39 | > Watch demo of using Atmos with Terraform
40 | > 
41 | > Example of running atmos to manage infrastructure from our Quick Start tutorial.
42 | >
43 |
44 |
45 | ## Introduction
46 |
47 | This module provisions the following resources:
48 | - ActiveMQ broker
49 | - RabbitMQ broker
50 | - Security group rules to allow access to the broker
51 |
52 | Admin and application users are created and credentials written to SSM if not passed in as variables.
53 |
54 |
55 |
56 |
57 | ## Usage
58 |
59 | For a complete example, see [examples/complete](examples/complete).
60 |
61 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
62 | (which tests and deploys the example on AWS), see [test](test).
63 |
64 | ```hcl
65 | module "mq_broker" {
66 | source = "cloudposse/mq-broker/aws"
67 | # Cloud Posse recommends pinning every module to a specific version
68 | # version = "x.x.x"
69 |
70 | namespace = "eg"
71 | stage = "test"
72 | name = "mq-broker"
73 | apply_immediately = true
74 | auto_minor_version_upgrade = true
75 | deployment_mode = "ACTIVE_STANDBY_MULTI_AZ"
76 | engine_type = "ActiveMQ"
77 | engine_version = "5.15.14"
78 | host_instance_type = "mq.t3.micro"
79 | publicly_accessible = false
80 | general_log_enabled = true
81 | audit_log_enabled = true
82 | encryption_enabled = true
83 | use_aws_owned_key = true
84 | vpc_id = var.vpc_id
85 | subnet_ids = var.subnet_ids
86 | security_groups = var.security_groups
87 | }
88 | ```
89 |
90 | > [!IMPORTANT]
91 | > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation
92 | > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version
93 | > you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic
94 | > approach for updating versions to avoid unexpected changes.
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 | ## Requirements
105 |
106 | | Name | Version |
107 | |------|---------|
108 | | [terraform](#requirement\_terraform) | >= 1.0.0 |
109 | | [aws](#requirement\_aws) | >= 3.0 |
110 | | [random](#requirement\_random) | >= 3.0 |
111 |
112 | ## Providers
113 |
114 | | Name | Version |
115 | |------|---------|
116 | | [aws](#provider\_aws) | >= 3.0 |
117 | | [random](#provider\_random) | >= 3.0 |
118 |
119 | ## Modules
120 |
121 | | Name | Source | Version |
122 | |------|--------|---------|
123 | | [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.2.0 |
124 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
125 |
126 | ## Resources
127 |
128 | | Name | Type |
129 | |------|------|
130 | | [aws_mq_broker.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker) | resource |
131 | | [aws_mq_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_configuration) | resource |
132 | | [aws_ssm_parameter.mq_application_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
133 | | [aws_ssm_parameter.mq_application_username](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
134 | | [aws_ssm_parameter.mq_master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
135 | | [aws_ssm_parameter.mq_master_username](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
136 | | [random_password.mq_admin_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
137 | | [random_password.mq_application_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
138 | | [random_pet.mq_admin_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
139 | | [random_pet.mq_application_user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
140 |
141 | ## Inputs
142 |
143 | | Name | Description | Type | Default | Required |
144 | |------|-------------|------|---------|:--------:|
145 | | [additional\_security\_group\_rules](#input\_additional\_security\_group\_rules) | A list of Security Group rule objects to add to the created security group, in addition to the ones
this module normally creates. (To suppress the module's rules, set `create_security_group` to false
and supply your own security group(s) via `associated_security_group_ids`.)
The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
For more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
and https://github.com/cloudposse/terraform-aws-security-group. | `list(any)` | `[]` | no |
146 | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
147 | | [allow\_all\_egress](#input\_allow\_all\_egress) | If `true`, the created security group will allow egress on all ports and protocols to all IP addresses.
If this is false and no egress rules are otherwise specified, then no egress will be allowed. | `bool` | `true` | no |
148 | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | A list of IPv4 CIDRs to allow access to the security group created by this module.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no |
149 | | [allowed\_ingress\_ports](#input\_allowed\_ingress\_ports) | List of TCP ports to allow access to in the created security group.
Default is to allow access to all ports. Set `create_security_group` to `false` to disable.
Note: List of ports must be known at "plan" time. | `list(number)` | `[]` | no |
150 | | [allowed\_ipv6\_cidr\_blocks](#input\_allowed\_ipv6\_cidr\_blocks) | A list of IPv6 CIDRs to allow access to the security group created by this module.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no |
151 | | [allowed\_ipv6\_prefix\_list\_ids](#input\_allowed\_ipv6\_prefix\_list\_ids) | A list of IPv6 Prefix Lists IDs to allow access to the security group created by this module.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no |
152 | | [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the security group created by this module.
The length of this list must be known at "plan" time. | `list(string)` | `[]` | no |
153 | | [allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead.
A list of Security Group IDs to to be allowed to connect to the broker instance. | `list(string)` | `[]` | no |
154 | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no |
155 | | [associated\_security\_group\_ids](#input\_associated\_security\_group\_ids) | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access. | `list(string)` | `[]` | no |
156 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
157 | | [audit\_log\_enabled](#input\_audit\_log\_enabled) | Enables audit logging. User management action made using JMX or the ActiveMQ Web Console is logged | `bool` | `true` | no |
158 | | [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions | `bool` | `false` | no |
159 | | [configuration\_data](#input\_configuration\_data) | data value for configuration | `string` | `null` | no |
160 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
161 | | [create\_security\_group](#input\_create\_security\_group) | Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided. | `bool` | `true` | no |
162 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
163 | | [deployment\_mode](#input\_deployment\_mode) | The deployment mode of the broker. Supported: SINGLE\_INSTANCE and ACTIVE\_STANDBY\_MULTI\_AZ | `string` | `"ACTIVE_STANDBY_MULTI_AZ"` | no |
164 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
165 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
166 | | [encryption\_enabled](#input\_encryption\_enabled) | Flag to enable/disable Amazon MQ encryption at rest | `bool` | `true` | no |
167 | | [engine\_type](#input\_engine\_type) | Type of broker engine, `ActiveMQ` or `RabbitMQ` | `string` | `"ActiveMQ"` | no |
168 | | [engine\_version](#input\_engine\_version) | The version of the broker engine. See https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html for more details | `string` | `"5.17.6"` | no |
169 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
170 | | [existing\_security\_groups](#input\_existing\_security\_groups) | DEPRECATED: Use `associated_security_group_ids` instead.
List of existing Security Group IDs to place the broker into. | `list(string)` | `[]` | no |
171 | | [general\_log\_enabled](#input\_general\_log\_enabled) | Enables general logging via CloudWatch | `bool` | `true` | no |
172 | | [host\_instance\_type](#input\_host\_instance\_type) | The broker's instance type. e.g. mq.t2.micro or mq.m4.large | `string` | `"mq.t3.micro"` | no |
173 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
174 | | [kms\_mq\_key\_arn](#input\_kms\_mq\_key\_arn) | ARN of the AWS KMS key used for Amazon MQ encryption | `string` | `null` | no |
175 | | [kms\_ssm\_key\_arn](#input\_kms\_ssm\_key\_arn) | ARN of the AWS KMS key used for SSM encryption | `string` | `"alias/aws/ssm"` | no |
176 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
177 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
178 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
179 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | [
"default"
]
| no |
180 | | [maintenance\_day\_of\_week](#input\_maintenance\_day\_of\_week) | The maintenance day of the week. e.g. MONDAY, TUESDAY, or WEDNESDAY | `string` | `"SUNDAY"` | no |
181 | | [maintenance\_time\_of\_day](#input\_maintenance\_time\_of\_day) | The maintenance time, in 24-hour format. e.g. 02:00 | `string` | `"03:00"` | no |
182 | | [maintenance\_time\_zone](#input\_maintenance\_time\_zone) | The maintenance time zone, in either the Country/City format, or the UTC offset format. e.g. CET | `string` | `"UTC"` | no |
183 | | [mq\_admin\_password](#input\_mq\_admin\_password) | Admin password | `list(string)` | `[]` | no |
184 | | [mq\_admin\_password\_ssm\_parameter\_name](#input\_mq\_admin\_password\_ssm\_parameter\_name) | SSM parameter name for Admin password | `string` | `"mq_admin_password"` | no |
185 | | [mq\_admin\_user](#input\_mq\_admin\_user) | Admin username | `list(string)` | `[]` | no |
186 | | [mq\_admin\_user\_ssm\_parameter\_name](#input\_mq\_admin\_user\_ssm\_parameter\_name) | SSM parameter name for Admin username | `string` | `"mq_admin_username"` | no |
187 | | [mq\_application\_password](#input\_mq\_application\_password) | Application password | `list(string)` | `[]` | no |
188 | | [mq\_application\_password\_ssm\_parameter\_name](#input\_mq\_application\_password\_ssm\_parameter\_name) | SSM parameter name for Application password | `string` | `"mq_application_password"` | no |
189 | | [mq\_application\_user](#input\_mq\_application\_user) | Application username | `list(string)` | `[]` | no |
190 | | [mq\_application\_user\_ssm\_parameter\_name](#input\_mq\_application\_user\_ssm\_parameter\_name) | SSM parameter name for Application username | `string` | `"mq_application_username"` | no |
191 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
192 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
193 | | [preserve\_security\_group\_id](#input\_preserve\_security\_group\_id) | When `false` and `security_group_create_before_destroy` is `true`, changes to security group rules
cause a new security group to be created with the new rules, and the existing security group is then
replaced with the new one, eliminating any service interruption.
When `true` or when changing the value (from `false` to `true` or from `true` to `false`),
existing security group rules will be deleted before new ones are created, resulting in a service interruption,
but preserving the security group itself.
**NOTE:** Setting this to `true` does not guarantee the security group will never be replaced,
it only keeps changes to the security group rules from triggering a replacement.
See the [terraform-aws-security-group README](https://github.com/cloudposse/terraform-aws-security-group) for further discussion. | `bool` | `false` | no |
194 | | [publicly\_accessible](#input\_publicly\_accessible) | Whether to enable connections from applications outside of the VPC that hosts the broker's subnets | `bool` | `false` | no |
195 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
196 | | [security\_group\_create\_before\_destroy](#input\_security\_group\_create\_before\_destroy) | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are importing an existing security group
that you do not want replaced and therefore need full control over its name.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no |
197 | | [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no |
198 | | [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion from
lingering ENIs left by certain AWS services such as Elastic Load Balancing. | `string` | `"15m"` | no |
199 | | [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced. | `string` | `"Managed by Terraform"` | no |
200 | | [security\_group\_name](#input\_security\_group\_name) | The name to assign to the created security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no |
201 | | [ssm\_parameter\_name\_format](#input\_ssm\_parameter\_name\_format) | SSM parameter name format | `string` | `"/%s/%s"` | no |
202 | | [ssm\_path](#input\_ssm\_path) | The first parameter to substitute in `ssm_parameter_name_format` | `string` | `"mq"` | no |
203 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
204 | | [subnet\_ids](#input\_subnet\_ids) | List of VPC subnet IDs | `list(string)` | n/a | yes |
205 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
206 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
207 | | [use\_aws\_owned\_key](#input\_use\_aws\_owned\_key) | Boolean to enable an AWS owned Key Management Service (KMS) Customer Master Key (CMK) for Amazon MQ encryption that is not in your account | `bool` | `true` | no |
208 | | [use\_existing\_security\_groups](#input\_use\_existing\_security\_groups) | DEPRECATED: Use `create_security_group` instead.
Historical description: Set to `true` to disable Security Group creation | `bool` | `null` | no |
209 | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC to create the broker in | `string` | n/a | yes |
210 |
211 | ## Outputs
212 |
213 | | Name | Description |
214 | |------|-------------|
215 | | [admin\_username](#output\_admin\_username) | AmazonMQ admin username |
216 | | [application\_password](#output\_application\_password) | AmazonMQ application password |
217 | | [application\_username](#output\_application\_username) | AmazonMQ application username |
218 | | [broker\_arn](#output\_broker\_arn) | AmazonMQ broker ARN |
219 | | [broker\_id](#output\_broker\_id) | AmazonMQ broker ID |
220 | | [primary\_amqp\_ssl\_endpoint](#output\_primary\_amqp\_ssl\_endpoint) | AmazonMQ primary AMQP+SSL endpoint |
221 | | [primary\_console\_url](#output\_primary\_console\_url) | AmazonMQ active web console URL |
222 | | [primary\_ip\_address](#output\_primary\_ip\_address) | AmazonMQ primary IP address |
223 | | [primary\_mqtt\_ssl\_endpoint](#output\_primary\_mqtt\_ssl\_endpoint) | AmazonMQ primary MQTT+SSL endpoint |
224 | | [primary\_ssl\_endpoint](#output\_primary\_ssl\_endpoint) | AmazonMQ primary SSL endpoint |
225 | | [primary\_stomp\_ssl\_endpoint](#output\_primary\_stomp\_ssl\_endpoint) | AmazonMQ primary STOMP+SSL endpoint |
226 | | [primary\_wss\_endpoint](#output\_primary\_wss\_endpoint) | AmazonMQ primary WSS endpoint |
227 | | [secondary\_amqp\_ssl\_endpoint](#output\_secondary\_amqp\_ssl\_endpoint) | AmazonMQ secondary AMQP+SSL endpoint |
228 | | [secondary\_console\_url](#output\_secondary\_console\_url) | AmazonMQ secondary web console URL |
229 | | [secondary\_ip\_address](#output\_secondary\_ip\_address) | AmazonMQ secondary IP address |
230 | | [secondary\_mqtt\_ssl\_endpoint](#output\_secondary\_mqtt\_ssl\_endpoint) | AmazonMQ secondary MQTT+SSL endpoint |
231 | | [secondary\_ssl\_endpoint](#output\_secondary\_ssl\_endpoint) | AmazonMQ secondary SSL endpoint |
232 | | [secondary\_stomp\_ssl\_endpoint](#output\_secondary\_stomp\_ssl\_endpoint) | AmazonMQ secondary STOMP+SSL endpoint |
233 | | [secondary\_wss\_endpoint](#output\_secondary\_wss\_endpoint) | AmazonMQ secondary WSS endpoint |
234 | | [security\_group\_arn](#output\_security\_group\_arn) | The ARN of the created security group |
235 | | [security\_group\_id](#output\_security\_group\_id) | The ID of the created security group |
236 | | [security\_group\_name](#output\_security\_group\_name) | The name of the created security group |
237 |
238 |
239 |
240 |
241 |
242 |
243 |
244 |
245 | ## Related Projects
246 |
247 | Check out these related projects.
248 |
249 | - [terraform-aws-codefresh-backing-services](https://github.com/cloudposse/terraform-aws-codefresh-backing-services) - Terraform module to provision CodeFresh Enterprise backing services
250 |
251 |
252 | > [!TIP]
253 | > #### Use Terraform Reference Architectures for AWS
254 | >
255 | > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly.
256 | >
257 | > ✅ We build it together with your team.
258 | > ✅ Your team owns everything.
259 | > ✅ 100% Open Source and backed by fanatical support.
260 | >
261 | > 
262 | > 📚 Learn More
263 | >
264 | >
265 | >
266 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-mq-broker&utm_content=commercial_support) for funded startups and enterprises.
267 | >
268 | > *Your team can operate like a pro today.*
269 | >
270 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
271 | > #### Day-0: Your Foundation for Success
272 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
273 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
274 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
275 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
276 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.
277 | >
278 | >
279 | >
280 | > #### Day-2: Your Operational Mastery
281 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
282 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
283 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
284 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
285 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
286 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
287 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
288 | >
289 | >
290 | > 
302 |
303 |
304 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-mq-broker/issues).
305 |
306 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
307 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-mq-broker/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
308 | 2. **Fork** the repo on GitHub
309 | 3. **Clone** the project to your own machine
310 | 4. **Commit** changes to your own branch
311 | 5. **Push** your work back up to your fork
312 | 6. Submit a **Pull Request** so that we can review your changes
313 |
314 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!
315 |
316 | ### 🌎 Slack Community
317 |
318 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-mq-broker&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
319 |
320 | ### 📰 Newsletter
321 |
322 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-mq-broker&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.
323 | Dropped straight into your Inbox every week — and usually a 5-minute read.
324 |
325 | ### 📆 Office Hours 
326 |
327 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-mq-broker&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else.
328 | It's **FREE** for everyone!
329 | ## License
330 |
331 | 
332 |
333 |
334 | Preamble to the Apache License, Version 2.0
335 |
336 |
337 |
338 | Complete license is available in the [`LICENSE`](LICENSE) file.
339 |
340 | ```text
341 | Licensed to the Apache Software Foundation (ASF) under one
342 | or more contributor license agreements. See the NOTICE file
343 | distributed with this work for additional information
344 | regarding copyright ownership. The ASF licenses this file
345 | to you under the Apache License, Version 2.0 (the
346 | "License"); you may not use this file except in compliance
347 | with the License. You may obtain a copy of the License at
348 |
349 | https://www.apache.org/licenses/LICENSE-2.0
350 |
351 | Unless required by applicable law or agreed to in writing,
352 | software distributed under the License is distributed on an
353 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
354 | KIND, either express or implied. See the License for the
355 | specific language governing permissions and limitations
356 | under the License.
357 | ```
358 |
359 |
360 | ## Trademarks
361 |
362 | All other trademarks referenced herein are the property of their respective owners.
363 |
364 |
365 | ---
366 | Copyright © 2017-2025 [Cloud Posse, LLC](https://cpco.io/copyright)
367 |
368 |
369 | 
370 |
371 | 
372 |
--------------------------------------------------------------------------------
/README.yaml:
--------------------------------------------------------------------------------
1 | #
2 | # This is the canonical configuration for the `README.md`
3 | # Run `make readme` to rebuild the `README.md`
4 | #
5 |
6 | # Name of this project
7 | name: terraform-aws-mq-broker
8 |
9 | tags:
10 | - aws
11 | - terraform
12 | - terraform-modules
13 | - broker
14 | - message-broker
15 | - amazonmq
16 | - amazon-mq
17 | - activemq
18 | - active-mq
19 | - rabbitmq
20 | - rabbit-mq
21 |
22 | categories:
23 | - terraform-modules/message-brokers
24 |
25 | # Logo for this project
26 | #logo: docs/logo.png
27 |
28 | # License of this project
29 | license: "APACHE2"
30 |
31 | # Canonical GitHub repo
32 | github_repo: cloudposse/terraform-aws-mq-broker
33 |
34 | # Badges to display
35 | badges:
36 | - name: Latest Release
37 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-mq-broker.svg?style=for-the-badge
38 | url: https://github.com/cloudposse/terraform-aws-mq-broker/releases/latest
39 | - name: Last Updated
40 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-mq-broker.svg?style=for-the-badge
41 | url: https://github.com/cloudposse/terraform-aws-mq-broker/commits
42 | - name: Slack Community
43 | image: https://slack.cloudposse.com/for-the-badge.svg
44 | url: https://cloudposse.com/slack
45 |
46 | # List any related terraform modules that this module may be used with or that this module depends on.
47 | related:
48 | - name: "terraform-aws-codefresh-backing-services"
49 | description: "Terraform module to provision CodeFresh Enterprise backing services"
50 | url: "https://github.com/cloudposse/terraform-aws-codefresh-backing-services"
51 |
52 | # Short description of this project
53 | description: |-
54 | Terraform module to provision AmazonMQ resources on AWS
55 |
56 | introduction: |-
57 | This module provisions the following resources:
58 | - ActiveMQ broker
59 | - RabbitMQ broker
60 | - Security group rules to allow access to the broker
61 |
62 | Admin and application users are created and credentials written to SSM if not passed in as variables.
63 |
64 | # How to use this project
65 | usage: |2-
66 |
67 | For a complete example, see [examples/complete](examples/complete).
68 |
69 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
70 | (which tests and deploys the example on AWS), see [test](test).
71 |
72 | ```hcl
73 | module "mq_broker" {
74 | source = "cloudposse/mq-broker/aws"
75 | # Cloud Posse recommends pinning every module to a specific version
76 | # version = "x.x.x"
77 |
78 | namespace = "eg"
79 | stage = "test"
80 | name = "mq-broker"
81 | apply_immediately = true
82 | auto_minor_version_upgrade = true
83 | deployment_mode = "ACTIVE_STANDBY_MULTI_AZ"
84 | engine_type = "ActiveMQ"
85 | engine_version = "5.15.14"
86 | host_instance_type = "mq.t3.micro"
87 | publicly_accessible = false
88 | general_log_enabled = true
89 | audit_log_enabled = true
90 | encryption_enabled = true
91 | use_aws_owned_key = true
92 | vpc_id = var.vpc_id
93 | subnet_ids = var.subnet_ids
94 | security_groups = var.security_groups
95 | }
96 | ```
97 |
98 | include: []
99 | contributors: []
100 |
--------------------------------------------------------------------------------
/atmos.yaml:
--------------------------------------------------------------------------------
1 | # Atmos Configuration — powered by https://atmos.tools
2 | #
3 | # This configuration enables centralized, DRY, and consistent project scaffolding using Atmos.
4 | #
5 | # Included features:
6 | # - Organizational custom commands: https://atmos.tools/core-concepts/custom-commands
7 | # - Automated README generation: https://atmos.tools/cli/commands/docs/generate
8 | #
9 |
10 | # Import shared configuration used by all modules
11 | import:
12 | - https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml
13 |
--------------------------------------------------------------------------------
/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/docs/migration-v1-v2.md:
--------------------------------------------------------------------------------
1 | # Migration From v1 to v2
2 |
3 | NOTE: v1.0.0 is functionally equivalent to v0.14.0.
4 | This is not a migration guide from the pre-release versions 0.15.0 and 0.15.1
5 | and we do not plan to provide one.
6 |
7 | Version 2.0.0 of this module introduces changes that will cause a
8 | direct update to fail to apply, and without additional steps will also cause
9 | the security group, MQ users, and passwords created by this module to be
10 | destroyed and replaced with new ones.
11 |
12 | ### Simple migration
13 |
14 | The simplest migration path is to update to the new version, allowing
15 | the new defaults to take effect, and then moving the existing
16 | security group to the new "resource address". (More difficult but
17 | less disruptive migration is detailed below under ["Migration With Minimal Disruption"](#migration-with-minimal-disruption).)
18 |
19 | - Modify your module reference to refer to the new version
20 | - Run `terraform plan`
21 | - Note the Terraform addresses of the security group Terraform will destroy and the one it will create
22 | - Use `terraform state mv` to move the former to the latter, something like
23 | ```
24 | terraform state mv 'module.mq_broker.aws_security_group.default[0]' 'module.mq_broker.module.security_group.aws_security_group.cbd[0]'
25 | ```
26 | - Run `terraform plan` again and verify that no security groups will be destroyed, but rather the `cbd[0]` group will be replaced
27 | - Finish by applying the plan
28 |
29 | In this migration, the security group, MQ users, and MQ passwords created by this module will be destroyed and replaced with new ones.
30 | We recommend allowing this and treating it as part of your password rotation practice, however
31 | be warned that it will cause an outage while you update clients to use the new username and password.
32 |
33 | Using `mv` to move the security group resource and enabling "create before destroy" (the new default) are required,
34 | otherwise Terraform cannot delete the existing security group because it is still in use. The
35 | Terraform 1.1.0 `moved` feature cannot be used because the resource is being
36 | moved to a non-local module.
37 |
38 | Version `2.0.0` of this module introduces changes that, without taking additional precautions,
39 | will cause the security group created by this module to be replaced with a new one.
40 | This is because of the newer version's reliance on the [terraform-aws-security-group](https://github.com/cloudposse/terraform-aws-security-group)
41 | module for managing the module's security group. This changes the Terraform resource address.
42 |
43 | If this is acceptable (which it could be if no other resource uses or references it),
44 | then the easiest thing to do is just to allow Terraform to do it.
45 | To preserve the existing security group, after bumping the module version to the newer version,
46 | run `terraform plan` and make note of the proposed changes.
47 |
48 | ### Migration With Minimal Disruption
49 |
50 | Avoiding a service outage when upgrading to version 2 of this module is difficult
51 | and may not be worth the effort. We recommend performing the simple migration
52 | described above, allowing the broker's credentials to be rotated. In order
53 | to avoid rotating the credentials, you must supply them as inputs to the
54 | upgraded module (the generated user names have been made user-friendly and the
55 | generated passwords have been lengthened for security), which is a security breach
56 | if your configuration is available for others to read, which is normally the case.
57 | If you rotate the credentials, that service interruption will cover the
58 | minimal network connectivity interruption that comes from performing the
59 | simple migration.
60 |
61 | If you want to attempt a zero downtime migration, follow these steps.
62 |
63 | To start:
64 | - Set `security_group_create_before_destroy = false` to prevent using `name_prefix` on the SG resource
65 | - Modify your module reference to refer to the new version of `cloudposse/mq-broker/aws`
66 | - Run `terraform plan`
67 |
68 | Note the Terraform resource addresses of the Security Group that Terraform plans to destroy,
69 | and the resource address of the SG which Terraform plans to create. Use
70 | `terraform state mv` to move the old address to the new address.
71 |
72 | Use the output of `terraform plan` to find the correct addresses to
73 | use in the following command:
74 | ```bash
75 | # required - move the security group resource
76 | terraform state mv \
77 | 'module.mq_broker.aws_security_group.default[0]' \
78 | 'module.mq_broker.module.security_group.aws_security_group.default[0]'
79 | ```
80 |
81 | #### Move/update/import the Security Group Rules
82 |
83 | You have the option to move the security group rules, too.
84 | If you do not move them, they will be deleted
85 | and recreated, causing a brief outage. If you do move them, then because
86 | of [a bug in the Terraform AWS provider](https://github.com/hashicorp/terraform-provider-aws/issues/25173)
87 | you will need to manually add a rule to the security group and then import it.
88 |
89 | Get the addresses of the source and destination resources, and the ID of the
90 | security group, from the `terraform plan` output of the previous step.
91 |
92 | Move the ingress rule:
93 |
94 | ```bash
95 | terraform state mv \
96 | 'module.mq_broker.aws_security_group_rule.ingress_security_groups[0]'\
97 | 'module.mq_broker.module.security_group.aws_security_group_rule.keyed["_allowed_ingress#_all_ingress#sg#0"]'
98 | ```
99 |
100 | Remove the old egress rule (which Terraform plans to destroy) from the Terraform state:
101 |
102 | ```bash
103 | terraform state rm 'module.mq_broker.aws_security_group_rule.egress[0]'
104 | ```
105 |
106 | Add the IPv6 egress rule to the security group (replace `sg-1234567890abcdef0`)
107 | with the ID of your security group:
108 |
109 | ```bash
110 | SECURITY_GROUP_ID=sg-1234567890abcdef0
111 | aws ec2 authorize-security-group-egress \
112 | --group-id $SECURITY_GROUP_ID \
113 | --ip-permissions IpProtocol=-1,FromPort=0,ToPort=0,Ipv6Ranges='[{CidrIpv6=::/0}]'
114 | ```
115 |
116 | Import the newly created rule into Terraform state at the address where
117 | Terraform planned to create it (again, replace `sg-1234567890abcdef0`
118 | with your actual security group ID):
119 |
120 | ```bash
121 | SECURITY_GROUP_ID=sg-1234567890abcdef0
122 | terraform import 'module.mq_broker.module.security_group.aws_security_group_rule.keyed["_allow_all_egress_"]' \
123 | ${SECURITY_GROUP_ID}_egress_all_0_65536_0.0.0.0/0_::/0
124 | ```
125 |
126 | This will result in a plan that will only update security group rules' descriptions, but not the security group itself.
127 | However, at this point, the plan will still be replacing all the user names and passwords.
128 | Your only option for preserving the old usernames and passwords is to
129 | pass the old values as inputs.
130 |
131 | Please run a `terraform plan` to make sure there aren't other unexpected breaking changes.
132 |
133 | ## Changes to inputs
134 |
135 | In addition to new inputs with new functionality (not covered in this document),
136 | you may want or need to update your code in order to adapt to changed or deprecated inputs.
137 |
138 | * `allowed_security_groups` is deprecated. Use `allowed_security_group_ids` instead.
139 | * `existing_security_groups` is deprecated. Use `associated_security_group_ids` instead
140 | * `use_existing_security_groups` is deprecated. Use `create_security_group` instead.
141 | * The MQ User configuration variables
142 | - `mq_admin_user`
143 | - `mq_admin_password`
144 | - `mq_application_user`
145 | - `mq_application_password`
146 |
147 | have changed from `string` to `list(string)`. Furthermore, the length of the
148 | generated passwords has changed, and user names are now human-friendly "pet"
149 | names instead of random strings. If you were not setting them before but want
150 | to preserve the old values, you need to set to the old values explicitly.
151 | If you were setting them before, you need to put brackets around the values
152 | to convert them from `string` to `list(string)`. For example, change:
153 |
154 | ```hcl
155 | mq_admin_user = "admin"
156 | ```
157 |
158 | to:
159 |
160 | ```hcl
161 | mq_admin_user = ["admin"]
162 | ```
163 |
164 | ## References
165 |
166 | * `terraform-aws-security-group` [v0.4.0 Release Notes](https://github.com/cloudposse/terraform-aws-security-group/releases/tag/0.4.0)
167 | * https://github.com/hashicorp/terraform-provider-aws/issues/25173
168 |
--------------------------------------------------------------------------------
/examples/complete/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/complete/fixtures.us-east-2.tfvars:
--------------------------------------------------------------------------------
1 | region = "us-east-2"
2 |
3 | availability_zones = ["us-east-2a", "us-east-2b"]
4 |
5 | namespace = "eg"
6 |
7 | stage = "test"
8 |
9 | name = "mq-broker"
10 |
11 | apply_immediately = true
12 |
13 | auto_minor_version_upgrade = true
14 |
15 | deployment_mode = "ACTIVE_STANDBY_MULTI_AZ"
16 |
17 | engine_type = "ActiveMQ"
18 |
19 | engine_version = "5.17.6"
20 |
21 | # https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-instance-types.html
22 |
23 | host_instance_type = "mq.t3.micro"
24 |
25 | publicly_accessible = false
26 |
27 | general_log_enabled = true
28 |
29 | audit_log_enabled = true
30 |
31 | use_existing_security_groups = false
32 |
33 | encryption_enabled = true
34 |
35 | use_aws_owned_key = true
36 |
--------------------------------------------------------------------------------
/examples/complete/main.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = var.region
3 | }
4 |
5 | module "vpc" {
6 | source = "cloudposse/vpc/aws"
7 | version = "2.1.1"
8 |
9 | ipv4_primary_cidr_block = "172.16.0.0/16"
10 |
11 | context = module.this.context
12 | }
13 |
14 | module "subnets" {
15 | source = "cloudposse/dynamic-subnets/aws"
16 | version = "1.0.0"
17 |
18 | availability_zones = var.availability_zones
19 | vpc_id = module.vpc.vpc_id
20 | igw_id = module.vpc.igw_id
21 | cidr_block = module.vpc.vpc_cidr_block
22 | nat_gateway_enabled = false
23 | nat_instance_enabled = false
24 |
25 | context = module.this.context
26 | }
27 |
28 | module "mq_broker" {
29 | source = "../../"
30 |
31 | vpc_id = module.vpc.vpc_id
32 | subnet_ids = module.subnets.private_subnet_ids
33 |
34 | allowed_security_group_ids = [module.vpc.vpc_default_security_group_id]
35 | allowed_ingress_ports = [8162, 5671]
36 |
37 | apply_immediately = var.apply_immediately
38 | auto_minor_version_upgrade = var.auto_minor_version_upgrade
39 | deployment_mode = var.deployment_mode
40 | engine_type = var.engine_type
41 | engine_version = var.engine_version
42 | host_instance_type = var.host_instance_type
43 | publicly_accessible = var.publicly_accessible
44 | general_log_enabled = var.general_log_enabled
45 | audit_log_enabled = var.audit_log_enabled
46 | kms_ssm_key_arn = var.kms_ssm_key_arn
47 | encryption_enabled = var.encryption_enabled
48 | kms_mq_key_arn = var.kms_mq_key_arn
49 | use_aws_owned_key = var.use_aws_owned_key
50 |
51 | ssm_path = "eg/mq/${var.attributes[0]}"
52 |
53 | security_group_create_before_destroy = true
54 |
55 | context = module.this.context
56 | }
57 |
--------------------------------------------------------------------------------
/examples/complete/outputs.tf:
--------------------------------------------------------------------------------
1 | output "public_subnet_cidrs" {
2 | value = module.subnets.public_subnet_cidrs
3 | description = "Public subnet CIDR blocks"
4 | }
5 |
6 | output "private_subnet_cidrs" {
7 | value = module.subnets.private_subnet_cidrs
8 | description = "Private subnet CIDR blocks"
9 | }
10 |
11 | output "vpc_cidr" {
12 | value = module.vpc.vpc_cidr_block
13 | description = "VPC CIDR"
14 | }
15 |
16 | output "broker_id" {
17 | value = module.mq_broker.broker_id
18 | description = "AmazonMQ broker ID"
19 | }
20 |
21 | output "broker_arn" {
22 | value = module.mq_broker.broker_arn
23 | description = "AmazonMQ broker ARN"
24 | }
25 |
26 | output "primary_console_url" {
27 | value = module.mq_broker.primary_console_url
28 | description = "AmazonMQ active web console URL"
29 | }
30 |
31 | output "primary_ssl_endpoint" {
32 | value = module.mq_broker.primary_ssl_endpoint
33 | description = "AmazonMQ primary SSL endpoint"
34 | }
35 |
36 | output "primary_amqp_ssl_endpoint" {
37 | value = module.mq_broker.primary_amqp_ssl_endpoint
38 | description = "AmazonMQ primary AMQP+SSL endpoint"
39 | }
40 |
41 | output "primary_stomp_ssl_endpoint" {
42 | value = module.mq_broker.primary_stomp_ssl_endpoint
43 | description = "AmazonMQ primary STOMP+SSL endpoint"
44 | }
45 |
46 | output "primary_mqtt_ssl_endpoint" {
47 | value = module.mq_broker.primary_mqtt_ssl_endpoint
48 | description = "AmazonMQ primary MQTT+SSL endpoint"
49 | }
50 |
51 | output "primary_wss_endpoint" {
52 | value = module.mq_broker.primary_wss_endpoint
53 | description = "AmazonMQ primary WSS endpoint"
54 | }
55 |
56 | output "primary_ip_address" {
57 | value = module.mq_broker.primary_ip_address
58 | description = "AmazonMQ primary IP address"
59 | }
60 |
61 | output "secondary_console_url" {
62 | value = module.mq_broker.secondary_console_url
63 | description = "AmazonMQ secondary web console URL"
64 | }
65 |
66 | output "secondary_ssl_endpoint" {
67 | value = module.mq_broker.secondary_ssl_endpoint
68 | description = "AmazonMQ secondary SSL endpoint"
69 | }
70 |
71 | output "secondary_amqp_ssl_endpoint" {
72 | value = module.mq_broker.secondary_amqp_ssl_endpoint
73 | description = "AmazonMQ secondary AMQP+SSL endpoint"
74 | }
75 |
76 | output "secondary_stomp_ssl_endpoint" {
77 | value = module.mq_broker.secondary_stomp_ssl_endpoint
78 | description = "AmazonMQ secondary STOMP+SSL endpoint"
79 | }
80 |
81 | output "secondary_mqtt_ssl_endpoint" {
82 | value = module.mq_broker.secondary_mqtt_ssl_endpoint
83 | description = "AmazonMQ secondary MQTT+SSL endpoint"
84 | }
85 |
86 | output "secondary_wss_endpoint" {
87 | value = module.mq_broker.secondary_wss_endpoint
88 | description = "AmazonMQ secondary WSS endpoint"
89 | }
90 |
91 | output "secondary_ip_address" {
92 | value = module.mq_broker.secondary_ip_address
93 | description = "AmazonMQ secondary IP address"
94 | }
95 |
96 | output "security_group_id" {
97 | value = module.mq_broker.security_group_id
98 | description = "AmazonMQ Security Group ID"
99 | }
100 |
101 | output "security_group_arn" {
102 | value = module.mq_broker.security_group_arn
103 | description = "AmazonMQ Security Group ARN"
104 | }
105 |
106 | output "security_group_name" {
107 | value = module.mq_broker.security_group_name
108 | description = "AmazonMQ Security Group name"
109 | }
110 |
--------------------------------------------------------------------------------
/examples/complete/variables.tf:
--------------------------------------------------------------------------------
1 | variable "region" {
2 | type = string
3 | description = "AWS region"
4 | }
5 |
6 | variable "availability_zones" {
7 | type = list(string)
8 | description = "List of Availability Zones"
9 | }
10 |
11 | variable "apply_immediately" {
12 | type = bool
13 | default = false
14 | description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window"
15 | }
16 |
17 | variable "auto_minor_version_upgrade" {
18 | type = bool
19 | default = false
20 | description = "Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions"
21 | }
22 |
23 | variable "deployment_mode" {
24 | type = string
25 | default = "ACTIVE_STANDBY_MULTI_AZ"
26 | description = "The deployment mode of the broker. Supported: SINGLE_INSTANCE and ACTIVE_STANDBY_MULTI_AZ"
27 | }
28 |
29 | variable "engine_type" {
30 | type = string
31 | default = "ActiveMQ"
32 | description = "Type of broker engine, `ActiveMQ` or `RabbitMQ`"
33 | }
34 |
35 | variable "engine_version" {
36 | type = string
37 | default = "5.15.14"
38 | description = "The version of the broker engine. See https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html for more details"
39 | }
40 |
41 | variable "host_instance_type" {
42 | type = string
43 | default = "mq.t3.micro"
44 | description = "The broker's instance type. e.g. mq.t2.micro or mq.m4.large"
45 | }
46 |
47 | variable "publicly_accessible" {
48 | type = bool
49 | default = false
50 | description = "Whether to enable connections from applications outside of the VPC that hosts the broker's subnets"
51 | }
52 |
53 | variable "general_log_enabled" {
54 | type = bool
55 | default = true
56 | description = "Enables general logging via CloudWatch"
57 | }
58 |
59 | variable "audit_log_enabled" {
60 | type = bool
61 | default = true
62 | description = "Enables audit logging. User management action made using JMX or the ActiveMQ Web Console is logged"
63 | }
64 |
65 | variable "maintenance_day_of_week" {
66 | type = string
67 | default = "SUNDAY"
68 | description = "The maintenance day of the week. e.g. MONDAY, TUESDAY, or WEDNESDAY"
69 | }
70 |
71 | variable "maintenance_time_of_day" {
72 | type = string
73 | default = "03:00"
74 | description = "The maintenance time, in 24-hour format. e.g. 02:00"
75 | }
76 |
77 | variable "maintenance_time_zone" {
78 | type = string
79 | default = "UTC"
80 | description = "The maintenance time zone, in either the Country/City format, or the UTC offset format. e.g. CET"
81 | }
82 |
83 | variable "mq_admin_user" {
84 | type = string
85 | default = null
86 | description = "Admin username"
87 | }
88 |
89 | variable "mq_admin_password" {
90 | type = string
91 | default = null
92 | description = "Admin password"
93 | }
94 |
95 | variable "mq_application_user" {
96 | type = string
97 | default = null
98 | description = "Application username"
99 | }
100 |
101 | variable "mq_application_password" {
102 | type = string
103 | default = null
104 | description = "Application password"
105 | }
106 |
107 | variable "allowed_security_groups" {
108 | type = list(string)
109 | default = []
110 | description = "List of security groups to be allowed to connect to the broker instance"
111 | }
112 |
113 | variable "allowed_cidr_blocks" {
114 | type = list(string)
115 | default = []
116 | description = "List of CIDR blocks that are allowed ingress to the broker's Security Group created in the module"
117 | }
118 |
119 | variable "overwrite_ssm_parameter" {
120 | type = bool
121 | default = true
122 | description = "Whether to overwrite an existing SSM parameter"
123 | }
124 |
125 | variable "use_existing_security_groups" {
126 | type = bool
127 | default = false
128 | description = "Flag to enable/disable creation of Security Group in the module. Set to `true` to disable Security Group creation and provide a list of existing security Group IDs in `existing_security_groups` to place the broker into"
129 | }
130 |
131 | variable "existing_security_groups" {
132 | type = list(string)
133 | default = []
134 | description = "List of existing Security Group IDs to place the broker into. Set `use_existing_security_groups` to `true` to enable using `existing_security_groups` as Security Groups for the broker"
135 | }
136 |
137 | variable "ssm_parameter_name_format" {
138 | type = string
139 | default = "/%s/%s"
140 | description = "SSM parameter name format"
141 | }
142 |
143 | variable "ssm_path" {
144 | type = string
145 | default = "mq"
146 | description = "SSM path"
147 | }
148 |
149 | variable "kms_ssm_key_arn" {
150 | type = string
151 | default = "alias/aws/ssm"
152 | description = "ARN of the AWS KMS key used for SSM encryption"
153 | }
154 |
155 | variable "encryption_enabled" {
156 | type = bool
157 | default = true
158 | description = "Flag to enable/disable Amazon MQ encryption at rest"
159 | }
160 |
161 | variable "kms_mq_key_arn" {
162 | type = string
163 | default = null
164 | description = "ARN of the AWS KMS key used for Amazon MQ encryption"
165 | }
166 |
167 | variable "use_aws_owned_key" {
168 | type = bool
169 | default = true
170 | description = "Boolean to enable an AWS owned Key Management Service (KMS) Customer Master Key (CMK) for Amazon MQ encryption that is not in your account"
171 | }
172 |
--------------------------------------------------------------------------------
/examples/complete/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 4.0"
8 | }
9 | random = {
10 | source = "hashicorp/random"
11 | version = ">= 3.0"
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | enabled = module.this.enabled
3 |
4 | mq_admin_user_enabled = local.enabled && var.engine_type == "ActiveMQ"
5 |
6 | mq_admin_user_needed = local.mq_admin_user_enabled && length(var.mq_admin_user) == 0
7 | mq_admin_user = local.mq_admin_user_needed ? random_pet.mq_admin_user[0].id : try(var.mq_admin_user[0], "")
8 |
9 | mq_admin_password_needed = local.mq_admin_user_enabled && length(var.mq_admin_password) == 0
10 | mq_admin_password = local.mq_admin_password_needed ? random_password.mq_admin_password[0].result : try(var.mq_admin_password[0], "")
11 |
12 | mq_application_user_needed = local.enabled && length(var.mq_application_user) == 0
13 | mq_application_user = local.mq_application_user_needed ? random_pet.mq_application_user[0].id : try(var.mq_application_user[0], "")
14 |
15 | mq_application_password_needed = local.enabled && length(var.mq_application_password) == 0
16 | mq_application_password = local.mq_application_password_needed ? random_password.mq_application_password[0].result : try(var.mq_application_password[0], "")
17 |
18 | mq_logs = { logs = { "general_log_enabled" : var.general_log_enabled, "audit_log_enabled" : var.audit_log_enabled } }
19 |
20 | broker_security_groups = try(sort(compact(concat([module.security_group.id], local.additional_security_group_ids))), [])
21 | }
22 |
23 | resource "random_pet" "mq_admin_user" {
24 | count = local.mq_admin_user_needed ? 1 : 0
25 | length = 2
26 | separator = "-"
27 | }
28 |
29 | resource "random_password" "mq_admin_password" {
30 | count = local.mq_admin_password_needed ? 1 : 0
31 | length = 24
32 | special = false
33 | }
34 |
35 | resource "random_pet" "mq_application_user" {
36 | count = local.mq_application_user_needed ? 1 : 0
37 | length = 2
38 | separator = "-"
39 | }
40 |
41 | resource "random_password" "mq_application_password" {
42 | count = local.mq_application_password_needed ? 1 : 0
43 | length = 24
44 | special = false
45 | }
46 |
47 | resource "aws_ssm_parameter" "mq_master_username" {
48 | count = local.mq_admin_user_enabled ? 1 : 0
49 | name = format(var.ssm_parameter_name_format, var.ssm_path, var.mq_admin_user_ssm_parameter_name)
50 | value = local.mq_admin_user
51 | description = "MQ Username for the admin user"
52 | type = "String"
53 | tags = module.this.tags
54 | }
55 |
56 | resource "aws_ssm_parameter" "mq_master_password" {
57 | count = local.mq_admin_user_enabled ? 1 : 0
58 | name = format(var.ssm_parameter_name_format, var.ssm_path, var.mq_admin_password_ssm_parameter_name)
59 | value = local.mq_admin_password
60 | description = "MQ Password for the admin user"
61 | type = "SecureString"
62 | key_id = var.kms_ssm_key_arn
63 | tags = module.this.tags
64 | }
65 |
66 | resource "aws_ssm_parameter" "mq_application_username" {
67 | count = local.enabled ? 1 : 0
68 | name = format(var.ssm_parameter_name_format, var.ssm_path, var.mq_application_user_ssm_parameter_name)
69 | value = local.mq_application_user
70 | description = "AMQ username for the application user"
71 | type = "String"
72 | tags = module.this.tags
73 | }
74 |
75 | resource "aws_ssm_parameter" "mq_application_password" {
76 | count = local.enabled ? 1 : 0
77 | name = format(var.ssm_parameter_name_format, var.ssm_path, var.mq_application_password_ssm_parameter_name)
78 | value = local.mq_application_password
79 | description = "AMQ password for the application user"
80 | type = "SecureString"
81 | key_id = var.kms_ssm_key_arn
82 | tags = module.this.tags
83 | }
84 |
85 | locals {
86 | configuration_data_create = var.configuration_data == null ? [] : [1]
87 | }
88 |
89 | resource "aws_mq_configuration" "default" {
90 | count = local.enabled ? length(local.configuration_data_create) : 0
91 | description = "Rabbitmq Configuration for ${module.this.id}"
92 | name = "${module.this.id}_default_config"
93 | engine_type = var.engine_type
94 | engine_version = var.engine_version
95 | data = var.configuration_data
96 | }
97 |
98 | resource "aws_mq_broker" "default" {
99 | count = local.enabled ? 1 : 0
100 | broker_name = module.this.id
101 | deployment_mode = var.deployment_mode
102 | engine_type = var.engine_type
103 | engine_version = var.engine_version
104 | host_instance_type = var.host_instance_type
105 | auto_minor_version_upgrade = var.auto_minor_version_upgrade
106 | apply_immediately = var.apply_immediately
107 | publicly_accessible = var.publicly_accessible
108 | subnet_ids = var.subnet_ids
109 | tags = module.this.tags
110 |
111 | security_groups = local.broker_security_groups
112 |
113 | dynamic "configuration" {
114 | for_each = local.configuration_data_create
115 | content {
116 | id = aws_mq_configuration.default[0].id
117 | revision = aws_mq_configuration.default[0].latest_revision
118 | }
119 | }
120 |
121 | dynamic "encryption_options" {
122 | for_each = var.encryption_enabled ? ["true"] : []
123 | content {
124 | kms_key_id = var.kms_mq_key_arn
125 | use_aws_owned_key = var.use_aws_owned_key
126 | }
127 | }
128 |
129 | # NOTE: Omit logs block if both general and audit logs disabled:
130 | # https://github.com/hashicorp/terraform-provider-aws/issues/18067
131 | dynamic "logs" {
132 | for_each = {
133 | for logs, type in local.mq_logs : logs => type
134 | if type.general_log_enabled || type.audit_log_enabled
135 | }
136 | content {
137 | general = logs.value["general_log_enabled"]
138 | audit = logs.value["audit_log_enabled"]
139 | }
140 | }
141 |
142 | maintenance_window_start_time {
143 | day_of_week = var.maintenance_day_of_week
144 | time_of_day = var.maintenance_time_of_day
145 | time_zone = var.maintenance_time_zone
146 | }
147 |
148 | dynamic "user" {
149 | for_each = local.mq_admin_user_enabled ? ["true"] : []
150 | content {
151 | username = local.mq_admin_user
152 | password = local.mq_admin_password
153 | groups = ["admin"]
154 | console_access = true
155 | }
156 | }
157 |
158 | user {
159 | username = local.mq_application_user
160 | password = local.mq_application_password
161 | }
162 | }
163 |
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | output "broker_id" {
2 | value = join("", aws_mq_broker.default.*.id)
3 | description = "AmazonMQ broker ID"
4 | }
5 |
6 | output "broker_arn" {
7 | value = join("", aws_mq_broker.default.*.arn)
8 | description = "AmazonMQ broker ARN"
9 | }
10 |
11 | output "primary_console_url" {
12 | value = try(aws_mq_broker.default[0].instances[0].console_url, "")
13 | description = "AmazonMQ active web console URL"
14 | }
15 |
16 | output "primary_ssl_endpoint" {
17 | value = try(aws_mq_broker.default[0].instances[0].endpoints[0], "")
18 | description = "AmazonMQ primary SSL endpoint"
19 | }
20 |
21 | output "primary_amqp_ssl_endpoint" {
22 | value = try(aws_mq_broker.default[0].instances[0].endpoints[1], "")
23 | description = "AmazonMQ primary AMQP+SSL endpoint"
24 | }
25 |
26 | output "primary_stomp_ssl_endpoint" {
27 | value = try(aws_mq_broker.default[0].instances[0].endpoints[2], "")
28 | description = "AmazonMQ primary STOMP+SSL endpoint"
29 | }
30 |
31 | output "primary_mqtt_ssl_endpoint" {
32 | value = try(aws_mq_broker.default[0].instances[0].endpoints[3], "")
33 | description = "AmazonMQ primary MQTT+SSL endpoint"
34 | }
35 |
36 | output "primary_wss_endpoint" {
37 | value = try(aws_mq_broker.default[0].instances[0].endpoints[4], "")
38 | description = "AmazonMQ primary WSS endpoint"
39 | }
40 |
41 | output "primary_ip_address" {
42 | value = try(aws_mq_broker.default[0].instances[0].ip_address, "")
43 | description = "AmazonMQ primary IP address"
44 | }
45 |
46 | output "secondary_console_url" {
47 | value = try(aws_mq_broker.default[0].instances[1].console_url, "")
48 | description = "AmazonMQ secondary web console URL"
49 | }
50 |
51 | output "secondary_ssl_endpoint" {
52 | value = try(aws_mq_broker.default[0].instances[1].endpoints[0], "")
53 | description = "AmazonMQ secondary SSL endpoint"
54 | }
55 |
56 | output "secondary_amqp_ssl_endpoint" {
57 | value = try(aws_mq_broker.default[0].instances[1].endpoints[1], "")
58 | description = "AmazonMQ secondary AMQP+SSL endpoint"
59 | }
60 |
61 | output "secondary_stomp_ssl_endpoint" {
62 | value = try(aws_mq_broker.default[0].instances[1].endpoints[2], "")
63 | description = "AmazonMQ secondary STOMP+SSL endpoint"
64 | }
65 |
66 | output "secondary_mqtt_ssl_endpoint" {
67 | value = try(aws_mq_broker.default[0].instances[1].endpoints[3], "")
68 | description = "AmazonMQ secondary MQTT+SSL endpoint"
69 | }
70 |
71 | output "secondary_wss_endpoint" {
72 | value = try(aws_mq_broker.default[0].instances[1].endpoints[4], "")
73 | description = "AmazonMQ secondary WSS endpoint"
74 | }
75 |
76 | output "secondary_ip_address" {
77 | value = try(aws_mq_broker.default[0].instances[1].ip_address, "")
78 | description = "AmazonMQ secondary IP address"
79 | }
80 |
81 | output "admin_username" {
82 | value = local.mq_admin_user
83 | description = "AmazonMQ admin username"
84 | }
85 |
86 | output "application_username" {
87 | value = local.mq_application_user
88 | description = "AmazonMQ application username"
89 | }
90 |
91 | output "application_password" {
92 | value = local.mq_application_password
93 | description = "AmazonMQ application password"
94 | sensitive = true
95 | }
96 |
97 | output "security_group_id" {
98 | value = module.security_group.id
99 | description = "The ID of the created security group"
100 | }
101 |
102 | output "security_group_arn" {
103 | value = module.security_group.arn
104 | description = "The ARN of the created security group"
105 | }
106 |
107 | output "security_group_name" {
108 | value = module.security_group.name
109 | description = "The name of the created security group"
110 | }
111 |
--------------------------------------------------------------------------------
/security-group-variables.tf:
--------------------------------------------------------------------------------
1 | # security-group-variables Version: 2
2 | #
3 |
4 | variable "create_security_group" {
5 | type = bool
6 | default = true
7 | description = "Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided."
8 | }
9 |
10 | variable "associated_security_group_ids" {
11 | type = list(string)
12 | default = []
13 | description = <<-EOT
14 | A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
15 | These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access.
16 | EOT
17 | }
18 |
19 | variable "allowed_security_group_ids" {
20 | type = list(string)
21 | default = []
22 | description = <<-EOT
23 | A list of IDs of Security Groups to allow access to the security group created by this module.
24 | The length of this list must be known at "plan" time.
25 | EOT
26 | }
27 |
28 | variable "allowed_cidr_blocks" {
29 | type = list(string)
30 | default = []
31 | description = <<-EOT
32 | A list of IPv4 CIDRs to allow access to the security group created by this module.
33 | The length of this list must be known at "plan" time.
34 | EOT
35 | }
36 |
37 | variable "allowed_ipv6_cidr_blocks" {
38 | type = list(string)
39 | default = []
40 | description = <<-EOT
41 | A list of IPv6 CIDRs to allow access to the security group created by this module.
42 | The length of this list must be known at "plan" time.
43 | EOT
44 | }
45 |
46 | variable "allowed_ipv6_prefix_list_ids" {
47 | type = list(string)
48 | default = []
49 | description = <<-EOT
50 | A list of IPv6 Prefix Lists IDs to allow access to the security group created by this module.
51 | The length of this list must be known at "plan" time.
52 | EOT
53 | }
54 |
55 | variable "security_group_name" {
56 | type = list(string)
57 | default = []
58 | description = <<-EOT
59 | The name to assign to the created security group. Must be unique within the VPC.
60 | If not provided, will be derived from the `null-label.context` passed in.
61 | If `create_before_destroy` is true, will be used as a name prefix.
62 | EOT
63 | }
64 |
65 | variable "security_group_description" {
66 | type = string
67 | default = "Managed by Terraform"
68 | description = <<-EOT
69 | The description to assign to the created Security Group.
70 | Warning: Changing the description causes the security group to be replaced.
71 | EOT
72 | }
73 |
74 | variable "security_group_create_before_destroy" {
75 | type = bool
76 | default = true
77 | description = <<-EOT
78 | Set `true` to enable Terraform `create_before_destroy` behavior on the created security group.
79 | We only recommend setting this `false` if you are importing an existing security group
80 | that you do not want replaced and therefore need full control over its name.
81 | Note that changing this value will always cause the security group to be replaced.
82 | EOT
83 | }
84 |
85 | variable "preserve_security_group_id" {
86 | type = bool
87 | description = <<-EOT
88 | When `false` and `security_group_create_before_destroy` is `true`, changes to security group rules
89 | cause a new security group to be created with the new rules, and the existing security group is then
90 | replaced with the new one, eliminating any service interruption.
91 | When `true` or when changing the value (from `false` to `true` or from `true` to `false`),
92 | existing security group rules will be deleted before new ones are created, resulting in a service interruption,
93 | but preserving the security group itself.
94 | **NOTE:** Setting this to `true` does not guarantee the security group will never be replaced,
95 | it only keeps changes to the security group rules from triggering a replacement.
96 | See the [terraform-aws-security-group README](https://github.com/cloudposse/terraform-aws-security-group) for further discussion.
97 | EOT
98 | default = false
99 | }
100 |
101 | variable "security_group_create_timeout" {
102 | type = string
103 | default = "10m"
104 | description = "How long to wait for the security group to be created."
105 | }
106 |
107 | variable "security_group_delete_timeout" {
108 | type = string
109 | default = "15m"
110 | description = <<-EOT
111 | How long to retry on `DependencyViolation` errors during security group deletion from
112 | lingering ENIs left by certain AWS services such as Elastic Load Balancing.
113 | EOT
114 | }
115 |
116 | variable "allow_all_egress" {
117 | type = bool
118 | default = true
119 | description = <<-EOT
120 | If `true`, the created security group will allow egress on all ports and protocols to all IP addresses.
121 | If this is false and no egress rules are otherwise specified, then no egress will be allowed.
122 | EOT
123 | }
124 |
125 | variable "additional_security_group_rules" {
126 | type = list(any)
127 | default = []
128 | description = <<-EOT
129 | A list of Security Group rule objects to add to the created security group, in addition to the ones
130 | this module normally creates. (To suppress the module's rules, set `create_security_group` to false
131 | and supply your own security group(s) via `associated_security_group_ids`.)
132 | The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except
133 | for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time.
134 | For more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
135 | and https://github.com/cloudposse/terraform-aws-security-group.
136 | EOT
137 | }
138 |
139 | #### We do not expose an `additional_security_group_rule_matrix` input for a few reasons:
140 | # - It is a convenience and ultimately provides no rules that cannot be provided via `additional_security_group_rules`
141 | # - It is complicated and can, in some situations, create problems for Terraform `for_each`
142 | # - It is difficult to document and easy to make mistakes using it
143 |
--------------------------------------------------------------------------------
/sg.tf:
--------------------------------------------------------------------------------
1 | locals {
2 |
3 | ## Support deprecated variables, normalize new ones to locals
4 | create_security_group = local.enabled && (var.use_existing_security_groups != null ? !var.use_existing_security_groups : var.create_security_group)
5 | additional_security_group_ids = sort(compact(concat(var.existing_security_groups, var.associated_security_group_ids)))
6 |
7 | # Cannot use `compact` or `sort` for module.security_group inputs.
8 | allowed_security_group_ids = concat(var.allowed_security_groups, var.allowed_security_group_ids)
9 | allowed_cidr_blocks = var.allowed_cidr_blocks
10 | allowed_ipv6_cidr_blocks = var.allowed_ipv6_cidr_blocks
11 | allowed_ipv6_prefix_list_ids = var.allowed_ipv6_prefix_list_ids
12 |
13 | allowed_ingress_ports = var.allowed_ingress_ports
14 |
15 | sg_allowed_rule_enabled = local.create_security_group && (
16 | length(local.allowed_security_group_ids) > 0 ||
17 | length(local.allowed_cidr_blocks) > 0 ||
18 | length(local.allowed_ipv6_cidr_blocks) > 0 ||
19 | length(local.allowed_ipv6_prefix_list_ids) > 0
20 | )
21 |
22 | sg_allow_all_ports = [
23 | {
24 | key = "_all_ingress"
25 | type = "ingress"
26 | from_port = 0
27 | to_port = 65535
28 | protocol = "tcp"
29 | description = "Allow all ports"
30 | }
31 | ]
32 |
33 | sg_allow_specific_ports = [
34 | for port in local.allowed_ingress_ports : {
35 | key = tostring(port)
36 | type = "ingress"
37 | from_port = port
38 | to_port = port
39 | protocol = "tcp"
40 | description = "Allow port ${port}"
41 | }
42 | ]
43 |
44 | sg_rule_matrix = local.sg_allowed_rule_enabled ? [{
45 | key = "_allowed_ingress"
46 | source_security_group_ids = local.allowed_security_group_ids
47 | cidr_blocks = local.allowed_cidr_blocks
48 | ipv6_cidr_blocks = local.allowed_ipv6_cidr_blocks
49 | prefix_list_ids = local.allowed_ipv6_prefix_list_ids
50 | rules = length(local.sg_allow_specific_ports) == 0 ? local.sg_allow_all_ports : local.sg_allow_specific_ports
51 | }] : []
52 | }
53 |
54 | module "security_group" {
55 | source = "cloudposse/security-group/aws"
56 | version = "2.2.0"
57 |
58 | enabled = local.create_security_group
59 | security_group_name = var.security_group_name
60 | create_before_destroy = var.security_group_create_before_destroy
61 | preserve_security_group_id = var.preserve_security_group_id
62 | security_group_create_timeout = var.security_group_create_timeout
63 | security_group_delete_timeout = var.security_group_delete_timeout
64 |
65 | security_group_description = var.security_group_description
66 | allow_all_egress = var.allow_all_egress
67 | rules = var.additional_security_group_rules
68 | rule_matrix = local.sg_rule_matrix
69 | vpc_id = var.vpc_id
70 |
71 | context = module.this.context
72 | }
73 |
--------------------------------------------------------------------------------
/test/.gitignore:
--------------------------------------------------------------------------------
1 | .test-harness
2 |
--------------------------------------------------------------------------------
/test/Makefile:
--------------------------------------------------------------------------------
1 | TEST_HARNESS ?= https://github.com/cloudposse/test-harness.git
2 | TEST_HARNESS_BRANCH ?= master
3 | TEST_HARNESS_PATH = $(realpath .test-harness)
4 | BATS_ARGS ?= --tap
5 | BATS_LOG ?= test.log
6 |
7 | # Define a macro to run the tests
8 | define RUN_TESTS
9 | @echo "Running tests in $(1)"
10 | @cd $(1) && bats $(BATS_ARGS) $(addsuffix .bats,$(addprefix $(TEST_HARNESS_PATH)/test/terraform/,$(TESTS)))
11 | endef
12 |
13 | default: all
14 |
15 | -include Makefile.*
16 |
17 | ## Provision the test-harnesss
18 | .test-harness:
19 | [ -d $@ ] || git clone --depth=1 -b $(TEST_HARNESS_BRANCH) $(TEST_HARNESS) $@
20 |
21 | ## Initialize the tests
22 | init: .test-harness
23 |
24 | ## Install all dependencies (OS specific)
25 | deps::
26 | @exit 0
27 |
28 | ## Clean up the test harness
29 | clean:
30 | [ "$(TEST_HARNESS_PATH)" == "/" ] || rm -rf $(TEST_HARNESS_PATH)
31 |
32 | ## Run all tests
33 | all: module examples/complete
34 |
35 | ## Run basic sanity checks against the module itself
36 | module: export TESTS ?= installed lint module-pinning provider-pinning validate terraform-docs input-descriptions output-descriptions
37 | module: deps
38 | $(call RUN_TESTS, ../)
39 |
40 | ## Run tests against example
41 | examples/complete: export TESTS ?= installed lint validate
42 | examples/complete: deps
43 | $(call RUN_TESTS, ../$@)
44 |
--------------------------------------------------------------------------------
/test/Makefile.alpine:
--------------------------------------------------------------------------------
1 | ifneq (,$(wildcard /sbin/apk))
2 | ## Install all dependencies for alpine
3 | deps:: init
4 | @apk add --update terraform-docs@cloudposse json2hcl@cloudposse
5 | endif
6 |
--------------------------------------------------------------------------------
/test/src/.gitignore:
--------------------------------------------------------------------------------
1 | .gopath
2 | vendor/
3 |
--------------------------------------------------------------------------------
/test/src/Makefile:
--------------------------------------------------------------------------------
1 | export TERRAFORM_VERSION ?= $(shell curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r -M '.current_version' | cut -d. -f1)
2 |
3 | .DEFAULT_GOAL : all
4 | .PHONY: all
5 |
6 | ## Default target
7 | all: test
8 |
9 | .PHONY : init
10 | ## Initialize tests
11 | init:
12 | @exit 0
13 |
14 | .PHONY : test
15 | ## Run tests
16 | test: init
17 | go mod download
18 | go test -v -timeout 60m
19 |
20 | ## Run tests in docker container
21 | docker/test:
22 | docker run --name terratest --rm -it -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e GITHUB_TOKEN \
23 | -e PATH="/usr/local/terraform/$(TERRAFORM_VERSION)/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
24 | -v $(CURDIR)/../../:/module/ cloudposse/test-harness:latest -C /module/test/src test
25 |
26 | .PHONY : clean
27 | ## Clean up files
28 | clean:
29 | rm -rf ../../examples/complete/*.tfstate*
30 |
--------------------------------------------------------------------------------
/test/src/examples_complete_test.go:
--------------------------------------------------------------------------------
1 | package test
2 |
3 | import (
4 | "os"
5 | "strings"
6 | "testing"
7 |
8 | "github.com/gruntwork-io/terratest/modules/random"
9 | "github.com/gruntwork-io/terratest/modules/terraform"
10 | test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
11 | "github.com/stretchr/testify/assert"
12 | )
13 |
14 | func cleanup(t *testing.T, terraformOptions *terraform.Options, tempTestFolder string) {
15 | terraform.Destroy(t, terraformOptions)
16 | os.RemoveAll(tempTestFolder)
17 | }
18 |
19 | // Test the Terraform module in examples/complete using Terratest.
20 | func TestExamplesComplete(t *testing.T) {
21 | t.Parallel()
22 | randID := strings.ToLower(random.UniqueId())
23 | attributes := []string{randID}
24 |
25 | rootFolder := "../../"
26 | terraformFolderRelativeToRoot := "examples/complete"
27 | varFiles := []string{"fixtures.us-east-2.tfvars"}
28 |
29 | tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
30 |
31 | terraformOptions := &terraform.Options{
32 | // The path to where our Terraform code is located
33 | TerraformDir: tempTestFolder,
34 | Upgrade: true,
35 | // Variables to pass to our Terraform code using -var-file options
36 | VarFiles: varFiles,
37 | Vars: map[string]interface{}{
38 | "attributes": attributes,
39 | },
40 | }
41 |
42 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
43 | defer cleanup(t, terraformOptions, tempTestFolder)
44 |
45 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
46 | terraform.InitAndApply(t, terraformOptions)
47 |
48 | // Run `terraform output` to get the value of an output variable
49 | vpcCidr := terraform.Output(t, terraformOptions, "vpc_cidr")
50 | // Verify we're getting back the outputs we expect
51 | assert.Equal(t, "172.16.0.0/16", vpcCidr)
52 |
53 | // Run `terraform output` to get the value of an output variable
54 | privateSubnetCidrs := terraform.OutputList(t, terraformOptions, "private_subnet_cidrs")
55 | // Verify we're getting back the outputs we expect
56 | assert.Equal(t, []string{"172.16.0.0/19", "172.16.32.0/19"}, privateSubnetCidrs)
57 |
58 | // Run `terraform output` to get the value of an output variable
59 | publicSubnetCidrs := terraform.OutputList(t, terraformOptions, "public_subnet_cidrs")
60 | // Verify we're getting back the outputs we expect
61 | assert.Equal(t, []string{"172.16.96.0/19", "172.16.128.0/19"}, publicSubnetCidrs)
62 |
63 | // Run `terraform output` to get the value of an output variable
64 | brokerId := terraform.Output(t, terraformOptions, "broker_id")
65 | // Verify we're getting back the outputs we expect
66 | assert.NotEmpty(t, brokerId)
67 |
68 | // Run `terraform output` to get the value of an output variable
69 | brokerArn := terraform.Output(t, terraformOptions, "broker_arn")
70 | // Verify we're getting back the outputs we expect
71 | assert.Contains(t, brokerArn, "broker:eg-test-mq-broker-"+randID)
72 | assert.Contains(t, brokerArn, brokerId)
73 |
74 | // Run `terraform output` to get the value of an output variable
75 | securityGroupName := terraform.Output(t, terraformOptions, "security_group_name")
76 | expectedSecurityGroupName := "eg-test-mq-broker-" + randID
77 | // Verify the security group starts with the name we expect.
78 | // We expect it to have an autogenerated suffix
79 | assert.Contains(t, securityGroupName, expectedSecurityGroupName)
80 |
81 | // Run `terraform output` to get the value of an output variable
82 | securityGroupID := terraform.Output(t, terraformOptions, "security_group_id")
83 | // Verify we're getting back the outputs we expect
84 | assert.Contains(t, securityGroupID, "sg-", "SG ID should contains substring 'sg-'")
85 |
86 | // Run `terraform output` to get the value of an output variable
87 | securityGroupARN := terraform.Output(t, terraformOptions, "security_group_arn")
88 | // Verify we're getting back the outputs we expect
89 | assert.Contains(t, securityGroupARN, "arn:aws:ec2", "SG ID should contains substring 'arn:aws:ec2'")
90 | }
91 |
92 | func TestExamplesCompleteDisabled(t *testing.T) {
93 | t.Parallel()
94 | randID := strings.ToLower(random.UniqueId())
95 | attributes := []string{randID}
96 |
97 | rootFolder := "../../"
98 | terraformFolderRelativeToRoot := "examples/complete"
99 | varFiles := []string{"fixtures.us-east-2.tfvars"}
100 |
101 | tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot)
102 |
103 | terraformOptions := &terraform.Options{
104 | // The path to where our Terraform code is located
105 | TerraformDir: tempTestFolder,
106 | Upgrade: true,
107 | // Variables to pass to our Terraform code using -var-file options
108 | VarFiles: varFiles,
109 | Vars: map[string]interface{}{
110 | "attributes": attributes,
111 | "enabled": "false",
112 | },
113 | }
114 |
115 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
116 | defer cleanup(t, terraformOptions, tempTestFolder)
117 |
118 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
119 | results := terraform.InitAndApply(t, terraformOptions)
120 |
121 | // Should complete successfully without creating or changing any resources
122 | assert.Contains(t, results, "Resources: 0 added, 0 changed, 0 destroyed.")
123 | }
124 |
--------------------------------------------------------------------------------
/test/src/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/cloudposse/terraform-aws-mq-broker
2 |
3 | go 1.17
4 |
5 | require (
6 | github.com/gruntwork-io/terratest v0.39.0
7 | github.com/stretchr/testify v1.7.0
8 | )
9 |
10 | require (
11 | cloud.google.com/go v0.104.0 // indirect
12 | cloud.google.com/go/compute v1.10.0 // indirect
13 | cloud.google.com/go/iam v0.5.0 // indirect
14 | cloud.google.com/go/storage v1.27.0 // indirect
15 | github.com/agext/levenshtein v1.2.3 // indirect
16 | github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
17 | github.com/aws/aws-sdk-go v1.44.122 // indirect
18 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
19 | github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
20 | github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
21 | github.com/davecgh/go-spew v1.1.1 // indirect
22 | github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c // indirect
23 | github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect
24 | github.com/go-logr/logr v0.2.0 // indirect
25 | github.com/go-sql-driver/mysql v1.4.1 // indirect
26 | github.com/gogo/protobuf v1.3.2 // indirect
27 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
28 | github.com/golang/protobuf v1.5.2 // indirect
29 | github.com/google/go-cmp v0.5.9 // indirect
30 | github.com/google/gofuzz v1.1.0 // indirect
31 | github.com/google/uuid v1.3.0 // indirect
32 | github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
33 | github.com/googleapis/gax-go/v2 v2.6.0 // indirect
34 | github.com/googleapis/gnostic v0.4.1 // indirect
35 | github.com/gruntwork-io/go-commons v0.8.0 // indirect
36 | github.com/hashicorp/errwrap v1.0.0 // indirect
37 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
38 | github.com/hashicorp/go-getter v1.7.0 // indirect
39 | github.com/hashicorp/go-multierror v1.1.0 // indirect
40 | github.com/hashicorp/go-safetemp v1.0.0 // indirect
41 | github.com/hashicorp/go-version v1.6.0 // indirect
42 | github.com/hashicorp/hcl/v2 v2.9.1 // indirect
43 | github.com/hashicorp/terraform-json v0.13.0 // indirect
44 | github.com/imdario/mergo v0.3.11 // indirect
45 | github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
46 | github.com/jmespath/go-jmespath v0.4.0 // indirect
47 | github.com/json-iterator/go v1.1.11 // indirect
48 | github.com/klauspost/compress v1.15.11 // indirect
49 | github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
50 | github.com/mitchellh/go-homedir v1.1.0 // indirect
51 | github.com/mitchellh/go-testing-interface v1.14.1 // indirect
52 | github.com/mitchellh/go-wordwrap v1.0.1 // indirect
53 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
54 | github.com/modern-go/reflect2 v1.0.1 // indirect
55 | github.com/pmezard/go-difflib v1.0.0 // indirect
56 | github.com/pquerna/otp v1.2.0 // indirect
57 | github.com/russross/blackfriday/v2 v2.1.0 // indirect
58 | github.com/spf13/pflag v1.0.5 // indirect
59 | github.com/tmccombs/hcl2json v0.3.3 // indirect
60 | github.com/ulikunitz/xz v0.5.10 // indirect
61 | github.com/urfave/cli v1.22.2 // indirect
62 | github.com/zclconf/go-cty v1.9.1 // indirect
63 | go.opencensus.io v0.23.0 // indirect
64 | golang.org/x/crypto v0.17.0 // indirect
65 | golang.org/x/net v0.10.0 // indirect
66 | golang.org/x/oauth2 v0.1.0 // indirect
67 | golang.org/x/sys v0.15.0 // indirect
68 | golang.org/x/term v0.15.0 // indirect
69 | golang.org/x/text v0.14.0 // indirect
70 | golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e // indirect
71 | golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
72 | google.golang.org/api v0.100.0 // indirect
73 | google.golang.org/appengine v1.6.7 // indirect
74 | google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71 // indirect
75 | google.golang.org/grpc v1.50.1 // indirect
76 | google.golang.org/protobuf v1.28.1 // indirect
77 | gopkg.in/inf.v0 v0.9.1 // indirect
78 | gopkg.in/yaml.v2 v2.4.0 // indirect
79 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
80 | k8s.io/api v0.20.6 // indirect
81 | k8s.io/apimachinery v0.20.6 // indirect
82 | k8s.io/client-go v0.20.6 // indirect
83 | k8s.io/klog/v2 v2.4.0 // indirect
84 | k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect
85 | sigs.k8s.io/structured-merge-diff/v4 v4.0.3 // indirect
86 | sigs.k8s.io/yaml v1.2.0 // indirect
87 | )
88 |
--------------------------------------------------------------------------------
/variables-deprecated.tf:
--------------------------------------------------------------------------------
1 | variable "allowed_security_groups" {
2 | type = list(string)
3 | default = []
4 | description = <<-EOT
5 | DEPRECATED: Use `allowed_security_group_ids` instead.
6 | A list of Security Group IDs to to be allowed to connect to the broker instance.
7 | EOT
8 | }
9 |
10 |
11 | variable "use_existing_security_groups" {
12 | type = bool
13 | description = <<-EOT
14 | DEPRECATED: Use `create_security_group` instead.
15 | Historical description: Set to `true` to disable Security Group creation
16 | EOT
17 | default = null
18 | }
19 |
20 | variable "existing_security_groups" {
21 | type = list(string)
22 | default = []
23 | description = <<-EOT
24 | DEPRECATED: Use `associated_security_group_ids` instead.
25 | List of existing Security Group IDs to place the broker into.
26 | EOT
27 | }
28 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "apply_immediately" {
2 | type = bool
3 | description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window"
4 | default = false
5 | }
6 |
7 | variable "auto_minor_version_upgrade" {
8 | type = bool
9 | description = "Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions"
10 | default = false
11 | }
12 |
13 | variable "deployment_mode" {
14 | type = string
15 | description = "The deployment mode of the broker. Supported: SINGLE_INSTANCE and ACTIVE_STANDBY_MULTI_AZ"
16 | default = "ACTIVE_STANDBY_MULTI_AZ"
17 | }
18 |
19 | variable "engine_type" {
20 | type = string
21 | description = "Type of broker engine, `ActiveMQ` or `RabbitMQ`"
22 | default = "ActiveMQ"
23 | }
24 |
25 | variable "engine_version" {
26 | type = string
27 | description = "The version of the broker engine. See https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html for more details"
28 | default = "5.17.6"
29 | }
30 |
31 | variable "host_instance_type" {
32 | type = string
33 | description = "The broker's instance type. e.g. mq.t2.micro or mq.m4.large"
34 | default = "mq.t3.micro"
35 | }
36 |
37 | variable "publicly_accessible" {
38 | type = bool
39 | description = "Whether to enable connections from applications outside of the VPC that hosts the broker's subnets"
40 | default = false
41 | }
42 |
43 | variable "general_log_enabled" {
44 | type = bool
45 | description = "Enables general logging via CloudWatch"
46 | default = true
47 | }
48 |
49 | variable "audit_log_enabled" {
50 | type = bool
51 | description = "Enables audit logging. User management action made using JMX or the ActiveMQ Web Console is logged"
52 | default = true
53 | }
54 |
55 | variable "maintenance_day_of_week" {
56 | type = string
57 | description = "The maintenance day of the week. e.g. MONDAY, TUESDAY, or WEDNESDAY"
58 | default = "SUNDAY"
59 | }
60 |
61 | variable "maintenance_time_of_day" {
62 | type = string
63 | description = "The maintenance time, in 24-hour format. e.g. 02:00"
64 | default = "03:00"
65 | }
66 |
67 | variable "maintenance_time_zone" {
68 | type = string
69 | description = "The maintenance time zone, in either the Country/City format, or the UTC offset format. e.g. CET"
70 | default = "UTC"
71 | }
72 |
73 | variable "mq_admin_user" {
74 | type = list(string)
75 | description = "Admin username"
76 | default = []
77 | }
78 |
79 | variable "mq_admin_password" {
80 | type = list(string)
81 | description = "Admin password"
82 | default = []
83 | sensitive = true
84 | }
85 |
86 | variable "mq_application_user" {
87 | type = list(string)
88 | description = "Application username"
89 | default = []
90 | }
91 |
92 | variable "mq_application_password" {
93 | type = list(string)
94 | description = "Application password"
95 | default = []
96 | sensitive = true
97 | }
98 |
99 | variable "vpc_id" {
100 | type = string
101 | description = "The ID of the VPC to create the broker in"
102 | }
103 |
104 | variable "subnet_ids" {
105 | type = list(string)
106 | description = "List of VPC subnet IDs"
107 | }
108 |
109 | variable "ssm_parameter_name_format" {
110 | type = string
111 | description = "SSM parameter name format"
112 | default = "/%s/%s"
113 | }
114 |
115 | variable "ssm_path" {
116 | type = string
117 | description = "The first parameter to substitute in `ssm_parameter_name_format`"
118 | default = "mq"
119 | }
120 |
121 | variable "mq_admin_user_ssm_parameter_name" {
122 | type = string
123 | description = "SSM parameter name for Admin username"
124 | default = "mq_admin_username"
125 | }
126 |
127 | variable "mq_admin_password_ssm_parameter_name" {
128 | type = string
129 | description = "SSM parameter name for Admin password"
130 | default = "mq_admin_password"
131 | }
132 |
133 | variable "mq_application_user_ssm_parameter_name" {
134 | type = string
135 | description = "SSM parameter name for Application username"
136 | default = "mq_application_username"
137 | }
138 |
139 | variable "mq_application_password_ssm_parameter_name" {
140 | type = string
141 | description = "SSM parameter name for Application password"
142 | default = "mq_application_password"
143 | }
144 |
145 |
146 |
147 | variable "kms_ssm_key_arn" {
148 | type = string
149 | description = "ARN of the AWS KMS key used for SSM encryption"
150 | default = "alias/aws/ssm"
151 | }
152 |
153 | variable "encryption_enabled" {
154 | type = bool
155 | description = "Flag to enable/disable Amazon MQ encryption at rest"
156 | default = true
157 | }
158 |
159 | variable "kms_mq_key_arn" {
160 | type = string
161 | description = "ARN of the AWS KMS key used for Amazon MQ encryption"
162 | default = null
163 | }
164 |
165 | variable "use_aws_owned_key" {
166 | type = bool
167 | description = "Boolean to enable an AWS owned Key Management Service (KMS) Customer Master Key (CMK) for Amazon MQ encryption that is not in your account"
168 | default = true
169 | }
170 |
171 | variable "allowed_ingress_ports" {
172 | type = list(number)
173 | description = <<-EOT
174 | List of TCP ports to allow access to in the created security group.
175 | Default is to allow access to all ports. Set `create_security_group` to `false` to disable.
176 | Note: List of ports must be known at "plan" time.
177 | EOT
178 | default = []
179 | }
180 |
181 | variable "configuration_data" {
182 | type = string
183 | description = "data value for configuration"
184 | default = null
185 | }
186 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 3.0"
8 | }
9 | random = {
10 | source = "hashicorp/random"
11 | version = ">= 3.0"
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
