# AWS Deployment Using Terraform Template

### High-Level Architecture Overview

This section provides a conceptual overview of how the BlueRock Secure MCP Server is deployed on AWS EC2 and how its core components interact.

#### End-to-End Flow

Deployment scripts are executed from a user desktop or client environment where the AWS CLI is configured. The script uses AWS APIs to provision the required AWS resources and deploy the BlueRock Secure MCP Server.

#### Architecture Diagram

<figure><img src="/files/bpwkrmdKTR2oywh8VX2f" alt=""><figcaption></figcaption></figure>

#### **BlueRock EC2 Architecture Components**

A typical BlueRock Secure MCP Server EC2 deployment consists of the following AWS Resources/Services:

<table><thead><tr><th width="316.65625">AWS Resources/Services</th><th>Description</th></tr></thead><tbody><tr><td><strong>Virtual Private Cloud (VPC)</strong></td><td>Provides an isolated networking environment in AWS where all BlueRock deployment resources are created.</td></tr><tr><td><strong>Amazon VPC Gateway</strong></td><td>Enables controlled inbound and outbound internet access for resources deployed inside the VPC.</td></tr><tr><td><strong>Amazon EC2 (BlueRock Node)</strong></td><td>Runs the BlueRock MCP Server using a hardened BlueRock AMI and hosts all runtime services.</td></tr><tr><td><strong>Amazon Elastic Block Store (EBS)</strong></td><td>Provides persistent block storage attached to the EC2 instance for operating system and application data.</td></tr><tr><td><strong>Amazon S3 (BlueRock Config)</strong></td><td>Stores BlueRock configuration files such as <code>config.toml</code> that are retrieved by the BlueRock control plane during runtime.</td></tr><tr><td><strong>AWS Identity and Access Management (IAM) Role</strong></td><td>Grants the EC2 instance permission to access required AWS services such as Amazon S3 and Amazon CloudWatch.</td></tr><tr><td><strong>Amazon CloudWatch</strong></td><td>Receives telemetry and monitoring data generated by the BlueRock MCP Server.</td></tr><tr><td><strong>Amazon CloudWatch Logs</strong></td><td>Stores runtime logs and security events generated by the BlueRock MCP Server for analysis and auditing.</td></tr><tr><td><strong>User / Administrator</strong></td><td>Manages and monitors the BlueRock deployment through AWS services such as CloudWatch and AWS Systems Manager (SSM).</td></tr></tbody></table>

***

#### Deployment types

BlueRock EC2 deployments support multiple deployment modes depending on networking and telemetry requirements:

<table data-header-hidden><thead><tr><th width="176.95703125">Deployment Mode</th><th>Description</th></tr></thead><tbody><tr><td><strong>External OTEL</strong></td><td>Deploys a single BlueRock EC2 instance configured to send telemetry data directly to an external Amazon CloudWatch Logs endpoint, without using internal CloudWatch resources.</td></tr><tr><td><strong>Private</strong></td><td>Deploys a single BlueRock EC2 instance into a private subnet, with outbound access via a NAT Gateway and management access enabled through AWS Systems Manager (SSM).</td></tr><tr><td><strong>Public</strong></td><td>Deploys a single BlueRock EC2 instance into a public subnet, allowing management access through SSH (if configured) and AWS Systems Manager (SSM).</td></tr></tbody></table>

***

### Supported AMI Distributions

BlueRock Secure MCP Server supports the following Linux distributions. Each distribution has a corresponding AMI built for a specific kernel version:

| **Name**              | **Kernel Version** | **AMI Name**                                         |
| --------------------- | ------------------ | ---------------------------------------------------- |
| **Amazon Linux 2023** | 6.12.51            | bluerock-release-25-50-0-amzlnx2023-6.12.52-free-ami |
| **Ubuntu 24.04**      | 6.12.51            | bluerock-release-25-50-0-ubuntu2404-6.12.52-free-ami |

Note: The AMI name includes the **BlueRock release version**, **Linux distribution**, and **kernel version**, so compatibility can be identified directly from the AMI name.

***

### Prerequisites

#### AWS Requirements

* Active AWS account
* AWS CLI installed in the local environment
* API key credentials for that account configured in the local environment

#### Required Packages

The BlueRock Deployment Package for EC2 is provided by BlueRock as part of customer onboarding.\
This package includes Terraform infrastructure-as-code (IaC) scripts required to deploy the BlueRock Secure MCP Server on AWS EC2.

#### Deployment Method

The following tools must be installed and configured on the local environment before running the deployment:

* **Terraform**\
  Required to execute the BlueRock Terraform deployment scripts.

  Terraform installation guide:\
  <https://developer.hashicorp.com/terraform/downloads>
* **AWS CLI**\
  Required for authentication, resource validation, and post-deployment verification.

  AWS CLI installation and configuration guide:\
  <https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html>

```shellscript
# Configuration file location: ~/.aws/credentials
# File content (INI format read by the AWS CLI; the session token line is only
# needed when using temporary credentials):
[default]
aws_access_key_id     = [your_access_key]
aws_secret_access_key = [your_secret_key]
aws_session_token     = [your_session_token]
```

#### AWS Permissions Required

**User permissions:** The user executing the deployment script requires permissions to create the following AWS objects:

* VPC, Subnets, Internet Gateway, Route Tables
* EC2 instance
* Security Group
* IAM Profile
* S3 bucket

**Note:** The IAM instance profile required for the BlueRock instance is created automatically by the deployment script.

***

### Deployment Package Overview

#### Download and Extract Package

Download the BlueRock deployment package and extract it on your local environment.

```bash
terraform.tar.gz

$ tar -xzf terraform.tar.gz

$ ls -l
cloudformation.tar.gz
terraform/
terraform.tar.gz

```

***

### **Directory Structure**

#### Public Deployment

```shellscript
terraform/
└── ec2/
    └── freemium/
        ├── al2023/
        │   └── PublicDeployment/
        │       ├── README.md
        │       ├── main.tf
        │       ├── outputs.tf
        │       ├── terraform.tfvars
        │       ├── terraform.tfvars.example
        │       └── variables.tf
        └── ubuntu/
            └── PublicDeployment/
                ├── README.md
                ├── main.tf
                ├── outputs.tf
                ├── terraform.tfvars
                ├── terraform.tfvars.example
                └── variables.tf
```

#### Private / External OTEL Deployment

```shellscript
terraform/
└── ec2/
    └── freemium/
        ├── al2023/
        │   └── ExternalOtel/
        │       ├── README.md
        │       ├── main.tf
        │       ├── outputs.tf
        │       ├── terraform.tfvars
        │       ├── terraform.tfvars.example
        │       ├── user_data.sh.tpl
        │       └── variables.tf
        └── ubuntu/
            └── ExternalOtel/
                ├── README.md
                ├── main.tf
                ├── outputs.tf
                ├── terraform.tfvars
                ├── terraform.tfvars.example
                ├── user_data.sh.tpl
                └── variables.tf

```

***

### Terraform Deployment

#### Configuration Parameters

Navigate to the Terraform deployment directory, copy the example variables file, and update the deployment parameters by editing the Terraform variables file:

```shellscript
Amazon Linux:
cd terraform/ec2/freemium/al2023/ExternalOtel

Ubuntu:
cd terraform/ec2/freemium/ubuntu/ExternalOtel

cp terraform.tfvars.example terraform.tfvars
vi terraform.tfvars
```

#### Parameter Reference

| Parameter            | Description                                                       | Required                            | Example / Default Value   |
| -------------------- | ----------------------------------------------------------------- | ----------------------------------- | ------------------------- |
| region               | AWS region where resources will be deployed                       | Yes                                 | us-east-1                 |
| prefix               | Prefix used for naming all AWS resources                          | Yes                                 | bluerock-freemium         |
| ami\_id              | BlueRock AMI ID selected from the supported AMI list              | Yes                                 | ami-0251e1dd3708aab50     |
| node\_instance\_type | EC2 instance type for the BlueRock node                           | Yes                                 | t3.large                  |
| allow\_ip            | CIDR block allowed for SSH access to the EC2 instance             | Optional                            | 203.0.113.10/32           |
| ssh\_key\_name       | AWS EC2 key pair name for SSH access                              | Optional (SSM used if not provided) | bluerock-keypair          |
| vpc\_id              | Existing VPC ID where the instance will be deployed               | Optional                            | vpc-0abc1234def567890     |
| subnet\_id           | Existing subnet ID for EC2 deployment                             | Optional                            | subnet-0123abcd4567efgh   |
| target\_aws\_account | AWS account ID where resources are created                        | Yes                                 | 123456789012              |
| s3\_bucket\_name     | S3 bucket used to store Ultra Control configuration (config.toml) | Yes                                 | bluerock-uc-config-bucket |

**Note:**

* Deployment on an existing VPC: provide both the vpc\_id and subnet\_id values
* Deployment on a new VPC: leave both values empty (null)
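Before running `terraform apply`, a small pre-flight check over `terraform.tfvars` catches the mistakes the parameter table and note above describe: a missing required value, a vpc\_id without a subnet\_id (or vice versa), a malformed account ID, or an allow\_ip that opens SSH to the whole internet. The script below is an added example, not part of the BlueRock deployment package; its sample tfvars content is constructed, and the 12-digit account check and S3 bucket naming rule are general AWS constraints, not something the package itself enforces.

```python
# Added example (not from the BlueRock package): pre-apply sanity check for
# terraform.tfvars, encoding the rules from the parameter reference and note above.
import ipaddress
import re

# Constructed sample tfvars content for a new-VPC deployment (not a real file).
SAMPLE_TFVARS = """
region             = "us-east-1"
prefix             = "bluerock-freemium"
ami_id             = "ami-0251e1dd3708aab50"
node_instance_type = "t3.large"
allow_ip           = "203.0.113.10/32"
vpc_id             = null
subnet_id          = null
target_aws_account = "123456789012"
s3_bucket_name     = "bluerock-uc-config-bucket"
"""

# Matches `key = "value"` or `key = null`, with an optional trailing # comment.
_LINE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(null))\s*(?:#.*)?$')
REQUIRED = ("region", "prefix", "ami_id", "node_instance_type", "target_aws_account", "s3_bucket_name")


def parse_tfvars(text):
    """Parse simple string/null assignments into a dict (null -> None)."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            out[m.group(1)] = None if m.group(3) else m.group(2)
    return out


def check_tfvars(tfvars):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = [f"{k}: required value is missing" for k in REQUIRED if not tfvars.get(k)]
    if not re.fullmatch(r"\d{12}", tfvars.get("target_aws_account") or ""):
        findings.append("target_aws_account: must be a 12-digit AWS account ID")
    # Existing VPC needs both vpc_id and subnet_id; a new VPC needs neither.
    if bool(tfvars.get("vpc_id")) != bool(tfvars.get("subnet_id")):
        findings.append("vpc_id/subnet_id: set both (existing VPC) or neither (new VPC)")
    cidr = tfvars.get("allow_ip")
    if cidr:  # SSH source range: must be a valid CIDR and should not be world-open
        try:
            if ipaddress.ip_network(cidr, strict=True).prefixlen == 0:
                findings.append("allow_ip: /0 allows SSH from the whole internet")
        except ValueError:
            findings.append(f"allow_ip: {cidr!r} is not a valid CIDR block (check host bits)")
    # S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots, hyphens.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", tfvars.get("s3_bucket_name") or ""):
        findings.append("s3_bucket_name: does not follow S3 bucket naming rules")
    return findings
```

Run `check_tfvars(parse_tfvars(open("terraform.tfvars").read()))` from the deployment directory; an empty list means the file passes all checks.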

#### Running the Deployment Script

Navigate to the Terraform deployment directory, initialize Terraform, review the execution plan, and apply the configuration to provision the BlueRock Secure MCP Server:

```shellscript
cd terraform/ec2/freemium/al2023/ExternalOtel
terraform init
terraform plan
terraform apply
```

**Capture outputs**

The deployment will output critical information including:

* EC2 instance Public IP
* S3 bucket name
* CloudWatch log group name

```bash
Output:
instance_id         = "i-09d31837043f8b71d"
instance_private_ip = "172.31.134.24"
instance_public_ip  = "3.85.120.175"

log_group_name  = "bluerock-al2023-test-TelemetryLogGroup"
log_stream_name = "bluerock-al2023-test-TelemetryLogStream"

policy_bucket_name = "bluerock-al2023-test-policybucket"
s3_bucket_name     = "bluerock-al2023-test-policybucket"
s3_bucket_url      = "https://bluerock-al2023-test-policybucket.s3.us-east-1.amazonaws.com"

subnet_id = "subnet-029f43a448c03aafe"
```

***

### Post-Deployment Validation

This section verifies that the BlueRock Secure MCP Server has been deployed successfully and is functioning as expected.

#### Check BlueRock Instance

Check the instance status to confirm that the EC2 instance is running and has a public IP address assigned (for public deployments):

```shellscript
aws ec2 describe-instances --filters "Name=tag:Name,Values=bluerock*"

Output:
{
  "Reservations": [
    {
      "Instances": [
        {
          "InstanceId": "i-09d31837043f8b71d",
          "InstanceType": "t3.xlarge",
          "State": {
            "Code": 16,
            "Name": "running"
          },
          "PublicIpAddress": "3.85.120.175",
          "PrivateIpAddress": "172.31.134.24",
          "Placement": {
            "AvailabilityZone": "us-east-1b"
          },
          "Tags": [
            {
              "Key": "Name",
              "Value": "bluerock-freemium-ec2"
            }
          ]
        }
      ]
    }
  ]
}
```

#### Check Instance Access

**SSH Access**

Check instance access to confirm SSH connectivity for public deployments by running the appropriate command for the selected AMI:

```shellscript
Amazon Linux:
ssh -i /path/to/key.pem ec2-user@<PUBLIC_IP>

Ubuntu:
ssh -i /path/to/key.pem ubuntu@<PUBLIC_IP>
```

#### Verify BlueRock Control Plane Service

Verify that the BlueRock Control Plane service is running by checking that the Ultra Control service is in the **active (running)** state.

```shellscript
sudo systemctl status uc-docker.service

Output:
uc-docker.service - Manage the Ultracontrol Docker Service
     Loaded: loaded (/etc/systemd/system/uc-docker.service; enabled; preset: disabled)
     Active: active (running) since Tue 2026-01-20 05:55:04 UTC; 3 days ago
   Main PID: 2544 (uc-docker.sh)
      Tasks: 2 (limit: 18942)
     Memory: 24.0M
        CPU: 1min 51.561s
     CGroup: /system.slice/uc-docker.service
             ├─2544 /usr/bin/bash /opt/bluerock/bin/uc-docker.sh start
             └─179431 sleep 5

Jan 20 05:55:04 ip-172-31-22-123 systemd[1]: Started uc-docker.service - Manage the Ultracontrol Docker Service.
Jan 20 05:55:04 ip-172-31-22-123 uc-docker.sh[2544]: starting uc container with ultracontrol:latest image
Jan 20 05:55:04 ip-172-31-22-123 uc-docker.sh[2544]: To check logs run: /opt/bluerock/bin/uc-docker.sh logs
Jan 20 05:55:06 ip-172-31-22-123 uc-docker.sh[2544]: uc container started successfully.

```

**Check Otel Collector:**

Check the OpenTelemetry Collector and Ultra Control containers to verify that both services are running.

```shellscript
docker ps

Output:
CONTAINER ID   IMAGE                        COMMAND                  CREATED        STATUS        PORTS     NAMES
7f307a339f89   ultracontrol:latest          "/opt/bluerock/sbin/…"   3 days ago     Up 3 days               uc
a9f4c2b8e112   otel/opentelemetry-collector "/otelcontribcol"        3 days ago     Up 3 days               otel-collector

View logs:
/opt/bluerock/bin/uc-docker.sh logs
docker logs otel-collector

```

Logs should show normal startup messages with no repeated errors or crash loops.

#### Verify Telemetry Events in AWS CloudWatch

**Check CloudWatch logs:**

1. Navigate to **CloudWatch Console**

<figure><img src="/files/DogcPf1CuTVvPPes5obD" alt=""><figcaption></figcaption></figure>

2. Go to **Log Groups**

<figure><img src="/files/vZkQGhh6hLiQHdGL554N" alt=""><figcaption></figcaption></figure>

3. Find the BlueRock Log Group

<figure><img src="/files/OplUxNxFLmc2Tw4cQctx" alt=""><figcaption></figcaption></figure>

4. **Verify:**

* Log entries are present
* Events originate from the EC2 instance
* Timestamps align with instance startup activity

<figure><img src="/files/rc7GHh69mKkQk73waxoF" alt=""><figcaption></figcaption></figure>

Expected logs include runtime events emitted by the BlueRock Secure MCP Server.
