
Resource: awsMqBroker

Provides an Amazon MQ broker resource. This resource also manages users for the broker.

-> For more information on Amazon MQ, see Amazon MQ documentation.

~> NOTE: Amazon MQ currently places limits on RabbitMQ brokers. For example, a RabbitMQ broker cannot have: instances with an associated IP address of an ENI attached to the broker, an associated LDAP server to authenticate and authorize broker connections, storage type efs, audit logging, or configuration blocks. Although this resource allows you to create RabbitMQ users, RabbitMQ users cannot have console access or groups. Also, Amazon MQ does not return information about RabbitMQ users so drift detection is not possible.

~> NOTE: Changes to an MQ Broker can occur when you change a parameter, such as configuration or user, and are reflected in the next maintenance window. Because of this, Terraform may report a difference in its planning phase because a modification has not yet taken place. You can use the applyImmediately flag to instruct the service to apply the change immediately (see documentation below). Using applyImmediately can result in a brief downtime as the broker reboots.

~> NOTE: All arguments including the username and password will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

Basic Example

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.mqBroker.MqBroker(this, "example", {
  brokerName: "example",
  configuration: {
    id: "${aws_mq_configuration.test.id}",
    revision: "${aws_mq_configuration.test.latest_revision}",
  },
  engineType: "ActiveMQ",
  engineVersion: "5.15.9",
  hostInstanceType: "mq.t2.micro",
  securityGroups: ["${aws_security_group.test.id}"],
  user: [
    {
      password: "MindTheGap",
      username: "ExampleUser",
    },
  ],
});

High-throughput Optimized Example

This example shows the use of EBS storage for high-throughput optimized performance.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.mqBroker.MqBroker(this, "example", {
  brokerName: "example",
  configuration: {
    id: "${aws_mq_configuration.test.id}",
    revision: "${aws_mq_configuration.test.latest_revision}",
  },
  engineType: "ActiveMQ",
  engineVersion: "5.15.9",
  hostInstanceType: "mq.m5.large",
  securityGroups: ["${aws_security_group.test.id}"],
  storageType: "ebs",
  user: [
    {
      password: "MindTheGap",
      username: "ExampleUser",
    },
  ],
});

Argument Reference

The following arguments are required:

  • brokerName - (Required) Name of the broker.
  • engineType - (Required) Type of broker engine. Valid values are ActiveMQ and RabbitMQ.
  • engineVersion - (Required) Version of the broker engine. See the AmazonMQ Broker Engine docs for supported versions. For example, 5.15.0.
  • hostInstanceType - (Required) Broker's instance type. For example, mq.t3.micro, mq.m5.large.
  • user - (Required) Configuration block for broker users. For engineType of RabbitMQ, Amazon MQ does not return broker users, which prevents this resource from making user updates and performing drift detection. Detailed below.

The following arguments are optional:

  • applyImmediately - (Optional) Specifies whether any broker modifications are applied immediately, or during the next maintenance window. Default is false.
  • authenticationStrategy - (Optional) Authentication strategy used to secure the broker. Valid values are simple and ldap. ldap is not supported for engineType RabbitMQ.
  • autoMinorVersionUpgrade - (Optional) Whether to automatically upgrade to new minor versions of brokers as Amazon MQ makes releases available.
  • configuration - (Optional) Configuration block for broker configuration. Applies to engineType of ActiveMQ only. Detailed below.
  • deploymentMode - (Optional) Deployment mode of the broker. Valid values are SINGLE_INSTANCE, ACTIVE_STANDBY_MULTI_AZ, and CLUSTER_MULTI_AZ. Default is SINGLE_INSTANCE.
  • encryptionOptions - (Optional) Configuration block containing encryption options. Detailed below.
  • ldapServerMetadata - (Optional) Configuration block for the LDAP server used to authenticate and authorize connections to the broker. Not supported for engineType RabbitMQ. Detailed below. (Currently, AWS may not process changes to LDAP server metadata.)
  • logs - (Optional) Configuration block for the logging configuration of the broker. Detailed below.
  • maintenanceWindowStartTime - (Optional) Configuration block for the maintenance window start time. Detailed below.
  • publiclyAccessible - (Optional) Whether to enable connections from applications outside of the VPC that hosts the broker's subnets.
  • securityGroups - (Optional) List of security group IDs assigned to the broker.
  • storageType - (Optional) Storage type of the broker. For engineType ActiveMQ, the valid values are efs and ebs, and the AWS-default is efs. For engineType RabbitMQ, only ebs is supported. When using ebs, only the mq.m5 broker instance type family is supported.
  • subnetIds - (Optional) List of subnet IDs in which to launch the broker. A SINGLE_INSTANCE deployment requires one subnet. An ACTIVE_STANDBY_MULTI_AZ deployment requires multiple subnets.
  • tags - (Optional) Map of tags to assign to the broker. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

configuration

The following arguments are optional:

  • id - (Optional) The Configuration ID.
  • revision - (Optional) Revision of the Configuration.

encryptionOptions

The following arguments are optional:

  • kmsKeyId - (Optional) Amazon Resource Name (ARN) of Key Management Service (KMS) Customer Master Key (CMK) to use for encryption at rest. Requires setting useAwsOwnedKey to false. To perform drift detection when AWS-managed CMKs or customer-managed CMKs are in use, this value must be configured.
  • useAwsOwnedKey - (Optional) Whether to enable an AWS-owned KMS CMK that is not in your account. Defaults to true. Setting to false without configuring kmsKeyId will create an AWS-managed CMK aliased to aws/mq in your account.

ldapServerMetadata

The following arguments are optional:

  • hosts - (Optional) List of a fully qualified domain name of the LDAP server and an optional failover server.
  • roleBase - (Optional) Fully qualified name of the directory to search for a user’s groups.
  • roleName - (Optional) Specifies the LDAP attribute that identifies the group name attribute in the object returned from the group membership query.
  • roleSearchMatching - (Optional) Search criteria for groups.
  • roleSearchSubtree - (Optional) Whether the directory search scope is the entire sub-tree.
  • serviceAccountPassword - (Optional) Service account password.
  • serviceAccountUsername - (Optional) Service account username.
  • userBase - (Optional) Fully qualified name of the directory where you want to search for users.
  • userRoleName - (Optional) Specifies the name of the LDAP attribute for the user group membership.
  • userSearchMatching - (Optional) Search criteria for users.
  • userSearchSubtree - (Optional) Whether the directory search scope is the entire sub-tree.

logs

The following arguments are optional:

  • audit - (Optional) Enables audit logging. Auditing is only possible for engineType of ActiveMQ. User management actions made using JMX or the ActiveMQ Web Console are logged. Defaults to false.
  • general - (Optional) Enables general logging via CloudWatch. Defaults to false.

maintenanceWindowStartTime

The following arguments are required:

  • dayOfWeek - (Required) Day of the week, e.g., monday, tuesday, or wednesday.
  • timeOfDay - (Required) Time, in 24-hour format, e.g., 02:00.
  • timeZone - (Required) Time zone in either the Country/City format or the UTC offset format, e.g., CET.

user

  • consoleAccess - (Optional) Whether to enable access to the ActiveMQ Web Console for the user. Applies to engineType of ActiveMQ only.
  • groups - (Optional) List of groups (20 maximum) to which the ActiveMQ user belongs. Applies to engineType of ActiveMQ only.
  • password - (Required) Password of the user. It must be 12 to 250 characters long, at least 4 unique characters, and must not contain commas.
  • username - (Required) Username of the user.

~> NOTE: AWS currently does not support updating RabbitMQ users. Updates to users can only be made in the RabbitMQ UI.
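The user, encryptionOptions, logs and storageType rules above are easy to get wrong in a stack that is only checked at deploy time. The following is an added example, not code from this page or from the AWS provider: a pre-apply audit that checks a props object against those rules and flags the defaults (AWS-owned encryption key, logging off) that a security review normally questions. BrokerProps is a hand-written subset of the generated MqBrokerConfig so the file runs without `cdktf get`; the KMS key ARN in the hardened sample is a placeholder.

```typescript
// Added example (not part of this page or the provider): a pre-apply audit of
// MqBroker props against the constraints and security-relevant settings in this
// reference. BrokerProps is a hand-written subset of the generated MqBrokerConfig
// so the file runs without `cdktf get`.
type EngineType = "ActiveMQ" | "RabbitMQ";
interface BrokerUser { username: string; password: string; consoleAccess?: boolean; groups?: string[] }
interface BrokerProps {
  brokerName: string;
  engineType: EngineType;
  engineVersion: string;
  hostInstanceType: string;
  user: BrokerUser[];
  publiclyAccessible?: boolean;
  authenticationStrategy?: "simple" | "ldap";
  storageType?: "efs" | "ebs";
  encryptionOptions?: { kmsKeyId?: string; useAwsOwnedKey?: boolean };
  logs?: { audit?: boolean; general?: boolean };
}

function uniqueCharCount(s: string): number {
  const seen: { [ch: string]: boolean } = {};
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    if (!seen[s[i]]) { seen[s[i]] = true; n++; }
  }
  return n;
}

// Password rules from the user block: 12 to 250 characters, at least 4 unique
// characters, no commas.
function passwordViolations(password: string): string[] {
  const problems: string[] = [];
  if (password.length < 12 || password.length > 250) problems.push("password must be 12 to 250 characters long");
  if (uniqueCharCount(password) < 4) problems.push("password must contain at least 4 unique characters");
  if (password.indexOf(",") !== -1) problems.push("password must not contain commas");
  return problems;
}

// Findings are prefixed "error:" (the service would reject the broker) or
// "warning:" (a setting a security review normally flags).
function auditBroker(props: BrokerProps): string[] {
  const findings: string[] = [];
  const rabbit = props.engineType === "RabbitMQ";
  // Engine-specific constraints from the argument reference.
  if (rabbit && props.authenticationStrategy === "ldap") findings.push("error: ldap authentication is not supported for RabbitMQ");
  if (rabbit && props.storageType === "efs") findings.push("error: only ebs storage is supported for RabbitMQ");
  if (props.storageType === "ebs" && props.hostInstanceType.indexOf("mq.m5.") !== 0) findings.push("error: ebs storage requires an mq.m5 instance type");
  if (rabbit && props.logs?.audit) findings.push("error: audit logging is only possible for ActiveMQ");
  for (const u of props.user) {
    const groups = u.groups || [];
    if (rabbit && (u.consoleAccess || groups.length > 0)) findings.push(`error: user ${u.username}: consoleAccess and groups apply to ActiveMQ only`);
    if (groups.length > 20) findings.push(`error: user ${u.username}: more than 20 groups`);
    for (const p of passwordViolations(u.password)) findings.push(`error: user ${u.username}: ${p}`);
  }
  // Settings a reviewer wants set explicitly rather than left at the defaults.
  if (props.publiclyAccessible) findings.push("warning: broker accepts connections from outside the VPC");
  if (props.encryptionOptions?.useAwsOwnedKey !== false) {
    findings.push("warning: encryption at rest uses an AWS-owned key; set useAwsOwnedKey to false with a kmsKeyId");
  } else if (!props.encryptionOptions?.kmsKeyId) {
    findings.push("warning: useAwsOwnedKey is false but kmsKeyId is unset; drift detection needs the key ARN");
  }
  if (!props.logs?.general) findings.push("warning: general CloudWatch logging is disabled");
  if (!rabbit && !props.logs?.audit) findings.push("warning: ActiveMQ audit logging is disabled");
  return findings;
}

// Constructed inputs: the Basic Example above left at its defaults, and a
// hardened variant. The KMS key ARN is a placeholder.
const weakBroker: BrokerProps = {
  brokerName: "example",
  engineType: "ActiveMQ",
  engineVersion: "5.15.9",
  hostInstanceType: "mq.t2.micro",
  user: [{ username: "ExampleUser", password: "MindTheGap" }],
};

const hardenedBroker: BrokerProps = {
  brokerName: "example",
  engineType: "ActiveMQ",
  engineVersion: "5.15.9",
  hostInstanceType: "mq.m5.large",
  storageType: "ebs",
  publiclyAccessible: false,
  encryptionOptions: {
    useAwsOwnedKey: false,
    kmsKeyId: "arn:aws:kms:us-west-2:111122223333:key/PLACEHOLDER-KEY-ID",
  },
  logs: { audit: true, general: true },
  user: [{ username: "ExampleUser", password: "Mind The Gap 2024!" }],
};

console.log(auditBroker(weakBroker));     // one error (password too short) and three warnings
console.log(auditBroker(hardenedBroker)); // []
```

Run it with ts-node, or wire auditBroker into the stack's unit tests so that any "error:" finding fails CI before `cdktf deploy`; the warnings are the settings the notes at the top of this page (plain-text credentials in state, no drift detection for RabbitMQ users) make worth deciding deliberately rather than inheriting.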

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - ARN of the broker.
  • id - Unique ID that Amazon MQ generates for the broker.
  • instances - List of information about allocated brokers (both active & standby).
  • instances0ConsoleUrl - The URL of the ActiveMQ Web Console or the RabbitMQ Management UI depending on engineType.
  • instances0IpAddress - IP Address of the broker.
  • instances0Endpoints - Broker's wire-level protocol endpoints in the following order & format, referenceable e.g., as instances0Endpoints0 (SSL):
    • For ActiveMQ:
      • ssl://broker-id.mq.us-west-2.amazonaws.com:61617
      • amqp+ssl://broker-id.mq.us-west-2.amazonaws.com:5671
      • stomp+ssl://broker-id.mq.us-west-2.amazonaws.com:61614
      • mqtt+ssl://broker-id.mq.us-west-2.amazonaws.com:8883
      • wss://broker-id.mq.us-west-2.amazonaws.com:61619
    • For RabbitMQ:
      • amqps://broker-id.mq.us-west-2.amazonaws.com:5671
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
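The endpoint list exported above is what a client security group needs to open, and every scheme in it is a TLS variant. The following added example (not code from this page or the provider) parses endpoint strings in that format, refuses any endpoint whose scheme is not one of the TLS schemes listed, and derives the sorted ingress port list for a security-group rule. The sample endpoints are constructed from the format shown above with `broker-id` as a placeholder.

```typescript
// Added example, not from the page or the provider: parse instances0Endpoints
// values, reject non-TLS schemes, and derive security-group ingress ports.

// Scheme -> protocol name, for the TLS endpoints Amazon MQ exports (see above).
const TLS_SCHEMES: { [scheme: string]: string } = {
  "ssl": "OpenWire",
  "amqp+ssl": "AMQP",
  "stomp+ssl": "STOMP",
  "mqtt+ssl": "MQTT",
  "wss": "WebSocket",
  "amqps": "AMQP",
};

interface BrokerEndpoint {
  scheme: string;
  protocol: string;
  host: string;
  port: number;
}

function parseTlsEndpoints(endpoints: string[]): BrokerEndpoint[] {
  const parsed: BrokerEndpoint[] = [];
  for (const ep of endpoints) {
    const m = /^([a-z][a-z+]*):\/\/([^\/:]+):(\d{1,5})$/.exec(ep);
    if (!m) {
      throw new Error(`unparseable endpoint: ${ep}`);
    }
    const scheme = m[1];
    // hasOwnProperty so inherited Object keys (e.g. "constructor") never match.
    if (!Object.prototype.hasOwnProperty.call(TLS_SCHEMES, scheme)) {
      throw new Error(`non-TLS or unknown scheme in endpoint: ${ep}`);
    }
    parsed.push({ scheme, protocol: TLS_SCHEMES[scheme], host: m[2], port: parseInt(m[3], 10) });
  }
  return parsed;
}

// Sorted, de-duplicated port list to allow inbound from client security groups.
function ingressPorts(endpoints: string[]): number[] {
  const ports: number[] = [];
  for (const e of parseTlsEndpoints(endpoints)) {
    if (ports.indexOf(e.port) === -1) ports.push(e.port);
  }
  return ports.sort((a, b) => a - b);
}

// Constructed samples in the exported format; "broker-id" is a placeholder.
const activeMqEndpoints = [
  "ssl://broker-id.mq.us-west-2.amazonaws.com:61617",
  "amqp+ssl://broker-id.mq.us-west-2.amazonaws.com:5671",
  "stomp+ssl://broker-id.mq.us-west-2.amazonaws.com:61614",
  "mqtt+ssl://broker-id.mq.us-west-2.amazonaws.com:8883",
  "wss://broker-id.mq.us-west-2.amazonaws.com:61619",
];
const rabbitMqEndpoints = ["amqps://broker-id.mq.us-west-2.amazonaws.com:5671"];

console.log(ingressPorts(activeMqEndpoints)); // [5671, 8883, 61614, 61617, 61619]
console.log(ingressPorts(rabbitMqEndpoints)); // [5671]
```

Feeding the returned port list into an ingress rule, rather than a hand-maintained list, keeps the security group aligned with the broker's actual wire protocols; the parser throwing on a plaintext scheme such as `tcp://` is deliberate, since Amazon MQ exports TLS endpoints only and anything else in that attribute is a sign something unexpected is being referenced.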

Timeouts

Configuration options:

  • create - (Default 30m)
  • update - (Default 30m)
  • delete - (Default 30m)

Import

MQ Brokers can be imported using their broker id, e.g.,

$ terraform import aws_mq_broker.example a1b2c3d4-d5f6-7777-8888-9999aaaabbbbcccc