- Insufficient permissions
- The provided role does not have sufficient permissions to access
- Elastic Beanstalk: Access Denied
/************************************************
 * Code Build
 ***********************************************/
# CodeBuild project that runs the pipeline's build stage. Both the source and
# the artifacts are of type CODEPIPELINE, so no repository or bucket is named
# here; the build runs under the CodeBuild service role defined in this file.
resource "aws_codebuild_project" "project-name-codebuild" {
  name          = "${var.project}-codebuild"
  service_role  = "${aws_iam_role.project-name-codebuild-role.arn}"
  build_timeout = "15" # minutes

  source {
    type = "CODEPIPELINE"
  }

  artifacts {
    type = "CODEPIPELINE"
  }

  environment {
    type         = "LINUX_CONTAINER"
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/java:openjdk-8"
  }

  tags {
    Name        = "${var.project}"
    Environment = "${var.environment}"
  }
}
# ECR repository named after the project. No other resource in this listing
# references it, and no repository policy is declared for it here.
resource "aws_ecr_repository" "project-name-ecr-repository" {
  name = "${var.project}-ecr-repository"
}
# Service role for the CodeBuild project. The trust policy allows only the
# CodeBuild service principal to assume it; the permissions themselves come
# from the inline policy and the bucket-access attachment defined separately.
resource "aws_iam_role" "project-name-codebuild-role" {
  name = "${var.project}-codebuild-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
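# Inline policy for the CodeBuild service role: lets a build create its
# CloudWatch Logs log group and log streams and write events to them.
#
# The resources are limited to this project's default log group,
# /aws/codebuild/<project name>, instead of "*", so the build role cannot
# create or write to unrelated log groups in the account. Region and account
# stay as wildcards because this listing defines no data source for them.
# NOTE(review): if the project is later given a custom log group, update the
# two ARNs below to match.
resource "aws_iam_role_policy" "project-name-codebuild-role-policy" {
  role = "${aws_iam_role.project-name-codebuild-role.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/codebuild/${var.project}-codebuild",
        "arn:aws:logs:*:*:log-group:/aws/codebuild/${var.project}-codebuild:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    }
  ]
}
POLICY
}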
# Attaches the artifact-bucket access policy to the CodeBuild role so builds
# can read the source artifact and write the build artifact.
resource "aws_iam_role_policy_attachment" "project-name-codebuild-role-policy-bucket" {
  role       = "${aws_iam_role.project-name-codebuild-role.name}"
  policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
}
/************************************************
 * Code Pipeline
 ***********************************************/
# Three-stage pipeline: GitHub source -> CodeBuild -> Elastic Beanstalk deploy.
# Artifacts pass between stages through the S3 bucket defined in this file,
# and every action runs with the permissions of the pipeline role.
resource "aws_codepipeline" "project-name-code-pipeline" {
  name     = "${var.project}-code-pipeline"
  role_arn = "${aws_iam_role.project-name-code-pipeline-role.arn}"

  artifact_store {
    type     = "S3"
    location = "${aws_s3_bucket.project-name-code-pipeline-bucket.bucket}"
  }

  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["source"]

      # NOTE(review): the GitHub token is passed in as a resource argument, so
      # Terraform records it in its state file. Keep the state in an encrypted,
      # access-controlled backend and keep the variable's value out of version
      # control.
      configuration {
        Owner      = "Owner"
        Repo       = "project-name"
        Branch     = "master"
        OAuthToken = "${var.github-token}"
      }
    }
  }

  stage {
    name = "Build-Everything"

    action {
      name             = "Build"
      category         = "Build"
      owner            = "AWS"
      provider         = "CodeBuild"
      version          = "1"
      input_artifacts  = ["source"]
      output_artifacts = ["build"]

      configuration {
        ProjectName = "${aws_codebuild_project.project-name-codebuild.name}"
      }
    }
  }

  stage {
    name = "Deploy"

    # The application and environment referenced here are defined outside this
    # listing.
    action {
      name            = "Deploy"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "ElasticBeanstalk"
      version         = "1"
      input_artifacts = ["build"]

      configuration {
        ApplicationName = "${aws_elastic_beanstalk_application.project-name.name}"
        EnvironmentName = "${aws_elastic_beanstalk_environment.project-name-environment.name}"
      }
    }
  }
}
# Artifact store for the pipeline; it holds the source and build artifacts.
# NOTE(review): only a private ACL is set. This listing declares no default
# encryption, versioning or public-access block for the bucket; confirm those
# are enforced elsewhere (for example at account level).
resource "aws_s3_bucket" "project-name-code-pipeline-bucket" {
  acl    = "private"
  bucket = "${var.project}-code-pipeline-bucket"
}
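# Managed policy granting read/list access and s3:PutObject on the pipeline's
# artifact bucket and its objects. It is attached to both the CodeBuild role
# and the pipeline role.
#
# Two actions from the original list are dropped:
#   - s3:CreateBucket: the bucket is created by Terraform, so neither role
#     needs to be able to create it.
#   - s3:ListAllMyBuckets: this action is not bucket-scoped, so it grants
#     nothing when the resource is a single bucket ARN.
# NOTE(review): the remaining Get*/List* actions are still broader than an
# artifact hand-off usually requires; trim them once the pipeline is working.
resource "aws_iam_policy" "project-name-code-pipeline-bucket-access" {
  name = "${var.project}-code-pipeline-bucket-access"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}",
        "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}/*"
      ],
      "Action": [
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionTorrent",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ]
    }
  ]
}
POLICY
}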
# Service role the pipeline runs as. The trust policy allows only the
# CodePipeline service principal to assume it.
resource "aws_iam_role" "project-name-code-pipeline-role" {
  name = "${var.project}-code-pipeline-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codepipeline.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
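# Inline policy for the pipeline role.
#
# Change from the original: a statement granting codebuild:StartBuild and
# codebuild:BatchGetBuilds on this project is added. The pipeline has a
# CodeBuild action, and neither this policy nor the attached bucket policy
# granted those calls.
#
# NOTE(review), left unchanged on purpose:
#   - The first statement allows s3:GetObject / s3:GetObjectVersion on "*",
#     so the role can read any object in any bucket in the account. Scope it
#     to the buckets the pipeline actually reads once the deploy works.
#   - The codedeploy:* and lambda:* statements are not used by any stage shown
#     in this listing; remove them if no other pipeline shares this role.
#   - The s3:PutObject statement names "codepipeline*" and "elasticbeanstalk*"
#     buckets. The artifact bucket here is named "<project>-code-pipeline-
#     bucket" and is covered by the attached bucket-access policy instead.
#   - The "Access Denied" reported for the Elastic Beanstalk deploy action is
#     not explained by anything visible here. Look up the AccessDenied event
#     for this role in CloudTrail and grant that specific action and resource,
#     rather than widening these statements to service-level wildcards.
resource "aws_iam_role_policy" "project-name-code-pipeline-role-policy" {
  name = "${var.project}-code-pipeline-role-policy"
  role = "${aws_iam_role.project-name-code-pipeline-role.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketVersioning"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::codepipeline*",
        "arn:aws:s3:::elasticbeanstalk*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "codebuild:StartBuild",
        "codebuild:BatchGetBuilds"
      ],
      "Resource": "arn:aws:codebuild:*:*:project/${var.project}-codebuild",
      "Effect": "Allow"
    },
    {
      "Action": [
        "codedeploy:CreateDeployment",
        "codedeploy:GetApplicationRevision",
        "codedeploy:GetDeployment",
        "codedeploy:GetDeploymentConfig",
        "codedeploy:RegisterApplicationRevision"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:UpdateEnvironment",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:ResumeProcesses",
        "autoscaling:SuspendProcesses",
        "cloudformation:GetTemplate",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateStack",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "elasticloadbalancing:DescribeLoadBalancers",
        "rds:DescribeDBInstances",
        "rds:DescribeOrderableDBInstanceOptions",
        "sns:ListSubscriptionsByTopic"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "lambda:invokefunction",
        "lambda:listfunctions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketPolicy",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::elasticbeanstalk*",
      "Effect": "Allow"
    }
  ]
}
EOF
}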
# Attaches the artifact-bucket access policy to the pipeline role, in addition
# to the role's inline policy.
resource "aws_iam_role_policy_attachment" "project-name-code-pipeline-role-policy-attachment" {
  role       = "${aws_iam_role.project-name-code-pipeline-role.name}"
  policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
}