fix(uti): Terraform settings
# Tag set shared by every taggable resource in this module. Both keys carry
# the application name, so resources can be located by either convention.
locals {
  tags = {
    Name        = var.application_name
    Environment = var.application_name
  }
}
7
# Network for the Elastic Beanstalk environment: a dual-stack VPC whose IPv4
# range is the caller's var.vpc_cidr_block and whose IPv6 range (a /56) is
# allocated by AWS because assign_generated_ipv6_cidr_block is set.
resource "aws_vpc" "vpc" {
  cidr_block                       = var.vpc_cidr_block
  assign_generated_ipv6_cidr_block = true
  instance_tenancy                 = var.vpc_instance_tenancy
  # Both DNS flags are module inputs; nothing below overrides them.
  enable_dns_support   = var.vpc_enable_dns_support
  enable_dns_hostnames = var.vpc_enable_dns_hostnames
  tags                 = local.tags
}
17
# Single subnet for the environment. It takes the VPC's entire IPv4 range, so
# no second (e.g. private) subnet can ever be added to this VPC, and every
# instance launched here gets a public IPv4 address unless the Beanstalk
# "AssociatePublicIpAddress" setting below turns that off.
resource "aws_subnet" "subnet" {
  vpc_id            = aws_vpc.vpc.id # implicit dependency on the VPC
  availability_zone = var.subnet_availability_zone
  cidr_block        = aws_vpc.vpc.cidr_block
  # The /64 at index 1 inside the VPC's /56 (8 extra prefix bits).
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
  map_public_ip_on_launch         = true
  tags                            = local.tags
}
31
# Internet gateway that gives the VPC a path to the public internet; it is
# the target of aws_route.route below.
resource "aws_internet_gateway" "internet_gateway" {
  vpc_id = aws_vpc.vpc.id # implicit dependency on the VPC
  tags   = local.tags
}
39
# Default IPv4 route through the internet gateway, installed in the VPC's
# *main* route table. Every subnet without its own route-table association
# (including aws_subnet.subnet above) is therefore internet-facing. No ::/0
# route is created, so the IPv6 addresses assigned above have no path out.
resource "aws_route" "route" {
  route_table_id         = aws_vpc.vpc.main_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.internet_gateway.id
}
49
# IAM for the Elastic Beanstalk *service* role: the trust policy that lets the
# Beanstalk service assume aws_iam_role.service.
# NOTE(review): there is no aws:SourceAccount / aws:SourceArn condition, so
# the role is assumable by the Beanstalk service on behalf of any account;
# adding one is the usual mitigation — confirm the account id is available
# to this module.
data "aws_iam_policy_document" "service" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["elasticbeanstalk.amazonaws.com"]
    }
  }
}
63
# Service role handed to Elastic Beanstalk via the "ServiceRole" setting of
# the environment; its trust policy is the document above.
resource "aws_iam_role" "service" {
  name               = "${var.application_name}-eb-service"
  assume_role_policy = data.aws_iam_policy_document.service.json
}
68
# AWS-managed policy for enhanced health reporting, on the service role.
resource "aws_iam_role_policy_attachment" "enhanced_health" {
  role       = aws_iam_role.service.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
}
73
# AWS-managed service-role policy for Elastic Beanstalk, on the service role.
resource "aws_iam_role_policy_attachment" "service" {
  role       = aws_iam_role.service.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
}
78
# Trust policy for the *instance* role (aws_iam_role.ec2). Two principals may
# assume it: EC2, for the instance profile, and SSM, which is what the hybrid
# activation in aws_ssm_activation.ec2 below requires of the role it is given.
data "aws_iam_policy_document" "ec2" {
  # Instances in the environment assume the role through the instance profile.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
  # The SSM service assumes the same role for hybrid-activated machines.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ssm.amazonaws.com"]
    }
  }
}
101
# Instance role for the environment's EC2 instances. Every policy attached to
# it below is reachable by any process running on those instances.
resource "aws_iam_role" "ec2" {
  name               = "${var.application_name}-eb-ec2"
  assume_role_policy = data.aws_iam_policy_document.ec2.json
}
106
# Instance profile wrapping the instance role; referenced by the
# "IamInstanceProfile" setting of the environment.
resource "aws_iam_instance_profile" "ec2_iam_instance_profile" {
  role = aws_iam_role.ec2.name
  name = "${var.application_name}-iam-instance-profile"
}
111
# AWS-managed policy for multi-container Docker platforms, on the instance role.
resource "aws_iam_role_policy_attachment" "multicontainer_docker" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
}
116
# AWS-managed web-tier policy, on the instance role.
resource "aws_iam_role_policy_attachment" "web_tier" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
}
121
# AWS-managed worker-tier policy, on the instance role. Attached regardless of
# var.environment_tier, so the role carries both tiers' permissions.
resource "aws_iam_role_policy_attachment" "worker_tier" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
}
126
# AWS-managed SSM Automation service-role policy, on the instance role.
resource "aws_iam_role_policy_attachment" "ssm_automation" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
}
131
# AWS-managed policy that lets the SSM agent on the instances talk to Systems
# Manager; aws_ssm_activation.ec2 below waits for this attachment.
resource "aws_iam_role_policy_attachment" "ssm_ec2" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
136
# Read-only ECR access so the instances can pull container images.
resource "aws_iam_role_policy_attachment" "ecr_readonly" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
141
# SSM hybrid activation bound to the instance role. The activation id/code
# this resource returns are recorded in Terraform state, so the state file
# must be handled as a secret. registration_limit caps how many machines can
# register through this one activation.
resource "aws_ssm_activation" "ec2" {
  # The AmazonSSMManagedInstanceCore attachment is not referenced anywhere
  # else, so it has to be ordered explicitly; the role itself is already an
  # implicit dependency through iam_role below.
  depends_on = [
    aws_iam_role_policy_attachment.ssm_ec2
  ]
  iam_role           = aws_iam_role.ec2.id
  name               = "${var.application_name}-ec2-activation"
  registration_limit = 3
}
151
# Inline policy for the EC2 *instance* role (attached by
# aws_iam_role_policy.default below). Everything granted here is usable by any
# process on the environment's instances, not just by Elastic Beanstalk.
data "aws_iam_policy_document" "default" {
  # Read-only describe/get calls. Most of these APIs accept no resource-level
  # restriction, which is why the resource is "*"; ec2:AssociateAddress is the
  # one mutating action in this list.
  statement {
    actions = [
      "elasticloadbalancing:DescribeInstanceHealth",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeTargetHealth",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceStatus",
      "ec2:GetConsoleOutput",
      "ec2:AssociateAddress",
      "ec2:DescribeAddresses",
      "ec2:DescribeSecurityGroups",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeScalingActivities",
      "autoscaling:DescribeNotificationConfigurations",
    ]
    resources = ["*"]
    effect    = "Allow"
  }

  # NOTE(review): this statement reads like an Elastic Beanstalk *service*
  # permission set (create/delete ASGs, security groups, load balancers,
  # "elasticbeanstalk:*", "iam:PassRole", "ec2:TerminateInstances"), all on
  # "*", yet it lands on the instance role. Consider moving it to
  # aws_iam_role.service or scoping the resources to what the instances
  # actually call — TODO confirm what the workload needs.
  statement {
    sid = "AllowOperations"
    actions = [
      "autoscaling:AttachInstances",
      "autoscaling:CreateAutoScalingGroup",
      "autoscaling:CreateLaunchConfiguration",
      "autoscaling:DeleteLaunchConfiguration",
      "autoscaling:DeleteAutoScalingGroup",
      "autoscaling:DeleteScheduledAction",
      "autoscaling:DescribeAccountLimits",
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeLoadBalancers",
      "autoscaling:DescribeNotificationConfigurations",
      "autoscaling:DescribeScalingActivities",
      "autoscaling:DescribeScheduledActions",
      "autoscaling:DetachInstances",
      "autoscaling:PutScheduledUpdateGroupAction",
      "autoscaling:ResumeProcesses",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:SetInstanceProtection",
      "autoscaling:SuspendProcesses",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "autoscaling:UpdateAutoScalingGroup",
      "cloudwatch:PutMetricAlarm",
      "ec2:AssociateAddress",
      "ec2:AllocateAddress",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:CreateSecurityGroup",
      "ec2:DeleteSecurityGroup",
      "ec2:DescribeAccountAttributes",
      "ec2:DescribeAddresses",
      "ec2:DescribeImages",
      "ec2:DescribeInstances",
      "ec2:DescribeKeyPairs",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSnapshots",
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcs",
      "ec2:DisassociateAddress",
      "ec2:ReleaseAddress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:TerminateInstances",
      "ecs:CreateCluster",
      "ecs:DeleteCluster",
      "ecs:DescribeClusters",
      "ecs:RegisterTaskDefinition",
      "elasticbeanstalk:*",
      "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
      "elasticloadbalancing:ConfigureHealthCheck",
      "elasticloadbalancing:CreateLoadBalancer",
      "elasticloadbalancing:DeleteLoadBalancer",
      "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
      "elasticloadbalancing:DescribeInstanceHealth",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeTargetHealth",
      "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:RegisterTargets",
      "elasticloadbalancing:DeregisterTargets",
      "iam:ListRoles",
      "iam:PassRole",
      "logs:CreateLogGroup",
      "logs:PutRetentionPolicy",
      "rds:DescribeDBEngineVersions",
      "rds:DescribeDBInstances",
      "rds:DescribeOrderableDBInstanceOptions",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
      "sns:CreateTopic",
      "sns:GetTopicAttributes",
      "sns:ListSubscriptionsByTopic",
      "sns:Subscribe",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "codebuild:CreateProject",
      "codebuild:DeleteProject",
      "codebuild:BatchGetBuilds",
      "codebuild:StartBuild",
    ]
    resources = ["*"]
    effect    = "Allow"
  }

  # NOTE(review): the Sid says "Elastic Beanstalk buckets" but the resource is
  # every bucket in the account ("arn:aws:s3:::*" with "s3:*"). Scoping it to
  # the environment's buckets (the AWS-managed WebTier policy uses the
  # elasticbeanstalk-* prefix) would match the stated intent — TODO confirm
  # no other bucket is needed.
  statement {
    sid = "AllowS3OperationsOnElasticBeanstalkBuckets"
    actions = [
      "s3:*"
    ]
    resources = [
      "arn:aws:s3:::*"
    ]
    effect = "Allow"
  }

  # Log-group deletion, limited to the Beanstalk log-group prefix.
  statement {
    sid = "AllowDeleteCloudwatchLogGroups"
    actions = [
      "logs:DeleteLogGroup"
    ]
    resources = [
      "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
    ]
    effect = "Allow"
  }

  # Full CloudFormation access, limited to stacks with the awseb-/eb- prefixes
  # that Beanstalk environments are created under.
  statement {
    sid = "AllowCloudformationOperationsOnElasticBeanstalkStacks"
    actions = [
      "cloudformation:*"
    ]
    resources = [
      "arn:aws:cloudformation:*:*:stack/awseb-*",
      "arn:aws:cloudformation:*:*:stack/eb-*"
    ]
    effect = "Allow"
  }
}
297
# Attaches the inline policy document above to the *instance* role. The role
# reference below already orders this after aws_iam_role.ec2, so no explicit
# depends_on is needed.
resource "aws_iam_role_policy" "default" {
  role   = aws_iam_role.ec2.id
  name   = "${var.application_name}-eb-default"
  policy = data.aws_iam_policy_document.default.json
}
306
# The Elastic Beanstalk environment itself, wired to the VPC, subnet, roles
# and instance profile above. Only the default listener namespace
# (aws:elbv2:listener:default) is configured here — no HTTPS listener or
# certificate — and with the subnet's map_public_ip_on_launch the
# "AssociatePublicIpAddress" input decides whether instances are reachable
# from the internet.
resource "aws_elastic_beanstalk_environment" "environment" {
  # VPC and subnet are implicit dependencies through the settings below; the
  # SSM activation is not referenced anywhere, so it is ordered explicitly.
  depends_on = [
    aws_ssm_activation.ec2
  ]

  name                   = var.environment_name
  application            = var.environment_application
  description            = var.environment_description
  tier                   = var.environment_tier
  solution_stack_name    = var.environment_solution_stack_name
  version_label          = var.environment_version_label
  wait_for_ready_timeout = var.environment_wait_for_ready_timeout
  tags                   = local.tags

  #
  # aws:ec2:instances — instance types used by the auto scaling group
  #
  setting {
    namespace = "aws:ec2:instances"
    name      = "InstanceTypes"
    value     = var.instances_instance_types
  }

  #
  # aws:ec2:vpc — network placement
  #
  setting {
    namespace = "aws:ec2:vpc"
    name      = "VPCId"
    value     = aws_vpc.vpc.id
  }
  # Instances and the load balancer share the single subnet created above.
  setting {
    namespace = "aws:ec2:vpc"
    name      = "Subnets"
    value     = aws_subnet.subnet.id
  }
  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBSubnets"
    value     = aws_subnet.subnet.id
  }
  # The scheme only applies to load-balanced environments; otherwise an empty
  # value is passed through.
  setting {
    namespace = "aws:ec2:vpc"
    name      = "ELBScheme"
    value     = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
  }
  setting {
    namespace = "aws:ec2:vpc"
    name      = "AssociatePublicIpAddress"
    value     = var.associate_public_ip_address
  }

  #
  # aws:elasticbeanstalk:application — health check path is fixed to "/"
  #
  setting {
    namespace = "aws:elasticbeanstalk:application"
    name      = "Application Healthcheck URL"
    value     = "/"
  }

  #
  # aws:elbv2:listener:default — the only listener configured
  #
  setting {
    namespace = "aws:elbv2:listener:default"
    name      = "ListenerEnabled"
    value     = var.default_listener_enabled
  }

  #
  # aws:elasticbeanstalk:environment — load balancer type and service role
  #
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "LoadBalancerType"
    value     = var.environment_loadbalancer_type
  }
  setting {
    namespace = "aws:elasticbeanstalk:environment"
    name      = "ServiceRole"
    value     = aws_iam_role.service.name
  }

  #
  # aws:elasticbeanstalk:environment:process:default — target-group health
  # checks and the backend port/protocol
  #
  setting {
    namespace = "aws:elasticbeanstalk:environment:process:default"
    name      = "Port"
    value     = var.environment_process_default_port
  }
  # Network load balancers speak TCP; every other type is given HTTP.
  setting {
    namespace = "aws:elasticbeanstalk:environment:process:default"
    name      = "Protocol"
    value     = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
  }
  setting {
    namespace = "aws:elasticbeanstalk:environment:process:default"
    name      = "HealthCheckInterval"
    value     = var.environment_process_default_healthcheck_interval
  }
  setting {
    namespace = "aws:elasticbeanstalk:environment:process:default"
    name      = "HealthyThresholdCount"
    value     = var.environment_process_default_healthy_threshold_count
  }
  setting {
    namespace = "aws:elasticbeanstalk:environment:process:default"
    name      = "UnhealthyThresholdCount"
    value     = var.environment_process_default_unhealthy_threshold_count
  }

  #
  # aws:autoscaling:launchconfiguration — instance role via its profile
  #
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "IamInstanceProfile"
    value     = aws_iam_instance_profile.ec2_iam_instance_profile.name
  }

  #
  # aws:autoscaling:updatepolicy:rollingupdate — rolling configuration updates
  #
  setting {
    namespace = "aws:autoscaling:updatepolicy:rollingupdate"
    name      = "RollingUpdateEnabled"
    value     = var.autoscaling_updatepolicy_rolling_update_enabled
  }
  setting {
    namespace = "aws:autoscaling:updatepolicy:rollingupdate"
    name      = "RollingUpdateType"
    value     = var.autoscaling_updatepolicy_rolling_update_type
  }
  setting {
    namespace = "aws:autoscaling:updatepolicy:rollingupdate"
    name      = "MinInstancesInService"
    value     = var.autoscaling_updatepolicy_min_instance_in_service
  }
  setting {
    namespace = "aws:autoscaling:updatepolicy:rollingupdate"
    name      = "MaxBatchSize"
    value     = var.updatepolicy_max_batch_size
  }

  #
  # aws:elasticbeanstalk:command — application deployment policy
  #
  setting {
    namespace = "aws:elasticbeanstalk:command"
    name      = "DeploymentPolicy"
    value     = var.command_deployment_policy
  }

  #
  # aws:elasticbeanstalk:healthreporting:system
  #
  setting {
    namespace = "aws:elasticbeanstalk:healthreporting:system"
    name      = "SystemType"
    value     = var.healthreporting_system_type
  }

  #
  # aws:elasticbeanstalk:managedactions — platform maintenance window
  #
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "ManagedActionsEnabled"
    value     = var.managedactions_managed_actions_enabled ? "true" : "false"
  }
  setting {
    namespace = "aws:elasticbeanstalk:managedactions"
    name      = "PreferredStartTime"
    value     = var.managedactions_preferred_start_time
  }

  #
  # aws:elasticbeanstalk:managedactions:platformupdate
  #
  setting {
    namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
    name      = "UpdateLevel"
    value     = var.managedactions_platformupdate_update_level
  }
  setting {
    namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
    name      = "InstanceRefreshEnabled"
    value     = var.managedactions_platformupdate_instance_refresh_enabled
  }

  #
  # aws:autoscaling:asg — group size bounds
  #
  setting {
    namespace = "aws:autoscaling:asg"
    name      = "MinSize"
    value     = var.autoscaling_asg_minsize
  }
  setting {
    namespace = "aws:autoscaling:asg"
    name      = "MaxSize"
    value     = var.autoscaling_asg_maxsize
  }

  #
  # aws:autoscaling:trigger — metric-driven scaling
  #
  setting {
    namespace = "aws:autoscaling:trigger"
    name      = "MeasureName"
    value     = var.autoscaling_trigger_measure_name
  }
  setting {
    namespace = "aws:autoscaling:trigger"
    name      = "Statistic"
    value     = var.autoscaling_trigger_statistic
  }
  setting {
    namespace = "aws:autoscaling:trigger"
    name      = "Unit"
    value     = var.autoscaling_trigger_unit
  }
  setting {
    namespace = "aws:autoscaling:trigger"
    name      = "LowerThreshold"
    value     = var.autoscaling_trigger_lower_threshold
  }
  setting {
    namespace = "aws:autoscaling:trigger"
    name      = "LowerBreachScaleIncrement"
    value     = var.autoscaling_trigger_lower_breach_scale_increment
  }
  setting {
    namespace = "aws:autoscaling:trigger"
    name      = "UpperThreshold"
    value     = var.autoscaling_trigger_upper_threshold
  }
  setting {
    namespace = "aws:autoscaling:trigger"
    name      = "UpperBreachScaleIncrement"
    value     = var.autoscaling_trigger_upper_breach_scale_increment
  }

  #
  # aws:elasticbeanstalk:hostmanager — log publication to S3
  #
  setting {
    namespace = "aws:elasticbeanstalk:hostmanager"
    name      = "LogPublicationControl"
    value     = var.hostmanager_log_publication_control ? "true" : "false"
  }

  #
  # aws:elasticbeanstalk:cloudwatch:logs — instance log streaming
  #
  setting {
    namespace = "aws:elasticbeanstalk:cloudwatch:logs"
    name      = "StreamLogs"
    value     = var.cloudwatch_logs_stream_logs ? "true" : "false"
  }
  setting {
    namespace = "aws:elasticbeanstalk:cloudwatch:logs"
    name      = "DeleteOnTerminate"
    value     = var.cloudwatch_logs_delete_on_terminate ? "true" : "false"
  }
  setting {
    namespace = "aws:elasticbeanstalk:cloudwatch:logs"
    name      = "RetentionInDays"
    value     = var.cloudwatch_logs_retention_in_days
  }

  #
  # aws:elasticbeanstalk:cloudwatch:logs:health — health event streaming
  #
  setting {
    namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
    name      = "HealthStreamingEnabled"
    value     = var.cloudwatch_logs_health_health_streaming_enabled ? "true" : "false"
  }
  setting {
    namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
    name      = "DeleteOnTerminate"
    value     = var.cloudwatch_logs_health_delete_on_terminate ? "true" : "false"
  }
  setting {
    namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
    name      = "RetentionInDays"
    value     = var.cloudwatch_logs_health_retention_in_days
  }

  #
  # aws:elasticbeanstalk:application:environment — one setting per entry of
  # var.environment_variables (key → name, value → value). These become
  # process environment variables on every instance, so the map must not be
  # used for secrets that belong in a secret store.
  #
  dynamic "setting" {
    for_each = var.environment_variables
    content {
      namespace = "aws:elasticbeanstalk:application:environment"
      name      = setting.key
      value     = setting.value
    }
  }
}
600 }