Adding Beanstalk roles with Terraform
# Instance profile wrapping the Elastic Beanstalk *service* role.
# NOTE(review): an instance profile is only consumed by EC2 instances, whereas
# the service role is assumed by the Elastic Beanstalk service itself, so this
# profile is probably not needed — confirm nothing else references it.
# NOTE(review): a resource with this same type and name is declared again
# further down this page; Terraform rejects duplicate resource addresses in one
# configuration, so only one copy should be kept.
resource "aws_iam_instance_profile" "beanstalk_service" {
  name  = "beanstalk-service-user"
  roles = ["${aws_iam_role.beanstalk_service.name}"]
}
# Instance profile attached to the EC2 instances of the Beanstalk environment;
# it carries the beanstalk_ec2 role so the instances can obtain credentials.
# NOTE(review): a resource with this same type and name is declared again
# further down this page; Terraform rejects duplicate resource addresses in one
# configuration, so only one copy should be kept.
resource "aws_iam_instance_profile" "beanstalk_ec2" {
  name  = "beanstalk-ec2-user"
  roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
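# IAM role assumed by the Elastic Beanstalk service to manage the environment's
# resources on the account's behalf.
# Fix: the trust policy previously named "s3.amazonaws.com" as the principal.
# S3 is not the service that needs to assume this role, and with that trust
# Elastic Beanstalk itself could not assume it. The trust is now limited to
# elasticbeanstalk.amazonaws.com and additionally requires the sts:ExternalId
# "elasticbeanstalk", matching the other service-role declaration on this page.
# NOTE(review): this resource address is declared twice on this page; keep one.
resource "aws_iam_role" "beanstalk_service" {
  name = "beanstalk-service-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}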
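# IAM role assumed by the EC2 instances running in the Beanstalk environment
# (via the beanstalk_ec2 instance profile).
# Fixes: (1) the trust policy previously named "s3.amazonaws.com" as the
# principal, so EC2 instances could never obtain credentials for this role —
# it now trusts ec2.amazonaws.com, matching the other declaration of this role
# on this page; (2) the resource block was missing its closing brace after the
# heredoc, which is a parse error.
# NOTE(review): this resource address is declared twice on this page; keep one.
resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}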
# Instance profile wrapping the Elastic Beanstalk *service* role.
# NOTE(review): instance profiles are only consumed by EC2 instances; the
# service role is assumed by the Elastic Beanstalk service directly and the
# "ServiceRole" environment option expects a role name/ARN, not an instance
# profile. This resource is likely unnecessary — confirm before removing.
# NOTE(review): the same resource address also appears earlier on this page;
# Terraform accepts only one declaration per address.
resource "aws_iam_instance_profile" "beanstalk_service" {
  name  = "beanstalk-service-user"
  roles = ["${aws_iam_role.beanstalk_service.name}"]
}
# Instance profile handed to the environment's EC2 instances through the
# "IamInstanceProfile" option; it carries the beanstalk_ec2 role.
# NOTE(review): newer AWS provider versions deprecate the list-valued `roles`
# argument in favour of a single `role` — check the pinned provider version
# before changing it.
# NOTE(review): the same resource address also appears earlier on this page;
# Terraform accepts only one declaration per address.
resource "aws_iam_instance_profile" "beanstalk_ec2" {
  name  = "beanstalk-ec2-user"
  roles = ["${aws_iam_role.beanstalk_ec2.name}"]
}
# IAM role assumed by the Elastic Beanstalk service to manage the environment's
# resources. Trust is limited to the Elastic Beanstalk service principal and
# further conditioned on the sts:ExternalId "elasticbeanstalk", so the role can
# only be assumed on behalf of Elastic Beanstalk and not by another service
# principal that happens to share the same trust (confused-deputy protection).
# NOTE(review): the same resource address also appears earlier on this page;
# Terraform accepts only one declaration per address.
resource "aws_iam_role" "beanstalk_service" {
  name = "beanstalk-service-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticbeanstalk.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "elasticbeanstalk"
        }
      }
    }
  ]
}
EOF
}
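# IAM role assumed by the environment's EC2 instances (through the
# beanstalk_ec2 instance profile). Trust is limited to the EC2 service
# principal.
# Fix: the policy language version was "2008-10-17" while every other policy
# on this page uses "2012-10-17". The older version does not support policy
# variables and is not the one AWS recommends; the trust statement itself is
# unchanged.
# NOTE(review): the same resource address also appears earlier on this page;
# Terraform accepts only one declaration per address.
resource "aws_iam_role" "beanstalk_ec2" {
  name = "beanstalk-ec2-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}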
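# Attaches the Elastic Beanstalk service managed policy to the service role.
# Fix: aws_iam_policy_attachment creates an *exclusive* attachment — on every
# apply it detaches the policy from any other role, user or group in the
# account that is not listed here. aws_iam_role_policy_attachment attaches the
# policy to this one role only. The resource address changes with the type; an
# existing state must be moved (or the old attachment re-created) accordingly.
# NOTE(review): AWS has since marked AWSElasticBeanstalkService as deprecated;
# confirm the currently recommended service-role policy before reuse.
resource "aws_iam_role_policy_attachment" "beanstalk_service" {
  role       = "${aws_iam_role.beanstalk_service.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
}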
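# Grants the service role the enhanced-health reporting permissions.
# Fix: aws_iam_policy_attachment creates an *exclusive* attachment — on every
# apply it detaches the policy from any other role, user or group in the
# account that is not listed here. aws_iam_role_policy_attachment attaches the
# policy to this one role only. The resource address changes with the type; an
# existing state must be moved (or the old attachment re-created) accordingly.
resource "aws_iam_role_policy_attachment" "beanstalk_service_health" {
  role       = "${aws_iam_role.beanstalk_service.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
}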
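# Grants the instance role the worker-tier permissions (SQS/CloudWatch access
# used by worker environments).
# Fix: aws_iam_policy_attachment creates an *exclusive* attachment — on every
# apply it detaches the policy from any other role, user or group in the
# account that is not listed here. aws_iam_role_policy_attachment attaches the
# policy to this one role only. The resource address changes with the type; an
# existing state must be moved (or the old attachment re-created) accordingly.
# NOTE(review): this environment runs a REST API (web tier); if it never acts
# as a worker, this attachment widens the instance role beyond what it needs.
resource "aws_iam_role_policy_attachment" "beanstalk_ec2_worker" {
  role       = "${aws_iam_role.beanstalk_ec2.name}"
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
}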
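# Grants the instance role the web-tier permissions (log upload, health
# reporting) that Elastic Beanstalk instances require.
# Fix: aws_iam_policy_attachment creates an *exclusive* attachment — on every
# apply it detaches the policy from any other role, user or group in the
# account that is not listed here. aws_iam_role_policy_attachment attaches the
# policy to this one role only. The resource address changes with the type; an
# existing state must be moved (or the old attachment re-created) accordingly.
resource "aws_iam_role_policy_attachment" "beanstalk_ec2_web" {
  role       = "${aws_iam_role.beanstalk_ec2.name}"
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}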
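# Grants the instance role the multi-container Docker permissions.
# Fix: aws_iam_policy_attachment creates an *exclusive* attachment — on every
# apply it detaches the policy from any other role, user or group in the
# account that is not listed here. aws_iam_role_policy_attachment attaches the
# policy to this one role only. The resource address changes with the type; an
# existing state must be moved (or the old attachment re-created) accordingly.
# NOTE(review): the environment below uses a Java 8 solution stack, not a
# Docker one; if containers are never used, drop this attachment to keep the
# instance role to the permissions it actually needs.
resource "aws_iam_role_policy_attachment" "beanstalk_ec2_container" {
  role       = "${aws_iam_role.beanstalk_ec2.name}"
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}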
# Elastic Beanstalk application container for the REST API; one application
# per deployment tag (var.tag_postfix), environments are created under it.
resource "aws_elastic_beanstalk_application" "api" {
  description = "REST api for ${var.tag_postfix} environment"
  name        = "api-${var.tag_postfix}"
}
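# Elastic Beanstalk environment hosting the API application.
# Fix: the "ServiceRole" option was given the *instance profile* name
# ("beanstalk-service-user"). Elastic Beanstalk expects the IAM role name or
# ARN for this option, so environment creation could not succeed with that
# value; it now passes the service role's name. "IamInstanceProfile" keeps
# the instance profile, which is what EC2 instances consume.
resource "aws_elastic_beanstalk_environment" "api" {
  name        = "api-${var.tag_postfix}"
  application = "${aws_elastic_beanstalk_application.api.name}"

  # NOTE(review): this pins a 2016-era platform version. Elastic Beanstalk
  # retires old solution stacks over time, so confirm the stack is still
  # available and still receives security updates before reusing this.
  solution_stack_name    = "64bit Amazon Linux 2016.03 v2.1.6 running Java 8"
  wait_for_ready_timeout = "20m"

  # VPC placement. Judging by the variable names, instances presumably go in
  # the private subnets and the load balancer in the public ones — confirm
  # against the variable definitions.
  setting {
    namespace = "aws:ec2:vpc"
    name      = "VPCId"
    value     = "${var.vpc_id}"
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "Subnets"
    value     = "${var.private_subnet_one},${var.private_subnet_two}"
  }

  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBSubnets"
    value     = "${var.subnet_one},${var.subnet_two}"
  }

  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "InstanceType"
    value     = "${var.instance_type}"
  }

  # Limits inbound SSH on the instance security group to the VPC CIDR
  # (format: protocol, from-port, to-port, source) instead of exposing port 22
  # more widely.
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "SSHSourceRestriction"
    value     = "tcp, 22, 22, ${var.vpc_cidr}"
  }

  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "EC2KeyName"
    value     = "${var.ssh_key}"
  }

  # Role Elastic Beanstalk assumes to manage the environment (role name, not
  # the instance profile).
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "ServiceRole"
    value     = "${aws_iam_role.beanstalk_service.name}"
  }

  # Instance profile attached to the environment's EC2 instances.
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "IamInstanceProfile"
    value     = "${aws_iam_instance_profile.beanstalk_ec2.name}"
  }
}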
Thank you for taking the time to figure this out!
@slatemine's null resource trick worked for me.
Thank you!
To get this to work, I had to change the assume-role permissions when creating the role.
I also ended up adding
because, when you are applying with targets, the dependency graph does not fully populate from the Beanstalk environment.