CodePipeline с Terraform и Beanstalk - PullRequest
/ 23 мая 2018

Я пытаюсь создать конвейер для развертывания на Beanstalk, но постоянно получаю сообщение об ошибке в секции deploy конвейера:

Insufficient permissions
The provided role does not have sufficient permissions to access 
Elastic Beanstalk: Access Denied

Чего мне не хватает?

/************************************************
 * Code Build
 ***********************************************/

# CodeBuild project that runs the Build stage of the pipeline declared below.
# Source and artifacts are both handed over by CodePipeline, so the project
# owns neither a repository nor a bucket of its own.
resource "aws_codebuild_project" "project-name-codebuild" {
  name          = "${var.project}-codebuild"
  service_role  = "${aws_iam_role.project-name-codebuild-role.arn}"
  build_timeout = "15"

  source {
    type = "CODEPIPELINE"
  }

  artifacts {
    type = "CODEPIPELINE"
  }

  environment {
    type         = "LINUX_CONTAINER"
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/java:openjdk-8"
  }

  tags {
    Name        = "${var.project}"
    Environment = "${var.environment}"
  }
}

# Container registry for the project.  Note that no policy in this file
# grants the CodeBuild role any ecr:* action, so a build that pushes here
# would need those permissions added to the CodeBuild role policy.
resource "aws_ecr_repository" "project-name-ecr-repository" {
  name = "${var.project}-ecr-repository"
}

# Service role assumed by CodeBuild for the project above.  The trust policy
# only names the CodeBuild service principal; permissions are attached
# separately (inline log policy + artifact-bucket policy attachment).
resource "aws_iam_role" "project-name-codebuild-role" {
  name = "${var.project}-codebuild-role"

  assume_role_policy = <<TRUST
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      }
    }
  ]
}
TRUST
}

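# Inline policy for the CodeBuild service role.
#
# The log permissions are scoped to the log group CodeBuild creates for this
# project (/aws/codebuild/<project name>, i.e. the `name` of
# aws_codebuild_project.project-name-codebuild) instead of "*", so the build
# cannot create or write into other log groups in the account.  Access to the
# pipeline artifact bucket comes from the policy attachment below.  Nothing in
# this file grants ECR access; if the build pushes an image to
# aws_ecr_repository.project-name-ecr-repository it additionally needs
# ecr:GetAuthorizationToken and the layer-upload / ecr:PutImage actions.
resource "aws_iam_role_policy" "project-name-codebuild-role-policy" {
  role = "${aws_iam_role.project-name-codebuild-role.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:/aws/codebuild/${var.project}-codebuild",
        "arn:aws:logs:*:*:log-group:/aws/codebuild/${var.project}-codebuild:*"
      ]
    }
  ]
}
POLICY
}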

# Gives the CodeBuild role read/write access to the pipeline artifact bucket
# (the same managed policy is attached to the pipeline role further down).
resource "aws_iam_role_policy_attachment" "project-name-codebuild-role-policy-bucket" {
  role       = "${aws_iam_role.project-name-codebuild-role.name}"
  policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
}

/************************************************
 * Code Pipeline
 ***********************************************/

# Three-stage pipeline: GitHub source -> CodeBuild -> Elastic Beanstalk.
# Artifacts move between stages through the S3 bucket declared further down;
# every action runs under aws_iam_role.project-name-code-pipeline-role.
resource "aws_codepipeline" "project-name-code-pipeline" {
  name     = "${var.project}-code-pipeline"
  role_arn = "${aws_iam_role.project-name-code-pipeline-role.arn}"

  artifact_store {
    type     = "S3"
    location = "${aws_s3_bucket.project-name-code-pipeline-bucket.bucket}"
  }

  # Stage 1: pull the master branch from GitHub into the "source" artifact.
  stage {
    name = "Source"

    action {
      name             = "Source"
      category         = "Source"
      owner            = "ThirdParty"
      provider         = "GitHub"
      version          = "1"
      output_artifacts = ["source"]

      # The OAuth token is a secret.  As a resource argument it is written to
      # the Terraform state in plaintext, so protect the state file as such.
      configuration {
        Owner      = "Owner"
        Repo       = "project-name"
        Branch     = "master"
        OAuthToken = "${var.github-token}"
      }
    }
  }

  # Stage 2: run the CodeBuild project; "source" in, "build" out.
  stage {
    name = "Build-Everything"

    action {
      name             = "Build"
      category         = "Build"
      owner            = "AWS"
      provider         = "CodeBuild"
      version          = "1"
      input_artifacts  = ["source"]
      output_artifacts = ["build"]

      configuration {
        ProjectName = "${aws_codebuild_project.project-name-codebuild.name}"
      }
    }
  }

  # Stage 3: push the "build" artifact to the Elastic Beanstalk environment.
  # The pipeline role has to be allowed to call Elastic Beanstalk for this
  # action; that is where an "Insufficient permissions" error surfaces.
  stage {
    name = "Deploy"

    action {
      name            = "Deploy"
      category        = "Deploy"
      owner           = "AWS"
      provider        = "ElasticBeanstalk"
      version         = "1"
      input_artifacts = ["build"]

      configuration {
        ApplicationName = "${aws_elastic_beanstalk_application.project-name.name}"
        EnvironmentName = "${aws_elastic_beanstalk_environment.project-name-environment.name}"
      }
    }
  }
}

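# Artifact store for the pipeline.  It holds the GitHub checkout and the
# CodeBuild output, so besides the private ACL the bucket keeps object
# versions (an artifact overwritten by a later run can still be inspected)
# and encrypts everything at rest by default.
resource "aws_s3_bucket" "project-name-code-pipeline-bucket" {
  bucket = "${var.project}-code-pipeline-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}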

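# Managed policy granting access to the pipeline artifact bucket; attached to
# both the CodeBuild role and the pipeline role.
#
# Two entries from the original list are dropped because they can never take
# effect with these resources: s3:ListAllMyBuckets is an account-level action
# that only matches Resource "*", and s3:CreateBucket on the ARN of a bucket
# this file already creates has nothing left to create.  The remaining
# actions are the reads, writes and multipart-upload calls needed to move
# artifacts in and out of the bucket.
resource "aws_iam_policy" "project-name-code-pipeline-bucket-access" {
  name = "${var.project}-code-pipeline-bucket-access"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}",
        "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}/*"
      ],
      "Action": [
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionTorrent",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ]
    }
  ]
}
POLICY
}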

# Service role assumed by CodePipeline for the pipeline above.  Only the
# CodePipeline service principal may assume it; the permissions it carries
# are the inline policy and the bucket-access attachment that follow.
resource "aws_iam_role" "project-name-code-pipeline-role" {
  name = "${var.project}-code-pipeline-role"

  assume_role_policy = <<TRUST
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "codepipeline.amazonaws.com"
      }
    }
  ]
}
TRUST
}

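# Inline policy for the CodePipeline service role.
#
# Changes against the original policy:
#  * codebuild:StartBuild and codebuild:BatchGetBuilds are granted on the
#    project's ARN: the Build stage (provider "CodeBuild") needs them to start
#    and poll the build, and no other policy in this file grants them.
#  * The S3 read statement is limited to the artifact bucket declared in this
#    file plus the "codepipeline*" / "elasticbeanstalk*" bucket prefixes the
#    PutObject statement already uses, instead of every bucket in the account.
#  * The CodeDeploy and Lambda statements are removed: none of the three
#    stages (GitHub source, CodeBuild, ElasticBeanstalk deploy) calls those
#    services.  Re-add them if such an action is added to the pipeline.
#
# The Elastic Beanstalk / CloudFormation / EC2 statement is kept exactly as it
# was.  It is narrower than the wildcard policy the CodePipeline console
# generates for a service role, so an "Access Denied" in the Deploy stage is
# most likely an action missing from that statement; the IAM console's access
# advisor or CloudTrail shows which call was refused.  Widen it one action at
# a time rather than leaving "elasticbeanstalk:*" in place permanently.
resource "aws_iam_role_policy" "project-name-code-pipeline-role-policy" {
  name = "${var.project}-code-pipeline-role-policy"
  role = "${aws_iam_role.project-name-code-pipeline-role.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketVersioning"
      ],
      "Resource": [
        "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}",
        "${aws_s3_bucket.project-name-code-pipeline-bucket.arn}/*",
        "arn:aws:s3:::codepipeline*",
        "arn:aws:s3:::elasticbeanstalk*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::codepipeline*",
        "arn:aws:s3:::elasticbeanstalk*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketPolicy",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::elasticbeanstalk*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:StartBuild",
        "codebuild:BatchGetBuilds"
      ],
      "Resource": "${aws_codebuild_project.project-name-codebuild.arn}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:CreateApplicationVersion",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:UpdateEnvironment",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:ResumeProcesses",
        "autoscaling:SuspendProcesses",
        "cloudformation:GetTemplate",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:UpdateStack",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeAddresses",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "elasticloadbalancing:DescribeLoadBalancers",
        "rds:DescribeDBInstances",
        "rds:DescribeOrderableDBInstanceOptions",
        "sns:ListSubscriptionsByTopic"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}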

# Gives the pipeline role read/write access to the artifact bucket through the
# same managed policy that is attached to the CodeBuild role.
resource "aws_iam_role_policy_attachment" "project-name-code-pipeline-role-policy-attachment" {
  role       = "${aws_iam_role.project-name-code-pipeline-role.name}"
  policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
}

1 Ответ

/ 18 июня 2018

Я бы предложил проверить эти вещи для отладки:

  1. Создал ли шаблон ресурсы, которые вы ожидали?
    1. Правильно ли настроена роль конвейера? Вы можете выполнить aws codepipeline get-pipeline, чтобы получить ARN роли конвейера, и в консоли IAM убедиться, что политика соответствует вашим ожиданиям.
  2. Не отсутствуют ли в политике какие-то разрешения Elastic Beanstalk? Я не уверен, какие именно, но попробуйте изменить политику на "elasticbeanstalk:*".
  3. Попробуйте принять роль конвейера в консоли и вручную развернуть экземпляр Elastic Beanstalk — возможно, консоль Elastic Beanstalk покажет более подробную информацию об ошибке.
...