Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Adding Beanstalk roles with Terraform
resource "aws_iam_instance_profile" "beanstalk_service" {
name = "beanstalk-service-user"
roles = ["${aws_iam_role.beanstalk_service.name}"]
}
resource "aws_iam_instance_profile" "beanstalk_ec2" {
name = "beanstalk-ec2-user"
roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_iam_role" "beanstalk_ec2" {
name = "beanstalk-ec2-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
resource "aws_iam_instance_profile" "beanstalk_service" {
name = "beanstalk-service-user"
roles = ["${aws_iam_role.beanstalk_service.name}"]
}
resource "aws_iam_instance_profile" "beanstalk_ec2" {
name = "beanstalk-ec2-user"
roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
}
EOF
}
resource "aws_iam_role" "beanstalk_ec2" {
name = "beanstalk-ec2-role"
assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_policy_attachment" "beanstalk_service" {
name = "elastic-beanstalk-service"
roles = ["${aws_iam_role.beanstalk_service.id}"]
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
}
resource "aws_iam_policy_attachment" "beanstalk_service_health" {
name = "elastic-beanstalk-service-health"
roles = ["${aws_iam_role.beanstalk_service.id}"]
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
}
resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" {
name = "elastic-beanstalk-ec2-worker"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
}
resource "aws_iam_policy_attachment" "beanstalk_ec2_web" {
name = "elastic-beanstalk-ec2-web"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}
resource "aws_iam_policy_attachment" "beanstalk_ec2_container" {
name = "elastic-beanstalk-ec2-container"
roles = ["${aws_iam_role.beanstalk_ec2.id}"]
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}
resource "aws_elastic_beanstalk_application" "api" {
name = "api-${var.tag_postfix}"
description = "REST api for ${var.tag_postfix} environment"
}
resource "aws_elastic_beanstalk_environment" "api" {
name = "api-${var.tag_postfix}"
application = "${aws_elastic_beanstalk_application.api.name}"
solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8"
wait_for_ready_timeout = "20m"
setting {
namespace = "aws:ec2:vpc"
name = "VPCId"
value = "${var.vpc_id}"
}
setting {
namespace = "aws:ec2:vpc"
name = "Subnets"
value = "${var.private_subnet_one},${var.private_subnet_two}"
}
setting {
namespace = "aws:ec2:vpc"
name = "ELBSubnets"
value = "${var.subnet_one},${var.subnet_two}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "InstanceType"
value = "${var.instance_type}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "SSHSourceRestriction"
value = "tcp, 22, 22, ${var.vpc_cidr}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "EC2KeyName"
value = "${var.ssh_key}"
}
setting {
namespace = "aws:elasticbeanstalk:environment"
name = "ServiceRole"
value = "${aws_iam_instance_profile.beanstalk_service.name}"
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "IamInstanceProfile"
value = "${aws_iam_instance_profile.beanstalk_ec2.name}"
}
}
@tomfa

This comment has been minimized.

Copy link
Owner Author

commented Oct 16, 2016

Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform.

Article at

@slatemine

This comment has been minimized.

Copy link

commented Jun 14, 2017

to get this to work I had to change the assume permissions when creating the role

resource "aws_iam_role" "beanstalk_service" {
    name = "beanstalk-service"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}

resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2"
  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

I also ended up adding

resource "null_resource" "setup_roles"{
  depends_on = [
    "aws_iam_role.beanstalk_service",
    "aws_iam_instance_profile.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service",
    "aws_iam_policy_attachment.beanstalk_service_health",
    "aws_iam_role.beanstalk_ec2",
    "aws_iam_instance_profile.beanstalk_ec2",
    "aws_iam_policy_attachment.beanstalk_ec2_container",
    "aws_iam_policy_attachment.beanstalk_ec2_web",
    "aws_iam_policy_attachment.beanstalk_ec2_worker"
  ]
}

because if you are working with targets the dependency graph does not fully populate from the beanstalk env.

@mtoigo

This comment has been minimized.

Copy link

commented Jul 27, 2017

Thank you for taking the time to figure this out!

@mach-kernel

This comment has been minimized.

Copy link

commented May 21, 2018

@slatemine's null resource trick worked for me.

@sanhardik

This comment has been minimized.

Copy link

commented Feb 23, 2019

Thank you !!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.