From 0b227b0e44b8f36217de51b0c1abc33293be5597 Mon Sep 17 00:00:00 2001 From: Anton Kachurin Date: Tue, 23 Mar 2021 12:52:56 -0400 Subject: [PATCH] Update service role policy (#175) * Use recommended service policy * Make new service role optional * Document prefer_legacy_service_policy variable * Auto Format * Recommend to use new service policy in readme * Auto Format Co-authored-by: Anton Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> --- README.md | 3 +++ README.yaml | 2 ++ docs/terraform.md | 1 + examples/complete/main.tf | 1 + main.tf | 2 +- variables.tf | 6 ++++++ 6 files changed, 14 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fef0ef62..53809324 100644 --- a/README.md +++ b/README.md @@ -158,6 +158,8 @@ For a complete example, see [examples/complete](examples/complete) application_subnets = module.subnets.private_subnet_ids allowed_security_groups = [module.vpc.vpc_default_security_group_id] + prefer_legacy_service_policy = false + // https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html // https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.docker solution_stack_name = "64bit Amazon Linux 2018.03 v2.12.17 running Docker 18.06.1-ce" @@ -310,6 +312,7 @@ Available targets: | managed\_actions\_enabled | Enable managed platform updates. When you set this to true, you must also specify a `PreferredStartTime` and `UpdateLevel` | `bool` | `true` | no | | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| prefer\_legacy\_service\_policy | Whether to use AWSElasticBeanstalkService (deprecated) or AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy policy | `bool` | `true` | no | | prefer\_legacy\_ssm\_policy | Whether to use AmazonEC2RoleforSSM (will soon be deprecated) or AmazonSSMManagedInstanceCore policy | `bool` | `true` | no | | preferred\_start\_time | Configure a maintenance window for managed actions in UTC | `string` | `"Sun:10:00"` | no | | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | diff --git a/README.yaml b/README.yaml index b78a4664..f8dba690 100644 --- a/README.yaml +++ b/README.yaml @@ -123,6 +123,8 @@ usage: |- application_subnets = module.subnets.private_subnet_ids allowed_security_groups = [module.vpc.vpc_default_security_group_id] + prefer_legacy_service_policy = false + // https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html // https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.docker solution_stack_name = "64bit Amazon Linux 2018.03 v2.12.17 running Docker 18.06.1-ce" diff --git a/docs/terraform.md b/docs/terraform.md index 2200dbeb..d32e6a30 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -103,6 +103,7 @@ | managed\_actions\_enabled | Enable managed platform updates. When you set this to true, you must also specify a `PreferredStartTime` and `UpdateLevel` | `bool` | `true` | no | | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| prefer\_legacy\_service\_policy | Whether to use AWSElasticBeanstalkService (deprecated) or AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy policy | `bool` | `true` | no | | prefer\_legacy\_ssm\_policy | Whether to use AmazonEC2RoleforSSM (will soon be deprecated) or AmazonSSMManagedInstanceCore policy | `bool` | `true` | no | | preferred\_start\_time | Configure a maintenance window for managed actions in UTC | `string` | `"Sun:10:00"` | no | | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 8b1661c6..e24df404 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -83,6 +83,7 @@ module "elastic_beanstalk_environment" { extended_ec2_policy_document = data.aws_iam_policy_document.minimal_s3_permissions.json prefer_legacy_ssm_policy = false + prefer_legacy_service_policy = false context = module.this.context } diff --git a/main.tf b/main.tf index 0f197bc7..e854e63c 100644 --- a/main.tf +++ b/main.tf @@ -30,7 +30,7 @@ resource "aws_iam_role_policy_attachment" "enhanced_health" { resource "aws_iam_role_policy_attachment" "service" { role = aws_iam_role.service.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService" + policy_arn = var.prefer_legacy_service_policy ? "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService" : "arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy" } # diff --git a/variables.tf b/variables.tf index 78a07928..11e2806f 100644 --- a/variables.tf +++ b/variables.tf @@ -471,6 +471,12 @@ variable "prefer_legacy_ssm_policy" { description = "Whether to use AmazonEC2RoleforSSM (will soon be deprecated) or AmazonSSMManagedInstanceCore policy" } +variable "prefer_legacy_service_policy" { + type = bool + default = true + description = "Whether to use AWSElasticBeanstalkService (deprecated) or AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy policy" +} + variable "s3_bucket_access_log_bucket_name" { type = string default = ""