Install Env Via Terraform Module
Refer to Overview▸ to understand the necessary steps before using AutoMQ Cloud. This article explains how to use the Terraform Module to install the BYOC environment.
In this article, references to AutoMQ product service provider, AutoMQ service provider, or AutoMQ specifically refer to AutoMQ HK Limited and its subsidiaries.
Prerequisites
Condition 1: Cloud Account Operation Permissions
To create a BYOC environment you must supply the credentials of a cloud account that has the required permissions. The credentials may belong to the account root user or to an IAM user or role (an "IAM sub-account") that has been granted the permissions listed below; if you are using an IAM user or role, grant those permissions before starting the installation. Because this principal can create VPCs, instances, IAM roles and S3 buckets, prefer a dedicated IAM user or role carrying only the permissions below over root or long-lived administrator credentials. Two ways of granting them are described here:
- Authorize with AWS managed policies
- Authorize with a custom policy
The following AWS managed policies are sufficient for the deployment and installation steps that follow. Each is a FullAccess policy over an entire service, so this option grants considerably more than the installation needs; use it for a first POC and prefer the custom policy below for a longer-lived deployment:
- AmazonVPCFullAccess: full permissions to manage Virtual Private Cloud (VPC) resources.
- AmazonEC2FullAccess: full permissions to manage EC2 resources.
- AmazonS3FullAccess: full permissions to manage S3 object storage.
- AmazonRoute53FullAccess: full permissions to manage Route 53.
If you prefer not to use AWS managed policies and want finer-grained control, create a custom policy from the document below and attach it to the IAM user or role that will run the installation. Read it before attaching it: the delete statements are scoped with an aws:ResourceTag/automqVendor condition and role/policy creation with an aws:RequestTag condition, but the create and describe statements, and the S3 bucket and object deletions, are granted on Resource "*" without a condition. In particular, iam:PassRole and iam:AttachRolePolicy on "*" together with ec2:RunInstances let the deploying principal launch an instance under any role in the account, so treat this credential as you would an administrator credential, and, where your organisation requires it, narrow those resources to the role and policy ARNs the module creates.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketTagging",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVpcEndpoints",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSubnet",
        "ec2:DeleteInternetGateway",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateTags",
        "ec2:CreateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:RunInstances",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:DescribeAddresses",
        "ec2:DescribeAddressesAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePrefixLists",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "sts:GetCallerIdentity",
        "ssm:GetParameter",
        "ec2:DescribeVpcAttribute",
        "ec2:ModifyVpcAttribute",
        "route53:AssociateVPCWithHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "route53:GetChange",
        "route53:DeleteHostedZone",
        "route53:GetHostedZone",
        "ec2:DisassociateAddress",
        "ec2:AssociateAddress",
        "ec2:DescribeInstanceAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:TerminateInstances",
        "ec2:AllocateAddress",
        "ec2:ReleaseAddress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "route53:ChangeTagsForResource",
        "ec2:CreateRoute",
        "route53:CreateHostedZone",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteNetworkAclEntry",
        "ec2:CreateNetworkAclEntry",
        "ec2:CreateVpcEndpoint",
        "s3:ListBucket",
        "ec2:DeleteVpc"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:TagRole",
        "iam:TagPolicy",
        "iam:CreatePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/automqVendor": "automq"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:AddRoleToInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions",
        "iam:CreateInstanceProfile",
        "iam:TagInstanceProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/automqVendor": "automq"
        }
      }
    }
  ]
}
```
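As an added pre-flight check that is not part of the AutoMQ documentation or tooling, the following Python script lints a policy document of the shape shown above before you attach it. It flags Allow statements that grant mutating actions on Resource "*" without any Condition, flags privilege-escalation actions (iam:PassRole, iam:AttachRolePolicy and similar) on "*", and shows one way to carve iam:PassRole out into its own statement scoped to a role ARN pattern and to the service the role is passed to. The embedded policy is a constructed excerpt of four of the statements above; the role ARN pattern `arn:aws:iam::123456789012:role/automq-*` is a placeholder, not a name AutoMQ documents.

```python
"""Pre-flight lint for a custom IAM policy of the shape shown on this page.

Added example; not AutoMQ's own tooling. Run with no arguments to lint the
embedded excerpt, or pass the path of the full policy JSON file.
"""
import copy
import json
import sys

# Constructed excerpt: four of the page's statements, enough to exercise
# every rule below. The full policy can be passed as a file path instead.
POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:PutBucketTagging", "s3:DeleteBucket"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:DeleteVpcEndpoints", "ec2:DeleteSecurityGroup"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/automqVendor": "automq"}}},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:CreatePolicy"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/automqVendor": "automq"}}},
        {"Effect": "Allow",
         "Action": ["iam:AttachRolePolicy", "iam:PassRole", "iam:CreateInstanceProfile"],
         "Resource": "*"},
    ],
}

# Actions that let the holder grant itself, or another identity, more power.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy",
}
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return findings as (statement_index, action, message) tuples."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[1] if ":" in action else action
            if action in ESCALATION_ACTIONS and wildcard:
                findings.append((idx, action, "privilege-escalation action on Resource '*'"))
            elif wildcard and not conditioned and not verb.startswith(READ_ONLY_PREFIXES):
                findings.append((idx, action, "mutating action on Resource '*' without a Condition"))
    return findings


def scope_pass_role(policy, role_arn_pattern, passed_to="ec2.amazonaws.com"):
    """Return a copy of the policy in which iam:PassRole is removed from every
    statement and re-granted in its own statement, limited to role_arn_pattern
    and to the service the role may be passed to (iam:PassedToService)."""
    hardened = copy.deepcopy(policy)
    moved = False
    for stmt in hardened["Statement"]:
        actions = _as_list(stmt.get("Action"))
        if "iam:PassRole" in actions:
            stmt["Action"] = [a for a in actions if a != "iam:PassRole"]
            moved = True
    # A statement left with no actions is invalid IAM; drop it.
    hardened["Statement"] = [s for s in hardened["Statement"] if _as_list(s.get("Action"))]
    if moved:
        hardened["Statement"].append({
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": role_arn_pattern,  # placeholder pattern, see lead-in
            "Condition": {"StringEquals": {"iam:PassedToService": passed_to}},
        })
    return hardened


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = POLICY_EXCERPT
    for idx, action, msg in lint_policy(policy):
        print(f"Statement[{idx}] {action}: {msg}")
```

On the excerpt the linter reports the three S3 bucket actions and iam:CreateInstanceProfile as unconditioned mutations on "*", and iam:AttachRolePolicy and iam:PassRole as escalation actions; after scope_pass_role the PassRole finding disappears while the AttachRolePolicy one remains, which is the next grant to narrow (for example to the policy ARNs the module creates) if your account requires it.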
Condition 2: Prepare VPC
The AutoMQ BYOC environment is deployed inside your own VPC so that business data stays within your account. When installing with the Terraform Module, two modes are supported:
- Automatically create a new VPC: the module creates the VPC and the related network resources itself, with no manual network configuration. This is recommended for a first POC or test environment.
- Use a VPC you provide: the module does not create a VPC; you must specify an existing VPC.
If you choose to install into a VPC you provide, follow Prepare VPC▸ to set the VPC up so that it meets AutoMQ's requirements; otherwise the installation may fail.
Operating Procedures
Step 1: Install the Environment with the AutoMQ Terraform Module
Before using the Terraform Module to install the BYOC environment, select (or upgrade to) the latest released Module version per the documentation and pin that version in your module reference, so that later upgrades are explicit changes rather than silent ones; then integrate the AutoMQ Terraform Module into your configuration for the deployment.
Install and configure the AWS CLI and Terraform so that the credentials prepared under Condition 1 are available to both (for example through a named profile). Confirm that you are operating as the intended principal with `aws sts get-caller-identity`, which needs no additional permission, before applying anything.
Obtain the Module from the AutoMQ Terraform Modules Repository and follow the corresponding README to run the creation steps.
Step 2: Grant BYOC Environment Operations Authorization
The BYOC environment runs inside your VPC, so business data stays isolated. It does, however, produce system logs, metrics and other non-business operational data. After the installation, follow Manage Environment Ops Authing▸ to grant the AutoMQ service provider the operational authorization it needs for stability monitoring and self-healing. Review the scope of that authorization before granting it: it should cover this operational data only.
Next Steps
Once the installation is complete, you can access and use the environment in either of two ways:
Using AutoMQ via Terraform: manage and use AutoMQ through the AutoMQ Terraform Provider. For details, refer to the Terraform Provider documentation.
Using AutoMQ via the WebUI: open the console address returned by the installation in Step 1 in a browser and sign in with the initial username and password to reach the environment console, create instances and try out the product. Treat the initial credentials as bootstrap secrets: share them only with environment administrators and change the password after the first login. Experience AutoMQ for Kafka▸
Appendix
- For a list and description of the installed cloud resources, refer to Cloud Resource List▸