2 bucket = "${var.application_name}-bucket"
4 "Name" = "${var.application_name}"
5 "Environment" = "${var.application_name}"
9 # Create elastic beanstalk VPC
# VPC that hosts the Elastic Beanstalk environment. An IPv4 CIDR (var.vpc_cidr_block)
# and an Amazon-provided IPv6 /56 are both attached, so the subnet below can hand
# out globally routable IPv6 addresses as well as public IPv4 ones.
10 resource "aws_vpc" "vpc" {
11 assign_generated_ipv6_cidr_block = true
12 cidr_block = var.vpc_cidr_block
# NOTE(review): DNS support/hostnames are variable-driven. The SSM agent and the
# CloudWatch log streaming configured further down need to resolve AWS endpoints
# from inside the VPC — confirm callers do not disable these.
13 enable_dns_hostnames = var.vpc_enable_dns_hostnames
14 enable_dns_support = var.vpc_enable_dns_support
15 instance_tenancy = var.vpc_instance_tenancy
19 # Create elastic beanstalk Subnets
# The only subnet in the module. It consumes the ENTIRE VPC CIDR (cidr_block is the
# VPC's own block), so there is no address space left for a private subnet, and it
# sits in a single availability zone.
# SECURITY(review): every instance launched here gets a public IPv4 address and an
# IPv6 address on creation, and the main route table (see aws_route.route) sends
# 0.0.0.0/0 to the internet gateway — instances are therefore directly reachable
# from the internet and only their security groups limit inbound traffic. If
# instances should only be reached through the load balancer, put them in a
# private subnet and set map_public_ip_on_launch = false.
20 resource "aws_subnet" "subnet" {
24 availability_zone = var.subnet_availability_zone
25 assign_ipv6_address_on_creation = true
26 cidr_block = aws_vpc.vpc.cidr_block
# First /64 carved out of the VPC's IPv6 /56.
27 ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
28 map_public_ip_on_launch = true
29 vpc_id = aws_vpc.vpc.id
# Internet gateway for the VPC; referenced by the default route below.
33 resource "aws_internet_gateway" "internet_gateway" {
37 vpc_id = aws_vpc.vpc.id
# Default IPv4 route to the internet gateway, installed on the VPC's MAIN route
# table. Any subnet not explicitly associated with another table (including the
# subnet above) is therefore public by default — a new subnet added later without
# its own route table silently becomes internet-facing too.
# NOTE(review): no ::/0 route is defined here, so the IPv6 addresses assigned to
# instances have no internet path unless a route is added elsewhere.
41 resource "aws_route" "route" {
44 aws_internet_gateway.internet_gateway
46 destination_cidr_block = "0.0.0.0/0"
47 gateway_id = aws_internet_gateway.internet_gateway.id
48 route_table_id = aws_vpc.vpc.main_route_table_id
51 # Create elastic beanstalk IAM mapping
# Trust policy for the Beanstalk service role: only the Elastic Beanstalk service
# principal may assume it.
# NOTE(review): no aws:SourceAccount / aws:SourceArn condition is visible in this
# excerpt; adding one to the sts:AssumeRole statement is the usual confused-deputy
# mitigation for service-principal trusts.
52 data "aws_iam_policy_document" "service" {
59 identifiers = ["elasticbeanstalk.amazonaws.com"]
# Service role assumed by Elastic Beanstalk itself (not by the instances); wired
# into the environment via the aws:elasticbeanstalk:environment ServiceRole setting.
65 resource "aws_iam_role" "service" {
66 assume_role_policy = data.aws_iam_policy_document.service.json
67 name = "${var.application_name}-eb-service"
# Lets the service role publish enhanced health data for the environment.
70 resource "aws_iam_role_policy_attachment" "enhanced_health" {
71 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
72 role = aws_iam_role.service.name
# Broad managed policy for the Beanstalk service role.
# NOTE(review): AWS documents AWSElasticBeanstalkService as deprecated in favour of
# AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy (plus EnhancedHealth above);
# verify against current AWS docs before keeping this attachment.
75 resource "aws_iam_role_policy_attachment" "service" {
76 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
77 role = aws_iam_role.service.name
# Trust policy for the INSTANCE role. Two principals are trusted: EC2 (instances
# assume it through the instance profile) and the Systems Manager service, which
# aws_ssm_activation.ec2 below needs in order to hand this role to activated
# managed instances. The SSM trust widens who can obtain these credentials beyond
# the Beanstalk EC2 fleet — drop it if the hybrid activation is not actually used.
80 data "aws_iam_policy_document" "ec2" {
87 identifiers = ["ec2.amazonaws.com"]
97 identifiers = ["ssm.amazonaws.com"]
# Role carried by every Beanstalk instance (via the instance profile below). Any
# process on an instance — including a compromised application — can use it, so
# everything attached to this role should be treated as reachable from the app.
103 resource "aws_iam_role" "ec2" {
104 assume_role_policy = data.aws_iam_policy_document.ec2.json
105 name = "${var.application_name}-eb-ec2"
# Instance profile that exposes aws_iam_role.ec2 to instances through IMDS; set on
# the environment via aws:autoscaling:launchconfiguration IamInstanceProfile.
108 resource "aws_iam_instance_profile" "ec2_iam_instance_profile" {
109 name = "${var.application_name}-iam-instance-profile"
110 role = aws_iam_role.ec2.name
# Instance-role permissions for the multi-container Docker platform (ECS access).
# NOTE(review): only needed if the solution stack is multi-container Docker.
113 resource "aws_iam_role_policy_attachment" "multicontainer_docker" {
114 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
115 role = aws_iam_role.ec2.name
# Standard instance-role permissions for a web-server tier (S3 bundle/log access,
# CloudWatch Logs, etc.).
118 resource "aws_iam_role_policy_attachment" "web_tier" {
119 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
120 role = aws_iam_role.ec2.name
# Standard instance-role permissions for a worker tier (SQS/DynamoDB access).
# NOTE(review): the environment tier is var.environment_tier; attaching both the
# web and worker policies grants whichever one the tier does not need.
123 resource "aws_iam_role_policy_attachment" "worker_tier" {
124 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
125 role = aws_iam_role.ec2.name
# SECURITY(review): AmazonSSMAutomationRole is a service-role policy intended for
# the Systems Manager Automation service, not for instances. Attaching it to the
# instance role hands every Beanstalk instance (and any code running on it) the
# automation service's permissions. AmazonSSMManagedInstanceCore below is what the
# agent itself needs; confirm this extra policy is really required.
128 resource "aws_iam_role_policy_attachment" "ssm_automation" {
129 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
130 role = aws_iam_role.ec2.name
# Minimum permissions for the SSM agent (Session Manager, Run Command, inventory).
# Session Manager access to these instances is then governed by who may call
# ssm:StartSession, not by SSH keys.
133 resource "aws_iam_role_policy_attachment" "ssm_ec2" {
134 policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
135 role = aws_iam_role.ec2.name
# Read-only ECR access so instances can pull container images. Note this managed
# policy is account-wide (all repositories), not scoped to this application.
138 resource "aws_iam_role_policy_attachment" "ecr_readonly" {
139 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
140 role = aws_iam_role.ec2.name
# Hybrid/managed-instance activation that lets up to 3 non-EC2 machines register
# with Systems Manager and receive aws_iam_role.ec2.
# SECURITY(review): the activation code and ID are bearer credentials for that
# role and are stored in Terraform state by this resource — protect the state
# backend accordingly and remove this resource if no hybrid nodes are expected.
143 resource "aws_ssm_activation" "ec2" {
146 aws_iam_role_policy_attachment.ssm_ec2
148 name = "${var.application_name}-ec2-activation"
149 iam_role = aws_iam_role.ec2.id
150 registration_limit = 3
# Inline policy document attached to the INSTANCE role (see aws_iam_role_policy.default,
# role = aws_iam_role.ec2). The statements mirror what the Elastic Beanstalk *service*
# needs to manage an environment (autoscaling groups, security groups, load balancers,
# CloudFormation stacks, CodeBuild), but here they are granted to every instance.
# SECURITY(review): anything running on an instance — the application, a dependency,
# or an attacker who reaches IMDS via SSRF — can therefore terminate instances, rewrite
# security-group rules, delete log groups and call any elasticbeanstalk API. These
# permissions belong on aws_iam_role.service, not on the instance role; the instance
# role should keep only the tier policies above.
153 data "aws_iam_policy_document" "default" {
# Read-only statement (actions elided in this excerpt apart from those listed).
156 "elasticloadbalancing:DescribeInstanceHealth",
157 "elasticloadbalancing:DescribeLoadBalancers",
158 "elasticloadbalancing:DescribeTargetHealth",
159 "ec2:DescribeInstances",
160 "ec2:DescribeInstanceStatus",
161 "ec2:GetConsoleOutput",
162 "ec2:AssociateAddress",
163 "ec2:DescribeAddresses",
164 "ec2:DescribeSecurityGroups",
165 "sqs:GetQueueAttributes",
167 "autoscaling:DescribeAutoScalingGroups",
168 "autoscaling:DescribeAutoScalingInstances",
169 "autoscaling:DescribeScalingActivities",
170 "autoscaling:DescribeNotificationConfigurations",
# Mutating statement; the resources clause is not visible here — if it is "*",
# every action below is account-wide rather than scoped to this environment.
177 sid = "AllowOperations"
179 "autoscaling:AttachInstances",
180 "autoscaling:CreateAutoScalingGroup",
181 "autoscaling:CreateLaunchConfiguration",
182 "autoscaling:DeleteLaunchConfiguration",
183 "autoscaling:DeleteAutoScalingGroup",
184 "autoscaling:DeleteScheduledAction",
185 "autoscaling:DescribeAccountLimits",
186 "autoscaling:DescribeAutoScalingGroups",
187 "autoscaling:DescribeAutoScalingInstances",
188 "autoscaling:DescribeLaunchConfigurations",
189 "autoscaling:DescribeLoadBalancers",
190 "autoscaling:DescribeNotificationConfigurations",
191 "autoscaling:DescribeScalingActivities",
192 "autoscaling:DescribeScheduledActions",
193 "autoscaling:DetachInstances",
194 "autoscaling:PutScheduledUpdateGroupAction",
195 "autoscaling:ResumeProcesses",
196 "autoscaling:SetDesiredCapacity",
197 "autoscaling:SetInstanceProtection",
198 "autoscaling:SuspendProcesses",
199 "autoscaling:TerminateInstanceInAutoScalingGroup",
200 "autoscaling:UpdateAutoScalingGroup",
201 "cloudwatch:PutMetricAlarm",
202 "ec2:AssociateAddress",
203 "ec2:AllocateAddress",
# An instance can open inbound/outbound rules on security groups, including its own.
204 "ec2:AuthorizeSecurityGroupEgress",
205 "ec2:AuthorizeSecurityGroupIngress",
206 "ec2:CreateSecurityGroup",
207 "ec2:DeleteSecurityGroup",
208 "ec2:DescribeAccountAttributes",
209 "ec2:DescribeAddresses",
210 "ec2:DescribeImages",
211 "ec2:DescribeInstances",
212 "ec2:DescribeKeyPairs",
213 "ec2:DescribeSecurityGroups",
214 "ec2:DescribeSnapshots",
215 "ec2:DescribeSubnets",
217 "ec2:DisassociateAddress",
218 "ec2:ReleaseAddress",
219 "ec2:RevokeSecurityGroupEgress",
220 "ec2:RevokeSecurityGroupIngress",
# Instances may terminate other instances.
221 "ec2:TerminateInstances",
224 "ecs:DescribeClusters",
225 "ecs:RegisterTaskDefinition",
# Full Elastic Beanstalk API (create/update/terminate any environment or application).
226 "elasticbeanstalk:*",
227 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
228 "elasticloadbalancing:ConfigureHealthCheck",
229 "elasticloadbalancing:CreateLoadBalancer",
230 "elasticloadbalancing:DeleteLoadBalancer",
231 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
232 "elasticloadbalancing:DescribeInstanceHealth",
233 "elasticloadbalancing:DescribeLoadBalancers",
234 "elasticloadbalancing:DescribeTargetHealth",
235 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
236 "elasticloadbalancing:DescribeTargetGroups",
237 "elasticloadbalancing:RegisterTargets",
238 "elasticloadbalancing:DeregisterTargets",
241 "logs:CreateLogGroup",
242 "logs:PutRetentionPolicy",
243 "rds:DescribeDBEngineVersions",
244 "rds:DescribeDBInstances",
245 "rds:DescribeOrderableDBInstanceOptions",
250 "sns:GetTopicAttributes",
251 "sns:ListSubscriptionsByTopic",
253 "sqs:GetQueueAttributes",
# Creating and starting CodeBuild projects from an instance is effectively arbitrary
# code execution under CodeBuild's service role.
255 "codebuild:CreateProject",
256 "codebuild:DeleteProject",
257 "codebuild:BatchGetBuilds",
258 "codebuild:StartBuild",
# S3 statement (actions/resources elided here).
265 sid = "AllowS3OperationsOnElasticBeanstalkBuckets"
# SECURITY(review): letting instances delete the environment's own log groups
# gives an intruder an easy way to destroy evidence; this is not something the
# application tier needs.
276 sid = "AllowDeleteCloudwatchLogGroups"
278 "logs:DeleteLogGroup"
281 "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
# CloudFormation access to the stacks that back Beanstalk environments (actions
# elided here). If these include Update/Delete, an instance can reshape or tear
# down the stack that created it.
287 sid = "AllowCloudformationOperationsOnElasticBeanstalkStacks"
292 "arn:aws:cloudformation:*:*:stack/awseb-*",
293 "arn:aws:cloudformation:*:*:stack/eb-*"
# Attaches the "default" policy document above to the EC2 INSTANCE role.
# SECURITY(review): the document carries service-level permissions (elasticbeanstalk:*,
# ec2:TerminateInstances, security-group changes, logs:DeleteLogGroup, CodeBuild).
# Pointing this at aws_iam_role.service.id instead would keep them off the instances.
299 resource "aws_iam_role_policy" "default" {
303 name = "${var.application_name}-eb-default"
304 policy = data.aws_iam_policy_document.default.json
305 role = aws_iam_role.ec2.id
308 # Create elastic beanstalk Application
# Bucket that holds the application source bundle (beanstalk/app.zip). Whoever can
# write to it controls the code the environment deploys.
# NOTE(review): no public-access block, versioning, server-side encryption or bucket
# policy is visible in this excerpt — confirm they are declared elsewhere
# (aws_s3_bucket_public_access_block / aws_s3_bucket_versioning / ..._encryption_configuration).
309 resource "aws_s3_bucket" "bucket" {
310 bucket = local.bucket
# Uploads the deployable bundle to a fixed key; the application version below points at it.
# Because the key is fixed, re-uploading a changed bundle overwrites the bundle the
# existing version label references.
314 resource "aws_s3_object" "object" {
315 bucket = aws_s3_bucket.bucket.id
316 key = "beanstalk/app.zip"
# Registers the uploaded bundle as the "<app>-base" application version.
321 resource "aws_elastic_beanstalk_application_version" "application_version" {
323 aws_elastic_beanstalk_application.application
325 name = "${var.application_name}-base"
# NOTE(review): uses the raw variable rather than
# aws_elastic_beanstalk_application.application.name, so ordering relies solely on
# the depends_on above; referencing the resource attribute would make the edge explicit.
326 application = var.application_name
327 description = var.application_description
328 bucket = aws_s3_bucket.bucket.id
329 key = aws_s3_object.object.id
# The Elastic Beanstalk application. Version lifecycle pruning is only configured
# when a service-role ARN for it is supplied.
333 resource "aws_elastic_beanstalk_application" "application" {
337 aws_ssm_activation.ec2
339 name = var.application_name
340 description = var.application_description
342 dynamic "appversion_lifecycle" {
# Emits the block exactly once when the ARN is non-empty, never otherwise.
343 for_each = var.appversion_lifecycle_service_role_arn != "" ? ["true"] : []
345 service_role = var.appversion_lifecycle_service_role_arn
346 max_count = var.appversion_lifecycle_max_count
# When true, pruning a version also deletes its bundle from S3 — irreversible
# unless the bucket is versioned.
347 delete_source_from_s3 = var.appversion_lifecycle_delete_source_from_s3
353 # Create elastic beanstalk Environment
# The Elastic Beanstalk environment. Settings are grouped by option namespace; the
# security-relevant ones are networking (public subnet / public IPs), the listener
# protocol, the instance profile, managed platform updates and log retention.
354 resource "aws_elastic_beanstalk_environment" "environment" {
358 aws_ssm_activation.ec2
360 application = aws_elastic_beanstalk_application.application.name
361 description = var.environment_description
362 name = var.environment_name
# Pins the platform version; with managed actions enabled below AWS can still move
# it forward within the chosen update level.
363 solution_stack_name = var.environment_solution_stack_name
364 tier = var.environment_tier
365 wait_for_ready_timeout = var.environment_wait_for_ready_timeout
366 version_label = var.environment_version_label
371 namespace = "aws:ec2:instances"
372 name = "InstanceTypes"
373 value = var.instances_instance_types
378 namespace = "aws:ec2:vpc"
380 value = aws_vpc.vpc.id
# Both the load balancer and the instances are placed in the same single public subnet.
384 namespace = "aws:ec2:vpc"
386 value = aws_subnet.subnet.id
390 namespace = "aws:ec2:vpc"
392 value = aws_subnet.subnet.id
# Load-balancer scheme only applies to LoadBalanced environments; var.elb_scheme
# decides whether the LB is internet-facing or internal.
396 namespace = "aws:ec2:vpc"
398 value = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
# SECURITY(review): together with map_public_ip_on_launch on the subnet, this
# decides whether instances are directly internet-reachable; "false" is the safer
# default when traffic should flow only through the load balancer.
402 namespace = "aws:ec2:vpc"
403 name = "AssociatePublicIpAddress"
404 value = var.associate_public_ip_address
# Health-check path polled by the load balancer (value elided in this excerpt).
408 namespace = "aws:elasticbeanstalk:application"
409 name = "Application Healthcheck URL"
413 # aws:elbv2:listener:default
# The default listener is the plain-HTTP (port 80) one. No aws:elbv2:listener:443
# block is visible in this excerpt — confirm an HTTPS listener is configured
# elsewhere, or disable this one once it is.
415 namespace = "aws:elbv2:listener:default"
416 name = "ListenerEnabled"
417 value = var.default_listener_enabled
420 # aws:elasticbeanstalk:environment
422 namespace = "aws:elasticbeanstalk:environment"
423 name = "LoadBalancerType"
424 value = var.environment_loadbalancer_type
# Service role (not the instance role) that Beanstalk assumes to manage the environment.
428 namespace = "aws:elasticbeanstalk:environment"
430 value = aws_iam_role.service.name
433 # aws:elasticbeanstalk:environment:process:default
435 namespace = "aws:elasticbeanstalk:environment:process:default"
436 name = "HealthCheckInterval"
437 value = var.environment_process_default_healthcheck_interval
441 namespace = "aws:elasticbeanstalk:environment:process:default"
442 name = "HealthyThresholdCount"
443 value = var.environment_process_default_healthy_threshold_count
447 namespace = "aws:elasticbeanstalk:environment:process:default"
449 value = var.environment_process_default_port
# Backend protocol: TCP for a network LB, otherwise plain HTTP between the load
# balancer and the instances (traffic inside the VPC is not TLS-protected).
453 namespace = "aws:elasticbeanstalk:environment:process:default"
455 value = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
459 namespace = "aws:elasticbeanstalk:environment:process:default"
460 name = "UnhealthyThresholdCount"
461 value = var.environment_process_default_unhealthy_threshold_count
464 # aws:autoscaling:launchconfiguration
# Instance profile → aws_iam_role.ec2; see the policy attachments above for what
# every instance can do with it.
466 namespace = "aws:autoscaling:launchconfiguration"
467 name = "IamInstanceProfile"
468 value = aws_iam_instance_profile.ec2_iam_instance_profile.name
471 # aws:elasticbeanstalk:healthreporting:system
473 namespace = "aws:elasticbeanstalk:healthreporting:system"
475 value = var.healthreporting_system_type
478 # aws:elasticbeanstalk:managedactions
# Managed platform updates: when enabled, AWS applies platform (OS/runtime) patches
# in the maintenance window below — the main mechanism for keeping instances patched.
480 namespace = "aws:elasticbeanstalk:managedactions"
481 name = "ManagedActionsEnabled"
482 value = var.managedactions_managed_actions_enabled ? "true" : "false"
486 namespace = "aws:elasticbeanstalk:managedactions"
487 name = "PreferredStartTime"
488 value = var.managedactions_preferred_start_time
491 # aws:elasticbeanstalk:managedactions:platformupdate
# "minor" picks up security patches, "patch" only patch releases; verify the chosen level.
493 namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
495 value = var.managedactions_platformupdate_update_level
499 namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
500 name = "InstanceRefreshEnabled"
501 value = var.managedactions_platformupdate_instance_refresh_enabled
504 # aws:autoscaling:asg
506 namespace = "aws:autoscaling:asg"
508 value = var.autoscaling_asg_minsize
511 namespace = "aws:autoscaling:asg"
513 value = var.autoscaling_asg_maxsize
516 # aws:autoscaling:trigger
518 namespace = "aws:autoscaling:trigger"
520 value = var.autoscaling_trigger_measure_name
524 namespace = "aws:autoscaling:trigger"
526 value = var.autoscaling_trigger_statistic
530 namespace = "aws:autoscaling:trigger"
532 value = var.autoscaling_trigger_unit
536 namespace = "aws:autoscaling:trigger"
537 name = "LowerThreshold"
538 value = var.autoscaling_trigger_lower_threshold
542 namespace = "aws:autoscaling:trigger"
543 name = "LowerBreachScaleIncrement"
544 value = var.autoscaling_trigger_lower_breach_scale_increment
548 namespace = "aws:autoscaling:trigger"
549 name = "UpperThreshold"
550 value = var.autoscaling_trigger_upper_threshold
554 namespace = "aws:autoscaling:trigger"
555 name = "UpperBreachScaleIncrement"
556 value = var.autoscaling_trigger_upper_breach_scale_increment
559 # aws:elasticbeanstalk:hostmanager
# Copies rotated instance logs to S3 when true.
561 namespace = "aws:elasticbeanstalk:hostmanager"
562 name = "LogPublicationControl"
563 value = var.hostmanager_log_publication_control ? "true" : "false"
566 # aws:elasticbeanstalk:cloudwatch:logs
# Streams instance logs to CloudWatch Logs; keep this on and DeleteOnTerminate off
# so logs survive an instance being terminated (or replaced by an attacker).
568 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
570 value = var.cloudwatch_logs_stream_logs ? "true" : "false"
574 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
575 name = "DeleteOnTerminate"
576 value = var.cloudwatch_logs_delete_on_terminate ? "true" : "false"
580 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
581 name = "RetentionInDays"
582 value = var.cloudwatch_logs_retention_in_days
585 # aws:elasticbeanstalk:cloudwatch:logs:health
587 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
588 name = "HealthStreamingEnabled"
589 value = var.cloudwatch_logs_health_health_streaming_enabled ? "true" : "false"
593 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
594 name = "DeleteOnTerminate"
595 value = var.cloudwatch_logs_health_delete_on_terminate ? "true" : "false"
599 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
600 name = "RetentionInDays"
601 value = var.cloudwatch_logs_health_retention_in_days
604 # aws:elasticbeanstalk:application:environment
# One setting per entry of var.environment_variables, exposed to the app as
# environment variables.
# SECURITY(review): Beanstalk environment properties are not a secret store — their
# values are readable by anyone who can describe the environment's configuration and
# they land in Terraform state. Keep credentials in Secrets Manager / SSM Parameter
# Store and resolve them at runtime instead of passing them here.
606 for_each = var.environment_variables
608 namespace = "aws:elasticbeanstalk:application:environment"
610 value = setting.value