3 "Name" = "${var.application_name}"
4 "Environment" = "${var.application_name}"
7 # Settings for all loadbalancer types
# Settings shared by both load balancer types; settings_nlb / settings_alb (below) append
# this list only for the type selected in var.environment_loadbalancer_type.
8 generic_elb_settings = [
10 namespace = "aws:elasticbeanstalk:environment"
11 name = "LoadBalancerType"
12 value = var.environment_loadbalancer_type
# Load balancer subnets: both subnets created in this file, which are public (see
# aws_subnet.subnet_a / subnet_b and aws_route.route). The setting name is not visible
# in this excerpt — presumably the ELB subnet list; confirm against the full file.
18 namespace = "aws:ec2:vpc"
20 value = join(",", [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id])
23 namespace = "aws:elasticbeanstalk:environment:process:default"
25 value = var.environment_process_default_port
# Backend protocol follows the LB type: raw TCP for a network LB, HTTP otherwise
# (traffic from the LB to the instances is therefore unencrypted in both cases).
28 namespace = "aws:elasticbeanstalk:environment:process:default"
30 value = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
# Internal vs internet-facing scheme is only meaningful for LoadBalanced environments;
# any other environment type passes an empty value.
33 namespace = "aws:ec2:vpc"
35 value = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
# Health check tuning for the default process; units/ranges are whatever the variables declare.
38 namespace = "aws:elasticbeanstalk:environment:process:default"
39 name = "HealthCheckInterval"
40 value = var.environment_process_default_healthcheck_interval
43 namespace = "aws:elasticbeanstalk:environment:process:default"
44 name = "HealthyThresholdCount"
45 value = var.environment_process_default_healthy_threshold_count
48 namespace = "aws:elasticbeanstalk:environment:process:default"
49 name = "UnhealthyThresholdCount"
50 value = var.environment_process_default_unhealthy_threshold_count
# Settings that only apply to an application load balancer. A network LB never receives
# this list (see settings_nlb), so SecurityGroups, ManagedSecurityGroup and the 443
# listener below are ALB-only.
54 generic_alb_settings = [
# Security groups attached to the ALB; sorted so the joined value is stable across plans.
56 namespace = "aws:elbv2:loadbalancer"
57 name = "SecurityGroups"
58 value = join(",", sort(var.environment_loadbalancer_security_groups))
# The default (plain HTTP) listener stays enabled whenever no certificate id is supplied,
# whatever var.default_listener_enabled says: `==` binds tighter than `||`, so this reads
# (default_listener_enabled || cert_id == "") ? "true" : "false". It cannot be turned off
# without providing a certificate, which is the intended "no HTTPS, keep HTTP" fallback.
64 namespace = "aws:elbv2:listener:default"
65 name = "ListenerEnabled"
66 value = var.default_listener_enabled || var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"
69 namespace = "aws:elbv2:loadbalancer"
70 name = "ManagedSecurityGroup"
71 value = var.environment_loadbalancer_managed_security_group
# The HTTPS listener on 443 is enabled only when a certificate id is provided.
74 namespace = "aws:elbv2:listener:443"
75 name = "ListenerEnabled"
76 value = var.environment_loadbalancer_ssl_certificate_id == "" ? "false" : "true"
79 namespace = "aws:elbv2:listener:443"
# Certificate for the 443 listener; an empty id here simply leaves that listener disabled.
84 namespace = "aws:elbv2:listener:443"
85 name = "SSLCertificateArns"
86 value = var.environment_loadbalancer_ssl_certificate_id
# Health check path; the same variable feeds "Application Healthcheck URL" in the environment.
89 namespace = "aws:elasticbeanstalk:environment:process:default"
90 name = "HealthCheckPath"
91 value = var.application_healthcheck_url
# HTTP status codes treated as healthy; sorted for a stable value.
94 namespace = "aws:elasticbeanstalk:environment:process:default"
95 name = "MatcherHTTPCode"
96 value = join(",", sort(var.default_matcher_http_code))
99 namespace = "aws:elasticbeanstalk:environment:process:default"
100 name = "HealthCheckTimeout"
101 value = var.default_health_check_timeout
107 namespace = "aws:elbv2:listener:default"
108 name = "ListenerEnabled"
109 value = var.default_listener_enabled
# Only the list for the selected load balancer type is non-empty. Note that an NLB never
# gets generic_alb_settings, i.e. no SecurityGroups setting and no 443 listener.
113 settings_nlb = var.environment_loadbalancer_type == "network" ? concat(local.nlb_settings, local.generic_elb_settings, local.elb_settings) : []
114 settings_alb = var.environment_loadbalancer_type == "application" ? concat(local.generic_alb_settings, local.alb_settings, local.generic_elb_settings, local.elb_settings) : []
# Full set of LoadBalancer settings. Only a WebServer-tier environment gets a load
# balancer; any other tier (e.g. Worker) gets an empty list.
117 elb = var.environment_tier == "WebServer" ? concat(local.settings_nlb, local.settings_alb) : []
120 # Create elastic beanstalk VPC
121 resource "aws_vpc" "vpc" {
# An IPv6 block is always requested; the two subnets below carve /64s out of it with
# cidrsubnet(..., 8, n). Whether IPv6 traffic can actually reach the internet depends on
# a ::/0 route, which is not visible in this file (aws_route.route only covers 0.0.0.0/0).
122 assign_generated_ipv6_cidr_block = true
123 cidr_block = var.vpc_cidr_block
124 enable_dns_hostnames = var.vpc_enable_dns_hostnames
125 enable_dns_support = var.vpc_enable_dns_support
126 instance_tenancy = var.vpc_instance_tenancy
130 # Create elastic beanstalk Subnets
131 resource "aws_subnet" "subnet_a" {
135 availability_zone = var.subnet_a_availability_zone
# Public subnet: every instance launched here gets a public IPv4 address and an IPv6
# address at launch, and the VPC main route table (aws_route.route) sends 0.0.0.0/0 to
# the internet gateway. Instance security groups are therefore the only network-level
# boundary. If instances should be reachable only through the load balancer, this would
# need a private subnet for the instances (and AssociatePublicIpAddress = "false" in the
# environment settings) — a design choice, not something this file enforces.
136 assign_ipv6_address_on_creation = true
137 cidr_block = var.subnet_a_cidr_block
# /64 number 1 of the VPC's IPv6 block (subnet_b takes number 2).
138 ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
139 map_public_ip_on_launch = true
140 vpc_id = aws_vpc.vpc.id
144 resource "aws_subnet" "subnet_b" {
148 availability_zone = var.subnet_b_availability_zone
# Second public subnet, configured exactly like subnet_a (public IPv4 + IPv6 on launch,
# default route to the internet gateway via the VPC main route table); see the note on
# subnet_a about instance exposure.
149 assign_ipv6_address_on_creation = true
150 cidr_block = var.subnet_b_cidr_block
# /64 number 2 of the VPC's IPv6 block (subnet_a takes number 1).
151 ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 2)
152 map_public_ip_on_launch = true
153 vpc_id = aws_vpc.vpc.id
# Internet gateway for the VPC; aws_route.route below makes it the IPv4 default route.
157 resource "aws_internet_gateway" "internet_gateway" {
161 vpc_id = aws_vpc.vpc.id
165 resource "aws_route" "route" {
168 aws_internet_gateway.internet_gateway
# IPv4 default route to the internet gateway, installed on the VPC *main* route table.
# In AWS the main table applies to every subnet not explicitly associated with another
# table, so both subnets in this file (and any later subnet without its own table)
# become public. Only 0.0.0.0/0 is routed here; no ::/0 route is visible in this file,
# so the IPv6 addresses assigned on launch are not routable through this gateway.
170 destination_cidr_block = "0.0.0.0/0"
171 gateway_id = aws_internet_gateway.internet_gateway.id
172 route_table_id = aws_vpc.vpc.main_route_table_id
175 # Create elastic beanstalk IAM mapping
# Trust policy for the Elastic Beanstalk service role: only the Elastic Beanstalk service
# principal may assume it. No aws:SourceAccount / aws:SourceArn condition is visible in
# this excerpt; adding one is the usual confused-deputy hardening for service trust
# policies — confirm against the full statement before changing it.
176 data "aws_iam_policy_document" "service" {
183 identifiers = ["elasticbeanstalk.amazonaws.com"]
# Service role assumed by Elastic Beanstalk itself (passed as ServiceRole in the
# environment settings); not the role the EC2 instances run under — that is aws_iam_role.ec2.
189 resource "aws_iam_role" "service" {
190 assume_role_policy = data.aws_iam_policy_document.service.json
191 name = "${var.application_name}-eb-service"
# AWS managed policy for enhanced health reporting, attached to the service role.
194 resource "aws_iam_role_policy_attachment" "enhanced_health" {
195 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
196 role = aws_iam_role.service.name
# Broad AWS managed policy for the Elastic Beanstalk service role.
# NOTE(review): AWS has, to my knowledge, marked AWSElasticBeanstalkService as deprecated in
# favour of AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy — verify in the current IAM
# console before relying on it for new environments.
199 resource "aws_iam_role_policy_attachment" "service" {
200 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
201 role = aws_iam_role.service.name
# Trust policy for the instance role. It trusts two service principals: EC2 (for the
# instance profile) and SSM (required because aws_ssm_activation.ec2 below hands this
# same role to SSM-managed instances). The statements between these two lines are not
# shown in this excerpt.
204 data "aws_iam_policy_document" "ec2" {
211 identifiers = ["ec2.amazonaws.com"]
221 identifiers = ["ssm.amazonaws.com"]
# Role the Elastic Beanstalk EC2 instances run under. Everything attached to it below
# (managed policies and aws_iam_role_policy.default) is reachable from code running on
# the instances, so this is the role to keep tightest.
227 resource "aws_iam_role" "ec2" {
228 assume_role_policy = data.aws_iam_policy_document.ec2.json
229 name = "${var.application_name}-eb-ec2"
# Instance profile wrapping the instance role; referenced by the IamInstanceProfile
# setting in the environment resource.
232 resource "aws_iam_instance_profile" "ec2_iam_instance_profile" {
233 name = "${var.application_name}-iam-instance-profile"
234 role = aws_iam_role.ec2.name
# Instance-role managed policy for the multi-container Docker platform (ECS access).
# Attached unconditionally; if the solution stack is not Docker-based it is unused.
237 resource "aws_iam_role_policy_attachment" "multicontainer_docker" {
238 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
239 role = aws_iam_role.ec2.name
# WebTier managed policy for the instance role. Both the WebTier and WorkerTier policies
# are attached regardless of var.environment_tier; gating each on the tier (e.g. a
# `count` conditional) would keep the instance role to what the tier actually needs.
242 resource "aws_iam_role_policy_attachment" "web_tier" {
243 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
244 role = aws_iam_role.ec2.name
# WorkerTier managed policy (SQS/CloudWatch access for worker environments), attached to
# the instance role even when var.environment_tier is "WebServer"; see web_tier above.
247 resource "aws_iam_role_policy_attachment" "worker_tier" {
248 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
249 role = aws_iam_role.ec2.name
# AmazonSSMAutomationRole is intended for the SSM Automation service rather than for
# managed instances and is considerably broader than AmazonSSMManagedInstanceCore below.
# NOTE(review): confirm the instances actually run automations; otherwise this attachment
# widens what a compromised instance can do.
252 resource "aws_iam_role_policy_attachment" "ssm_automation" {
253 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
254 role = aws_iam_role.ec2.name
# Baseline SSM agent permissions for the instance role; aws_ssm_activation.ec2 below
# depends on this attachment existing first.
257 resource "aws_iam_role_policy_attachment" "ssm_ec2" {
258 policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
259 role = aws_iam_role.ec2.name
# Read-only ECR access so instances can pull images; read-only is the right scope here.
262 resource "aws_iam_role_policy_attachment" "ecr_readonly" {
263 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
264 role = aws_iam_role.ec2.name
# SSM hybrid activation bound to the instance role. The activation code this resource
# returns is a credential that lets a machine register as a managed instance under
# aws_iam_role.ec2; it is stored in Terraform state, so the state backend must be treated
# as sensitive. registration_limit caps how many machines can register with it.
267 resource "aws_ssm_activation" "ec2" {
270 aws_iam_role_policy_attachment.ssm_ec2
272 name = "${var.application_name}-ec2-activation"
273 iam_role = aws_iam_role.ec2.id
274 registration_limit = 3
# Inline policy for the *instance* role (attached by aws_iam_role_policy.default to
# aws_iam_role.ec2). Everything granted here is available to code running on the
# instances, so each statement below should be read with that in mind. Statement sids
# and resource lists that are not shown in this excerpt are not described.
277 data "aws_iam_policy_document" "default" {
# Read-only describe/get actions (sid not visible here).
280 "elasticloadbalancing:DescribeInstanceHealth",
281 "elasticloadbalancing:DescribeLoadBalancers",
282 "elasticloadbalancing:DescribeTargetHealth",
283 "ec2:DescribeInstances",
284 "ec2:DescribeInstanceStatus",
285 "ec2:GetConsoleOutput",
286 "ec2:AssociateAddress",
287 "ec2:DescribeAddresses",
288 "ec2:DescribeSecurityGroups",
289 "sqs:GetQueueAttributes",
291 "autoscaling:DescribeAutoScalingGroups",
292 "autoscaling:DescribeAutoScalingInstances",
293 "autoscaling:DescribeScalingActivities",
294 "autoscaling:DescribeNotificationConfigurations",
# This statement grants mutating control-plane actions to the instance role:
# creating/deleting auto scaling groups and launch configurations, terminating
# instances, creating security groups and changing their ingress/egress rules,
# allocating addresses, and a full "elasticbeanstalk:*" wildcard. A compromised
# instance therefore holds these permissions. The resources element for this statement
# is not visible in this excerpt; if it is "*", restricting it (by ARN or by condition
# keys on the environment's own resources) is the main least-privilege improvement here.
301 sid = "AllowOperations"
303 "autoscaling:AttachInstances",
304 "autoscaling:CreateAutoScalingGroup",
305 "autoscaling:CreateLaunchConfiguration",
306 "autoscaling:DeleteLaunchConfiguration",
307 "autoscaling:DeleteAutoScalingGroup",
308 "autoscaling:DeleteScheduledAction",
309 "autoscaling:DescribeAccountLimits",
310 "autoscaling:DescribeAutoScalingGroups",
311 "autoscaling:DescribeAutoScalingInstances",
312 "autoscaling:DescribeLaunchConfigurations",
313 "autoscaling:DescribeLoadBalancers",
314 "autoscaling:DescribeNotificationConfigurations",
315 "autoscaling:DescribeScalingActivities",
316 "autoscaling:DescribeScheduledActions",
317 "autoscaling:DetachInstances",
318 "autoscaling:PutScheduledUpdateGroupAction",
319 "autoscaling:ResumeProcesses",
320 "autoscaling:SetDesiredCapacity",
321 "autoscaling:SetInstanceProtection",
322 "autoscaling:SuspendProcesses",
323 "autoscaling:TerminateInstanceInAutoScalingGroup",
324 "autoscaling:UpdateAutoScalingGroup",
325 "cloudwatch:PutMetricAlarm",
326 "ec2:AssociateAddress",
327 "ec2:AllocateAddress",
# Security-group mutation from the instance role: an attacker on the box could open
# inbound rules on its own group.
328 "ec2:AuthorizeSecurityGroupEgress",
329 "ec2:AuthorizeSecurityGroupIngress",
330 "ec2:CreateSecurityGroup",
331 "ec2:DeleteSecurityGroup",
332 "ec2:DescribeAccountAttributes",
333 "ec2:DescribeAddresses",
334 "ec2:DescribeImages",
335 "ec2:DescribeInstances",
336 "ec2:DescribeKeyPairs",
337 "ec2:DescribeSecurityGroups",
338 "ec2:DescribeSnapshots",
339 "ec2:DescribeSubnets",
341 "ec2:DisassociateAddress",
342 "ec2:ReleaseAddress",
343 "ec2:RevokeSecurityGroupEgress",
344 "ec2:RevokeSecurityGroupIngress",
345 "ec2:TerminateInstances",
348 "ecs:DescribeClusters",
349 "ecs:RegisterTaskDefinition",
# Full wildcard over the Elastic Beanstalk API, including other applications in the account.
350 "elasticbeanstalk:*",
351 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
352 "elasticloadbalancing:ConfigureHealthCheck",
353 "elasticloadbalancing:CreateLoadBalancer",
354 "elasticloadbalancing:DeleteLoadBalancer",
355 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
356 "elasticloadbalancing:DescribeInstanceHealth",
357 "elasticloadbalancing:DescribeLoadBalancers",
358 "elasticloadbalancing:DescribeTargetHealth",
359 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
360 "elasticloadbalancing:DescribeTargetGroups",
361 "elasticloadbalancing:RegisterTargets",
362 "elasticloadbalancing:DeregisterTargets",
365 "logs:CreateLogGroup",
366 "logs:PutRetentionPolicy",
367 "rds:DescribeDBEngineVersions",
368 "rds:DescribeDBInstances",
369 "rds:DescribeOrderableDBInstanceOptions",
374 "sns:GetTopicAttributes",
375 "sns:ListSubscriptionsByTopic",
377 "sqs:GetQueueAttributes",
# CodeBuild project creation/start from the instance role is unusual for a runtime
# role; worth confirming the instances need it.
379 "codebuild:CreateProject",
380 "codebuild:DeleteProject",
381 "codebuild:BatchGetBuilds",
382 "codebuild:StartBuild",
# S3 access to the Elastic Beanstalk buckets (actions/resources not shown here).
389 sid = "AllowS3OperationsOnElasticBeanstalkBuckets"
# Log-group deletion is resource-scoped to the Elastic Beanstalk log groups — a good
# model for the wider AllowOperations statement above.
400 sid = "AllowDeleteCloudwatchLogGroups"
402 "logs:DeleteLogGroup"
405 "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
# CloudFormation actions are limited to the stacks Elastic Beanstalk creates
# (awseb-* and eb-* prefixes), again resource-scoped.
411 sid = "AllowCloudformationOperationsOnElasticBeanstalkStacks"
416 "arn:aws:cloudformation:*:*:stack/awseb-*",
417 "arn:aws:cloudformation:*:*:stack/eb-*"
# Attaches the inline policy above to the EC2 *instance* role (not the service role);
# see the notes on data.aws_iam_policy_document.default for what that exposes.
423 resource "aws_iam_role_policy" "default" {
427 name = "${var.application_name}-eb-default"
428 policy = data.aws_iam_policy_document.default.json
429 role = aws_iam_role.ec2.id
432 # Create elastic beanstalk Environment
433 resource "aws_elastic_beanstalk_environment" "environment" {
438 aws_ssm_activation.ec2
440 application = var.environment_application
441 description = var.environment_description
442 name = var.environment_name
443 solution_stack_name = var.environment_solution_stack_name
444 tier = var.environment_tier
445 wait_for_ready_timeout = var.environment_wait_for_ready_timeout
446 version_label = var.environment_version_label
451 namespace = "aws:ec2:instances"
452 name = "InstanceTypes"
453 value = var.instances_instance_types
458 namespace = "aws:ec2:vpc"
460 value = aws_vpc.vpc.id
464 namespace = "aws:ec2:vpc"
466 value = join(",", [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id])
470 namespace = "aws:ec2:vpc"
471 name = "AssociatePublicIpAddress"
472 value = var.associate_public_ip_address
476 namespace = "aws:elasticbeanstalk:environment"
478 value = aws_iam_role.service.name
481 # aws:autoscaling:launchconfiguration
483 namespace = "aws:autoscaling:launchconfiguration"
484 name = "IamInstanceProfile"
485 value = aws_iam_instance_profile.ec2_iam_instance_profile.name
489 namespace = "aws:autoscaling:launchconfiguration"
490 name = "DisableIMDSv1"
497 namespace = setting.value["namespace"]
498 name = setting.value["name"]
499 value = setting.value["value"]
503 # aws:autoscaling:updatepolicy:rollingupdate
505 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
506 name = "RollingUpdateEnabled"
507 value = var.autoscaling_updatepolicy_rolling_update_enabled
511 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
512 name = "RollingUpdateType"
513 value = var.autoscaling_updatepolicy_rolling_update_type
517 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
518 name = "MinInstancesInService"
519 value = var.autoscaling_updatepolicy_min_instance_in_service
523 namespace = "aws:elasticbeanstalk:application"
524 name = "Application Healthcheck URL"
525 value = var.application_healthcheck_url
528 # aws:elasticbeanstalk:command
530 namespace = "aws:elasticbeanstalk:command"
531 name = "DeploymentPolicy"
532 value = var.command_deployment_policy
535 # aws:autoscaling:updatepolicy:rollingupdate
537 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
538 name = "MaxBatchSize"
539 value = var.updatepolicy_max_batch_size
542 # aws:elasticbeanstalk:healthreporting:system
544 namespace = "aws:elasticbeanstalk:healthreporting:system"
546 value = var.healthreporting_system_type
549 # aws:elasticbeanstalk:managedactions
551 namespace = "aws:elasticbeanstalk:managedactions"
552 name = "ManagedActionsEnabled"
553 value = var.managedactions_managed_actions_enabled ? "true" : "false"
557 namespace = "aws:elasticbeanstalk:managedactions"
558 name = "PreferredStartTime"
559 value = var.managedactions_preferred_start_time
562 # aws:elasticbeanstalk:managedactions:platformupdate
564 namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
566 value = var.managedactions_platformupdate_update_level
570 namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
571 name = "InstanceRefreshEnabled"
572 value = var.managedactions_platformupdate_instance_refresh_enabled
576 namespace = "aws:elasticbeanstalk:command"
577 name = "IgnoreHealthCheck"
578 value = var.command_ignore_health_check
581 # aws:autoscaling:asg
583 namespace = "aws:autoscaling:asg"
585 value = var.autoscaling_asg_minsize
588 namespace = "aws:autoscaling:asg"
590 value = var.autoscaling_asg_maxsize
593 # aws:autoscaling:trigger
595 namespace = "aws:autoscaling:trigger"
597 value = var.autoscaling_trigger_measure_name
601 namespace = "aws:autoscaling:trigger"
603 value = var.autoscaling_trigger_statistic
607 namespace = "aws:autoscaling:trigger"
609 value = var.autoscaling_trigger_unit
613 namespace = "aws:autoscaling:trigger"
614 name = "LowerThreshold"
615 value = var.autoscaling_trigger_lower_threshold
619 namespace = "aws:autoscaling:trigger"
620 name = "LowerBreachScaleIncrement"
621 value = var.autoscaling_trigger_lower_breach_scale_increment
625 namespace = "aws:autoscaling:trigger"
626 name = "UpperThreshold"
627 value = var.autoscaling_trigger_upper_threshold
631 namespace = "aws:autoscaling:trigger"
632 name = "UpperBreachScaleIncrement"
633 value = var.autoscaling_trigger_upper_breach_scale_increment
636 # aws:elasticbeanstalk:hostmanager
638 namespace = "aws:elasticbeanstalk:hostmanager"
639 name = "LogPublicationControl"
640 value = var.hostmanager_log_publication_control ? "true" : "false"
643 # aws:elasticbeanstalk:cloudwatch:logs
645 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
647 value = var.cloudwatch_logs_stream_logs ? "true" : "false"
651 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
652 name = "DeleteOnTerminate"
653 value = var.cloudwatch_logs_delete_on_terminate ? "true" : "false"
657 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
658 name = "RetentionInDays"
659 value = var.cloudwatch_logs_retention_in_days
662 # aws:elasticbeanstalk:cloudwatch:logs:health
664 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
665 name = "HealthStreamingEnabled"
666 value = var.cloudwatch_logs_health_health_streaming_enabled ? "true" : "false"
670 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
671 name = "DeleteOnTerminate"
672 value = var.cloudwatch_logs_health_delete_on_terminate ? "true" : "false"
676 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
677 name = "RetentionInDays"
678 value = var.cloudwatch_logs_health_retention_in_days
681 # aws:elasticbeanstalk:application:environment
683 for_each = var.environment_variables
685 namespace = "aws:elasticbeanstalk:application:environment"
687 value = setting.value