fdio.infra.terraform/1n_aws_t3/main.tf

   1 locals {
   2   bucket = "${var.application_name}-bucket"
   3   tags = {
   4     "Name"        = "${var.application_name}"
   5     "Environment" = "${var.application_name}"
   6   }
   7 }
   8
   9 # Create elastic beanstalk VPC
  10 resource "aws_vpc" "vpc" {
  11   assign_generated_ipv6_cidr_block = true
  12   cidr_block                       = var.vpc_cidr_block
  13   enable_dns_hostnames             = var.vpc_enable_dns_hostnames
  14   enable_dns_support               = var.vpc_enable_dns_support
  15   instance_tenancy                 = var.vpc_instance_tenancy
  16   tags                             = local.tags
  17 }
  18
  19 # Create elastic beanstalk Subnets
  20 resource "aws_subnet" "subnet" {
  21   depends_on = [
  22     aws_vpc.vpc
  23   ]
  24   availability_zone               = var.subnet_availability_zone
  25   assign_ipv6_address_on_creation = true
  26   cidr_block                      = aws_vpc.vpc.cidr_block
  27   ipv6_cidr_block                 = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
  28   map_public_ip_on_launch         = true
  29   vpc_id                          = aws_vpc.vpc.id
  30   tags                            = local.tags
  31 }
  32
  33 resource "aws_internet_gateway" "internet_gateway" {
  34   depends_on = [
  35     aws_vpc.vpc
  36   ]
  37   vpc_id = aws_vpc.vpc.id
  38   tags   = local.tags
  39 }
  40
  41 resource "aws_route" "route" {
  42   depends_on = [
  43     aws_vpc.vpc,
  44     aws_internet_gateway.internet_gateway
  45   ]
  46   destination_cidr_block = "0.0.0.0/0"
  47   gateway_id             = aws_internet_gateway.internet_gateway.id
  48   route_table_id         = aws_vpc.vpc.main_route_table_id
  49 }
  50
  51 # Create elastic beanstalk IAM mapping
  52 data "aws_iam_policy_document" "service" {
  53   statement {
  54     actions = [
  55       "sts:AssumeRole"
  56     ]
  57     principals {
  58       type        = "Service"
  59       identifiers = ["elasticbeanstalk.amazonaws.com"]
  60     }
  61     effect = "Allow"
  62   }
  63 }
  64
  65 resource "aws_iam_role" "service" {
  66   assume_role_policy = data.aws_iam_policy_document.service.json
  67   name               = "${var.application_name}-eb-service"
  68 }
  69
  70 resource "aws_iam_role_policy_attachment" "enhanced_health" {
  71   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
  72   role       = aws_iam_role.service.name
  73 }
  74
  75 resource "aws_iam_role_policy_attachment" "service" {
  76   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
  77   role       = aws_iam_role.service.name
  78 }
  79
  80 data "aws_iam_policy_document" "ec2" {
  81   statement {
  82     actions = [
  83       "sts:AssumeRole"
  84     ]
  85     principals {
  86       type        = "Service"
  87       identifiers = ["ec2.amazonaws.com"]
  88     }
  89     effect = "Allow"
  90   }
  91   statement {
  92     actions = [
  93       "sts:AssumeRole",
  94     ]
  95     principals {
  96       type        = "Service"
  97       identifiers = ["ssm.amazonaws.com"]
  98     }
  99     effect = "Allow"
 100   }
 101 }
 102
 103 resource "aws_iam_role" "ec2" {
 104   assume_role_policy = data.aws_iam_policy_document.ec2.json
 105   name               = "${var.application_name}-eb-ec2"
 106 }
 107
 108 resource "aws_iam_instance_profile" "ec2_iam_instance_profile" {
 109   name = "${var.application_name}-iam-instance-profile"
 110   role = aws_iam_role.ec2.name
 111 }
 112
 113 resource "aws_iam_role_policy_attachment" "multicontainer_docker" {
 114   policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
 115   role       = aws_iam_role.ec2.name
 116 }
 117
 118 resource "aws_iam_role_policy_attachment" "web_tier" {
 119   policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
 120   role       = aws_iam_role.ec2.name
 121 }
 122
 123 resource "aws_iam_role_policy_attachment" "worker_tier" {
 124   policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
 125   role       = aws_iam_role.ec2.name
 126 }
 127
 128 resource "aws_iam_role_policy_attachment" "ssm_automation" {
 129   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
 130   role       = aws_iam_role.ec2.name
 131 }
 132
 133 resource "aws_iam_role_policy_attachment" "ssm_ec2" {
 134   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 135   role       = aws_iam_role.ec2.name
 136 }
 137
 138 resource "aws_iam_role_policy_attachment" "ecr_readonly" {
 139   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 140   role       = aws_iam_role.ec2.name
 141 }
 142
 143 resource "aws_ssm_activation" "ec2" {
 144   depends_on = [
 145     aws_iam_role.ec2,
 146     aws_iam_role_policy_attachment.ssm_ec2
 147   ]
 148   name               = "${var.application_name}-ec2-activation"
 149   iam_role           = aws_iam_role.ec2.id
 150   registration_limit = 3
 151 }
 152
 153 data "aws_iam_policy_document" "default" {
 154   statement {
 155     actions = [
 156       "elasticloadbalancing:DescribeInstanceHealth",
 157       "elasticloadbalancing:DescribeLoadBalancers",
 158       "elasticloadbalancing:DescribeTargetHealth",
 159       "ec2:DescribeInstances",
 160       "ec2:DescribeInstanceStatus",
 161       "ec2:GetConsoleOutput",
 162       "ec2:AssociateAddress",
 163       "ec2:DescribeAddresses",
 164       "ec2:DescribeSecurityGroups",
 165       "sqs:GetQueueAttributes",
 166       "sqs:GetQueueUrl",
 167       "autoscaling:DescribeAutoScalingGroups",
 168       "autoscaling:DescribeAutoScalingInstances",
 169       "autoscaling:DescribeScalingActivities",
 170       "autoscaling:DescribeNotificationConfigurations",
 171     ]
 172     resources = ["*"]
 173     effect    = "Allow"
 174   }
 175
 176   statement {
 177     sid = "AllowOperations"
 178     actions = [
 179       "autoscaling:AttachInstances",
 180       "autoscaling:CreateAutoScalingGroup",
 181       "autoscaling:CreateLaunchConfiguration",
 182       "autoscaling:DeleteLaunchConfiguration",
 183       "autoscaling:DeleteAutoScalingGroup",
 184       "autoscaling:DeleteScheduledAction",
 185       "autoscaling:DescribeAccountLimits",
 186       "autoscaling:DescribeAutoScalingGroups",
 187       "autoscaling:DescribeAutoScalingInstances",
 188       "autoscaling:DescribeLaunchConfigurations",
 189       "autoscaling:DescribeLoadBalancers",
 190       "autoscaling:DescribeNotificationConfigurations",
 191       "autoscaling:DescribeScalingActivities",
 192       "autoscaling:DescribeScheduledActions",
 193       "autoscaling:DetachInstances",
 194       "autoscaling:PutScheduledUpdateGroupAction",
 195       "autoscaling:ResumeProcesses",
 196       "autoscaling:SetDesiredCapacity",
 197       "autoscaling:SetInstanceProtection",
 198       "autoscaling:SuspendProcesses",
 199       "autoscaling:TerminateInstanceInAutoScalingGroup",
 200       "autoscaling:UpdateAutoScalingGroup",
 201       "cloudwatch:PutMetricAlarm",
 202       "ec2:AssociateAddress",
 203       "ec2:AllocateAddress",
 204       "ec2:AuthorizeSecurityGroupEgress",
 205       "ec2:AuthorizeSecurityGroupIngress",
 206       "ec2:CreateSecurityGroup",
 207       "ec2:DeleteSecurityGroup",
 208       "ec2:DescribeAccountAttributes",
 209       "ec2:DescribeAddresses",
 210       "ec2:DescribeImages",
 211       "ec2:DescribeInstances",
 212       "ec2:DescribeKeyPairs",
 213       "ec2:DescribeSecurityGroups",
 214       "ec2:DescribeSnapshots",
 215       "ec2:DescribeSubnets",
 216       "ec2:DescribeVpcs",
 217       "ec2:DisassociateAddress",
 218       "ec2:ReleaseAddress",
 219       "ec2:RevokeSecurityGroupEgress",
 220       "ec2:RevokeSecurityGroupIngress",
 221       "ec2:TerminateInstances",
 222       "ecs:CreateCluster",
 223       "ecs:DeleteCluster",
 224       "ecs:DescribeClusters",
 225       "ecs:RegisterTaskDefinition",
 226       "elasticbeanstalk:*",
 227       "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
 228       "elasticloadbalancing:ConfigureHealthCheck",
 229       "elasticloadbalancing:CreateLoadBalancer",
 230       "elasticloadbalancing:DeleteLoadBalancer",
 231       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 232       "elasticloadbalancing:DescribeInstanceHealth",
 233       "elasticloadbalancing:DescribeLoadBalancers",
 234       "elasticloadbalancing:DescribeTargetHealth",
 235       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
 236       "elasticloadbalancing:DescribeTargetGroups",
 237       "elasticloadbalancing:RegisterTargets",
 238       "elasticloadbalancing:DeregisterTargets",
 239       "iam:ListRoles",
 240       "iam:PassRole",
 241       "logs:CreateLogGroup",
 242       "logs:PutRetentionPolicy",
 243       "rds:DescribeDBEngineVersions",
 244       "rds:DescribeDBInstances",
 245       "rds:DescribeOrderableDBInstanceOptions",
 246       "s3:GetObject",
 247       "s3:GetObjectAcl",
 248       "s3:ListBucket",
 249       "sns:CreateTopic",
 250       "sns:GetTopicAttributes",
 251       "sns:ListSubscriptionsByTopic",
 252       "sns:Subscribe",
 253       "sqs:GetQueueAttributes",
 254       "sqs:GetQueueUrl",
 255       "codebuild:CreateProject",
 256       "codebuild:DeleteProject",
 257       "codebuild:BatchGetBuilds",
 258       "codebuild:StartBuild",
 259     ]
 260     resources = ["*"]
 261     effect    = "Allow"
 262   }
 263
 264   statement {
 265     sid = "AllowS3OperationsOnElasticBeanstalkBuckets"
 266     actions = [
 267       "s3:*"
 268     ]
 269     resources = [
 270       "arn:aws:s3:::*"
 271     ]
 272     effect = "Allow"
 273   }
 274
 275   statement {
 276     sid = "AllowDeleteCloudwatchLogGroups"
 277     actions = [
 278       "logs:DeleteLogGroup"
 279     ]
 280     resources = [
 281       "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
 282     ]
 283     effect = "Allow"
 284   }
 285
 286   statement {
 287     sid = "AllowCloudformationOperationsOnElasticBeanstalkStacks"
 288     actions = [
 289       "cloudformation:*"
 290     ]
 291     resources = [
 292       "arn:aws:cloudformation:*:*:stack/awseb-*",
 293       "arn:aws:cloudformation:*:*:stack/eb-*"
 294     ]
 295     effect = "Allow"
 296   }
 297 }
 298
 299 resource "aws_iam_role_policy" "default" {
 300   depends_on = [
 301     aws_iam_role.ec2
 302   ]
 303   name   = "${var.application_name}-eb-default"
 304   policy = data.aws_iam_policy_document.default.json
 305   role   = aws_iam_role.ec2.id
 306 }
 307
 308 # Create elastic beanstalk Application
 309 resource "aws_s3_bucket" "bucket" {
 310   bucket = local.bucket
 311   tags   = local.tags
 312 }
 313
 314 resource "aws_s3_object" "object" {
 315   bucket = aws_s3_bucket.bucket.id
 316   key    = "beanstalk/app.zip"
 317   source = "app.zip"
 318   tags   = local.tags
 319 }
 320
 321 resource "aws_elastic_beanstalk_application_version" "application_version" {
 322   depends_on = [
 323     aws_elastic_beanstalk_application.application
 324   ]
 325   name        = "${var.application_name}-base"
 326   application = var.application_name
 327   description = var.application_description
 328   bucket      = aws_s3_bucket.bucket.id
 329   key         = aws_s3_object.object.id
 330   tags        = local.tags
 331 }
 332
 333 resource "aws_elastic_beanstalk_application" "application" {
 334   depends_on = [
 335     aws_vpc.vpc,
 336     aws_subnet.subnet,
 337     aws_ssm_activation.ec2
 338   ]
 339   name        = var.application_name
 340   description = var.application_description
 341
 342   dynamic "appversion_lifecycle" {
 343     for_each = var.appversion_lifecycle_service_role_arn != "" ? ["true"] : []
 344     content {
 345       service_role          = var.appversion_lifecycle_service_role_arn
 346       max_count             = var.appversion_lifecycle_max_count
 347       delete_source_from_s3 = var.appversion_lifecycle_delete_source_from_s3
 348     }
 349   }
 350   tags = local.tags
 351 }
 352
 353 # Create elastic beanstalk Environment
 354 resource "aws_elastic_beanstalk_environment" "environment" {
 355   depends_on = [
 356     aws_vpc.vpc,
 357     aws_subnet.subnet,
 358     aws_ssm_activation.ec2
 359   ]
 360   application            = aws_elastic_beanstalk_application.application.name
 361   description            = var.environment_description
 362   name                   = var.environment_name
 363   solution_stack_name    = var.environment_solution_stack_name
 364   tier                   = var.environment_tier
 365   wait_for_ready_timeout = var.environment_wait_for_ready_timeout
 366   version_label          = var.environment_version_label
 367   tags                   = local.tags
 368
 369   # aws:ec2:instances
 370   setting {
 371     namespace = "aws:ec2:instances"
 372     name      = "InstanceTypes"
 373     value     = var.instances_instance_types
 374   }
 375
 376   # aws:ec2:vpc
 377   setting {
 378     namespace = "aws:ec2:vpc"
 379     name      = "VPCId"
 380     value     = aws_vpc.vpc.id
 381   }
 382
 383   setting {
 384     namespace = "aws:ec2:vpc"
 385     name      = "Subnets"
 386     value     = aws_subnet.subnet.id
 387   }
 388
 389   setting {
 390     namespace = "aws:ec2:vpc"
 391     name      = "ELBSubnets"
 392     value     = aws_subnet.subnet.id
 393   }
 394
 395   setting {
 396     namespace = "aws:ec2:vpc"
 397     name      = "ELBScheme"
 398     value     = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
 399   }
 400
 401   setting {
 402     namespace = "aws:ec2:vpc"
 403     name      = "AssociatePublicIpAddress"
 404     value     = var.associate_public_ip_address
 405   }
 406
 407   setting {
 408     namespace = "aws:elasticbeanstalk:application"
 409     name      = "Application Healthcheck URL"
 410     value     = "/"
 411   }
 412
 413   # aws:elbv2:listener:default
 414   setting {
 415     namespace = "aws:elbv2:listener:default"
 416     name      = "ListenerEnabled"
 417     value     = var.default_listener_enabled
 418   }
 419
 420   # aws:elasticbeanstalk:environment
 421   setting {
 422     namespace = "aws:elasticbeanstalk:environment"
 423     name      = "LoadBalancerType"
 424     value     = var.environment_loadbalancer_type
 425   }
 426
 427   setting {
 428     namespace = "aws:elasticbeanstalk:environment"
 429     name      = "ServiceRole"
 430     value     = aws_iam_role.service.name
 431   }
 432
 433   # aws:elasticbeanstalk:environment:process:default
 434   setting {
 435     namespace = "aws:elasticbeanstalk:environment:process:default"
 436     name      = "HealthCheckInterval"
 437     value     = var.environment_process_default_healthcheck_interval
 438   }
 439
 440   setting {
 441     namespace = "aws:elasticbeanstalk:environment:process:default"
 442     name      = "HealthyThresholdCount"
 443     value     = var.environment_process_default_healthy_threshold_count
 444   }
 445
 446   setting {
 447     namespace = "aws:elasticbeanstalk:environment:process:default"
 448     name      = "Port"
 449     value     = var.environment_process_default_port
 450   }
 451
 452   setting {
 453     namespace = "aws:elasticbeanstalk:environment:process:default"
 454     name      = "Protocol"
 455     value     = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
 456   }
 457
 458   setting {
 459     namespace = "aws:elasticbeanstalk:environment:process:default"
 460     name      = "UnhealthyThresholdCount"
 461     value     = var.environment_process_default_unhealthy_threshold_count
 462   }
 463
 464   # aws:autoscaling:launchconfiguration
 465   setting {
 466     namespace = "aws:autoscaling:launchconfiguration"
 467     name      = "IamInstanceProfile"
 468     value     = aws_iam_instance_profile.ec2_iam_instance_profile.name
 469   }
 470
 471   # aws:elasticbeanstalk:healthreporting:system
 472   setting {
 473     namespace = "aws:elasticbeanstalk:healthreporting:system"
 474     name      = "SystemType"
 475     value     = var.healthreporting_system_type
 476   }
 477
 478   # aws:elasticbeanstalk:managedactions
 479   setting {
 480     namespace = "aws:elasticbeanstalk:managedactions"
 481     name      = "ManagedActionsEnabled"
 482     value     = var.managedactions_managed_actions_enabled ? "true" : "false"
 483   }
 484
 485   setting {
 486     namespace = "aws:elasticbeanstalk:managedactions"
 487     name      = "PreferredStartTime"
 488     value     = var.managedactions_preferred_start_time
 489   }
 490
 491   # aws:elasticbeanstalk:managedactions:platformupdate
 492   setting {
 493     namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
 494     name      = "UpdateLevel"
 495     value     = var.managedactions_platformupdate_update_level
 496   }
 497
 498   setting {
 499     namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
 500     name      = "InstanceRefreshEnabled"
 501     value     = var.managedactions_platformupdate_instance_refresh_enabled
 502   }
 503
 504   # aws:autoscaling:asg
 505   setting {
 506     namespace = "aws:autoscaling:asg"
 507     name      = "MinSize"
 508     value     = var.autoscaling_asg_minsize
 509   }
 510   setting {
 511     namespace = "aws:autoscaling:asg"
 512     name      = "MaxSize"
 513     value     = var.autoscaling_asg_maxsize
 514   }
 515
 516   # aws:autoscaling:trigger
 517   setting {
 518     namespace = "aws:autoscaling:trigger"
 519     name      = "MeasureName"
 520     value     = var.autoscaling_trigger_measure_name
 521   }
 522
 523   setting {
 524     namespace = "aws:autoscaling:trigger"
 525     name      = "Statistic"
 526     value     = var.autoscaling_trigger_statistic
 527   }
 528
 529   setting {
 530     namespace = "aws:autoscaling:trigger"
 531     name      = "Unit"
 532     value     = var.autoscaling_trigger_unit
 533   }
 534
 535   setting {
 536     namespace = "aws:autoscaling:trigger"
 537     name      = "LowerThreshold"
 538     value     = var.autoscaling_trigger_lower_threshold
 539   }
 540
 541   setting {
 542     namespace = "aws:autoscaling:trigger"
 543     name      = "LowerBreachScaleIncrement"
 544     value     = var.autoscaling_trigger_lower_breach_scale_increment
 545   }
 546
 547   setting {
 548     namespace = "aws:autoscaling:trigger"
 549     name      = "UpperThreshold"
 550     value     = var.autoscaling_trigger_upper_threshold
 551   }
 552
 553   setting {
 554     namespace = "aws:autoscaling:trigger"
 555     name      = "UpperBreachScaleIncrement"
 556     value     = var.autoscaling_trigger_upper_breach_scale_increment
 557   }
 558
 559   # aws:elasticbeanstalk:hostmanager
 560   setting {
 561     namespace = "aws:elasticbeanstalk:hostmanager"
 562     name      = "LogPublicationControl"
 563     value     = var.hostmanager_log_publication_control ? "true" : "false"
 564   }
 565
 566   # aws:elasticbeanstalk:cloudwatch:logs
 567   setting {
 568     namespace = "aws:elasticbeanstalk:cloudwatch:logs"
 569     name      = "StreamLogs"
 570     value     = var.cloudwatch_logs_stream_logs ? "true" : "false"
 571   }
 572
 573   setting {
 574     namespace = "aws:elasticbeanstalk:cloudwatch:logs"
 575     name      = "DeleteOnTerminate"
 576     value     = var.cloudwatch_logs_delete_on_terminate ? "true" : "false"
 577   }
 578
 579   setting {
 580     namespace = "aws:elasticbeanstalk:cloudwatch:logs"
 581     name      = "RetentionInDays"
 582     value     = var.cloudwatch_logs_retention_in_days
 583   }
 584
 585   # aws:elasticbeanstalk:cloudwatch:logs:health
 586   setting {
 587     namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
 588     name      = "HealthStreamingEnabled"
 589     value     = var.cloudwatch_logs_health_health_streaming_enabled ? "true" : "false"
 590   }
 591
 592   setting {
 593     namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
 594     name      = "DeleteOnTerminate"
 595     value     = var.cloudwatch_logs_health_delete_on_terminate ? "true" : "false"
 596   }
 597
 598   setting {
 599     namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
 600     name      = "RetentionInDays"
 601     value     = var.cloudwatch_logs_health_retention_in_days
 602   }
 603
 604   # aws:elasticbeanstalk:application:environment
 605   dynamic "setting" {
 606     for_each = var.environment_variables
 607     content {
 608       namespace = "aws:elasticbeanstalk:application:environment"
 609       name      = setting.key
 610       value     = setting.value
 611     }
 612   }
 613 }