带有 Terraform 和 Beanstalk 的 CodePipeline [英] CodePipeline with Terraform and Beanstalk
本文介绍了带有 Terraform 和 Beanstalk 的 CodePipeline的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在尝试创建一个要在 Beanstalk 上部署的管道,但我在管道的 deploy 部分经常遇到错误:
I'm trying to create a pipeline to deploy on Beanstalk but I constantly get an error in the deploy section of the pipeline:
Insufficient permissions
The provided role does not have sufficient permissions to access
Elastic Beanstalk: Access Denied
我错过了什么?
/************************************************
* Code Build
***********************************************/
resource "aws_codebuild_project" "project-name-codebuild" {
name = "${var.project}-codebuild"
build_timeout = "15"
service_role = "${aws_iam_role.project-name-codebuild-role.arn}"
artifacts {
type = "CODEPIPELINE"
}
environment {
compute_type = "BUILD_GENERAL1_SMALL"
type = "LINUX_CONTAINER"
image = "aws/codebuild/java:openjdk-8"
}
source {
type = "CODEPIPELINE"
}
tags {
Name = "${var.project}"
Environment = "${var.environment}"
}
}
resource "aws_ecr_repository" "project-name-ecr-repository" {
name = "${var.project}-ecr-repository"
}
resource "aws_iam_role" "project-name-codebuild-role" {
name = "${var.project}-codebuild-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "project-name-codebuild-role-policy" {
role = "${aws_iam_role.project-name-codebuild-role.id}"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "project-name-codebuild-role-policy-bucket" {
policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
role = "${aws_iam_role.project-name-codebuild-role.name}"
}
/************************************************
* Code Pipeline
***********************************************/
resource "aws_codepipeline" "project-name-code-pipeline" {
name = "${var.project}-code-pipeline"
role_arn = "${aws_iam_role.project-name-code-pipeline-role.arn}"
artifact_store {
location = "${aws_s3_bucket.project-name-code-pipeline-bucket.bucket}"
type = "S3"
}
stage {
name = "Source"
action {
name = "Source"
category = "Source"
owner = "ThirdParty"
provider = "GitHub"
version = "1"
output_artifacts = [
"source"]
configuration {
Owner = "Owner"
Repo = "project-name"
Branch = "master"
OAuthToken = "${var.github-token}"
}
}
}
stage {
name = "Build-Everything"
action {
name = "Build"
category = "Build"
owner = "AWS"
provider = "CodeBuild"
input_artifacts = [
"source"]
output_artifacts = [
"build"]
version = "1"
configuration {
ProjectName = "${aws_codebuild_project.project-name-codebuild.name}"
}
}
}
stage {
name = "Deploy"
action {
name = "Deploy"
category = "Deploy"
owner = "AWS"
provider = "ElasticBeanstalk"
input_artifacts = [
"build"]
version = "1"
configuration {
ApplicationName = "${aws_elastic_beanstalk_application.project-name.name}"
EnvironmentName = "${aws_elastic_beanstalk_environment.project-name-environment.name}"
}
}
}
}
resource "aws_s3_bucket" "project-name-code-pipeline-bucket" {
bucket = "${var.project}-code-pipeline-bucket"
acl = "private"
}
resource "aws_iam_policy" "project-name-code-pipeline-bucket-access" {
name = "${var.project}-code-pipeline-bucket-access"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Resource": [
"${aws_s3_bucket.project-name-code-pipeline-bucket.arn}",
"${aws_s3_bucket.project-name-code-pipeline-bucket.arn}/*"
],
"Action": [
"s3:CreateBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectTorrent",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:GetObjectVersionTagging",
"s3:GetObjectVersionTorrent",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions",
"s3:ListMultipartUploadParts",
"s3:PutObject"
]
}
]
}
POLICY
}
resource "aws_iam_role" "project-name-code-pipeline-role" {
name = "${var.project}-code-pipeline-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codepipeline.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy" "project-name-code-pipeline-role-policy" {
name = "${var.project}-code-pipeline-role-policy"
role = "${aws_iam_role.project-name-code-pipeline-role.id}"
policy = <<EOF
{
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::codepipeline*",
"arn:aws:s3:::elasticbeanstalk*"
],
"Effect": "Allow"
},
{
"Action": [
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetDeployment",
"codedeploy:GetDeploymentConfig",
"codedeploy:RegisterApplicationRevision"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:UpdateEnvironment",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScalingActivities",
"autoscaling:ResumeProcesses",
"autoscaling:SuspendProcesses",
"cloudformation:GetTemplate",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"ec2:DescribeInstances",
"ec2:DescribeImages",
"ec2:DescribeAddresses",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeKeyPairs",
"elasticloadbalancing:DescribeLoadBalancers",
"rds:DescribeDBInstances",
"rds:DescribeOrderableDBInstanceOptions",
"sns:ListSubscriptionsByTopic"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"lambda:invokefunction",
"lambda:listfunctions"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:GetObjectAcl",
"s3:PutObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::elasticbeanstalk*",
"Effect": "Allow"
}
],
"Version": "2012-10-17"
}
EOF
}
resource "aws_iam_role_policy_attachment" "project-name-code-pipeline-role-policy-attachment" {
policy_arn = "${aws_iam_policy.project-name-code-pipeline-bucket-access.arn}"
role = "${aws_iam_role.project-name-code-pipeline-role.name}"
}
推荐答案
遇到同样的问题,问题是您需要启用 s3 访问arn:aws:s3:::elasticbeanstalk*"
Came across the same problem, the issue is that you need to enable s3 access to "arn:aws:s3:::elasticbeanstalk*"
同意错误信息有点晦涩
这篇关于带有 Terraform 和 Beanstalk 的 CodePipeline的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
