In a previous post, we walked through setting up an AWS MSK cluster manually using the AWS Console. While that's great for learning, it's not repeatable, scalable, or easy to manage. Today, we're taking it to the next level with Infrastructure as Code (IaC).
We'll use Terraform to define our entire MSK environment—VPC, subnets, security groups, IAM roles, the MSK cluster, and even a client EC2 instance—in a single set of configuration files. With a few simple commands, you can create, update, or destroy the whole setup.
What We'll Build:
- A new VPC with public subnets across three Availability Zones.
- All necessary networking (Internet Gateway, Route Tables).
- A secure MSK Kafka cluster.
- An EC2 instance pre-configured with Kafka tools and the correct authentication settings.
- IAM roles and security groups that allow the EC2 instance to securely communicate with the MSK cluster.
Let's get started!
🛠️ Prerequisites
Before you begin, make sure you have the following:
- An AWS Account: You'll need an AWS account with programmatic access. If you haven't already, configure your credentials locally using the AWS CLI:
aws configure
- Terraform Installed: You'll need the Terraform CLI installed on your machine.
How to Install Terraform
Terraform is easy to install. Here are instructions for common operating systems.
On macOS (using Homebrew):
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
On Windows (using Chocolatey):
choco install terraform
On Linux (Debian/Ubuntu):
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install terraform
After installation, verify it's working by running:
terraform --version
📜 Understanding the Terraform Code
Save the complete configuration (linked in the deployment section below) into a file named msk-cluster-with-vpc-ec2-client.tf. Let's break down what each section of our Terraform configuration does.
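If you're assembling the file yourself rather than downloading it, it opens with provider configuration. Here's a minimal sketch (the region and version pin are assumptions, not necessarily what the linked script uses):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    tls = {
      source = "hashicorp/tls"
    }
    local = {
      source = "hashicorp/local"
    }
  }
}

# Region is an assumption -- use whichever region you deploy to.
provider "aws" {
  region = "us-east-1"
}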
1. Networking (VPC, Subnets, IGW)
This section builds the foundational network for our resources. We create a new VPC and then provision three public subnets, one in each of three Availability Zones, for high availability. The Internet Gateway and Route Tables ensure our EC2 instance can reach the internet.
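Here's a condensed sketch of that networking layer (resource names and CIDR ranges are illustrative; see the linked script for the exact code):

# Illustrative sketch -- names and CIDR ranges are assumptions.
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "msk_vpc" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

# Three public subnets, one per AZ, carved out of the VPC CIDR.
resource "aws_subnet" "public" {
  count                   = 3
  vpc_id                  = aws_vpc.msk_vpc.id
  cidr_block              = cidrsubnet(aws_vpc.msk_vpc.cidr_block, 8, count.index)
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.msk_vpc.id
}

# Route all outbound traffic through the Internet Gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.msk_vpc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  count          = 3
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}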
2. Security (Security Groups & SSH Key)
- SSH Key: Terraform dynamically generates an RSA key pair. The public key is uploaded to AWS (aws_key_pair), and the private key is saved locally as msk-client-key.pem so you can SSH into the EC2 instance.
- Security Groups: We create two security groups: one for the MSK cluster and one for the EC2 client. The rules allow the EC2 instance and the MSK cluster to communicate freely with each other on any port, while the EC2 instance only accepts incoming SSH traffic from the internet. A condensed sketch of both pieces follows.
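Here is what that might look like (names and the file mode are assumptions; the tls and local providers supply the key generation and file resources):

# Illustrative sketch -- names and file mode are assumptions.
resource "tls_private_key" "ssh" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "msk_client" {
  key_name   = "msk-client-key"
  public_key = tls_private_key.ssh.public_key_openssh
}

# Write the private key next to the .tf file so you can SSH in.
resource "local_file" "private_key" {
  content         = tls_private_key.ssh.private_key_pem
  filename        = "${path.module}/msk-client-key.pem"
  file_permission = "0400"
}

# EC2 client: SSH in from anywhere, all traffic out.
resource "aws_security_group" "client" {
  vpc_id = aws_vpc.msk_vpc.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# MSK brokers: accept any traffic from the client SG and from each other.
resource "aws_security_group" "msk" {
  vpc_id = aws_vpc.msk_vpc.id
  ingress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    security_groups = [aws_security_group.client.id]
  }
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
}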
3. IAM Role for EC2
Instead of hardcoding AWS keys, we use an IAM Role. This block creates an aws_iam_role that the EC2 instance can "assume." The attached aws_iam_policy grants the instance specific permissions to connect to, describe, read from, and write to the MSK cluster's topics. This is the most secure way to grant AWS permissions to services.
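A sketch of that wiring (role and policy names are illustrative; the kafka-cluster:* actions are the standard MSK IAM action set):

# Illustrative sketch -- role and policy names are assumptions.
resource "aws_iam_role" "msk_client" {
  name = "msk-client-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_policy" "msk_access" {
  name = "msk-client-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "kafka-cluster:Connect",
        "kafka-cluster:DescribeCluster",
        "kafka-cluster:CreateTopic",
        "kafka-cluster:DescribeTopic",
        "kafka-cluster:WriteData",
        "kafka-cluster:ReadData",
        "kafka-cluster:AlterGroup",
        "kafka-cluster:DescribeGroup"
      ]
      Resource = "*"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "msk_access" {
  role       = aws_iam_role.msk_client.name
  policy_arn = aws_iam_policy.msk_access.arn
}

# The instance profile is what actually binds the role to the EC2 instance.
resource "aws_iam_instance_profile" "msk_client" {
  name = "msk-client-profile"
  role = aws_iam_role.msk_client.name
}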
4. The MSK Cluster
This is the core resource. We define an aws_msk_cluster with three small broker nodes (kafka.t3.small). Critically, the client_authentication block is configured to use IAM (iam = true), which allows our EC2 instance to authenticate using its assigned IAM role.
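A sketch of the cluster resource (cluster name and EBS volume size are assumptions; the other values match what this post describes):

# Illustrative sketch -- cluster name and volume size are assumptions.
resource "aws_msk_cluster" "msk" {
  cluster_name           = "msk-demo-cluster"
  kafka_version          = "3.6.0"
  number_of_broker_nodes = 3

  broker_node_group_info {
    instance_type   = "kafka.t3.small"
    client_subnets  = aws_subnet.public[*].id
    security_groups = [aws_security_group.msk.id]
    storage_info {
      ebs_storage_info {
        volume_size = 10
      }
    }
  }

  # IAM auth is the key piece: clients sign requests with their IAM credentials.
  client_authentication {
    sasl {
      iam = true
    }
  }
}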
5. The EC2 Client Instance
This is where the magic happens! We launch a t2.micro EC2 instance. The user_data script is a powerful feature that runs automatically on first boot. This script:
- Installs Java.
- Downloads and extracts the correct version of Kafka.
- Downloads the AWS MSK IAM Auth library, which is required for IAM authentication.
- Creates the client.properties file with the exact configuration needed for our Kafka tools to authenticate with MSK via IAM.
This means that as soon as the instance is ready, it's already fully configured to act as a Kafka client!
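For reference, here's a sketch of the instance and its bootstrap script (the AMI lookup, Corretto package, and IAM auth library version are assumptions; the client.properties settings are the standard MSK IAM values from the AWS documentation):

# Illustrative sketch -- AMI lookup, package, and jar version are assumptions.
data "aws_ami" "al2" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
}

resource "aws_instance" "kafka_client" {
  ami                    = data.aws_ami.al2.id
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public[0].id
  key_name               = aws_key_pair.msk_client.key_name
  iam_instance_profile   = aws_iam_instance_profile.msk_client.name
  vpc_security_group_ids = [aws_security_group.client.id]

  user_data = <<-EOF
    #!/bin/bash
    yum install -y java-11-amazon-corretto-headless
    cd /home/ec2-user
    wget https://archive.apache.org/dist/kafka/3.6.0/kafka_2.13-3.6.0.tgz
    tar -xzf kafka_2.13-3.6.0.tgz
    # The IAM auth jar must be on the client classpath
    wget -P kafka_2.13-3.6.0/libs https://github.com/aws/aws-msk-iam-auth/releases/download/v1.1.1/aws-msk-iam-auth-1.1.1-all.jar
    # Standard MSK IAM client settings
    cat > kafka_2.13-3.6.0/bin/client.properties <<'PROPS'
    security.protocol=SASL_SSL
    sasl.mechanism=AWS_MSK_IAM
    sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required;
    sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler
    PROPS
    chown -R ec2-user:ec2-user /home/ec2-user/kafka_2.13-3.6.0
  EOF
}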
🚀 Deploying the Infrastructure
Note: You can find the complete Terraform script here: https://github.com/yeshwanthlm/AWS-MSK-Crash-Course/blob/main/terraform/msk-cluster-with-vpc-ec2-client.tf
With the msk-cluster-with-vpc-ec2-client.tf file saved, running the deployment is as simple as three commands.
Initialize Terraform
This command downloads the necessary provider plugins (the AWS provider, plus the tls and local providers used to generate and save the SSH key).
terraform init
Plan the Deployment
This is a dry run. Terraform shows you exactly what resources it will create, change, or destroy.
terraform plan
Apply the Configuration
This command executes the plan and builds everything in your AWS account. Type yes when prompted.
terraform apply
Grab a coffee! ☕ The MSK cluster creation is the longest step and will take around 20-30 minutes. Once finished, Terraform will display the outputs, including the public IP of your EC2 instance.
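Those outputs come from output blocks at the bottom of the file; here's a sketch matching the resource names used in the snippets above:

# Output names match the terraform output commands used below.
output "ec2_public_ip" {
  value = aws_instance.kafka_client.public_ip
}

output "bootstrap_brokers" {
  # bootstrap_brokers_sasl_iam is the IAM-auth connection string
  # exposed by the aws_msk_cluster resource.
  value = aws_msk_cluster.msk.bootstrap_brokers_sasl_iam
}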
✅ Connecting and Testing Your Cluster
Once terraform apply is complete, let's verify everything works.
Get the EC2 Public IP
Find the public IP from the Terraform output. You can also run terraform output ec2_public_ip.
SSH into the EC2 Instance
The private key msk-client-key.pem was saved in your project directory.
# Make sure to set correct permissions if needed
chmod 400 msk-client-key.pem
ssh -i "msk-client-key.pem" ec2-user@<YOUR_EC2_PUBLIC_IP>
Get Your Bootstrap Brokers String
In your local terminal (not the SSH session), get the connection string from the Terraform outputs.
terraform output bootstrap_brokers
Copy this long string. You'll need it for the next steps.
Create a Kafka Topic
Inside your EC2 SSH session, change into the Kafka installation directory (cd /home/ec2-user/kafka_2.13-3.6.0) and create a topic.
bin/kafka-topics.sh --create \
--bootstrap-server <bootstrapServerString> \
--command-config /home/ec2-user/kafka_2.13-3.6.0/bin/client.properties \
--replication-factor 3 \
--partitions 1 \
--topic my-first-topic
Start a Producer
In the same terminal, start the console producer. This will give you a > prompt.
bin/kafka-console-producer.sh \
--bootstrap-server <bootstrapServerString> \
--producer.config /home/ec2-user/kafka_2.13-3.6.0/bin/client.properties \
--topic my-first-topic
Type a message like Hello from Terraform! and press Enter.
Start a Consumer (in a new terminal)
Open a second terminal window and SSH into your EC2 instance again. Change into the same Kafka directory and run the consumer:
bin/kafka-console-consumer.sh \
--bootstrap-server <bootstrapServerString> \
--consumer.config /home/ec2-user/kafka_2.13-3.6.0/bin/client.properties \
--topic my-first-topic \
--from-beginning
You should instantly see Hello from Terraform! appear in your consumer window. Success! 🎉
🧹 Cleaning Up
Don't forget to tear down your infrastructure to avoid ongoing AWS charges! The beauty of Terraform is that this is a single, simple command.
terraform destroy
Type yes when prompted, and Terraform will neatly remove all the resources it created.
Conclusion
You've successfully automated a complete AWS MSK environment using Terraform. With Infrastructure as Code, you now have a repeatable, version-controlled, and reliable way to manage your Kafka clusters on AWS. This is the foundation for building powerful, event-driven applications at scale.