Terraform module which creates AWS MWAA resources and connects them together.
Use this code to create a basic MWAA environment (using all default parameters, see Inputs):
```hcl
module "airflow" {
  source  = "idealo/mwaa/aws"
  version = "x.x.x"

  account_id           = "12345679"
  environment_name     = "MyEnvironment"
  internet_gateway_id  = "ig-12345"
  private_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] # depending on your vpc ip range
  public_subnet_cidrs  = ["10.0.3.0/24", "10.0.4.0/24"] # depending on your vpc ip range
  region               = "us-west-1"
  source_bucket_arn    = "arn:aws:s3:::MyMwaaBucket"
  vpc_id               = "vpc-12345"
}
```
To give additional permissions to your Airflow execution role (e.g. elasticmapreduce:CreateJobFlow to start an EMR cluster), create a policy document containing the permissions you need:

```hcl
data "aws_iam_policy_document" "additional_execution_policy_doc" {
  statement {
    effect = "Allow"
    # Replace with the actions your DAGs need
    actions = [
      "<Your permissions>"
    ]
    # Replace with the ARNs those actions apply to
    resources = [
      "<YourResource>"
    ]
  }
}
```

and pass the document JSON to the module:

```hcl
module "airflow" {
  # ...
  additional_execution_role_policy_document_json = data.aws_iam_policy_document.additional_execution_policy_doc.json
  # ...
}
```
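The following is an added example, not part of the module's own documentation: one way to fill in the policy document above for the EMR case while keeping the execution role narrowly scoped. It uses `elasticmapreduce:RunJobFlow`, the IAM action that launches a cluster, and the role ARNs, region and account ID are placeholders (assumptions) to replace with your own.

```hcl
# Added example. All ARNs below are placeholders, not values from the module.
locals {
  emr_service_role_arn  = "arn:aws:iam::<account-id>:role/<emr-service-role>"      # assumption
  emr_instance_role_arn = "arn:aws:iam::<account-id>:role/<emr-ec2-instance-role>" # assumption
  emr_cluster_arns      = "arn:aws:elasticmapreduce:<region>:<account-id>:cluster/*" # assumption
}

data "aws_iam_policy_document" "additional_execution_policy_doc" {
  # RunJobFlow creates the cluster, so there is no existing cluster ARN to scope to.
  statement {
    sid       = "StartEmrCluster"
    effect    = "Allow"
    actions   = ["elasticmapreduce:RunJobFlow"]
    resources = ["*"]
  }

  # Follow-up calls are limited to clusters in this account and region.
  statement {
    sid       = "ManageEmrClusters"
    effect    = "Allow"
    actions   = ["elasticmapreduce:DescribeCluster", "elasticmapreduce:TerminateJobFlows"]
    resources = [local.emr_cluster_arns]
  }

  # iam:PassRole is limited to the two named roles and to the service that
  # is allowed to receive each of them, instead of resources = ["*"].
  statement {
    sid       = "PassEmrServiceRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [local.emr_service_role_arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["elasticmapreduce.amazonaws.com"]
    }
  }

  statement {
    sid       = "PassEmrInstanceRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [local.emr_instance_role_arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
}
```

Without the `iam:PassRole` restrictions, any DAG running under the execution role could hand an arbitrary role in the account to a service it launches.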
Upload the plugins.zip to S3 and pass its relative path inside the MWAA bucket to the `plugins_s3_path` parameter.
If you zip and upload it via Terraform, this looks like:

```hcl
module "airflow" {
  # ...
  plugins_s3_path = aws_s3_bucket_object.your_plugin.key
  # ...
}
```
If you set `create_networking_config = false`, no subnets, EIP, NAT gateway or route tables will be created.
Be aware that you still need these networking resources to get your environment running; follow the official documentation to create them properly.
Name | Version |
---|---|
terraform | ~>1.0.0 |
aws | ~> 3.0 |
Name | Version |
---|---|
aws | 3.60.0 |
No modules.
Name | Type |
---|---|
aws_eip.this | resource |
aws_iam_role.this | resource |
aws_iam_role_policy.this | resource |
aws_mwaa_environment.this | resource |
aws_nat_gateway.this | resource |
aws_route_table.private | resource |
aws_route_table.public | resource |
aws_route_table_association.private | resource |
aws_route_table_association.public | resource |
aws_security_group.this | resource |
aws_subnet.private | resource |
aws_subnet.public | resource |
aws_iam_policy_document.assume | data source |
aws_iam_policy_document.base | data source |
aws_iam_policy_document.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_id | Account ID of the account in which MWAA will be started | `string` | n/a | yes |
additional_execution_role_policy_document_json | Additional permissions to attach to the base MWAA execution role | `string` | `"{}"` | no |
airflow_configuration_options | Additional configuration to overwrite Airflow's standard config | `map(string)` | `{}` | no |
airflow_version | Airflow version to be used | `string` | `"2.0.2"` | no |
create_networking_config | true if networking resources (subnets, EIP, NAT gateway and route table) should be created. | `bool` | `true` | no |
dag_s3_path | Relative path of the dags folder within the source bucket | `string` | `"/dags"` | no |
environment_class | n/a | `string` | `"mw1.small"` | no |
environment_name | Name of the MWAA environment | `string` | n/a | yes |
internet_gateway_id | ID of the internet gateway to the VPC | `any` | n/a | yes |
max_workers | n/a | `string` | `"10"` | no |
min_workers | n/a | `string` | `"1"` | no |
plugins_s3_object_version | n/a | `any` | `null` | no |
plugins_s3_path | Relative path of the plugins.zip within the source bucket | `string` | `null` | no |
private_subnet_cidrs | CIDR blocks for the private subnets MWAA uses. Must be at least 2 if create_networking_config=true | `list(string)` | `[]` | no |
private_subnet_ids | Subnet IDs of the existing private subnets that should be used if create_networking_config=false | `list(string)` | `[]` | no |
public_subnet_cidrs | CIDR blocks for the public subnets MWAA uses. Must be at least 2 if create_networking_config=true | `list(string)` | `[]` | no |
region | AWS Region where the environment and its resources will be created | `string` | n/a | yes |
requirements_s3_object_version | n/a | `any` | `null` | no |
requirements_s3_path | Relative path of the requirements.txt (incl. filename) within the source bucket | `string` | `null` | no |
source_bucket_arn | ARN of the bucket in which DAGs, Plugin and Requirements are put | `string` | n/a | yes |
tags | n/a | `map(string)` | `{}` | no |
vpc_id | VPC ID of the VPC in which the environment's resources are created | `any` | n/a | yes |
webserver_access_mode | Default: PRIVATE_ONLY | `string` | `null` | no |
Name | Description |
---|---|
mwaa_arn | n/a |