Install Env from Marketplace

Refer to Overview▸, using AutoMQ Cloud requires an initial environment setup. This article explains how to install a BYOC environment from the AWS Marketplace.

In this article, references to AutoMQ product services, AutoMQ services, and AutoMQ specifically refer to AutoMQ HK Limited and its affiliates.

Prerequisites

Condition 1: Cloud Account Operation Permissions

To create a BYOC environment, the operating cloud account must be the primary account or an IAM sub-account with the necessary operation permissions. If you are currently using an IAM sub-account on the AWS console, authorization must be granted before proceeding with service activation.

Use AWS Managed Policies for Authorization

Typically, you can grant the following AWS managed policies to an IAM sub-account to proceed with subsequent deployment and installation:

• AmazonVPCFullAccess: Permissions to manage Virtual Private Cloud (VPC).

• AmazonEC2FullAccess: Full access to manage EC2 products.

• AmazonS3FullAccess: Full access to manage object storage S3.

• AmazonRoute53FullAccess: Full access to manage the Route 53 service.

Using Custom Policies for Authorization

If you prefer not to use the AWS-managed policies and want more granular control over permissions, you can refer to the authorization policy content below to create custom policies and assign them to the appropriate user accounts or roles.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketTagging",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVpcEndpoints",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeleteInternetGateway",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateTags",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:RunInstances",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:DescribeAddresses",
        "ec2:DescribeAddressesAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePrefixLists",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "sts:GetCallerIdentity",
        "ssm:GetParameter",
        "ec2:DescribeVpcAttribute",
        "ec2:ModifyVpcAttribute",
        "route53:AssociateVPCWithHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "route53:GetChange",
        "route53:DeleteHostedZone",
        "route53:GetHostedZone",
        "ec2:DisassociateAddress",
        "ec2:AssociateAddress",
        "ec2:DescribeInstanceAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:TerminateInstances",
        "ec2:AllocateAddress",
        "ec2:ReleaseAddress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "route53:ChangeTagsForResource",
        "ec2:CreateRoute",
        "route53:CreateHostedZone",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkAclEntry",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateVpcEndpoint",
        "s3:ListBucket",
        "ec2:DeleteVpc"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:TagRole",
        "iam:TagPolicy",
        "iam:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:AddRoleToInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:CreateInstanceProfile",
        "iam:TagInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    }
  ]
}

Condition Two: Prepare VPC

The AutoMQ BYOC environment is deployed within the user's VPC to ensure data privacy and security. When installing the AutoMQ environment from AWS Marketplace, the following two methods are supported:

• Automatically create a new VPC installation environment: Select this option to have Marketplace CloudFormation automatically create the VPC and other resources, eliminating the need for manual configuration. This is recommended for initial POCs and testing.

• VPC Environment Provided by User: Marketplace will not proactively create a VPC network; users must specify an existing VPC network.

If you choose VPC Environment Provided by User, you must refer to Prepare VPC▸ to prepare the VPC network, ensuring it meets AutoMQ's requirements. Failure to do so may result in installation failure.

Procedure

Step 1: Subscribe to AutoMQ from the Marketplace

The AutoMQ Cloud BYOC environment installation package is distributed on AWS via Marketplace CloudFormation products. Users can subscribe to AutoMQ from the Marketplace, and the product link is AutoMQ for Kafka (BYOC FreeTier).

Go to AWS Marketplace and visit the product page AutoMQ for Kafka (BYOC FreeTier).

Click Continue to Subscribe. If this is your first visit, please confirm the user agreement.

Select the CloudFormation Template configuration, and fill out the form as prompted.

Step 2: Install the Environment Using the CloudFormation Template

In the previous step, after selecting the CloudFormation Template configuration, you will be redirected to the CloudFormation product page to create a new Stack.

Follow the prompts to fill in the parameters and continue configuring to start the creation process.

Parameter Settings	Value Description
Stack Name	Description: The name of the current CloudFormation Stack. Constraint: This name will be used for naming resource variables. It is recommended to use only uppercase and lowercase letters and numbers.
ExistingVPCId	Description: Specify the target VPC Id for environment deployment. If left blank, a new VPC will be automatically created.
ExistingPublicSubnetId	Description: Specify the target subnet Id for environment deployment. When setting ExistingVPCId, this parameter must be set for using an existing VPC.
MsgBucket	Description: Set the name of the S3 Bucket for messages. This Bucket is used to store Kafka message data. If not set, a new Bucket will be automatically created.
OpsBucket	Description: Set the operations S3 Bucket name. This Bucket is used to store AutoMQ's system logs, metrics, etc., and does not contain application data. If not set, a new Bucket will be created automatically.
WebConsoleInstanceType	Description: Set the EC2 instance type for deploying the AutoMQ BYOC environment console. Limitation: It is recommended to choose a model with at least 2 cores and 8GB of memory.
SecurityGroupCIDR	Description: Set the CIDR for the security group that can access the AutoMQ environment console.
KeyName	Description: Set the KeyName for the login certificate of the EC2 instance where the AutoMQ environment console is located. If not set, no EC2 Key will be created, and subsequent SSH login to the EC2 instance will not be possible.

Step 3: Retrieve CloudFormation Outputs and Access the Environment

After completing the previous installation, check the current CloudFormation Outputs to retrieve initial information for accessing the environment.

Output Returns	Output Description
AutoMQWebConsoleURL	The URL address of the AutoMQ BYOC environment console. Users can access this address via a browser or use APIs and Terraform to access the service.
DefaultUserName	The initial username for the environment console.
DefaultPassword	The initial password for the environment console, which is the instance ID of the corresponding EC2 instance. Users are required to change this upon first login.

Next Steps

After the environment installation is complete, you can access and use the environment. AutoMQ supports the following two methods:

• Using AutoMQ through WebUI: Access the console address returned in step 3 via a browser, enter the initial username and password, and you will enter the environment console to create instances and experience the product features. Experience AutoMQ for Kafka▸

• Using AutoMQ with Terraform:

After the environment setup is complete, users can manage and use AutoMQ through the AutoMQ Terraform Provider. For details on using AutoMQ with Terraform, please refer to the documentation.