Last active
March 15, 2022 07:51
-
-
Save tomfa/6fc429af5d598a85e723b3f56f681237 to your computer and use it in GitHub Desktop.
Adding Beanstalk roles with Terraform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aws_iam_instance_profile" "beanstalk_service" { | |
| name = "beanstalk-service-user" | |
| roles = ["${aws_iam_role.beanstalk_service.name}"] | |
| } | |
| resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-user" | |
| roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
| } | |
| resource "aws_iam_role" "beanstalk_service" { | |
| name = "beanstalk-service-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "s3.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": "sts:AssumeRole", | |
| "Principal": { | |
| "Service": "s3.amazonaws.com" | |
| }, | |
| "Effect": "Allow", | |
| "Sid": "" | |
| } | |
| ] | |
| } | |
| EOF | |
| resource "aws_iam_instance_profile" "beanstalk_service" { | |
| name = "beanstalk-service-user" | |
| roles = ["${aws_iam_role.beanstalk_service.name}"] | |
| } | |
| resource "aws_iam_instance_profile" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-user" | |
| roles = ["${aws_iam_role.beanstalk_ec2.name}"] | |
| } | |
| resource "aws_iam_role" "beanstalk_service" { | |
| name = "beanstalk-service-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "elasticbeanstalk.amazonaws.com" | |
| }, | |
| "Action": "sts:AssumeRole", | |
| "Condition": { | |
| "StringEquals": { | |
| "sts:ExternalId": "elasticbeanstalk" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_role" "beanstalk_ec2" { | |
| name = "beanstalk-ec2-role" | |
| assume_role_policy = <<EOF | |
| { | |
| "Version": "2008-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "ec2.amazonaws.com" | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| EOF | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_service" { | |
| name = "elastic-beanstalk-service" | |
| roles = ["${aws_iam_role.beanstalk_service.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_service_health" { | |
| name = "elastic-beanstalk-service-health" | |
| roles = ["${aws_iam_role.beanstalk_service.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_worker" { | |
| name = "elastic-beanstalk-ec2-worker" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_web" { | |
| name = "elastic-beanstalk-ec2-web" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier" | |
| } | |
| resource "aws_iam_policy_attachment" "beanstalk_ec2_container" { | |
| name = "elastic-beanstalk-ec2-container" | |
| roles = ["${aws_iam_role.beanstalk_ec2.id}"] | |
| policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker" | |
| } | |
| resource "aws_elastic_beanstalk_application" "api" { | |
| name = "api-${var.tag_postfix}" | |
| description = "REST api for ${var.tag_postfix} environment" | |
| } | |
| resource "aws_elastic_beanstalk_environment" "api" { | |
| name = "api-${var.tag_postfix}" | |
| application = "${aws_elastic_beanstalk_application.api.name}" | |
| solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8" | |
| wait_for_ready_timeout = "20m" | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "VPCId" | |
| value = "${var.vpc_id}" | |
| } | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "Subnets" | |
| value = "${var.private_subnet_one},${var.private_subnet_two}" | |
| } | |
| setting { | |
| namespace = "aws:ec2:vpc" | |
| name = "ELBSubnets" | |
| value = "${var.subnet_one},${var.subnet_two}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "InstanceType" | |
| value = "${var.instance_type}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "SSHSourceRestriction" | |
| value = "tcp, 22, 22, ${var.vpc_cidr}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "EC2KeyName" | |
| value = "${var.ssh_key}" | |
| } | |
| setting { | |
| namespace = "aws:elasticbeanstalk:environment" | |
| name = "ServiceRole" | |
| value = "${aws_iam_instance_profile.beanstalk_service.name}" | |
| } | |
| setting { | |
| namespace = "aws:autoscaling:launchconfiguration" | |
| name = "IamInstanceProfile" | |
| value = "${aws_iam_instance_profile.beanstalk_ec2.name}" | |
| } | |
| } |
to get this to work I had to change the assume permissions when creating the role
resource "aws_iam_role" "beanstalk_service" {
name = "beanstalk-service"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "elasticbeanstalk.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "elasticbeanstalk"
}
}
}
]
}
EOF
}
resource "aws_iam_role" "beanstalk_ec2" {
name = "beanstalk-ec2"
assume_role_policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
I also ended up adding
resource "null_resource" "setup_roles"{
depends_on = [
"aws_iam_role.beanstalk_service",
"aws_iam_instance_profile.beanstalk_service",
"aws_iam_policy_attachment.beanstalk_service",
"aws_iam_policy_attachment.beanstalk_service_health",
"aws_iam_role.beanstalk_ec2",
"aws_iam_instance_profile.beanstalk_ec2",
"aws_iam_policy_attachment.beanstalk_ec2_container",
"aws_iam_policy_attachment.beanstalk_ec2_web",
"aws_iam_policy_attachment.beanstalk_ec2_worker"
]
}
because if you are working with targets the dependency graph does not fully populate from the beanstalk env.
Thank you for taking the time to figure this out!
@slatemine's null resource trick worked for me.
Thank you !!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Necessary policies when creating a Beanstalk App through Terraform. This is autogenerated by cli, but needs to be specified if using Terraform.
Article at