3 "Environment" = "${var.application_name}"
6 # Settings for all loadbalancer types
# Option list merged into every load-balanced WebServer environment. Its only
# member selects the load balancer type (classic / application / network).
# Note: only "network" and "classic" have a type-specific list further down
# (elb_settings_nlb / elb_setting_classic); for any other value, including
# "application", local.elb_settings ends up empty, so this generic option is
# not applied either — TODO confirm that is intended.
7 generic_elb_settings = [
9 namespace = "aws:elasticbeanstalk:environment"
10 name = "LoadBalancerType"
11 value = var.environment_loadbalancer_type
# Classic load balancer (aws:elb:*) options. Several name/value lines of the
# original are not reproduced in this listing, so the notes below describe
# only what is visible.
15 classic_elb_settings = [
17 namespace = "aws:elb:loadbalancer"
# Cross-zone balancing toggle (the option's name line is not shown here).
19 value = var.environment_loadbalancer_crosszone
22 namespace = "aws:elb:loadbalancer"
23 name = "SecurityGroups"
# The ELB security groups decide what can reach the listeners. Sorting before
# join() keeps the rendered value stable, so reordering the variable does not
# trigger a spurious environment update.
24 value = join(",", sort(var.environment_loadbalancer_security_groups))
27 namespace = "aws:elb:loadbalancer"
28 name = "ManagedSecurityGroup"
29 value = var.environment_loadbalancer_managed_security_group
# aws:elb:listener is the classic ELB default listener (port 80 per the EB
# option reference). Its protocol value line is not shown in this listing.
32 namespace = "aws:elb:listener"
33 name = "ListenerProtocol"
37 namespace = "aws:elb:listener"
# Back-end port for the port-80 listener (name line not shown): the same
# application port the process:default options use below.
39 value = var.environment_process_default_port
42 namespace = "aws:elb:listener"
43 name = "ListenerEnabled"
# Precedence: (default_listener_enabled || cert == "") ? "true" : "false".
# Consequence: with no certificate configured the plaintext HTTP listener is
# always on, whatever default_listener_enabled says; with a certificate it can
# be switched off via default_listener_enabled = false. A classic ELB cannot
# redirect HTTP->HTTPS, so leaving port 80 enabled alongside a certificate
# serves the application over both plaintext and TLS.
44 value = var.default_listener_enabled || var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"
# TLS listener on 443. The protocol value line (expected HTTPS) is not shown.
47 namespace = "aws:elb:listener:443"
48 name = "ListenerProtocol"
52 namespace = "aws:elb:listener:443"
# Back-end port for the 443 listener is the plain application port: TLS
# terminates at the ELB and the ELB->instance hop uses the process port (the
# process protocol below is HTTP, not HTTPS). Acceptable inside the VPC only
# if that is a deliberate decision.
54 value = var.environment_process_default_port
57 namespace = "aws:elb:listener:443"
58 name = "SSLCertificateId"
# Certificate ARN; an empty string means "no TLS".
59 value = var.environment_loadbalancer_ssl_certificate_id
62 namespace = "aws:elb:listener:443"
63 name = "ListenerEnabled"
# 443 is only enabled when a certificate is supplied. No TLS negotiation
# policy (aws:elb:policies SSLReferencePolicy / listener PolicyNames) is
# visible in this listing, so the ELB default policy would apply.
# NOTE(review): consider pinning a current predefined policy such as
# ELBSecurityPolicy-TLS-1-2-2017-01 — confirm against the full file.
64 value = var.environment_loadbalancer_ssl_certificate_id == "" ? "false" : "true"
67 namespace = "aws:elb:policies"
68 name = "ConnectionSettingIdleTimeout"
69 value = var.loadbalancer_connection_settings_idle_timeout
72 namespace = "aws:elb:policies"
73 name = "ConnectionDrainingEnabled"
80 namespace = "aws:elbv2:listener:default"
81 name = "ListenerEnabled"
82 value = var.default_listener_enabled
# Options shared by the NLB and classic variants that wire the load balancer
# and its health checks to the VPC/subnet created in this file.
86 beanstalk_elb_settings = [
88 namespace = "aws:ec2:vpc"
# The load balancer is placed in the single subnet created below (the option
# name line is not shown here). That subnet is public (map_public_ip_on_launch
# plus a default route to the internet gateway), so exposure is governed by
# the scheme option further down and the security groups.
90 value = aws_subnet.subnet.id
93 namespace = "aws:elasticbeanstalk:environment:process:default"
# Port the default process listens on (name line not shown).
95 value = var.environment_process_default_port
98 namespace = "aws:elasticbeanstalk:environment:process:default"
# Protocol between the load balancer and the instances: raw TCP for an NLB,
# plaintext HTTP otherwise. TLS is therefore not end-to-end; it ends at the
# load balancer.
100 value = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
103 namespace = "aws:ec2:vpc"
# Load balancer scheme (name line not shown): var.elb_scheme decides whether
# the LB is internet-facing or internal. Only set for LoadBalanced
# environments; an empty string is passed otherwise.
105 value = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
# Health-check tuning for the default process.
108 namespace = "aws:elasticbeanstalk:environment:process:default"
109 name = "HealthCheckInterval"
110 value = var.environment_process_default_healthcheck_interval
113 namespace = "aws:elasticbeanstalk:environment:process:default"
114 name = "HealthyThresholdCount"
115 value = var.environment_process_default_healthy_threshold_count
118 namespace = "aws:elasticbeanstalk:environment:process:default"
119 name = "UnhealthyThresholdCount"
120 value = var.environment_process_default_unhealthy_threshold_count
# Per-type option lists (local.nlb_settings is defined elsewhere in this
# locals block). Any load balancer type other than "network" or "classic"
# gets an empty list from both of these.
123 elb_settings_nlb = var.environment_loadbalancer_type == "network" ? concat(local.nlb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
124 elb_setting_classic = var.environment_loadbalancer_type == "classic" ? concat(local.classic_elb_settings, local.generic_elb_settings, local.beanstalk_elb_settings) : []
126 # Full set of load balancer settings. Only WebServer-tier environments get
# a load balancer; a Worker tier receives none of the aws:elb*/process
# options above.
127 elb_settings = var.environment_tier == "WebServer" ? concat(local.elb_settings_nlb, local.elb_setting_classic) : []
130 # Create elastic beanstalk VPC
131 resource "aws_vpc" "vpc" {
# An Amazon-provided IPv6 block is attached; the subnet below hands out
# addresses from it, so instances get globally unique IPv6 addresses. Whether
# they are reachable over IPv6 depends on an IPv6 default route, which is not
# visible in this listing.
132 assign_generated_ipv6_cidr_block = true
133 cidr_block = var.vpc_cidr_block
# DNS hostnames/support are needed for instances to resolve the SSM, ECR and
# EB endpoints they talk to; both are driven by variables.
134 enable_dns_hostnames = var.vpc_enable_dns_hostnames
135 enable_dns_support = var.vpc_enable_dns_support
136 instance_tenancy = var.vpc_instance_tenancy
140 # Create elastic beanstalk Subnets
141 resource "aws_subnet" "subnet" {
# Single subnet in a single availability zone: no AZ redundancy for the ASG.
145 availability_zone = var.subnet_availability_zone
146 assign_ipv6_address_on_creation = true
# The subnet consumes the entire VPC CIDR, so there is no address space left
# for a second (e.g. private) subnet in this VPC.
147 cidr_block = aws_vpc.vpc.cidr_block
# One /64 carved out of the VPC's IPv6 block (index 1).
148 ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
# Instances launched here get a public IPv4 address by default, and the VPC
# main route table (aws_route.route) sends 0.0.0.0/0 to the internet gateway:
# this is a public subnet. The environment's AssociatePublicIpAddress option
# can override the per-launch default; the instance security group (not
# visible here) is then the only thing limiting inbound access.
149 map_public_ip_on_launch = true
150 vpc_id = aws_vpc.vpc.id
154 resource "aws_internet_gateway" "internet_gateway" {
# Internet gateway for the VPC; together with the default route below it makes
# the VPC internet-reachable in both directions (subject to security groups).
158 vpc_id = aws_vpc.vpc.id
162 resource "aws_route" "route" {
165 aws_internet_gateway.internet_gateway
# IPv4 default route placed on the VPC *main* route table, so every subnet
# without an explicit association (including aws_subnet.subnet) becomes
# public. No ::/0 route is visible in this listing, so IPv6 traffic would not
# reach the gateway unless one is defined elsewhere.
167 destination_cidr_block = "0.0.0.0/0"
168 gateway_id = aws_internet_gateway.internet_gateway.id
169 route_table_id = aws_vpc.vpc.main_route_table_id
172 # Create elastic beanstalk IAM mapping
173 data "aws_iam_policy_document" "service" {
# Trust policy for the Elastic Beanstalk service role: lets the EB service
# principal assume it. No aws:SourceAccount / aws:SourceArn condition is
# visible in this listing; adding one narrows the trust to this account's
# environments (cross-service confused-deputy hardening).
180 identifiers = ["elasticbeanstalk.amazonaws.com"]
186 resource "aws_iam_role" "service" {
# Role EB itself uses to manage the environment (passed to the environment
# via the aws:elasticbeanstalk:environment ServiceRole option). Distinct from
# the instance role "ec2" below — keep the two separate on purpose.
187 assume_role_policy = data.aws_iam_policy_document.service.json
188 name = "${var.application_name}-eb-service"
191 resource "aws_iam_role_policy_attachment" "enhanced_health" {
# Managed policy for enhanced health reporting on the service role. The
# partition is hard-coded to "aws"; use data.aws_partition if this module
# must also deploy to GovCloud or China regions.
192 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
193 role = aws_iam_role.service.name
196 resource "aws_iam_role_policy_attachment" "service" {
# Broad EB service policy on the service role. NOTE(review): AWS documents
# this managed policy as deprecated in favour of
# AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy (alongside the
# enhanced-health policy above) — confirm against current docs before
# relying on it for new environments.
197 policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
198 role = aws_iam_role.service.name
201 data "aws_iam_policy_document" "ec2" {
# Trust policy for the instance role. Two principals are trusted: EC2 (for
# the instance profile) and SSM (needed by the hybrid activation
# aws_ssm_activation.ec2 below, which requires an SSM-assumable role).
208 identifiers = ["ec2.amazonaws.com"]
# Trusting ssm.amazonaws.com lets the SSM service assume this role for
# activation-registered machines; drop it if the activation is removed.
218 identifiers = ["ssm.amazonaws.com"]
224 resource "aws_iam_role" "ec2" {
# Role assumed by every instance in the environment (via the instance profile
# below). Everything attached to it is obtainable from the workload through
# the instance metadata service, so it should be held to least privilege.
225 assume_role_policy = data.aws_iam_policy_document.ec2.json
226 name = "${var.application_name}-eb-ec2"
229 resource "aws_iam_instance_profile" "ec2_iam_instance_profile" {
# Instance profile wrapping the instance role; referenced by the environment's
# aws:autoscaling:launchconfiguration IamInstanceProfile option.
230 name = "${var.application_name}-iam-instance-profile"
231 role = aws_iam_role.ec2.name
234 resource "aws_iam_role_policy_attachment" "multicontainer_docker" {
# Only needed by the multi-container Docker platform, but attached regardless
# of var.environment_solution_stack_name.
235 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
236 role = aws_iam_role.ec2.name
239 resource "aws_iam_role_policy_attachment" "web_tier" {
# Web-tier instance permissions. Attached unconditionally even though
# var.environment_tier selects exactly one tier per environment.
240 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
241 role = aws_iam_role.ec2.name
244 resource "aws_iam_role_policy_attachment" "worker_tier" {
# Worker-tier instance permissions, also attached unconditionally. A
# WebServer environment therefore carries worker-tier privileges it never
# uses; consider a count/for_each keyed on var.environment_tier.
245 policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
246 role = aws_iam_role.ec2.name
249 resource "aws_iam_role_policy_attachment" "ssm_automation" {
# NOTE(review): AmazonSSMAutomationRole is a service-role policy intended for
# the SSM Automation service, not for managed instances; the
# AmazonSSMManagedInstanceCore attachment below already covers what the SSM
# agent needs. Check whether instances genuinely run automations before
# keeping this on the instance role.
250 policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
251 role = aws_iam_role.ec2.name
254 resource "aws_iam_role_policy_attachment" "ssm_ec2" {
# Baseline SSM agent permissions (Session Manager, Run Command, inventory).
# The SSM activation below depends on this attachment.
255 policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
256 role = aws_iam_role.ec2.name
259 resource "aws_iam_role_policy_attachment" "ecr_readonly" {
# Read-only ECR access so instances can pull images; pull-only is the right
# scope for a runtime role.
260 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
261 role = aws_iam_role.ec2.name
264 resource "aws_ssm_activation" "ec2" {
267 aws_iam_role_policy_attachment.ssm_ec2
# Hybrid activation tied to the instance role. NOTE(review): EC2 instances
# that carry the instance profile register with SSM on their own through
# AmazonSSMManagedInstanceCore; a hybrid activation is normally for non-EC2
# hosts — confirm it is actually used. The activation id/code this resource
# returns are credentials and end up in Terraform state, so the state backend
# must be access-controlled and encrypted.
269 name = "${var.application_name}-ec2-activation"
270 iam_role = aws_iam_role.ec2.id
# At most three registrations; this is not tied to var.autoscaling_asg_maxsize
# on the environment. No expiration_date is set, so the provider default
# (24 hours from creation, per the provider docs) applies — check this is
# intended.
271 registration_limit = 3
274 data "aws_iam_policy_document" "default" {
# Inline policy for the INSTANCE role (see aws_iam_role_policy.default below:
# role = aws_iam_role.ec2.id). The resource scopes of the first two statements
# are not visible in this listing. The statement ids mirror the EB service
# role policy, which suggests service-role permissions were copied onto the
# instance role. Everything granted here is reachable from the workload via
# the instance metadata service, so a compromised application (SSRF, RCE)
# inherits it.
#
# Statement 1: mostly read-only Describe* calls. Two outliers worth noting:
# ec2:AssociateAddress is a write action, and ec2:GetConsoleOutput exposes
# instance console logs, which can carry sensitive boot-time output.
277 "elasticloadbalancing:DescribeInstanceHealth",
278 "elasticloadbalancing:DescribeLoadBalancers",
279 "elasticloadbalancing:DescribeTargetHealth",
280 "ec2:DescribeInstances",
281 "ec2:DescribeInstanceStatus",
282 "ec2:GetConsoleOutput",
283 "ec2:AssociateAddress",
284 "ec2:DescribeAddresses",
285 "ec2:DescribeSecurityGroups",
286 "sqs:GetQueueAttributes",
288 "autoscaling:DescribeAutoScalingGroups",
289 "autoscaling:DescribeAutoScalingInstances",
290 "autoscaling:DescribeScalingActivities",
291 "autoscaling:DescribeNotificationConfigurations",
# Statement 2: control-plane mutations. From an instance these allow opening
# security-group ingress/egress, creating/deleting security groups,
# terminating instances, resizing the ASG and its launch configurations,
# creating and starting CodeBuild projects, and every elasticbeanstalk:*
# action — privilege-escalation and lateral-movement paths if the application
# is compromised. These belong on the EB service role rather than the
# instance profile; anything that must stay should be resource-scoped to this
# environment's ASG/ELB/stack.
298 sid = "AllowOperations"
300 "autoscaling:AttachInstances",
301 "autoscaling:CreateAutoScalingGroup",
302 "autoscaling:CreateLaunchConfiguration",
303 "autoscaling:DeleteLaunchConfiguration",
304 "autoscaling:DeleteAutoScalingGroup",
305 "autoscaling:DeleteScheduledAction",
306 "autoscaling:DescribeAccountLimits",
307 "autoscaling:DescribeAutoScalingGroups",
308 "autoscaling:DescribeAutoScalingInstances",
309 "autoscaling:DescribeLaunchConfigurations",
310 "autoscaling:DescribeLoadBalancers",
311 "autoscaling:DescribeNotificationConfigurations",
312 "autoscaling:DescribeScalingActivities",
313 "autoscaling:DescribeScheduledActions",
314 "autoscaling:DetachInstances",
315 "autoscaling:PutScheduledUpdateGroupAction",
316 "autoscaling:ResumeProcesses",
317 "autoscaling:SetDesiredCapacity",
318 "autoscaling:SetInstanceProtection",
319 "autoscaling:SuspendProcesses",
320 "autoscaling:TerminateInstanceInAutoScalingGroup",
321 "autoscaling:UpdateAutoScalingGroup",
322 "cloudwatch:PutMetricAlarm",
323 "ec2:AssociateAddress",
324 "ec2:AllocateAddress",
# Security-group mutation from the instance role: an attacker on the box can
# open inbound ports on any group the scope allows.
325 "ec2:AuthorizeSecurityGroupEgress",
326 "ec2:AuthorizeSecurityGroupIngress",
327 "ec2:CreateSecurityGroup",
328 "ec2:DeleteSecurityGroup",
329 "ec2:DescribeAccountAttributes",
330 "ec2:DescribeAddresses",
331 "ec2:DescribeImages",
332 "ec2:DescribeInstances",
333 "ec2:DescribeKeyPairs",
334 "ec2:DescribeSecurityGroups",
335 "ec2:DescribeSnapshots",
336 "ec2:DescribeSubnets",
338 "ec2:DisassociateAddress",
339 "ec2:ReleaseAddress",
340 "ec2:RevokeSecurityGroupEgress",
341 "ec2:RevokeSecurityGroupIngress",
342 "ec2:TerminateInstances",
345 "ecs:DescribeClusters",
346 "ecs:RegisterTaskDefinition",
# Wildcard over the whole EB API, including reading every environment's
# configuration (and therefore its environment variables).
347 "elasticbeanstalk:*",
348 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
349 "elasticloadbalancing:ConfigureHealthCheck",
350 "elasticloadbalancing:CreateLoadBalancer",
351 "elasticloadbalancing:DeleteLoadBalancer",
352 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
353 "elasticloadbalancing:DescribeInstanceHealth",
354 "elasticloadbalancing:DescribeLoadBalancers",
355 "elasticloadbalancing:DescribeTargetHealth",
356 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
357 "elasticloadbalancing:DescribeTargetGroups",
358 "elasticloadbalancing:RegisterTargets",
359 "elasticloadbalancing:DeregisterTargets",
362 "logs:CreateLogGroup",
363 "logs:PutRetentionPolicy",
364 "rds:DescribeDBEngineVersions",
365 "rds:DescribeDBInstances",
366 "rds:DescribeOrderableDBInstanceOptions",
371 "sns:GetTopicAttributes",
372 "sns:ListSubscriptionsByTopic",
374 "sqs:GetQueueAttributes",
# CodeBuild project creation/start from a runtime instance is a supply-chain
# foothold (build definitions can run arbitrary code under the build role).
376 "codebuild:CreateProject",
377 "codebuild:DeleteProject",
378 "codebuild:BatchGetBuilds",
379 "codebuild:StartBuild",
# Statement 3: S3 access to the EB buckets (actions/resources not shown).
386 sid = "AllowS3OperationsOnElasticBeanstalkBuckets"
# Statement 4: lets the instance delete EB log groups — an anti-forensics
# capability for anyone who lands on the box. Log deletion should not be an
# instance-role permission.
397 sid = "AllowDeleteCloudwatchLogGroups"
399 "logs:DeleteLogGroup"
402 "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
# Statement 5: CloudFormation on the awseb-*/eb-* stacks that back EB
# environments (the action list is not shown here).
408 sid = "AllowCloudformationOperationsOnElasticBeanstalkStacks"
413 "arn:aws:cloudformation:*:*:stack/awseb-*",
414 "arn:aws:cloudformation:*:*:stack/eb-*"
420 resource "aws_iam_role_policy" "default" {
# Attaches the "default" document to the INSTANCE role (aws_iam_role.ec2),
# not the service role — see the review notes on that document.
424 name = "${var.application_name}-eb-default"
425 policy = data.aws_iam_policy_document.default.json
426 role = aws_iam_role.ec2.id
429 # Create elastic beanstalk Environment
430 resource "aws_elastic_beanstalk_environment" "environment" {
# The environment waits for the SSM activation (and, transitively, the
# instance-role policy attachments) before it is created.
434 aws_ssm_activation.ec2
436 application = var.environment_application
437 description = var.environment_description
438 name = var.environment_name
# Platform version. Managed platform updates below keep it patched only when
# var.managedactions_managed_actions_enabled is true.
439 solution_stack_name = var.environment_solution_stack_name
# WebServer or Worker; only WebServer receives local.elb_settings.
440 tier = var.environment_tier
441 wait_for_ready_timeout = var.environment_wait_for_ready_timeout
442 version_label = var.environment_version_label
447 namespace = "aws:ec2:instances"
448 name = "InstanceTypes"
449 value = var.instances_instance_types
# VPC and instance subnet (the option name lines are not shown in this
# listing). The subnet is the public one created above.
454 namespace = "aws:ec2:vpc"
456 value = aws_vpc.vpc.id
460 namespace = "aws:ec2:vpc"
462 value = aws_subnet.subnet.id
466 namespace = "aws:ec2:vpc"
467 name = "AssociatePublicIpAddress"
# Whether instances get a public IPv4 address. The subnet defaults to true.
# No NAT gateway or VPC endpoints are visible in this listing, so instances
# without a public IP would lose outbound access to SSM/ECR/EB unless those
# exist elsewhere — TODO confirm before setting this to false.
468 value = var.associate_public_ip_address
# Service role handed to EB (option name line not shown).
472 namespace = "aws:elasticbeanstalk:environment"
474 value = aws_iam_role.service.name
477 # aws:autoscaling:launchconfiguration
479 namespace = "aws:autoscaling:launchconfiguration"
480 name = "IamInstanceProfile"
481 value = aws_iam_instance_profile.ec2_iam_instance_profile.name
485 namespace = "aws:autoscaling:launchconfiguration"
486 name = "DisableIMDSv1"
# The value line for DisableIMDSv1 is not shown in this listing. It must be
# "true" to force IMDSv2: with IMDSv1 reachable, a single SSRF in the
# application yields the instance-role credentials, and that role carries the
# broad "default" policy above (security-group changes, TerminateInstances,
# elasticbeanstalk:*, log deletion).
# Load-balancer options computed in locals; the dynamic block header is not
# shown here.
491 for_each = local.elb_settings
493 namespace = setting.value["namespace"]
494 name = setting.value["name"]
495 value = setting.value["value"]
499 # aws:autoscaling:updatepolicy:rollingupdate
501 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
502 name = "RollingUpdateEnabled"
503 value = var.autoscaling_updatepolicy_rolling_update_enabled
507 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
508 name = "RollingUpdateType"
509 value = var.autoscaling_updatepolicy_rolling_update_type
513 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
514 name = "MinInstancesInService"
515 value = var.autoscaling_updatepolicy_min_instance_in_service
# Path probed by the ELB/EB health checks; keep it unauthenticated but free of
# sensitive detail, since it is reachable by anything that reaches the LB.
519 namespace = "aws:elasticbeanstalk:application"
520 name = "Application Healthcheck URL"
521 value = var.application_healthcheck_url
524 # aws:elasticbeanstalk:command
526 namespace = "aws:elasticbeanstalk:command"
527 name = "DeploymentPolicy"
528 value = var.command_deployment_policy
531 # aws:autoscaling:updatepolicy:rollingupdate
533 namespace = "aws:autoscaling:updatepolicy:rollingupdate"
534 name = "MaxBatchSize"
535 value = var.updatepolicy_max_batch_size
538 # aws:elasticbeanstalk:healthreporting:system
# Health reporting system type (option name line not shown).
540 namespace = "aws:elasticbeanstalk:healthreporting:system"
542 value = var.healthreporting_system_type
545 # aws:elasticbeanstalk:managedactions
# Managed platform updates are EB's patch mechanism for the instance OS and
# platform; disabling them leaves patching to the operator.
547 namespace = "aws:elasticbeanstalk:managedactions"
548 name = "ManagedActionsEnabled"
549 value = var.managedactions_managed_actions_enabled ? "true" : "false"
553 namespace = "aws:elasticbeanstalk:managedactions"
554 name = "PreferredStartTime"
555 value = var.managedactions_preferred_start_time
558 # aws:elasticbeanstalk:managedactions:platformupdate
# Update level (option name line not shown) controls how far a managed update
# may move the platform version.
560 namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
562 value = var.managedactions_platformupdate_update_level
# Periodic instance replacement even when no platform update is pending;
# helps keep long-lived instances from drifting.
566 namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
567 name = "InstanceRefreshEnabled"
568 value = var.managedactions_platformupdate_instance_refresh_enabled
# Ignoring health checks lets a deployment complete onto instances that are
# reporting unhealthy; keep this off outside break-glass use.
572 namespace = "aws:elasticbeanstalk:command"
573 name = "IgnoreHealthCheck"
574 value = var.command_ignore_health_check
577 # aws:autoscaling:asg
# ASG bounds (option name lines not shown). Note the SSM activation above is
# limited to three registrations, independent of the max size here.
579 namespace = "aws:autoscaling:asg"
581 value = var.autoscaling_asg_minsize
584 namespace = "aws:autoscaling:asg"
586 value = var.autoscaling_asg_maxsize
589 # aws:autoscaling:trigger
# Scaling trigger: measure, statistic and unit (name lines not shown) plus
# the lower/upper thresholds and increments below.
591 namespace = "aws:autoscaling:trigger"
593 value = var.autoscaling_trigger_measure_name
597 namespace = "aws:autoscaling:trigger"
599 value = var.autoscaling_trigger_statistic
603 namespace = "aws:autoscaling:trigger"
605 value = var.autoscaling_trigger_unit
609 namespace = "aws:autoscaling:trigger"
610 name = "LowerThreshold"
611 value = var.autoscaling_trigger_lower_threshold
615 namespace = "aws:autoscaling:trigger"
616 name = "LowerBreachScaleIncrement"
617 value = var.autoscaling_trigger_lower_breach_scale_increment
621 namespace = "aws:autoscaling:trigger"
622 name = "UpperThreshold"
623 value = var.autoscaling_trigger_upper_threshold
627 namespace = "aws:autoscaling:trigger"
628 name = "UpperBreachScaleIncrement"
629 value = var.autoscaling_trigger_upper_breach_scale_increment
632 # aws:elasticbeanstalk:hostmanager
# Copies rotated instance logs to the EB S3 bucket; access to those logs is
# then governed by that bucket's policy, not by this file.
634 namespace = "aws:elasticbeanstalk:hostmanager"
635 name = "LogPublicationControl"
636 value = var.hostmanager_log_publication_control ? "true" : "false"
639 # aws:elasticbeanstalk:cloudwatch:logs
# Instance log streaming to CloudWatch (option name line not shown).
641 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
643 value = var.cloudwatch_logs_stream_logs ? "true" : "false"
# Deleting the log group when the environment is terminated destroys the
# evidence an incident responder would need; for forensics prefer false and
# let RetentionInDays expire the data.
647 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
648 name = "DeleteOnTerminate"
649 value = var.cloudwatch_logs_delete_on_terminate ? "true" : "false"
653 namespace = "aws:elasticbeanstalk:cloudwatch:logs"
654 name = "RetentionInDays"
655 value = var.cloudwatch_logs_retention_in_days
658 # aws:elasticbeanstalk:cloudwatch:logs:health
660 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
661 name = "HealthStreamingEnabled"
662 value = var.cloudwatch_logs_health_health_streaming_enabled ? "true" : "false"
# Same retention-vs-deletion trade-off as the instance logs above.
666 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
667 name = "DeleteOnTerminate"
668 value = var.cloudwatch_logs_health_delete_on_terminate ? "true" : "false"
672 namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
673 name = "RetentionInDays"
674 value = var.cloudwatch_logs_health_retention_in_days
677 # aws:elasticbeanstalk:application:environment
# One setting per entry of var.environment_variables (the dynamic-block
# header and the name = setting.key line are not shown; the block continues
# past this listing). These values are stored in plaintext in the EB
# configuration, readable by anyone with DescribeConfigurationSettings —
# which includes the instance role via elasticbeanstalk:* above — and they
# also land in Terraform state and plan output. Do not pass secrets here;
# fetch them at runtime from SSM Parameter Store or Secrets Manager instead.
679 for_each = var.environment_variables
681 namespace = "aws:elasticbeanstalk:application:environment"
683 value = setting.value