# Install on AWS Install Materialize on AWS using the new Terraform module. Materialize provides a set of modular [Terraform modules](https://github.com/MaterializeInc/materialize-terraform-self-managed/tree/main) that can be used to deploy all services required for Materialize to run on AWS. These modules serve as composable building blocks that you can integrate into existing DevOps workflows, either as a full set or individually. Self-managed Materialize requires: a Kubernetes (v1.31+) cluster; PostgreSQL as a metadata database; blob storage; and a license key. The example on this page deploys a complete Materialize environment on AWS using the modular Terraform setup from this repository. > **Note:** We recommend pinning your module sources to specific tags to avoid unexpected breaking > changes in future versions. > We recommend updating your module source tags when updating Materialize versions, > taking care to follow any instructions in the release notes. ## What Gets Created This example provisions the following infrastructure: ### Networking | Resource | Description | |----------|-------------| | VPC | 10.0.0.0/16 with DNS hostnames and support enabled | | Subnets | 3 private subnets (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24) and 3 public subnets (10.0.101.0/24, 10.0.102.0/24, 10.0.103.0/24) across availability zones us-east-1a, us-east-1b, us-east-1c | | NAT Gateway | Single NAT Gateway for all private subnets | | Internet Gateway | For public subnet connectivity | ### Compute | Resource | Description | |----------|-------------| | EKS Cluster | Version 1.32 with CloudWatch logging (API, audit) | | Base Node Group | 2 nodes (t4g.medium) for Karpenter and CoreDNS | | Karpenter | Auto-scaling controller with two node classes: Generic nodepool (t4g.xlarge instances for general workloads) and Materialize nodepool (r7gd.2xlarge instances with swap enabled and dedicated taints to run materialize instance workloads) | ### Database | Resource | Description | |----------|-------------| | RDS PostgreSQL | Version 15, db.t3.large instance | | Storage | 50GB allocated, autoscaling up to 100GB | | Deployment | Single-AZ (non-production configuration) | | Backups | 7-day retention | | Security | Dedicated security group with access from EKS cluster and nodes | ### Storage | Resource | Description | |----------|-------------| | S3 Bucket | Dedicated bucket for Materialize persistence | | Encryption | Disabled (for testing; enable in production) | | Versioning | Disabled (for testing; enable in production) | | IAM Role | IRSA role for Kubernetes service account access | ### Kubernetes Add-ons | Resource | Description | |----------|-------------| | AWS Load Balancer Controller | For managing Network Load Balancers | | cert-manager | Certificate management controller for Kubernetes that automates TLS certificate provisioning and renewal | | Self-signed ClusterIssuer | Provides self-signed TLS certificates for Materialize instance internal communication (balancerd, console). Used by the Materialize instance for secure inter-component communication. | ### Materialize | Resource | Description | |----------|-------------| | Operator | Materialize Kubernetes operator in the `materialize` namespace | | Instance | Single Materialize instance in the `materialize-environment` namespace | | Network Load Balancer | Dedicated NLB for access to Materialize | Port | Description | | --- | --- | | 6875 | For SQL connections to the database | | 6876 | For HTTP(S) connections to the database | | 8080 | For HTTP(S) connections to Materialize Console | | ## Prerequisites ### AWS Account Requirements An active AWS account with appropriate permissions to create: - EKS clusters - RDS instances - S3 buckets - VPCs and networking resources - IAM roles and policies ### Required Tools - [Terraform](https://developer.hashicorp.com/terraform/install?product_intent=terraform) - [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) - [kubectl](https://docs.aws.amazon.com/eks/latest/userguide/install-kubectl.html) - [Helm 3.2.0+](https://helm.sh/docs/intro/install/) ### License Key | License key type | Deployment type | Action | | --- | --- | --- | | Community | New deployments |

To get a license key:

| | Community | Existing deployments | Contact Materialize support. | | Enterprise | New deployments | Visit https://materialize.com/self-managed/enterprise-license/ to purchase an Enterprise license. | | Enterprise | Existing deployments | Contact Materialize support. | ## Getting started: Simple example > **Note:** We recommend pinning your module sources to specific tags to avoid unexpected breaking > changes in future versions. > We recommend updating your module source tags when updating Materialize versions, > taking care to follow any instructions in the release notes. > **Tip:** * The `examples/simple` example, used in this tutorial, is provided for illustration and to help you get started. In practice, we recommend instantiating these modules within your own Terraform code rather than relying on the example configuration directly. > * The simple example used in this tutorial enables [Password > authentication](https://github.com/MaterializeInc/materialize-terraform-self-managed/blob/main/aws/examples/simple/main.tf#L380) > for the Materialize instance. To use a different authentication method, update > [`authenticator_kind`](https://github.com/MaterializeInc/materialize-terraform-self-managed/blob/main/kubernetes/modules/materialize-instance/README.md#input_authenticator_kind). > See [Authentication](/security/self-managed/authentication/) for the supported > authentication mechanisms. ### Step 1: Set Up the Environment 1. Open a terminal window. 1. Clone the Materialize Terraform repository and go to the `aws/examples/simple` directory. ```bash git clone https://github.com/MaterializeInc/materialize-terraform-self-managed.git cd materialize-terraform-self-managed/aws/examples/simple ``` 1. Ensure your AWS CLI is configured with the appropriate profile, substitute `` with the profile to use: ```bash # Set your AWS profile for the session export AWS_PROFILE= ``` ### Step 2: Configure Terraform Variables 1. Create a `terraform.tfvars` file with the following variables: - `name_prefix`: Prefix for all resource names (e.g., `simple-demo`) - `aws_region`: AWS region for deployment (e.g., `us-east-1`) - `aws_profile`: AWS CLI profile to use - `license_key`: Materialize license key - `tags`: Map of tags to apply to resources ```hcl name_prefix = "simple-demo" aws_region = "us-east-1" aws_profile = "your-aws-profile" license_key = "your-materialize-license-key" tags = { environment = "demo" } # internal_load_balancer = false # default = true (internal load balancer). You can set to false = public load balancer. # ingress_cidr_blocks = ["x.x.x.x/n", ...] # k8s_apiserver_authorized_networks = ["x.x.x.x/n", ...] ```

Optional variables:

> **Note:** Refer to your organization's security practices to set these values accordingly. ### Step 3: Apply the Terraform 1. Initialize the Terraform directory to download the required providers and modules: ```bash terraform init ``` 1. Apply the Terraform configuration to create the infrastructure. ```bash terraform apply ``` If you are satisfied with the planned changes, type `yes` when prompted to proceed. > **Tip:** If you previously logged in to Amazon ECR Public, a cached auth token may cause 403 errors even when pulling public images. To remove the token, run: > ```bash > docker logout public.ecr.aws > ``` > Then, re-apply the Terraform configuration. 1. From the output, you will need the following fields to connect using the Materialize Console and PostgreSQL-compatible clients/drivers: - `nlb_dns_name` - `external_login_password_mz_system`. ```bash terraform output -raw ``` > **Tip:** Your shell may show an ending marker (such as `%`) because the > output did not end with a newline. Do not include the marker when using the value. 1. Configure `kubectl` to connect to your cluster, replacing: - `` with the your cluster name; i.e., the `eks_cluster_name` in the Terraform output. For the sample example, your cluster name has the form `{prefix_name}-eks`; e.g., `simple-demo-eks`. - `` with the region of your cluster. Your region can be found in your `terraform.tfvars` file; e.g., `us-east-1`. ```bash # aws eks update-kubeconfig --name --region aws eks update-kubeconfig --name $(terraform output -raw eks_cluster_name) --region ``` ### Step 4. Optional. Verify the deployment. 1. Check the status of your deployment: **Operator:** To check the status of the Materialize operator, which runs in the `materialize` namespace: ```bash kubectl -n materialize get all ``` **Materialize instance:** To check the status of the Materialize instance, which runs in the `materialize-environment` namespace: ```bash kubectl -n materialize-environment get all ```

If you run into an error during deployment, refer to the Troubleshooting.

### Step 5: Connect to Materialize Using the `nlb_dns_name` and `external_login_password_mz_system` from the Terraform output, you can connect to Materialize via the Materialize Console or PostgreSQL-compatible tools/drivers using the following ports: | Port | Description | | --- | --- | | 6875 | For SQL connections to the database | | 6876 | For HTTP(S) connections to the database | | 8080 | For HTTP(S) connections to Materialize Console | #### Connect to the Materialize Console > **Note:** - **If using a public NLB:** Both SQL and Console are available via the > public NLB. You can connect directly using the NLB's DNS name from anywhere > on the internet (subject to your `ingress_cidr_blocks` configuration). > - **If using a private (internal) NLB:** You can connect from inside the same VPC or from networks that are privately connected to it. Alternatively, use Kubernetes port-forwarding for both SQL and Console. 1. To connect to the Materialize Console, open a browser to `https://:8080`, substituting your ``. From the terminal, you can type: ```sh open "https://$(terraform output -raw nlb_dns_name):8080/materialize" ``` > **Tip:** The example uses a self-signed ClusterIssuer. As such, you may encounter a > warning with regards to the certificate. In production, run with > certificates from an official Certificate Authority (CA) rather than > self-signed certificates. 1. Log in as `mz_system`, using `external_login_password_mz_system` as the password. 1. Create new users and log out. In general, other than the initial login to create new users for new deployments, avoid using `mz_system` since `mz_system` also used by the Materialize Operator for upgrades and maintenance tasks. For more information on authentication and authorization for Self-Managed Materialize, see: - [Authentication](/security/self-managed/authentication/) - [Access Control](/security/self-managed/access-control/) 1. Login as one of the created user. #### Connect using `psql` > **Note:** - **If using a public NLB:** Both SQL and Console are available via the > public NLB. You can connect directly using the NLB's DNS name from anywhere > on the internet (subject to your `ingress_cidr_blocks` configuration). > - **If using a private (internal) NLB:** You can connect from inside the same VPC or from networks that are privately connected to it. Alternatively, use Kubernetes port-forwarding for both SQL and Console. 1. To connect using `psql`, in the connection string, specify: - `mz_system` as the user - Your `` as the host - `6875` as the port: ```sh psql "postgres://mz_system@$(terraform output -raw nlb_dns_name):6875/materialize" ``` When prompted for the password, enter the `external_login_password_mz_system` value. 1. Create new users and log out. In general, other than the initial login to create new users for new deployments, avoid using `mz_system` since `mz_system` also used by the Materialize Operator for upgrades and maintenance tasks. For more information on authentication and authorization for Self-Managed Materialize, see: - [Authentication](/security/self-managed/authentication/) - [Access Control](/security/self-managed/access-control/) 1. Login as one of the created user. ## Customizing Your Deployment > **Tip:** To reduce cost in your demo environment, you can tweak subnet CIDRs > and instance types in `main.tf`. You can customize each Terraform module independently. - For details on the Terraform modules, see both the [top level](https://github.com/MaterializeInc/materialize-terraform-self-managed/tree/main) and [AWS specific](https://github.com/MaterializeInc/materialize-terraform-self-managed/tree/main/aws) READMEs. - For details on recommended instance sizing and configuration, see the [AWS deployment guide](/self-managed-deployments/deployment-guidelines/aws-deployment-guidelines/). See also: - [Configuring System Parameters](/self-managed-deployments/configuration-system-parameters/) - [Materialize Operator Configuration](/self-managed-deployments/operator-configuration/) - [Materialize CRD Field Descriptions](/self-managed-deployments/materialize-crd-field-descriptions/) ## Cleanup To delete the whole sample infrastructure and deployment (including the Materialize operator and Materialize instances and data), run from the Terraform directory: ```bash terraform destroy ``` When prompted to proceed, type `yes` to confirm the deletion. ## See Also - [Troubleshooting](/self-managed-deployments/troubleshooting/) - [Security](/security/self-managed/)