AWS Amazon MQ Broker
This page shows how to write Terraform and CloudFormation for Amazon MQ Broker and write them securely.
aws_mq_broker (Terraform)
The Broker in Amazon MQ can be configured in Terraform with the resource name aws_mq_broker. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_mq_broker" "noncompliant_missing" {
  # Noncompliant: no logs block, so broker logging is never enabled
}

resource "aws_mq_broker" "noncompliant_disabled" {
  logs { # Noncompliant: logging explicitly disabled
    general = false
  }
}

resource "aws_mq_broker" "allowed" {
  logs {
    general = true
  }
}

resource "aws_mq_broker" "my_aws_mq_broker_activemq_single_default" {
  broker_name = "example"
  configuration {
    id       = aws_mq_configuration.my_aws_mq_configuration.id
    revision = aws_mq_configuration.my_aws_mq_configuration.latest_revision
  }
}

resource "aws_mq_broker" "positive1" {
  broker_name = "no-logging" # no logs block at all
}

resource "aws_mq_broker" "positive2" {
  broker_name = "partial-logging"
}
Parameters
- apply_immediately (optional, bool)
- arn (optional, computed, string)
- authentication_strategy (optional, computed, string)
- auto_minor_version_upgrade (optional, bool)
- broker_name (required, string)
- deployment_mode (optional, string)
- engine_type (required, string)
- engine_version (required, string)
- host_instance_type (required, string)
- id (optional, computed, string)
- instances (optional, computed, list of object)
  - console_url (string)
  - endpoints (list of string)
  - ip_address (string)
- publicly_accessible (optional, bool)
- security_groups (optional, set of string)
- storage_type (optional, computed, string)
- subnet_ids (optional, computed, set of string)
- tags (optional, map from string to string)
- configuration (list block)
- encryption_options (list block)
  - kms_key_id (optional, computed, string)
  - use_aws_owned_key (optional, bool)
- ldap_server_metadata (list block)
  - hosts (optional, list of string)
  - role_base (optional, string)
  - role_name (optional, string)
  - role_search_matching (optional, string)
  - role_search_subtree (optional, bool)
  - service_account_password (optional, string)
  - service_account_username (optional, string)
  - user_base (optional, string)
  - user_role_name (optional, string)
  - user_search_matching (optional, string)
  - user_search_subtree (optional, bool)
- logs (list block)
- maintenance_window_start_time (list block)
  - day_of_week (required, string)
  - time_of_day (required, string)
  - time_zone (required, string)
- user (set block)
  - console_access (optional, bool)
  - groups (optional, set of string)
  - password (required, string)
  - username (required, string)
Explanation in Terraform Registry
Provides an Amazon MQ broker resource. This resource also manages users for the broker. For more information on Amazon MQ, see the Amazon MQ documentation.
NOTE: Amazon MQ currently places limits on RabbitMQ brokers. For example, a RabbitMQ broker cannot have: instances with an associated IP address of an ENI attached to the broker, an associated LDAP server to authenticate and authorize broker connections, storage type EFS, audit logging, or configuration blocks. Although this resource allows you to create RabbitMQ users, RabbitMQ users cannot have console access or groups. Also, Amazon MQ does not return information about RabbitMQ users, so drift detection is not possible.
NOTE: Changes to an MQ Broker can occur when you change a parameter, such as configuration or user, and are reflected in the next maintenance window. Because of this, Terraform may report a difference in its planning phase because a modification has not yet taken place. You can use the apply_immediately flag to instruct the service to apply the change immediately (see documentation below). Using apply_immediately can result in a brief downtime as the broker reboots.
NOTE: All arguments including the username and password will be stored in the raw state as plain-text. Read more about sensitive data in state.
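As an added example (not taken from the GitHub snippets above or from the Terraform Registry), the following aws_mq_broker configuration applies the points this page raises: logging enabled, the broker kept off the public internet, a customer-managed KMS key instead of the AWS-owned one, and the admin password passed through a sensitive variable rather than hardcoded. The KMS key, subnet, security group and variable names, and the engine version, are assumptions.

```hcl
# Added example: a hardened ActiveMQ broker (not code from the page's sources).
# Assumed to exist elsewhere in the module: aws_kms_key.mq, aws_subnet.mq_a,
# aws_subnet.mq_b and aws_security_group.mq.

variable "mq_admin_password" {
  type      = string
  sensitive = true # still written to state in plain text; protect the state backend
}

resource "aws_mq_broker" "hardened" {
  broker_name        = "orders-broker"
  engine_type        = "ActiveMQ"
  engine_version     = "5.17.6" # assumed; use a currently supported version
  host_instance_type = "mq.m5.large"
  deployment_mode    = "ACTIVE_STANDBY_MULTI_AZ"

  # Keep the broker reachable only from inside the VPC.
  publicly_accessible = false
  subnet_ids          = [aws_subnet.mq_a.id, aws_subnet.mq_b.id]
  security_groups     = [aws_security_group.mq.id]

  # Customer-managed KMS key instead of the AWS-owned default key.
  encryption_options {
    kms_key_id        = aws_kms_key.mq.arn
    use_aws_owned_key = false
  }

  # Both general and audit logs on; the "noncompliant" snippets omit or disable these.
  logs {
    general = true
    audit   = true
  }

  auto_minor_version_upgrade = true
  maintenance_window_start_time {
    day_of_week = "SUNDAY"
    time_of_day = "03:00"
    time_zone   = "UTC"
  }

  user {
    username       = "admin"
    password       = var.mq_admin_password
    console_access = true
  }
}
```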
AWS::AmazonMQ::Broker (CloudFormation)
The Broker in AmazonMQ can be configured in CloudFormation with the resource name AWS::AmazonMQ::Broker. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
- SecurityGroups (optional, List)
- StorageType (optional, String)
- EngineVersion (required, String)
- Configuration (optional, ConfigurationId)
- AuthenticationStrategy (optional, String)
- MaintenanceWindowStartTime (optional, MaintenanceWindow)
- HostInstanceType (required, String)
- AutoMinorVersionUpgrade (required, Boolean)
- Users (required, List of User)
- Logs (optional, LogList)
- SubnetIds (optional, List)
- BrokerName (required, String)
- LdapServerMetadata (optional, LdapServerMetadata)
- DeploymentMode (required, String)
- EngineType (required, String)
- PubliclyAccessible (required, Boolean)
- EncryptionOptions (optional, EncryptionOptions)
- Tags (optional, List of TagsEntry)
Explanation in CloudFormation Registry
A broker is a message broker environment running on Amazon MQ. It is the basic building block of Amazon MQ.
The AWS::AmazonMQ::Broker resource lets you create Amazon MQ for ActiveMQ and Amazon MQ for RabbitMQ brokers, add configuration changes or modify users for a specified ActiveMQ broker, return information about the specified broker, and delete the broker. For more information, see How Amazon MQ works in the Amazon MQ Developer Guide.
The following EC2 permissions are required by this resource:
- ec2:CreateNetworkInterface: required to allow Amazon MQ to create an elastic network interface (ENI) on behalf of your account.
- ec2:CreateNetworkInterfacePermission: required to attach the ENI to the broker instance.
- ec2:DeleteNetworkInterface
- ec2:DeleteNetworkInterfacePermission
- ec2:DetachNetworkInterface
- ec2:DescribeInternetGateways
- ec2:DescribeNetworkInterfaces
- ec2:DescribeNetworkInterfacePermissions
- ec2:DescribeRouteTables
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
- ec2:DescribeVpcs
Frequently asked questions
What is AWS Amazon MQ Broker?
AWS Amazon MQ Broker is a resource for Amazon MQ of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon MQ Broker?
For Terraform, the SonarSource/sonar-iac, snyk-labs/infrastructure-as-code-goof and gilyas/infracost source code examples are useful. See the Terraform Example section for further details.