AWS Deployment Using Terraform Template

High-Level Architecture Overview

This section provides a conceptual overview of how the BlueRock Secure MCP Server is deployed on AWS EC2 and how its core components interact.

End-to-End Flow

Deployment scripts are executed from a user desktop or client environment where AWS CLI is configured. The script uses AWS APIs to provision the required AWS Resources and deploy BlueRock Secure MCP Server.

BlueRock EC2 Architecture Components

Architecture Diagram

BlueRock EC2 Architecture Components

A typical BlueRock Secure MCP Server EC2 deployment consists of the following AWS Resources/Services:

AWS Resources/Services

Description

Virtual Private Cloud (VPC)

Provides an isolated networking environment in AWS where all BlueRock deployment resources are created.

Amazon VPC Gateway

Enables controlled inbound and outbound internet access for resources deployed inside the VPC.

Amazon EC2 (BlueRock Node)

Runs the BlueRock MCP Server using a hardened BlueRock AMI and hosts all runtime services.

Amazon Elastic Block Store (EBS)

Provides persistent block storage attached to the EC2 instance for operating system and application data.

Amazon S3 (BlueRock Config)

Stores BlueRock configuration files such as config.toml that are retrieved by the BlueRock control plane during runtime.

AWS Identity and Access Management (IAM) Role

Grants the EC2 instance permission to access required AWS services such as Amazon S3 and Amazon CloudWatch.

Amazon CloudWatc

Receives telemetry and monitoring data generated by the BlueRock MCP Server.

Amazon CloudWatch Logs

Stores runtime logs and security events generated by the BlueRock MCP Server for analysis and auditing.

User / Administrator

Manages and monitors the BlueRock deployment through AWS services such as CloudWatch and AWS Systems Manager (SSM).

Deployment types

BlueRock EC2 deployments support multiple deployment modes depending on networking and telemetry requirements:

External OTEL

Deploys a single BlueRock EC2 instance configured to send telemetry data directly to an external Amazon CloudWatch Logs endpoint, without using internal CloudWatch resources.

Private

Deploys a single BlueRock EC2 instance into a private subnet, with outbound access via a NAT Gateway and management access enabled through AWS Systems Manager (SSM).

Public

Deploys a single BlueRock EC2 instance into a public subnet, allowing management access through SSH (if configured) and AWS Systems Manager (SSM).

Supported AMI Distributions

BlueRock Secure MCP Server supports the following Linux distributions. Each distribution has a corresponding AMI with specific kernel version:

Name

Kernel Version

AMI NAME

Amazon Linux 2023

6.12.51

bluerock-release-25-50-0-amzlnx2023-6.12.52-free-ami

Ubuntu 24.04

6.12.51

bluerock-release-25-50-0-ubuntu2404-6.12.52-free-ami

Note: The AMI name includes the BlueRock release version, Linux distribution, and Kernel version, allowing users to identify compatibility directly from the AMI name

Prerequisites

AWS Requirements

Active AWS account
API key credentials configured in local environment
AWS CLI should be installed and key credentials should be configured

Required Packages

The BlueRock Deployment Package for EC2 is provided by BlueRock as part of customer onboarding. This package includes Terraform infrastructure-as-code (IaC) scripts required to deploy the BlueRock Secure MCP Server on AWS EC2.

Deployment Method

The following tools must be installed and configured on the local environment before running the deployment:

Terraform Required to execute the BlueRock Terraform deployment scripts.
Terraform installation guide: https://developer.hashicorp.com/terraform/downloads
AWS CLI Required for authentication, resource validation, and post-deployment verification.
AWS CLI installation and configuration guide: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Configuration file location: ~/.aws/credentials

File Content:
AWS_ACCESS_KEY_ID=[your_access_key]
AWS_SECRET_ACCESS_KEY=[your_secret_key]
AWS_SESSION_TOKEN=[your_session_token]

AWS Permissions Required

User permissions: The user executing the deployment script requires permissions to create the following AWS objects:

VPC, Subnets, Internet Gateway, Route Tables
EC2 instance
Security Group
IAM Profile
S3 bucket

Note: The IAM instance profile required for BlueRock instance is automatically created by the deployment script.

Deployment Package Overview

Download and Extract Package

Download the BlueRock deployment package and extract it on your local environment.

terraform.tar.gz

$ tar -xzf terraform.tar.gz

$ ls -l
cloudformation.tar.gz
terraform/
terraform.tar.gz

Directory Structure

Public Deployment

terraform/
└── ec2/
    └── freemium/
        ├── al2023/
        │   └── PublicDeployment/
        │       ├── README.md
        │       ├── main.tf
        │       ├── outputs.tf
        │       ├── terraform.tfvars
        │       ├── terraform.tfvars.example
        │       └── variables.tf
        └── ubuntu/
            └── PublicDeployment/
                ├── README.md
                ├── main.tf
                ├── outputs.tf
                ├── terraform.tfvars
                ├── terraform.tfvars.example
                └── variables.tf

Private/ External OTEL Deployment

terraform/
└── ec2/
    └── freemium/
        ├── al2023/
        │   └── ExternalOtel/
        │       ├── README.md
        │       ├── main.tf
        │       ├── outputs.tf
        │       ├── terraform.tfvars
        │       ├── terraform.tfvars.example
        │       ├── user_data.sh.tpl
        │       └── variables.tf
        └── ubuntu/
            └── ExternalOtel/
                ├── README.md
                ├── main.tf
                ├── outputs.tf
                ├── terraform.tfvars
                ├── terraform.tfvars.example
                ├── user_data.sh.tpl
                └── variables.tf

Terraform Deployment

Configuration Parameters

Navigate to the Terraform deployment directory, copy the example variables file, and update the deployment parameters by editing the Terraform variables file:

Amazon Linux:
cd terraform/ec2/freemium/al2023/ExternalOtel

Ubuntu:
cd terraform/ec2/freemium/ubuntu/ExternalOtel

cp terraform.tfvars.example terraform.tfvars
vi terraform.tfvars

Parameter Reference

Parameter

Description

Required

Example / Default Value

region

AWS region where resources will be deployed

Yes

us-east-1

prefix

Prefix used for naming all AWS resources

Yes

bluerock-freemium

ami_id

BlueRock AMI ID selected from the supported AMI list

Yes

ami-0251e1dd3708aab50

node_instance_type

EC2 instance type for the BlueRock node

Yes

t3.large

allow_ip

CIDR block allowed for SSH access to the EC2 instance

Optional

203.0.113.10/32

ssh_key_name

AWS EC2 key pair name for SSH access

Optional (SSM used if not provided)

bluerock-keypair

vpc_id

Existing VPC ID where the instance will be deployed

Optional

vpc-0abc1234def567890

subnet_id

Existing subnet ID for EC2 deployment

Optional

subnet-0123abcd4567efgh

target_aws_account

AWS account ID where resources are created

Yes

123456789012

s3_bucket_name

S3 bucket used to store Ultra Control configuration (config.toml)

Yes

bluerock-uc-config-bucket

Note:

Deployment on existing VPC: Provide both vpc_id and subnet_id values
Deployment on new VPC: Leave both values empty (null)

Running the Deployment Script

Navigate to the Terraform deployment directory, initialize Terraform, review the execution plan, and apply the configuration to provision the BlueRock Secure MCP Server:

cd terraform/ec2/freemium/al2023/ExternalOtel
terraform init
terraform plan
terraform apply

Capture outputs

The deployment will output critical information including:

EC2 instance Public IP
S3 bucket name
CloudWatch log group name

Output:
instance_id         = "i-09d31837043f8b71d"
instance_private_ip = "172.31.134.24"
instance_public_ip  = "3.85.120.175"

log_group_name  = "bluerock-al2023-test-TelemetryLogGroup"
log_stream_name = "bluerock-al2023-test-TelemetryLogStream"

policy_bucket_name = "bluerock-al2023-test-policybucket"
s3_bucket_name     = "bluerock-al2023-test-policybucket"
s3_bucket_url      = "https://bluerock-al2023-test-policybucket.s3.us-east-1.amazonaws.com"

subnet_id = "subnet-029f43a448c03aafe"

Post-Deployment Validation

This section verifies that the BlueRock Secure MCP Server has been deployed successfully and is functioning as expected.

Check Bluerock Instance

Check the instance status to confirm that the EC2 instance is running and has a public IP address assigned (for public deployments):

aws ec2 describe-instances\ --filters "Name=tag:Name,Values=bluerock*"

Output:
{
  "Reservations": [
    {
      "Instances": [
        {
          "InstanceId": "i-09d31837043f8b71d",
          "InstanceType": "t3.xlarge",
          "State": {
            "Code": 16,
            "Name": "running"
          },
          "PublicIpAddress": "3.85.120.175",
          "PrivateIpAddress": "172.31.134.24",
          "Placement": {
            "AvailabilityZone": "us-east-1b"
          },
          "Tags": [
            {
              "Key": "Name",
              "Value": "bluerock-freemium-ec2"
            }
          ]
        }
      ]
    }
  ]
}

Check Instance Access

SSH Access

Check instance access to confirm SSH connectivity for public deployments by running the appropriate command for the selected AMI:

Amazon Linux:
ssh -i /path/to/key.pem ec2-user@<PUBLIC_IP>

Ubuntu:
ssh -i /path/to/key.pem ubuntu@<PUBLIC_IP>

Verify BlueRock Control Plane Service

Verify that the BlueRock Control Plane service is running by checking that the Ultra Control service is in the active (running) state.

sudo systemctl status uc-docker.service

Output:
uc-docker.service - Manage the Ultracontrol Docker Service
     Loaded: loaded (/etc/systemd/system/uc-docker.service; enabled; preset: disabled)
     Active: active (running) since Tue 2026-01-20 05:55:04 UTC; 3 days ago
   Main PID: 2544 (uc-docker.sh)
      Tasks: 2 (limit: 18942)
     Memory: 24.0M
        CPU: 1min 51.561s
     CGroup: /system.slice/uc-docker.service
             ├─2544 /usr/bin/bash /opt/bluerock/bin/uc-docker.sh start
             └─179431 sleep 5

Jan 20 05:55:04 ip-172-31-22-123 systemd[1]: Started uc-docker.service - Manage the Ultracontrol Docker Service.
Jan 20 05:55:04 ip-172-31-22-123 uc-docker.sh[2544]: starting uc container with ultracontrol:latest image
Jan 20 05:55:04 ip-172-31-22-123 uc-docker.sh[2544]: To check logs run: /opt/bluerock/bin/uc-docker.sh logs
Jan 20 05:55:06 ip-172-31-22-123 uc-docker.sh[2544]: uc container started successfully.

Check Otel Collector:

Check the OpenTelemetry Collector and Ultra Control containers to verify that both services are running.

docker ps

Output:
CONTAINER ID   IMAGE                        COMMAND                  CREATED        STATUS        PORTS     NAMES
7f307a339f89   ultracontrol:latest          "/opt/bluerock/sbin/…"   3 days ago     Up 3 days               uc
a9f4c2b8e112   otel/opentelemetry-collector "/otelcontribcol"        3 days ago     Up 3 days               otel-collector

View logs:
/opt/bluerock/bin/uc-docker.sh logs
docker logs otel-collector