Install Env Via Terraform Module

Refer to Overview▸, using AutoMQ Cloud requires installing the environment first. This article explains how to use the Terraform Module to install a BYOC environment.

In this article, references to AutoMQ product service provider, AutoMQ service provider, and AutoMQ specifically refer to AutoMQ HK Limited and its subsidiaries.

Prerequisites

Condition One: Cloud Account Operation Permissions

To create a BYOC environment, you need to provide the credentials of a cloud account with sufficient permissions. The cloud account must be either the primary account or an IAM sub-account that has been granted the necessary permissions. If you are using the credentials of an IAM sub-account, you must grant the necessary permissions before proceeding with the service activation.

Authorize using AWS Managed Policies

Typically, you can grant the following AWS managed policies to an IAM sub-account to proceed with the deployment and installation:

• AmazonVPCFullAccess: Full access to manage the VPC.

• AmazonEC2FullAccess: Full access to manage EC2 products.

• AmazonS3FullAccess: Full access to manage S3 object storage.

• AmazonRoute53FullAccess: Full access to manage Route 53 services.

Custom Policy Authorization

If you prefer not to use AWS-provided managed policies and seek more granular control over permissions, you can refer to the authorization policy content below to create custom policies and assign them to the relevant user accounts or roles.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketTagging",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVpcEndpoints",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeleteInternetGateway",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateTags",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:RunInstances",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:DescribeAddresses",
        "ec2:DescribeAddressesAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePrefixLists",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "sts:GetCallerIdentity",
        "ssm:GetParameter",
        "ec2:DescribeVpcAttribute",
        "ec2:ModifyVpcAttribute",
        "route53:AssociateVPCWithHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "route53:GetChange",
        "route53:DeleteHostedZone",
        "route53:GetHostedZone",
        "ec2:DisassociateAddress",
        "ec2:AssociateAddress",
        "ec2:DescribeInstanceAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:TerminateInstances",
        "ec2:AllocateAddress",
        "ec2:ReleaseAddress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "route53:ChangeTagsForResource",
        "ec2:CreateRoute",
        "route53:CreateHostedZone",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkAclEntry",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateVpcEndpoint",
        "s3:ListBucket",
        "ec2:DeleteVpc"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:TagRole",
        "iam:TagPolicy",
        "iam:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:AddRoleToInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:CreateInstanceProfile",
        "iam:TagInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    }
  ]
}

Condition Two: Prepare VPC

The AutoMQ BYOC environment is deployed within the user's VPC to ensure data privacy and security. When installing the AutoMQ environment using Terraform Modules, the following two methods are supported:

• Automatically create a new VPC installation environment: Selecting this option will have Terraform Modules automatically create the VPC and other resources without manual configuration by the user. This is recommended for initial POCs and testing.

• User-provided VPC installation environment: Terraform Modules will not proactively create the VPC network; instead, the user specifies an existing VPC network.

If you choose User-provided VPC installation environment, you must refer to Prepare VPC▸ to prepare the VPC network and ensure it meets AutoMQ's requirements. Otherwise, the installation will fail.

Procedure

Go to AWS Marketplace to Activate the AutoMQ Service

The AutoMQ Cloud BYOC environment installation image is distributed via AWS Marketplace. Users need to subscribe to AutoMQ from the Marketplace. The product link is AutoMQ for Kafka (BYOC AMI for Terraform).

Go to AWS Marketplace and visit the product page AutoMQ for Kafka (BYOC AMI for Terraform).

Click Start Subscription and agree to the user agreement to complete the service activation.

Invoke AutoMQ Terraform Module to Install the Environment

After enabling the AutoMQ service, you can integrate the AutoMQ Terraform Module to install and deploy the environment.

1. Initialize the AWS CLI and Terraform runtime environment to ensure that AWS and Terraform services can be invoked.

2. Access the AutoMQ Terraform Modules repository, obtain the module dependencies, and refer to the corresponding README documentation to execute the creation operations.

Next Steps

After setting up the environment, you can access and use it. AutoMQ supports the following two methods:

• Using AutoMQ via Terraform: Once the environment setup is complete, users can manage and use AutoMQ through the AutoMQ Terraform Provider. For instructions on using AutoMQ via Terraform, please refer to the documentation.

• Using AutoMQ via WebUI: Access the console address returned in step 3 through a browser, enter the initial username and password to enter the environment console, create instances, and experience product features. Experience AutoMQ for Kafka▸