infra-dapps/modules/aws-eb-env/access.tf

resource "aws_iam_group" "deploy" {
  name = "${var.name}-deploy"
}

resource "aws_iam_user" "deploy" {
  name = "${var.name}-deploy"

  tags = {
    Description = "User for deploying the ${var.stage}.${var.dns_domain} Elastic Beanstalk app"
  }
}

resource "aws_iam_access_key" "deploy" {
  user    = aws_iam_user.deploy.name
  pgp_key = file("files/support@dap.ps.gpg")
}

resource "aws_iam_user_group_membership" "deploy" {
  user   = aws_iam_user.deploy.name
  groups = [aws_iam_group.deploy.name]
}

/* TODO narrow down these permissions to only deployment */
resource "aws_iam_group_policy_attachment" "deploy" {
  group      = aws_iam_group.deploy.name
  policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"
}
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`resource "aws_iam_group" "deploy" {`
fix elb dns entry records Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-29 16:52:10 -04:00			`name = "${var.name}-deploy"`
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`}`

			`resource "aws_iam_user" "deploy" {`
			`name = "${var.name}-deploy"`
fix elb dns entry records Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-29 16:52:10 -04:00
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`tags = {`
use the CloudPosse modules for ElasicBeanstalk environment Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 17:05:05 -04:00			`Description = "User for deploying the ${var.stage}.${var.dns_domain} Elastic Beanstalk app"`
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`}`
			`}`

			`resource "aws_iam_access_key" "deploy" {`
upgrade to Terraform 0.12 Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-30 14:36:52 -04:00			`user = aws_iam_user.deploy.name`
			`pgp_key = file("files/support@dap.ps.gpg")`
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`}`

			`resource "aws_iam_user_group_membership" "deploy" {`
upgrade to Terraform 0.12 Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-30 14:36:52 -04:00			`user = aws_iam_user.deploy.name`
			`groups = [aws_iam_group.deploy.name]`
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`}`

enable access outputs Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-31 10:07:41 -04:00			`/* TODO narrow down these permissions to only deployment */`
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`resource "aws_iam_group_policy_attachment" "deploy" {`
upgrade to Terraform 0.12 Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-30 14:36:52 -04:00			`group = aws_iam_group.deploy.name`
create deployment keys for prod environment Also use aws_iam_group_policy_attachment instead of aws_iam_policy_attachment which is exclusive. https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html https://www.terraform.io/docs/providers/aws/r/iam_group_policy_attachment.html Signed-off-by: Jakub Sokołowski <jakub@status.im> 2019-07-25 13:41:57 -04:00			`policy_arn = "arn:aws:iam::aws:policy/AWSElasticBeanstalkFullAccess"`
			`}`