locals {
tags = {
"Name" = "${var.application_name}"
"Environment" = "${var.application_name}"
}
# Settings for all loadbalancer types
generic_elb_settings = [
{
namespace = "aws:elasticbeanstalk:environment"
name = "LoadBalancerType"
value = var.environment_loadbalancer_type
}
]
elb_settings = [
{
namespace = "aws:ec2:vpc"
name = "ELBSubnets"
value = join(",", [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id])
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "Port"
value = var.environment_process_default_port
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "Protocol"
value = var.environment_loadbalancer_type == "network" ? "TCP" : "HTTP"
},
{
namespace = "aws:ec2:vpc"
name = "ELBScheme"
value = var.environment_type == "LoadBalanced" ? var.elb_scheme : ""
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "HealthCheckInterval"
value = var.environment_process_default_healthcheck_interval
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "HealthyThresholdCount"
value = var.environment_process_default_healthy_threshold_count
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "UnhealthyThresholdCount"
value = var.environment_process_default_unhealthy_threshold_count
}
]
generic_alb_settings = [
{
namespace = "aws:elbv2:loadbalancer"
name = "SecurityGroups"
value = join(",", sort(var.environment_loadbalancer_security_groups))
}
]
alb_settings = [
{
namespace = "aws:elbv2:listener:default"
name = "ListenerEnabled"
value = var.default_listener_enabled || var.environment_loadbalancer_ssl_certificate_id == "" ? "true" : "false"
},
{
namespace = "aws:elbv2:loadbalancer"
name = "ManagedSecurityGroup"
value = var.environment_loadbalancer_managed_security_group
},
{
namespace = "aws:elbv2:listener:443"
name = "ListenerEnabled"
value = var.environment_loadbalancer_ssl_certificate_id == "" ? "false" : "true"
},
{
namespace = "aws:elbv2:listener:443"
name = "Protocol"
value = "HTTPS"
},
{
namespace = "aws:elbv2:listener:443"
name = "SSLCertificateArns"
value = var.environment_loadbalancer_ssl_certificate_id
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "HealthCheckPath"
value = var.application_healthcheck_url
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "MatcherHTTPCode"
value = join(",", sort(var.default_matcher_http_code))
},
{
namespace = "aws:elasticbeanstalk:environment:process:default"
name = "HealthCheckTimeout"
value = var.default_health_check_timeout
}
]
nlb_settings = [
{
namespace = "aws:elbv2:listener:default"
name = "ListenerEnabled"
value = var.default_listener_enabled
}
]
settings_nlb = var.environment_loadbalancer_type == "network" ? concat(local.nlb_settings, local.generic_elb_settings, local.elb_settings) : []
settings_alb = var.environment_loadbalancer_type == "application" ? concat(local.generic_alb_settings, local.alb_settings, local.generic_elb_settings, local.elb_settings) : []
# Full set of LoadBlanacer settings.
elb = var.environment_tier == "WebServer" ? concat(local.settings_nlb, local.settings_alb) : []
}
# Create elastic beanstalk VPC
resource "aws_vpc" "vpc" {
assign_generated_ipv6_cidr_block = true
cidr_block = var.vpc_cidr_block
enable_dns_hostnames = var.vpc_enable_dns_hostnames
enable_dns_support = var.vpc_enable_dns_support
instance_tenancy = var.vpc_instance_tenancy
tags = local.tags
}
# Create elastic beanstalk Subnets
resource "aws_subnet" "subnet_a" {
depends_on = [
aws_vpc.vpc
]
availability_zone = var.subnet_a_availability_zone
assign_ipv6_address_on_creation = true
cidr_block = var.subnet_a_cidr_block
ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 1)
map_public_ip_on_launch = true
vpc_id = aws_vpc.vpc.id
tags = local.tags
}
resource "aws_subnet" "subnet_b" {
depends_on = [
aws_vpc.vpc
]
availability_zone = var.subnet_b_availability_zone
assign_ipv6_address_on_creation = true
cidr_block = var.subnet_b_cidr_block
ipv6_cidr_block = cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, 2)
map_public_ip_on_launch = true
vpc_id = aws_vpc.vpc.id
tags = local.tags
}
resource "aws_internet_gateway" "internet_gateway" {
depends_on = [
aws_vpc.vpc
]
vpc_id = aws_vpc.vpc.id
tags = local.tags
}
resource "aws_route" "route" {
depends_on = [
aws_vpc.vpc,
aws_internet_gateway.internet_gateway
]
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.internet_gateway.id
route_table_id = aws_vpc.vpc.main_route_table_id
}
# Create elastic beanstalk IAM mapping
data "aws_iam_policy_document" "service" {
statement {
actions = [
"sts:AssumeRole"
]
principals {
type = "Service"
identifiers = ["elasticbeanstalk.amazonaws.com"]
}
effect = "Allow"
}
}
resource "aws_iam_role" "service" {
assume_role_policy = data.aws_iam_policy_document.service.json
name = "${var.application_name}-eb-service"
}
resource "aws_iam_role_policy_attachment" "enhanced_health" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth"
role = aws_iam_role.service.name
}
resource "aws_iam_role_policy_attachment" "service" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService"
role = aws_iam_role.service.name
}
data "aws_iam_policy_document" "ec2" {
statement {
actions = [
"sts:AssumeRole"
]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
effect = "Allow"
}
statement {
actions = [
"sts:AssumeRole",
]
principals {
type = "Service"
identifiers = ["ssm.amazonaws.com"]
}
effect = "Allow"
}
}
resource "aws_iam_role" "ec2" {
assume_role_policy = data.aws_iam_policy_document.ec2.json
name = "${var.application_name}-eb-ec2"
}
resource "aws_iam_instance_profile" "ec2_iam_instance_profile" {
name = "${var.application_name}-iam-instance-profile"
role = aws_iam_role.ec2.name
}
resource "aws_iam_role_policy_attachment" "multicontainer_docker" {
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker"
role = aws_iam_role.ec2.name
}
resource "aws_iam_role_policy_attachment" "web_tier" {
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier"
role = aws_iam_role.ec2.name
}
resource "aws_iam_role_policy_attachment" "worker_tier" {
policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier"
role = aws_iam_role.ec2.name
}
resource "aws_iam_role_policy_attachment" "ssm_automation" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"
role = aws_iam_role.ec2.name
}
resource "aws_iam_role_policy_attachment" "ssm_ec2" {
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
role = aws_iam_role.ec2.name
}
resource "aws_iam_role_policy_attachment" "ecr_readonly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.ec2.name
}
resource "aws_ssm_activation" "ec2" {
depends_on = [
aws_iam_role.ec2,
aws_iam_role_policy_attachment.ssm_ec2
]
name = "${var.application_name}-ec2-activation"
iam_role = aws_iam_role.ec2.id
registration_limit = 3
}
data "aws_iam_policy_document" "default" {
statement {
actions = [
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetHealth",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:GetConsoleOutput",
"ec2:AssociateAddress",
"ec2:DescribeAddresses",
"ec2:DescribeSecurityGroups",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeNotificationConfigurations",
]
resources = ["*"]
effect = "Allow"
}
statement {
sid = "AllowOperations"
actions = [
"autoscaling:AttachInstances",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteScheduledAction",
"autoscaling:DescribeAccountLimits",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeLoadBalancers",
"autoscaling:DescribeNotificationConfigurations",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeScheduledActions",
"autoscaling:DetachInstances",
"autoscaling:PutScheduledUpdateGroupAction",
"autoscaling:ResumeProcesses",
"autoscaling:SetDesiredCapacity",
"autoscaling:SetInstanceProtection",
"autoscaling:SuspendProcesses",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"cloudwatch:PutMetricAlarm",
"ec2:AssociateAddress",
"ec2:AllocateAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:TerminateInstances",
"ecs:CreateCluster",
"ecs:DeleteCluster",
"ecs:DescribeClusters",
"ecs:RegisterTaskDefinition",
"elasticbeanstalk:*",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets",
"iam:ListRoles",
"iam:PassRole",
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"rds:DescribeDBEngineVersions",
"rds:DescribeDBInstances",
"rds:DescribeOrderableDBInstanceOptions",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket",
"sns:CreateTopic",
"sns:GetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Subscribe",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"codebuild:CreateProject",
"codebuild:DeleteProject",
"codebuild:BatchGetBuilds",
"codebuild:StartBuild",
]
resources = ["*"]
effect = "Allow"
}
statement {
sid = "AllowS3OperationsOnElasticBeanstalkBuckets"
actions = [
"s3:*"
]
resources = [
"arn:aws:s3:::*"
]
effect = "Allow"
}
statement {
sid = "AllowDeleteCloudwatchLogGroups"
actions = [
"logs:DeleteLogGroup"
]
resources = [
"arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
]
effect = "Allow"
}
statement {
sid = "AllowCloudformationOperationsOnElasticBeanstalkStacks"
actions = [
"cloudformation:*"
]
resources = [
"arn:aws:cloudformation:*:*:stack/awseb-*",
"arn:aws:cloudformation:*:*:stack/eb-*"
]
effect = "Allow"
}
}
resource "aws_iam_role_policy" "default" {
depends_on = [
aws_iam_role.ec2
]
name = "${var.application_name}-eb-default"
policy = data.aws_iam_policy_document.default.json
role = aws_iam_role.ec2.id
}
# Create elastic beanstalk Environment
resource "aws_elastic_beanstalk_environment" "environment" {
depends_on = [
aws_vpc.vpc,
aws_subnet.subnet_a,
aws_subnet.subnet_b,
aws_ssm_activation.ec2
]
application = var.environment_application
description = var.environment_description
name = var.environment_name
solution_stack_name = var.environment_solution_stack_name
tier = var.environment_tier
wait_for_ready_timeout = var.environment_wait_for_ready_timeout
version_label = var.environment_version_label
tags = local.tags
# aws:ec2:instances
setting {
namespace = "aws:ec2:instances"
name = "InstanceTypes"
value = var.instances_instance_types
}
# aws:ec2:vpc
setting {
namespace = "aws:ec2:vpc"
name = "VPCId"
value = aws_vpc.vpc.id
}
setting {
namespace = "aws:ec2:vpc"
name = "Subnets"
value = join(",", [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id])
}
setting {
namespace = "aws:ec2:vpc"
name = "AssociatePublicIpAddress"
value = var.associate_public_ip_address
}
setting {
namespace = "aws:elasticbeanstalk:environment"
name = "ServiceRole"
value = aws_iam_role.service.name
}
# aws:autoscaling:launchconfiguration
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "IamInstanceProfile"
value = aws_iam_instance_profile.ec2_iam_instance_profile.name
}
setting {
namespace = "aws:autoscaling:launchconfiguration"
name = "DisableIMDSv1"
value = true
}
dynamic "setting" {
for_each = local.elb
content {
namespace = setting.value["namespace"]
name = setting.value["name"]
value = setting.value["value"]
}
}
# aws:autoscaling:updatepolicy:rollingupdate
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "RollingUpdateEnabled"
value = var.autoscaling_updatepolicy_rolling_update_enabled
}
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "RollingUpdateType"
value = var.autoscaling_updatepolicy_rolling_update_type
}
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "MinInstancesInService"
value = var.autoscaling_updatepolicy_min_instance_in_service
}
setting {
namespace = "aws:elasticbeanstalk:application"
name = "Application Healthcheck URL"
value = var.application_healthcheck_url
}
# aws:elasticbeanstalk:command
setting {
namespace = "aws:elasticbeanstalk:command"
name = "DeploymentPolicy"
value = var.command_deployment_policy
}
# aws:autoscaling:updatepolicy:rollingupdate
setting {
namespace = "aws:autoscaling:updatepolicy:rollingupdate"
name = "MaxBatchSize"
value = var.updatepolicy_max_batch_size
}
# aws:elasticbeanstalk:healthreporting:system
setting {
namespace = "aws:elasticbeanstalk:healthreporting:system"
name = "SystemType"
value = var.healthreporting_system_type
}
# aws:elasticbeanstalk:managedactions
setting {
namespace = "aws:elasticbeanstalk:managedactions"
name = "ManagedActionsEnabled"
value = var.managedactions_managed_actions_enabled ? "true" : "false"
}
setting {
namespace = "aws:elasticbeanstalk:managedactions"
name = "PreferredStartTime"
value = var.managedactions_preferred_start_time
}
# aws:elasticbeanstalk:managedactions:platformupdate
setting {
namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
name = "UpdateLevel"
value = var.managedactions_platformupdate_update_level
}
setting {
namespace = "aws:elasticbeanstalk:managedactions:platformupdate"
name = "InstanceRefreshEnabled"
value = var.managedactions_platformupdate_instance_refresh_enabled
}
setting {
namespace = "aws:elasticbeanstalk:command"
name = "IgnoreHealthCheck"
value = var.command_ignore_health_check
}
# aws:autoscaling:asg
setting {
namespace = "aws:autoscaling:asg"
name = "MinSize"
value = var.autoscaling_asg_minsize
}
setting {
namespace = "aws:autoscaling:asg"
name = "MaxSize"
value = var.autoscaling_asg_maxsize
}
# aws:autoscaling:trigger
setting {
namespace = "aws:autoscaling:trigger"
name = "MeasureName"
value = var.autoscaling_trigger_measure_name
}
setting {
namespace = "aws:autoscaling:trigger"
name = "Statistic"
value = var.autoscaling_trigger_statistic
}
setting {
namespace = "aws:autoscaling:trigger"
name = "Unit"
value = var.autoscaling_trigger_unit
}
setting {
namespace = "aws:autoscaling:trigger"
name = "LowerThreshold"
value = var.autoscaling_trigger_lower_threshold
}
setting {
namespace = "aws:autoscaling:trigger"
name = "LowerBreachScaleIncrement"
value = var.autoscaling_trigger_lower_breach_scale_increment
}
setting {
namespace = "aws:autoscaling:trigger"
name = "UpperThreshold"
value = var.autoscaling_trigger_upper_threshold
}
setting {
namespace = "aws:autoscaling:trigger"
name = "UpperBreachScaleIncrement"
value = var.autoscaling_trigger_upper_breach_scale_increment
}
# aws:elasticbeanstalk:hostmanager
setting {
namespace = "aws:elasticbeanstalk:hostmanager"
name = "LogPublicationControl"
value = var.hostmanager_log_publication_control ? "true" : "false"
}
# aws:elasticbeanstalk:cloudwatch:logs
setting {
namespace = "aws:elasticbeanstalk:cloudwatch:logs"
name = "StreamLogs"
value = var.cloudwatch_logs_stream_logs ? "true" : "false"
}
setting {
namespace = "aws:elasticbeanstalk:cloudwatch:logs"
name = "DeleteOnTerminate"
value = var.cloudwatch_logs_delete_on_terminate ? "true" : "false"
}
setting {
namespace = "aws:elasticbeanstalk:cloudwatch:logs"
name = "RetentionInDays"
value = var.cloudwatch_logs_retention_in_days
}
# aws:elasticbeanstalk:cloudwatch:logs:health
setting {
namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
name = "HealthStreamingEnabled"
value = var.cloudwatch_logs_health_health_streaming_enabled ? "true" : "false"
}
setting {
namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
name = "DeleteOnTerminate"
value = var.cloudwatch_logs_health_delete_on_terminate ? "true" : "false"
}
setting {
namespace = "aws:elasticbeanstalk:cloudwatch:logs:health"
name = "RetentionInDays"
value = var.cloudwatch_logs_health_retention_in_days
}
# aws:elasticbeanstalk:application:environment
dynamic "setting" {
for_each = var.environment_variables
content {
namespace = "aws:elasticbeanstalk:application:environment"
name = setting.key
value = setting.value
}
}
}