended up adding because if you are working with targets the dependency graph does not fully populate from the beanstalk env. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
mtoigo
commented
Jul 27, 2017
|
Thank you for taking the time to figure this out! |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
mach-kernel
commented
May 21, 2018
|
@slatemine's null resource trick worked for me. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform.
Article at