From 2eae1b2fc8ac3235387770b250303a46c5d44237 Mon Sep 17 00:00:00 2001
From: Rahil
Date: Thu, 23 Mar 2023 13:37:18 +0530
Subject: [PATCH 1/2] Changes are below: 1. Added Service for Elastic Beanstalk to function. 2. Region name fixed. 3. Region name fixed in vars.tf
---
 examples/multiple_apps/ci.auto.tfvars | 2 +-
 examples/multiple_apps/iam.tf | 67 +++++++++++++++++++++++++++
 examples/multiple_apps/vars.tf | 2 +-
 3 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/examples/multiple_apps/ci.auto.tfvars b/examples/multiple_apps/ci.auto.tfvars
index ee81d1a..1db446f 100644
--- a/examples/multiple_apps/ci.auto.tfvars
+++ b/examples/multiple_apps/ci.auto.tfvars
@@ -1,6 +1,6 @@
 aws_profile = "default"
-region = "ap-south-1"
+region = "ap-southeast-1"
 name = "Application"
diff --git a/examples/multiple_apps/iam.tf b/examples/multiple_apps/iam.tf
index c8023b7..f06193a 100644
--- a/examples/multiple_apps/iam.tf
+++ b/examples/multiple_apps/iam.tf
@@ -13,3 +13,70 @@ resource "aws_iam_role" "this" {
 name = "eb_appversion_deletion_role"
 assume_role_policy = data.aws_iam_policy_document.this.json
 }
+
+
+resource "aws_iam_role_policy_attachment" "service_policy_attachment" {
+ role = aws_iam_role.this.name
+ policy_arn = aws_iam_policy.eb_custom_service_policy.arn
+}
+
+
+resource "aws_iam_policy" "eb_custom_service_policy" {
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Sid" : "AllowCloudformationReadOperationsOnElasticBeanstalkStacks",
+ "Effect" : "Allow",
+ "Action" : [
+ "cloudformation:DescribeStackResource",
+ "cloudformation:DescribeStackResources",
+ "cloudformation:DescribeStacks"
+ ],
+ "Resource" : [
+ "arn:aws:cloudformation:*:*:stack/awseb-*",
+ "arn:aws:cloudformation:*:*:stack/eb-*"
+ ]
+ },
+ {
+ "Sid" : "AllowOperations",
+ "Effect" : "Allow",
+ "Action" : [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeNotificationConfigurations",
+ "autoscaling:DescribeScalingActivities",
+ "autoscaling:PutNotificationConfiguration",
+ "ec2:DescribeInstanceStatus",
+ "ec2:AssociateAddress",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSecurityGroups",
+ "elasticloadbalancing:DescribeInstanceHealth",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "lambda:GetFunction",
+ "sqs:GetQueueAttributes",
+ "sqs:GetQueueUrl",
+ "sns:Publish"
+ ],
+ "Resource" : [
+ "*"
+ ]
+ },
+ {
+ "Sid" : "AllowOperationsOnHealthStreamingLogs",
+ "Effect" : "Allow",
+ "Action" : [
+ "logs:CreateLogStream",
+ "logs:DescribeLogGroups",
+ "logs:DescribeLogStreams",
+ "logs:DeleteLogGroup",
+ "logs:PutLogEvents"
+ ],
+ "Resource" : "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*"
+ }
+ ]
+ })
+}
\ No newline at end of file
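Review bot: The `AllowOperations` statement grants mutating actions (`ec2:AssociateAddress`, `autoscaling:PutNotificationConfiguration`, `sns:Publish`) on `"Resource" : [ "*" ]`, and the third statement adds `logs:DeleteLogGroup`, yet the policy is attached to `aws_iam_role.this`, the role named `eb_appversion_deletion_role` whose trust document `data.aws_iam_policy_document.this` lies outside this hunk — that is far wider than an app-version deletion role needs. The statement set reads like a copy of the AWS managed `AWSElasticBeanstalkEnhancedHealth` policy; if that is the intent, attaching the managed policy ARN, or at least a comment such as `# Mirrors AWSElasticBeanstalkEnhancedHealth so the EB service role can report instance health`, would make the scope auditable, and otherwise the wildcard statement should be narrowed to the actions this role actually exercises. The `aws_iam_policy` resource also sets neither `name` nor `description`, so Terraform assigns a random unique name that is hard to trace back to this module in IAM; `name = "eb-custom-service-policy"` plus a one-line `description` would fix that.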
diff --git a/examples/multiple_apps/vars.tf b/examples/multiple_apps/vars.tf
index 18f6243..fc05d4f 100644
--- a/examples/multiple_apps/vars.tf
+++ b/examples/multiple_apps/vars.tf
@@ -5,7 +5,7 @@ variable "aws_profile" {
 variable "region" {
 type = string
- default = "us-east-1"
+ default = "ap-southeast-1"
 description = "AWS region for running the TF scripts"
 }
From c1fe4da27288557ca7d692484d04f9fac2504ecd Mon Sep 17 00:00:00 2001
From: Rahil
Date: Thu, 23 Mar 2023 17:40:17 +0530
Subject: [PATCH 2/2] Added Pre-commit config files and tflint into the repo. Also the code has been formatted as per the pre-commit hook.
---
 .pre-commit-config.yaml | 20 ++++++++++++++++++++
 .tflint.hcl | 29 +++++++++++++++++++++++++++++
 examples/multiple_apps/iam.tf | 2 +-
 out.tf | 14 +++++++-------
 vars.tf | 1 -
 5 files changed, 57 insertions(+), 9 deletions(-)
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .tflint.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..7f5fed9
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,20 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.3.0
+ hooks:
+ - id: detect-aws-credentials
+ args: [--allow-missing-credentials]
+ - id: detect-private-key
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.74.1
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_tfsec
+ args:
+ - >
+ - --args=--exclude-downloaded-modules
+ - id: terraform_tflint
+ args:
+ - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
diff --git a/.tflint.hcl b/.tflint.hcl
new file mode 100644
index 0000000..a00a5b1
--- /dev/null
+++ b/.tflint.hcl
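Review bot: The `terraform_tfsec` hook's `args` has `- >` on one line and `- --args=--exclude-downloaded-modules` on the next; a folded scalar with nothing under it followed by a second list item hands tfsec an empty-string argument before the real one, and if the second line is instead indented under the `>` the hook gets a single argument whose value begins with the literal `- ` (indentation is not recoverable from this view, so which case applies is inferred). The intended form is either the flag as the folded scalar's continuation line, `- >` then `--args=--exclude-downloaded-modules`, or simply `- --args=--exclude-downloaded-modules`. Both hook repositories are pinned by tag (`v4.3.0`, `v1.74.1`); `rev` also accepts a full commit SHA, which keeps a moved or re-pushed tag from silently changing what runs on every commit.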
@@ -0,0 +1,29 @@
+plugin "aws" {
+ enabled = true
+ version = "0.18.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
+
+rule "terraform_naming_convention" {
+ enabled = true
+}
+
+rule "terraform_unused_declarations" {
+ enabled = true
+}
+
+rule "terraform_deprecated_index" {
+ enabled = true
+}
+
+rule "terraform_documented_outputs" {
+ enabled = true
+}
+
+rule "terraform_documented_variables" {
+ enabled = true
+}
+
+rule "terraform_typed_variables" {
+ enabled = true
+}
diff --git a/examples/multiple_apps/iam.tf b/examples/multiple_apps/iam.tf
index f06193a..dfc962f 100644
--- a/examples/multiple_apps/iam.tf
+++ b/examples/multiple_apps/iam.tf
@@ -79,4 +79,4 @@ resource "aws_iam_policy" "eb_custom_service_policy" {
 }
 ]
 })
-}
\ No newline at end of file
+}
diff --git a/out.tf b/out.tf
index a5bc5f1..151baa1 100644
--- a/out.tf
+++ b/out.tf
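Review bot: Enabling `terraform_deprecated_index` will flag the legacy dot-index syntax that `out.tf` still carries after this commit — the out.tf hunk below keeps `aws_elastic_beanstalk_application.this.appversion_lifecycle.0.service_role` and its three sibling outputs on the new side — so the `terraform_tflint` hook pointed at this config should fail on exactly the code the commit message says was formatted to pass it (unless the hook run is scoped away from the module root). The fix belongs in out.tf rather than here: change each of the four `appversion_lifecycle.0.` references to `appversion_lifecycle[0].`, e.g. `value = aws_elastic_beanstalk_application.this.appversion_lifecycle[0].service_role`. Pinning `version = "0.18.0"` for the `aws` plugin is the right call; a comment above the plugin block recording why that version was chosen would help whoever bumps it next.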
@@ -1,34 +1,34 @@
 output "name" {
- value = aws_elastic_beanstalk_application.this.name
+ value = aws_elastic_beanstalk_application.this.name
 description = "Elastic beanstalk application name"
 }
 output "description" {
- value = aws_elastic_beanstalk_application.this.description
+ value = aws_elastic_beanstalk_application.this.description
 description = "Elastic beanstalk application description"
 }
 output "tags" {
- value = aws_elastic_beanstalk_application.this.tags
+ value = aws_elastic_beanstalk_application.this.tags
 description = "Elastic beanstalk application tags"
 }
 output "service_role" {
- value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.service_role
+ value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.service_role
 description = "Elastic beanstalk application appversion service role"
 }
 output "max_age_in_days" {
- value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.max_age_in_days
+ value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.max_age_in_days
 description = "Elastic beanstalk application appversion max age in days"
 }
 output "delete_source_from_s3" {
- value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.delete_source_from_s3
+ value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.delete_source_from_s3
 description = "Elastic beanstalk application appversion delete source from s3"
 }
 output "max_count" {
- value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.max_count
+ value = aws_elastic_beanstalk_application.this.appversion_lifecycle.0.max_count
 description = "Elastic beanstalk application appversion max count"
 }
diff --git a/vars.tf b/vars.tf
index f3383bd..2e69c1d 100644
--- a/vars.tf
+++ b/vars.tf
@@ -38,4 +38,3 @@ variable "appversion_delete_source_from_s3" {
 default = false
 description = "(Optional) Set to true to delete a version's source bundle from S3 when the application version is deleted."
 }
-