Skip to main content

Component: mq-broker

This component is responsible for provisioning an AmazonMQ broker and corresponding security group.


Stack Level: Regional

Here's an example snippet for how to use this component.

enabled: true
apply_immediately: true
auto_minor_version_upgrade: true
deployment_mode: "ACTIVE_STANDBY_MULTI_AZ"
engine_type: "ActiveMQ"
engine_version: "5.15.14"
host_instance_type: "mq.t3.micro"
publicly_accessible: false
general_log_enabled: true
audit_log_enabled: true
encryption_enabled: true
use_aws_owned_key: true


terraform>= 0.13.0
aws>= 3.0
local>= 1.3
template>= 2.2
utils>= 0.3.0


No providers.




No resources.


additional_tag_mapAdditional tags for appending to tags_as_list_of_maps. Not added to{}no
allowed_cidr_blocksList of CIDR blocks that are allowed ingress to the broker's Security Group created in the modulelist(string)[]no
allowed_security_groupsList of security groups to be allowed to connect to the broker instancelist(string)[]no
apply_immediatelySpecifies whether any cluster modifications are applied immediately, or during the next maintenance windowboolfalseno
attributesAdditional attributes (e.g. 1)list(string)[]no
audit_log_enabledEnables audit logging. User management action made using JMX or the ActiveMQ Web Console is loggedbooltrueno
auto_minor_version_upgradeEnables automatic upgrades to new minor versions for brokers, as Apache releases the versionsboolfalseno
contextSingle object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
delimiterDelimiter to be used between namespace, environment, stage, name and attributes.
Defaults to - (hyphen). Set to "" to use no delimiter at all.
deployment_modeThe deployment mode of the broker. Supported: SINGLE_INSTANCE and ACTIVE_STANDBY_MULTI_AZstring"ACTIVE_STANDBY_MULTI_AZ"no
enabledSet to false to prevent the module from creating any resourcesboolnullno
encryption_enabledFlag to enable/disable Amazon MQ encryption at restbooltrueno
engine_typeType of broker engine, ActiveMQ or RabbitMQstring"ActiveMQ"no
engine_versionThe version of the broker engine. See for more detailsstring"5.15.14"no
environmentEnvironment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT'stringnullno
existing_security_groupsList of existing Security Group IDs to place the broker into. Set use_existing_security_groups to true to enable using existing_security_groups as Security Groups for the brokerlist(string)[]no
general_log_enabledEnables general logging via CloudWatchbooltrueno
host_instance_typeThe broker's instance type. e.g. mq.t2.micro or mq.m4.largestring"mq.t3.micro"no
id_length_limitLimit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for default, which is 0.
Does not affect id_full.
import_profile_nameAWS Profile name to use when importing a resourcestringnullno
kms_mq_key_arnARN of the AWS KMS key used for Amazon MQ encryptionstringnullno
kms_ssm_key_arnARN of the AWS KMS key used for SSM encryptionstring"alias/aws/ssm"no
label_key_caseThe letter case of label keys (tag names) (i.e. name, namespace, environment, stage, attributes) to use in tags.
Possible values: lower, title, upper.
Default value: title.
label_orderThe naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present.
label_value_caseThe letter case of output label values (also used in tags and id).
Possible values: lower, title, upper and none (no transformation).
Default value: lower.
maintenance_day_of_weekThe maintenance day of the week. e.g. MONDAY, TUESDAY, or WEDNESDAYstring"SUNDAY"no
maintenance_time_of_dayThe maintenance time, in 24-hour format. e.g. 02:00string"03:00"no
maintenance_time_zoneThe maintenance time zone, in either the Country/City format, or the UTC offset format. e.g. CETstring"UTC"no
mq_admin_passwordAdmin passwordstringnullno
mq_admin_userAdmin usernamestringnullno
mq_application_passwordApplication passwordstringnullno
mq_application_userApplication usernamestringnullno
nameSolution name, e.g. 'app' or 'jenkins'stringnullno
namespaceNamespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp'stringnullno
overwrite_ssm_parameterWhether to overwrite an existing SSM parameterbooltrueno
publicly_accessibleWhether to enable connections from applications outside of the VPC that hosts the broker's subnetsboolfalseno
regex_replace_charsRegex to replace chars with empty string in namespace, environment, stage and name.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
regionAWS Regionstringn/ayes
ssm_parameter_name_formatSSM parameter name formatstring"/%s/%s"no
ssm_pathSSM pathstring"mq"no
stageStage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release'stringnullno
tagsAdditional tags (e.g. map('BusinessUnit','XYZ')map(string){}no
use_aws_owned_keyBoolean to enable an AWS owned Key Management Service (KMS) Customer Master Key (CMK) for Amazon MQ encryption that is not in your accountbooltrueno
use_existing_security_groupsFlag to enable/disable creation of Security Group in the module. Set to true to disable Security Group creation and provide a list of existing security Group IDs in existing_security_groups to place the broker intoboolfalseno


broker_arnAmazonMQ broker ARN
broker_idAmazonMQ broker ID
primary_amqp_ssl_endpointAmazonMQ primary AMQP+SSL endpoint
primary_console_urlAmazonMQ active web console URL
primary_ip_addressAmazonMQ primary IP address
primary_mqtt_ssl_endpointAmazonMQ primary MQTT+SSL endpoint
primary_ssl_endpointAmazonMQ primary SSL endpoint
primary_stomp_ssl_endpointAmazonMQ primary STOMP+SSL endpoint
primary_wss_endpointAmazonMQ primary WSS endpoint
secondary_amqp_ssl_endpointAmazonMQ secondary AMQP+SSL endpoint
secondary_console_urlAmazonMQ secondary web console URL
secondary_ip_addressAmazonMQ secondary IP address
secondary_mqtt_ssl_endpointAmazonMQ secondary MQTT+SSL endpoint
secondary_ssl_endpointAmazonMQ secondary SSL endpoint
secondary_stomp_ssl_endpointAmazonMQ secondary STOMP+SSL endpoint
secondary_wss_endpointAmazonMQ secondary WSS endpoint