  1. Insufficient permissions
  2. The provided role does not have sufficient permissions to access
  3. Elastic Beanstalk: Access Denied
  4.  
  5. /************************************************
  6. * Code Build
  7. ***********************************************/
  8.  
  9. resource "aws_codebuild_project" "project-name-codebuild" {
  10. name = "${var.project}-codebuild"
  11. build_timeout = "15"
  12. service_role = "${aws_iam_role.project-name-codebuild-role.arn}"
  13.  
  14. artifacts {
  15. type = "CODEPIPELINE"
  16. }
  17.  
  18. environment {
  19. compute_type = "BUILD_GENERAL1_SMALL"
  20. type = "LINUX_CONTAINER"
  21. image = "aws/codebuild/java:openjdk-8"
  22. }
  23.  
  24. source {
  25. type = "CODEPIPELINE"
  26. }
  27.  
  28. tags {
  29. Name = "${var.project}"
  30. Environment = "${var.environment}"
  31. }
  32. }
  33.  
# Container registry for the project.
# NOTE(review): nothing else in this file refers to this repository — neither
# IAM role is granted any ecr:* action and no pipeline stage pushes an image —
# so as written a build cannot push here. Confirm whether it is still needed.
resource "aws_ecr_repository" "project-name-ecr-repository" {
  name = "${var.project}-ecr-repository"
}
  37.  
  38. resource "aws_iam_role" "project-name-codebuild-role" {
  39. name = "${var.project}-codebuild-role"
  40.  
  41. assume_role_policy = <<EOF
  42. {
  43. "Version": "2012-10-17",
  44. "Statement": [
  45. {
  46. "Effect": "Allow",
  47. "Principal": {
  48. "Service": "codebuild.amazonaws.com"
  49. },
  50. "Action": "sts:AssumeRole"
  51. }
  52. ]
  53. }
  54. EOF
  55. }
  56.  
  57. resource "aws_iam_role_policy" "project-name-codebuild-role-policy" {
  58. role = "${aws_iam_role.project-name-codebuild-role.id}"
  59.  
  60. policy = <<POLICY
  61. {
  62. "Version": "2012-10-17",
  63. "Statement": [
  64. {
  65. "Effect": "Allow",
  66. "Resource": [
  67. "*"
  68. ],
  69. "Action": [
  70. "logs:CreateLogGroup",
  71. "logs:CreateLogStream",
  72. "logs:PutLogEvents"
  73. ]
  74. }
  75. ]
  76. }
  77. POLICY
  78. }
  79.  
  80. resource "aws_iam_role_policy_attachment" "project-name-codebuild-role-policy-bucket" {
  81. policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
  82. role = "${aws_iam_role.project-name-codebuild-role.name}"
  83. }
  84.  
  85. /************************************************
  86. * Code Pipeline
  87. ***********************************************/
  88.  
# Three-stage pipeline: GitHub source -> CodeBuild -> Elastic Beanstalk.
# Artifacts between stages live in the private S3 bucket declared below.
resource "aws_codepipeline" "project-name-code-pipeline" {
  name = "${var.project}-code-pipeline"
  role_arn = "${aws_iam_role.project-name-code-pipeline-role.arn}"

  artifact_store {
    location = "${aws_s3_bucket.project-name-code-pipeline-bucket.bucket}"
    type = "S3"
  }

  stage {
    name = "Source"

    # Version-1 GitHub action authenticated with a personal OAuth token.
    action {
      name = "Source"
      category = "Source"
      owner = "ThirdParty"
      provider = "GitHub"
      version = "1"
      output_artifacts = [
        "source"]

      configuration {
        # "Owner" looks like a literal placeholder for the GitHub org/user —
        # confirm before applying.
        Owner = "Owner"
        Repo = "project-name"
        Branch = "master"
        # SECURITY: the token is passed as a plain variable, so it is written
        # in clear text to the Terraform state (and shown in plan output).
        # Treat the state backend as holding a GitHub credential, and scope
        # the token to the minimum the source action needs.
        OAuthToken = "${var.github-token}"
      }
    }
  }

  stage {
    name = "Build-Everything"

    # Runs the CodeBuild project declared above. CodePipeline invokes it with
    # the pipeline role, so that role needs codebuild:StartBuild /
    # codebuild:BatchGetBuilds on the project — check the role policy below.
    action {
      name = "Build"
      category = "Build"
      owner = "AWS"
      provider = "CodeBuild"
      input_artifacts = [
        "source"]
      output_artifacts = [
        "build"]
      version = "1"

      configuration {
        ProjectName = "${aws_codebuild_project.project-name-codebuild.name}"
      }
    }
  }

  stage {
    name = "Deploy"

    # Deploys the build artifact to an Elastic Beanstalk environment declared
    # elsewhere (the application/environment resources are not in this file).
    action {
      name = "Deploy"
      category = "Deploy"
      owner = "AWS"
      provider = "ElasticBeanstalk"
      input_artifacts = [
        "build"]
      version = "1"

      configuration {
        ApplicationName = "${aws_elastic_beanstalk_application.project-name.name}"
        EnvironmentName = "${aws_elastic_beanstalk_environment.project-name-environment.name}"
      }
    }
  }
}
  158.  
  159. resource "aws_s3_bucket" "project-name-code-pipeline-bucket" {
  160. bucket = "${var.project}-code-pipeline-bucket"
  161. acl = "private"
  162. }
  163.  
  164. resource "aws_iam_policy" "project-name-code-pipeline-bucket-access" {
  165. name = "${var.project}-code-pipeline-bucket-access"
  166.  
  167. policy = <<POLICY
  168. {
  169. "Version": "2012-10-17",
  170. "Statement": [
  171. {
  172. "Effect":"Allow",
  173. "Resource": [
  174. "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}",
  175. "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}/*"
  176. ],
  177. "Action": [
  178. "s3:CreateBucket",
  179. "s3:GetAccelerateConfiguration",
  180. "s3:GetBucketAcl",
  181. "s3:GetBucketCORS",
  182. "s3:GetBucketLocation",
  183. "s3:GetBucketLogging",
  184. "s3:GetBucketNotification",
  185. "s3:GetBucketPolicy",
  186. "s3:GetBucketRequestPayment",
  187. "s3:GetBucketTagging",
  188. "s3:GetBucketVersioning",
  189. "s3:GetBucketWebsite",
  190. "s3:GetLifecycleConfiguration",
  191. "s3:GetObject",
  192. "s3:GetObjectAcl",
  193. "s3:GetObjectTagging",
  194. "s3:GetObjectTorrent",
  195. "s3:GetObjectVersion",
  196. "s3:GetObjectVersionAcl",
  197. "s3:GetObjectVersionTagging",
  198. "s3:GetObjectVersionTorrent",
  199. "s3:GetReplicationConfiguration",
  200. "s3:ListAllMyBuckets",
  201. "s3:ListBucket",
  202. "s3:ListBucketMultipartUploads",
  203. "s3:ListBucketVersions",
  204. "s3:ListMultipartUploadParts",
  205. "s3:PutObject"
  206. ]
  207. }
  208. ]
  209. }
  210. POLICY
  211. }
  212.  
  213. resource "aws_iam_role" "project-name-code-pipeline-role" {
  214. name = "${var.project}-code-pipeline-role"
  215.  
  216. assume_role_policy = <<EOF
  217. {
  218. "Version": "2012-10-17",
  219. "Statement": [
  220. {
  221. "Effect": "Allow",
  222. "Principal": {
  223. "Service": "codepipeline.amazonaws.com"
  224. },
  225. "Action": "sts:AssumeRole"
  226. }
  227. ]
  228. }
  229. EOF
  230. }
  231.  
  232. resource "aws_iam_role_policy" "project-name-code-pipeline-role-policy" {
  233. name = "${var.project}-code-pipeline-role-policy"
  234. role = "${aws_iam_role.project-name-code-pipeline-role.id}"
  235.  
  236. policy = <<EOF
  237. {
  238. "Statement": [
  239. {
  240. "Action": [
  241. "s3:GetObject",
  242. "s3:GetObjectVersion",
  243. "s3:GetBucketVersioning"
  244. ],
  245. "Resource": "*",
  246. "Effect": "Allow"
  247. },
  248. {
  249. "Action": [
  250. "s3:PutObject"
  251. ],
  252. "Resource": [
  253. "arn:aws:s3:::codepipeline*",
  254. "arn:aws:s3:::elasticbeanstalk*"
  255. ],
  256. "Effect": "Allow"
  257. },
  258. {
  259. "Action": [
  260. "codedeploy:CreateDeployment",
  261. "codedeploy:GetApplicationRevision",
  262. "codedeploy:GetDeployment",
  263. "codedeploy:GetDeploymentConfig",
  264. "codedeploy:RegisterApplicationRevision"
  265. ],
  266. "Resource": "*",
  267. "Effect": "Allow"
  268. },
  269. {
  270. "Action": [
  271. "elasticbeanstalk:CreateApplicationVersion",
  272. "elasticbeanstalk:DescribeApplicationVersions",
  273. "elasticbeanstalk:DescribeEnvironments",
  274. "elasticbeanstalk:DescribeEvents",
  275. "elasticbeanstalk:UpdateEnvironment",
  276. "autoscaling:DescribeAutoScalingGroups",
  277. "autoscaling:DescribeLaunchConfigurations",
  278. "autoscaling:DescribeScalingActivities",
  279. "autoscaling:ResumeProcesses",
  280. "autoscaling:SuspendProcesses",
  281. "cloudformation:GetTemplate",
  282. "cloudformation:DescribeStackResource",
  283. "cloudformation:DescribeStackResources",
  284. "cloudformation:DescribeStackEvents",
  285. "cloudformation:DescribeStacks",
  286. "cloudformation:UpdateStack",
  287. "ec2:DescribeInstances",
  288. "ec2:DescribeImages",
  289. "ec2:DescribeAddresses",
  290. "ec2:DescribeSubnets",
  291. "ec2:DescribeVpcs",
  292. "ec2:DescribeSecurityGroups",
  293. "ec2:DescribeKeyPairs",
  294. "elasticloadbalancing:DescribeLoadBalancers",
  295. "rds:DescribeDBInstances",
  296. "rds:DescribeOrderableDBInstanceOptions",
  297. "sns:ListSubscriptionsByTopic"
  298. ],
  299. "Resource": "*",
  300. "Effect": "Allow"
  301. },
  302. {
  303. "Action": [
  304. "lambda:invokefunction",
  305. "lambda:listfunctions"
  306. ],
  307. "Resource": "*",
  308. "Effect": "Allow"
  309. },
  310. {
  311. "Action": [
  312. "s3:ListBucket",
  313. "s3:GetBucketPolicy",
  314. "s3:GetObjectAcl",
  315. "s3:PutObjectAcl",
  316. "s3:DeleteObject"
  317. ],
  318. "Resource": "arn:aws:s3:::elasticbeanstalk*",
  319. "Effect": "Allow"
  320. }
  321. ],
  322. "Version": "2012-10-17"
  323. }
  324. EOF
  325. }
  326.  
  327. resource "aws_iam_role_policy_attachment" "project-name-code-pipeline-role-policy-attachment" {
  328. policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
  329. role = "${aws_iam_role.project-name-code-pipeline-role.name}"
  330. }