Terraform module to provision AWS Elastic Beanstalk environment
The Cloud Posse team no longer utilizes Beanstalk all that much, but this module is still fairly popular. In an effort to give it the attention it deserves, we're searching for a volunteer maintainer to manage this specific repository's issues and pull requests (of which a number are already stacked up). This is a great opportunity for anyone who is looking to solidify and strengthen their Terraform skillset while also giving back to the SweetOps open source community!
You can learn more about being a SweetOps contributor on our docs site here.
If you're interested, reach out to us via the #terraform channel in the SweetOps Slack or directly via email @ hello@cloudposse.com
This project is part of our comprehensive "SweetOps" approach towards DevOps.
It's 100% Open Source and licensed under the APACHE2.
We literally have hundreds of terraform modules that are Open Source and well-maintained. Check them out!
Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.
| Benchmark | Description |
|---|---|
| Infrastructure Security Compliance | |
| Center for Internet Security, KUBERNETES Compliance | |
| Center for Internet Security, AWS Compliance | |
| Center for Internet Security, AZURE Compliance | |
| Payment Card Industry Data Security Standards Compliance | |
| National Institute of Standards and Technology Compliance | |
| Information Security Management System, ISO/IEC 27001 Compliance | |
| Service Organization Control 2 Compliance | |
| Center for Internet Security, GCP Compliance | |
| Health Insurance Portability and Accountability Compliance |
IMPORTANT: We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.
Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required.
For a complete example, see examples/complete
provider "aws" {
region = var.region
}
module "vpc" {
source = "git::https://github.com/cloudposse/terraform-aws-vpc.git?ref=tags/0.8.0"
namespace = var.namespace
stage = var.stage
name = var.name
cidr_block = "172.16.0.0/16"
}
module "subnets" {
source = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.16.0"
availability_zones = var.availability_zones
namespace = var.namespace
stage = var.stage
name = var.name
vpc_id = module.vpc.vpc_id
igw_id = module.vpc.igw_id
cidr_block = module.vpc.vpc_cidr_block
nat_gateway_enabled = true
nat_instance_enabled = false
}
module "elastic_beanstalk_application" {
source = "git::https://github.com/cloudposse/terraform-aws-elastic-beanstalk-application.git?ref=tags/0.3.0"
namespace = var.namespace
stage = var.stage
name = var.name
description = "Test elastic_beanstalk_application"
}
module "elastic_beanstalk_environment" {
source = "cloudposse/elastic-beanstalk-environment/aws"
# Cloud Posse recommends pinning every module to a specific version
# version = "x.x.x"
namespace = var.namespace
stage = var.stage
name = var.name
description = "Test elastic_beanstalk_environment"
region = var.region
availability_zone_selector = "Any 2"
dns_zone_id = var.dns_zone_id
elastic_beanstalk_application_name = module.elastic_beanstalk_application.elastic_beanstalk_application_name
instance_type = "t3.small"
autoscale_min = 1
autoscale_max = 2
updating_min_in_service = 0
updating_max_batch = 1
loadbalancer_type = "application"
vpc_id = module.vpc.vpc_id
loadbalancer_subnets = module.subnets.public_subnet_ids
application_subnets = module.subnets.private_subnet_ids
security_group_rules = [
{
type = "egress"
from_port = 0
to_port = 65535
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
source_security_group_id = null
description = "Allow all outbound traffic"
},
{
type = "ingress"
from_port = 0
to_port = 65535
protocol = "-1"
source_security_group_id = [module.vpc.vpc_default_security_group_id]
cidr_blocks = null
description = "Allow all ingress traffic from trusted Security Groups"
},
]
prefer_legacy_service_policy = false
// https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html
// https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.docker
solution_stack_name = "64bit Amazon Linux 2018.03 v2.12.17 running Docker 18.06.1-ce"
additional_settings = [
{
namespace = "aws:elasticbeanstalk:application:environment"
name = "DB_HOST"
value = "xxxxxxxxxxxxxx"
},
{
namespace = "aws:elasticbeanstalk:application:environment"
name = "DB_USERNAME"
value = "yyyyyyyyyyyyy"
},
{
namespace = "aws:elasticbeanstalk:application:environment"
name = "DB_PASSWORD"
value = "zzzzzzzzzzzzzzzzzzz"
},
{
namespace = "aws:elasticbeanstalk:application:environment"
name = "ANOTHER_ENV_VAR"
value = "123456789"
}
]
}Available targets:
help Help screen
help/all Display help for all targets
help/short This help short screen
lint Lint terraform code
| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >= 2.0 |
| Name | Version |
|---|---|
| aws | >= 2.0 |
| Name | Source | Version |
|---|---|---|
| dns_hostname | cloudposse/route53-cluster-hostname/aws | 0.12.0 |
| security_group | cloudposse/security-group/aws | 0.3.1 |
| this | cloudposse/label/null | 0.24.1 |
| Name | Type |
|---|---|
| aws_elastic_beanstalk_environment.default | resource |
| aws_iam_instance_profile.ec2 | resource |
| aws_iam_role.ec2 | resource |
| aws_iam_role.service | resource |
| aws_iam_role_policy.default | resource |
| aws_iam_role_policy_attachment.ecr_readonly | resource |
| aws_iam_role_policy_attachment.elastic_beanstalk_multi_container_docker | resource |
| aws_iam_role_policy_attachment.enhanced_health | resource |
| aws_iam_role_policy_attachment.service | resource |
| aws_iam_role_policy_attachment.ssm_automation | resource |
| aws_iam_role_policy_attachment.ssm_ec2 | resource |
| aws_iam_role_policy_attachment.web_tier | resource |
| aws_iam_role_policy_attachment.worker_tier | resource |
| aws_s3_bucket.elb_logs | resource |
| aws_ssm_activation.ec2 | resource |
| aws_elb_service_account.main | data source |
| aws_iam_policy_document.default | data source |
| aws_iam_policy_document.ec2 | data source |
| aws_iam_policy_document.elb_logs | data source |
| aws_iam_policy_document.extended | data source |
| aws_iam_policy_document.service | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_settings | Additional Elastic Beanstalk setttings. For full list of options, see https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html | list(object({ |
[] |
no |
| additional_tag_map | Additional tags for appending to tags_as_list_of_maps. Not added to tags. |
map(string) |
{} |
no |
| alb_zone_id | ALB zone id | map(string) |
{ |
no |
| ami_id | The id of the AMI to associate with the Amazon EC2 instances | string |
null |
no |
| application_port | Port application is listening on | number |
80 |
no |
| application_subnets | List of subnets to place EC2 instances | list(string) |
n/a | yes |
| associate_public_ip_address | Whether to associate public IP addresses to the instances | bool |
false |
no |
| attributes | Additional attributes (e.g. 1) |
list(string) |
[] |
no |
| autoscale_lower_bound | Minimum level of autoscale metric to remove an instance | number |
20 |
no |
| autoscale_lower_increment | How many Amazon EC2 instances to remove when performing a scaling activity. | number |
-1 |
no |
| autoscale_max | Maximum instances to launch | number |
3 |
no |
| autoscale_measure_name | Metric used for your Auto Scaling trigger | string |
"CPUUtilization" |
no |
| autoscale_min | Minumum instances to launch | number |
2 |
no |
| autoscale_statistic | Statistic the trigger should use, such as Average | string |
"Average" |
no |
| autoscale_unit | Unit for the trigger measurement, such as Bytes | string |
"Percent" |
no |
| autoscale_upper_bound | Maximum level of autoscale metric to add an instance | number |
80 |
no |
| autoscale_upper_increment | How many Amazon EC2 instances to add when performing a scaling activity | number |
1 |
no |
| availability_zone_selector | Availability Zone selector | string |
"Any 2" |
no |
| context | Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value.Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. |
any |
{ |
no |
| delimiter | Delimiter to be used between namespace, environment, stage, name and attributes.Defaults to - (hyphen). Set to "" to use no delimiter at all. |
string |
null |
no |
| deployment_batch_size | Percentage or fixed number of Amazon EC2 instances in the Auto Scaling group on which to simultaneously perform deployments. Valid values vary per deployment_batch_size_type setting | number |
1 |
no |
| deployment_batch_size_type | The type of number that is specified in deployment_batch_size_type | string |
"Fixed" |
no |
| deployment_ignore_health_check | Do not cancel a deployment due to failed health checks | bool |
false |
no |
| deployment_timeout | Number of seconds to wait for an instance to complete executing commands | number |
600 |
no |
| description | Short description of the Environment | string |
"" |
no |
| dns_subdomain | The subdomain to create on Route53 for the EB environment. For the subdomain to be created, the dns_zone_id variable must be set as well |
string |
"" |
no |
| dns_zone_id | Route53 parent zone ID. The module will create sub-domain DNS record in the parent zone for the EB environment | string |
"" |
no |
| elastic_beanstalk_application_name | Elastic Beanstalk application name | string |
n/a | yes |
| elb_scheme | Specify internal if you want to create an internal load balancer in your Amazon VPC so that your Elastic Beanstalk application cannot be accessed from outside your Amazon VPC |
string |
"public" |
no |
| enable_log_publication_control | Copy the log files for your application's Amazon EC2 instances to the Amazon S3 bucket associated with your application | bool |
false |
no |
| enable_spot_instances | Enable Spot Instance requests for your environment | bool |
false |
no |
| enable_stream_logs | Whether to create groups in CloudWatch Logs for proxy and deployment logs, and stream logs from each instance in your environment | bool |
false |
no |
| enabled | Set to false to prevent the module from creating any resources | bool |
null |
no |
| enhanced_reporting_enabled | Whether to enable "enhanced" health reporting for this environment. If false, "basic" reporting is used. When you set this to false, you must also set enable_managed_actions to false |
bool |
true |
no |
| env_vars | Map of custom ENV variables to be provided to the application running on Elastic Beanstalk, e.g. env_vars = { DB_USER = 'admin' DB_PASS = 'xxxxxx' } | map(string) |
{} |
no |
| environment | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | string |
null |
no |
| environment_type | Environment type, e.g. 'LoadBalanced' or 'SingleInstance'. If setting to 'SingleInstance', rolling_update_type must be set to 'Time', updating_min_in_service must be set to 0, and loadbalancer_subnets will be unused (it applies to the ELB, which does not exist in SingleInstance environments) |
string |
"LoadBalanced" |
no |
| extended_ec2_policy_document | Extensions or overrides for the IAM role assigned to EC2 instances | string |
"{}" |
no |
| force_destroy | Force destroy the S3 bucket for load balancer logs | bool |
false |
no |
| health_streaming_delete_on_terminate | Whether to delete the log group when the environment is terminated. If false, the health data is kept RetentionInDays days. | bool |
false |
no |
| health_streaming_enabled | For environments with enhanced health reporting enabled, whether to create a group in CloudWatch Logs for environment health and archive Elastic Beanstalk environment health data. For information about enabling enhanced health, see aws:elasticbeanstalk:healthreporting:system. | bool |
false |
no |
| health_streaming_retention_in_days | The number of days to keep the archived health data before it expires. | number |
7 |
no |
| healthcheck_url | Application Health Check URL. Elastic Beanstalk will call this URL to check the health of the application running on EC2 instances | string |
"/healthcheck" |
no |
| http_listener_enabled | Enable port 80 (http) | bool |
true |
no |
| id_length_limit | Limit id to this many characters (minimum 6).Set to 0 for unlimited length.Set to null for default, which is 0.Does not affect id_full. |
number |
null |
no |
| instance_refresh_enabled | Enable weekly instance replacement. | bool |
true |
no |
| instance_type | Instances type | string |
"t2.micro" |
no |
| keypair | Name of SSH key that will be deployed on Elastic Beanstalk and DataPipeline instance. The key should be present in AWS | string |
"" |
no |
| label_key_case | The letter case of label keys (tag names) (i.e. name, namespace, environment, stage, attributes) to use in tags.Possible values: lower, title, upper.Default value: title. |
string |
null |
no |
| label_order | The naming order of the id output and Name tag. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 5 elements, but at least one must be present. |
list(string) |
null |
no |
| label_value_case | The letter case of output label values (also used in tags and id).Possible values: lower, title, upper and none (no transformation).Default value: lower. |
string |
null |
no |
| loadbalancer_certificate_arn | Load Balancer SSL certificate ARN. The certificate must be present in AWS Certificate Manager | string |
"" |
no |
| loadbalancer_crosszone | Configure the classic load balancer to route traffic evenly across all instances in all Availability Zones rather than only within each zone. | bool |
true |
no |
| loadbalancer_managed_security_group | Load balancer managed security group | string |
"" |
no |
| loadbalancer_security_groups | Load balancer security groups | list(string) |
[] |
no |
| loadbalancer_ssl_policy | Specify a security policy to apply to the listener. This option is only applicable to environments with an application load balancer | string |
"" |
no |
| loadbalancer_subnets | List of subnets to place Elastic Load Balancer | list(string) |
[] |
no |
| loadbalancer_type | Load Balancer type, e.g. 'application' or 'classic' | string |
"classic" |
no |
| logs_delete_on_terminate | Whether to delete the log groups when the environment is terminated. If false, the logs are kept RetentionInDays days | bool |
false |
no |
| logs_retention_in_days | The number of days to keep log events before they expire. | number |
7 |
no |
| managed_actions_enabled | Enable managed platform updates. When you set this to true, you must also specify a PreferredStartTime and UpdateLevel |
bool |
true |
no |
| name | Solution name, e.g. 'app' or 'jenkins' | string |
null |
no |
| namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string |
null |
no |
| prefer_legacy_service_policy | Whether to use AWSElasticBeanstalkService (deprecated) or AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy policy | bool |
true |
no |
| prefer_legacy_ssm_policy | Whether to use AmazonEC2RoleforSSM (will soon be deprecated) or AmazonSSMManagedInstanceCore policy | bool |
true |
no |
| preferred_start_time | Configure a maintenance window for managed actions in UTC | string |
"Sun:10:00" |
no |
| regex_replace_chars | Regex to replace chars with empty string in namespace, environment, stage and name.If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits. |
string |
null |
no |
| region | AWS region | string |
n/a | yes |
| rolling_update_enabled | Whether to enable rolling update | bool |
true |
no |
| rolling_update_type | Health or Immutable. Set it to Immutable to apply the configuration change to a fresh group of instances |
string |
"Health" |
no |
| root_volume_size | The size of the EBS root volume | number |
8 |
no |
| root_volume_type | The type of the EBS root volume | string |
"gp2" |
no |
| s3_bucket_access_log_bucket_name | Name of the S3 bucket where s3 access log will be sent to | string |
"" |
no |
| s3_bucket_encryption_enabled | When set to 'true' the resource will have aes256 encryption enabled by default | bool |
true |
no |
| s3_bucket_versioning_enabled | When set to 'true' the s3 origin bucket will have versioning enabled | bool |
true |
no |
| scheduled_actions | Define a list of scheduled actions | list(object({ |
[] |
no |
| security_group_description | The Security Group description. | string |
"Elastic Beanstalk environment Security Group" |
no |
| security_group_enabled | Whether to create Security Group. | bool |
true |
no |
| security_group_rules | A list of maps of Security Group rules. The values of map is fully complated with aws_security_group_rule resource.To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule . |
list(any) |
[ |
no |
| security_group_use_name_prefix | Whether to create a default Security Group with unique name beginning with the normalized prefix. | bool |
false |
no |
| security_groups | A list of Security Group IDs to associate with EC2 instances. | list(string) |
[] |
no |
| solution_stack_name | Elastic Beanstalk stack, e.g. Docker, Go, Node, Java, IIS. For more info, see https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html | string |
n/a | yes |
| spot_fleet_on_demand_above_base_percentage | The percentage of On-Demand Instances as part of additional capacity that your Auto Scaling group provisions beyond the SpotOnDemandBase instances. This option is relevant only when enable_spot_instances is true. | number |
-1 |
no |
| spot_fleet_on_demand_base | The minimum number of On-Demand Instances that your Auto Scaling group provisions before considering Spot Instances as your environment scales up. This option is relevant only when enable_spot_instances is true. | number |
0 |
no |
| spot_max_price | The maximum price per unit hour, in US$, that you're willing to pay for a Spot Instance. This option is relevant only when enable_spot_instances is true. Valid values are between 0.001 and 20.0 | number |
-1 |
no |
| ssh_listener_enabled | Enable SSH port | bool |
false |
no |
| ssh_listener_port | SSH port | number |
22 |
no |
| ssh_source_restriction | Used to lock down SSH access to the EC2 instances | string |
"0.0.0.0/0" |
no |
| stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | string |
null |
no |
| tags | Additional tags (e.g. map('BusinessUnit','XYZ') |
map(string) |
{} |
no |
| tier | Elastic Beanstalk Environment tier, 'WebServer' or 'Worker' | string |
"WebServer" |
no |
| update_level | The highest level of update to apply with managed platform updates | string |
"minor" |
no |
| updating_max_batch | Maximum number of instances to update at once | number |
1 |
no |
| updating_min_in_service | Minimum number of instances in service during update | number |
1 |
no |
| version_label | Elastic Beanstalk Application version to deploy | string |
"" |
no |
| vpc_id | ID of the VPC in which to provision the AWS resources | string |
n/a | yes |
| wait_for_ready_timeout | The maximum duration to wait for the Elastic Beanstalk Environment to be in a ready state before timing out | string |
"20m" |
no |
| Name | Description |
|---|---|
| all_settings | List of all option settings configured in the environment. These are a combination of default settings and their overrides from setting in the configuration |
| application | The Elastic Beanstalk Application specified for this environment |
| autoscaling_groups | The autoscaling groups used by this environment |
| ec2_instance_profile_role_name | Instance IAM role name |
| elb_zone_id | ELB zone id |
| endpoint | Fully qualified DNS name for the environment |
| hostname | DNS hostname |
| id | ID of the Elastic Beanstalk environment |
| instances | Instances used by this environment |
| launch_configurations | Launch configurations in use by this environment |
| load_balancers | Elastic Load Balancers in use by this environment |
| name | Name |
| queues | SQS queues in use by this environment |
| security_group_arn | Elastic Beanstalk environment Security Group ARN |
| security_group_id | Elastic Beanstalk environment Security Group ID |
| security_group_name | Elastic Beanstalk environment Security Group name |
| setting | Settings specifically set for this environment |
| tier | The environment tier |
| triggers | Autoscaling triggers in use by this environment |
Like this project? Please give it a ★ on our GitHub! (it helps us a lot)
Are you using this project or any of our other projects? Consider leaving a testimonial. =)
Check out these related projects.
- terraform-aws-jenkins - Terraform module to build Docker image with Jenkins, save it to an ECR repo, and deploy to Elastic Beanstalk running Docker stack
- terraform-aws-elastic-beanstalk-application - Terraform Module to define an ElasticBeanstalk Application
- geodesic - Geodesic is the fastest way to get up and running with a rock solid, production grade cloud platform built on strictly Open Source tools.
- terraform-aws-elasticache-cloudwatch-sns-alarms - Terraform module that configures CloudWatch SNS alerts for ElastiCache
Got a question? We got answers.
File a GitHub issue, send us an email or join our Slack Community.
We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.
Work directly with our team of DevOps experts via email, slack, and video conferencing.
We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.
- Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
- Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
- Site Reliability Engineering. You'll have total visibility into your apps and microservices.
- Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
- GitOps. You'll be able to operate your infrastructure via Pull Requests.
- Training. You'll receive hands-on training so your team can operate what we build.
- Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
- Troubleshooting. You'll get help to triage when things aren't working.
- Code Reviews. You'll receive constructive feedback on Pull Requests.
- Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.
Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.
Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.
Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.
Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!
Please use the issue tracker to report any bugs or file feature requests.
If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.
In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull Request so that we can review your changes
NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!
Copyright © 2017-2021 Cloud Posse, LLC
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
All other trademarks referenced herein are the property of their respective owners.
This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!
We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.
We offer paid support on all of our projects.
Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.
 Erik Osterman |
 Igor Rodionov |
 Andriy Knysh |
 Guillaume Delacour |
 Viktor Erpylev |
 Lucas Pearson |
 Chris Green |
 Vladimir Syromyatnikov |
|---|