Merge pull request #8 from Sellix/feature/multi-environment

Elastic Beanstalk multi environment
Sellix · Nov 21, 2021 · e37a367 · e37a367
2 parents 3734dc5 + a003e6e
commit e37a367
Show file tree

Hide file tree

Showing 18 changed files with 524 additions and 349 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 plan.save
 terraform.*
 .terraform*
+terraform.tfvars.json
diff --git a/README.md b/README.md
@@ -2,9 +2,7 @@
 
 ![](https://img.shields.io/badge/Sellix-AWS-orange) ![](https://img.shields.io/badge/Version-v2.0.0-blueviolet)
 
-<p align="center">
-  <img src="https://cdn.sellix.io//static/github/aws-elastic-beanstalk-infrastructure.png" alt="Sellix Web App Infrastructure Schema"/>
-</p>
+![infrastructure chart](https://cdn.sellix.io/static/github/aws-elastic-beanstalk-infrastructure-v2.0.0.png)
 
 ## Description
 
@@ -14,16 +12,32 @@ AWS Elastic Beanstalk infrastructure for Sellix's [web-app](https://sellix.io),
 
 ### Apply
 
-`export ENV={environment}; envsubst < main.tf | tee main.tf`
+1. Initialize Environment
 
-`terraform init -backend-config="access_key=" -backend-config="secret_key="`
+`export ENV={environment}`
 
-`terraform workspace new {environment}`
+2. Initialize TFVARS
 
-`terraform workspace select {environment}`
+`mv terraform.tfvars.example.json terraform.tfvars.json`
 
-`terraform apply`
+then edit
+
+3. Edit Providers according to desired Regions in main.tf
+4. AWS IAM (optional, see main.tf)
+```
+export AWS_ACCESS_KEY=""
+export AWS_SECRET_KEY=""
+```
+
+5. Terraform Apply
+
+```
+terraform init
+terraform workspace new $ENV
+terraform workspace select $ENV
+terraform apply
+```
 
 ### Switch Workspaces
 
-`terraform select {environment}`
+`terraform select $ENV`
diff --git a/beanstalk.tf → beanstalk/beanstalk.tf b/beanstalk.tf → beanstalk/beanstalk.tf
@@ -1,9 +1,16 @@
+data "aws_elastic_beanstalk_solution_stack" "nodejs" {
+  most_recent = true
+
+  name_regex = "^64bit Amazon Linux (.*) running Node.js ${var.nodejs_version != null ?
+  var.nodejs_version : "(.*)"}$"
+}
+
 resource "aws_elastic_beanstalk_environment" "sellix-web-app-environment" {
-  name                   = "sellix-web-app-${terraform.workspace}"
+  name                   = local.tags["Project"]
   application            = aws_elastic_beanstalk_application.sellix-web-app.name
   tier                   = "WebServer"
   wait_for_ready_timeout = "20m"
-  solution_stack_name    = "64bit Amazon Linux 2 v5.3.0 running Node.js 14"
+  solution_stack_name    = data.aws_elastic_beanstalk_solution_stack.nodejs.name
   setting {
     namespace = "aws:elasticbeanstalk:monitoring"
     name      = "Automatically Terminate Unhealthy Instances"
@@ -71,7 +78,8 @@ resource "aws_elastic_beanstalk_environment" "sellix-web-app-environment" {
   }
 
   dynamic "setting" {
-    for_each = concat(local.vpc,
+    for_each = concat(
+      local.vpc,
       local.environment,
       local.cloudwatch,
       local.healthcheck,
@@ -89,12 +97,14 @@ resource "aws_elastic_beanstalk_environment" "sellix-web-app-environment" {
       resource  = ""
     }
   }
-  tags = {
-    "Project" = "sellix-web-app-${terraform.workspace}"
-  }
+  tags = merge({
+    "Name" = local.tags["Project"]
+    },
+    local.tags
+  )
 }
 
 resource "aws_elastic_beanstalk_application" "sellix-web-app" {
-  name        = "sellix-web-app-${terraform.workspace}"
+  name        = local.tags["Project"]
   description = "NodeJS Web Application"
 }
diff --git a/chatbot.tf → beanstalk/chatbot.tf b/chatbot.tf → beanstalk/chatbot.tf
@@ -3,17 +3,18 @@ data "terraform_remote_state" "sellix-web-app-chatbot-terraform-state" {
   config = {
     bucket     = "sellix-deployments"
     key        = "aws-chatbot.tfstate"
-    region     = var.aws_region
+    region     = "eu-west-1"
+    profile    = "sellix-terraform"
     access_key = var.aws_access_key
     secret_key = var.aws_secret_key
   }
 }
 
 resource "aws_codestarnotifications_notification_rule" "sellix-web-app-codestarnotifications" {
-  name           = "sellix-web-app-${terraform.workspace}-chatbot"
-  detail_type    = "BASIC"
-  resource       = aws_codepipeline.sellix-web-app-codepipeline.arn
-  status         = "ENABLED"
+  name        = "${local.tags["Project"]}-${var.aws_region}-chatbot"
+  detail_type = "BASIC"
+  resource    = aws_codepipeline.sellix-web-app-codepipeline.arn
+  status      = "ENABLED"
   event_type_ids = [
     "codepipeline-pipeline-pipeline-execution-started",
     "codepipeline-pipeline-pipeline-execution-succeeded",

diff --git a/iam.tf → beanstalk/iam.tf b/iam.tf → beanstalk/iam.tf
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "sellix-web-app-elb-policy-document" {
       "s3:PutObject",
     ]
     resources = [
-      "arn:aws:s3:::sellix-web-app-${terraform.workspace}-elb-logs/*"
+      "arn:aws:s3:::${local.tags["Project"]}-${var.aws_region}-elb-logs/*"
     ]
     principals {
       type        = "AWS"
@@ -53,15 +53,15 @@ data "aws_iam_policy_document" "sellix-web-app-service-policy-document" {
 
 data "aws_iam_policy_document" "sellix-web-app-service-sns-policy-document" {
   statement {
-    sid     = ""
+    sid = ""
     actions = [
       "sns:Publish"
     ]
     resources = [
       data.terraform_remote_state.sellix-web-app-chatbot-terraform-state.outputs.chatbot_arn,
       "arn:aws:sns:eu-west-1:671586216466:ElasticBeanstalkNotifications*"
     ]
-    effect    = "Allow"
+    effect = "Allow"
   }
 }
 
@@ -108,6 +108,19 @@ data "aws_iam_policy_document" "sellix-web-app-codebuild-policy-document" {
   }
 }
 
+data "aws_iam_policy_document" "sellix-web-app-codebuild-codestar-connection-policy-document" {
+  statement {
+    sid    = ""
+    effect = "Allow"
+    actions = [
+      "codestar-connections:UseConnection"
+    ]
+    resources = [
+      var.codestar_connection_arn
+    ]
+  }
+}
+
 data "aws_iam_policy_document" "sellix-web-app-codebuild-assumerole-policy-document" {
   statement {
     sid    = "AllowCodeBuildAssumeRole"
@@ -155,28 +168,28 @@ data "aws_elb_service_account" "sellix-web-app-elb-service" {
 }
 
 resource "aws_iam_role" "sellix-web-app-codepipeline-role" {
-  name               = "sellix-web-app-${terraform.workspace}-codepipeline-role"
+  name               = "${local.tags["Project"]}-${var.aws_region}-codepipeline-role"
   assume_role_policy = data.aws_iam_policy_document.sellix-web-app-service-policy-document.json
 }
 
 resource "aws_iam_role" "sellix-web-app-service-role" {
-  name               = "sellix-web-app-${terraform.workspace}-service-role"
+  name               = "${local.tags["Project"]}-${var.aws_region}-service-role"
   assume_role_policy = data.aws_iam_policy_document.sellix-web-app-service-policy-document.json
 }
 
 resource "aws_iam_role" "sellix-web-app-ec2-role" {
-  name               = "sellix-web-app-${terraform.workspace}-ec2-role"
+  name               = "${local.tags["Project"]}-${var.aws_region}-ec2-role"
   assume_role_policy = data.aws_iam_policy_document.sellix-web-app-ec2-policy-document.json
 }
 
 resource "aws_iam_instance_profile" "sellix-web-app-ec2-instance-profile" {
-  name = "sellix-web-app-${terraform.workspace}-ec2-instance-profile"
+  name = "${local.tags["Project"]}-${var.aws_region}-ec2-instance-profile"
   role = aws_iam_role.sellix-web-app-ec2-role.name
 }
 
 resource "aws_iam_role_policy" "sellix-web-app-codepipeline-policy" {
-  name = "sellix-web-app-${terraform.workspace}-codepipeline-policy"
-  role = aws_iam_role.sellix-web-app-codepipeline-role.id
+  name   = "${local.tags["Project"]}-${var.aws_region}-codepipeline-policy"
+  role   = aws_iam_role.sellix-web-app-codepipeline-role.id
   policy = <<EOF
 {
   "Version": "2012-10-17",
@@ -201,41 +214,56 @@ resource "aws_iam_role_policy" "sellix-web-app-codepipeline-policy" {
         "codebuild:StartBuild"
       ],
       "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "codestar-connections:*"
+      ],
+      "Resource": [
+        "${var.codestar_connection_arn}"
+      ]
     }
   ]
 }
 EOF
 }
 
 resource "aws_iam_role_policy" "sellix-web-app-service-sns-policy" {
-  name   = "sellix-web-app-${terraform.workspace}-service-sns-policy"
+  name   = "${local.tags["Project"]}-${var.aws_region}-service-sns-policy"
   role   = aws_iam_role.sellix-web-app-service-role.id
   policy = data.aws_iam_policy_document.sellix-web-app-service-sns-policy-document.json
 }
 
 resource "aws_iam_role_policy" "sellix-web-app-default-policy" {
-  name   = "sellix-web-app-${terraform.workspace}-default-policy"
+  name   = "${local.tags["Project"]}-${var.aws_region}-default-policy"
   role   = aws_iam_role.sellix-web-app-ec2-role.id
   policy = data.aws_iam_policy_document.sellix-web-app-default-policy-document.json
 }
 
 resource "aws_iam_role" "sellix-web-app-codebuild-role" {
-  name               = "sellix-web-app-${terraform.workspace}-codebuild-role"
+  name               = "${local.tags["Project"]}-${var.aws_region}-codebuild-role"
   assume_role_policy = data.aws_iam_policy_document.sellix-web-app-codebuild-assumerole-policy-document.json
 }
 
 resource "aws_iam_policy" "sellix-web-app-codebuild-permissions-policy" {
-  name   = "sellix-web-app-${terraform.workspace}-codebuild-permissions-policy"
+  name   = "${local.tags["Project"]}-${var.aws_region}-codebuild-permissions-policy"
   path   = "/service-role/"
   policy = data.aws_iam_policy_document.sellix-web-app-codebuild-permissions-policy-document.json
 }
 
 resource "aws_iam_policy" "sellix-web-app-codebuild-policy" {
-  name        = "sellix-web-app-${terraform.workspace}-codebuild-policy"
+  name        = "${local.tags["Project"]}-${var.aws_region}-codebuild-policy"
   description = "CodeBuild access policy"
   policy      = data.aws_iam_policy_document.sellix-web-app-codebuild-policy-document.json
 }
 
+resource "aws_iam_policy" "sellix-web-app-codebuild-codestar-connection-policy" {
+  name        = "${local.tags["Project"]}-${var.aws_region}-codebuild-codestar-connection-policy"
+  description = "CodeBuild CodeStar Connection policy"
+  policy      = data.aws_iam_policy_document.sellix-web-app-codebuild-codestar-connection-policy-document.json
+}
+
 resource "aws_iam_role_policy_attachment" "sellix-web-app-codepipeline-policy-attachment" {
   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk"
   role       = aws_iam_role.sellix-web-app-codepipeline-role.id
@@ -287,6 +315,11 @@ resource "aws_iam_role_policy_attachment" "sellix-web-app-codebuild-policy-attac
   policy_arn = aws_iam_policy.sellix-web-app-codebuild-policy.arn
 }
 
+resource "aws_iam_role_policy_attachment" "sellix-web-app-codebuild-codestar-connection-policy-attachment" {
+  role       = aws_iam_role.sellix-web-app-codebuild-role.name
+  policy_arn = aws_iam_policy.sellix-web-app-codebuild-codestar-connection-policy.arn
+}
+
 resource "aws_iam_role_policy_attachment" "sellix-web-app-codebuild-permissions-policy-attachment" {
   role       = aws_iam_role.sellix-web-app-codebuild-role.name
   policy_arn = aws_iam_policy.sellix-web-app-codebuild-permissions-policy.arn