Deploy Your First AWS Resource
In this tutorial, you will deploy an S3 bucket to AWS using OpenMCF. You will write a manifest, preview the deployment plan, apply it, modify the bucket configuration, and tear it down — experiencing the full lifecycle of an OpenMCF-managed resource.
By the end, you will have a working understanding of how OpenMCF deploys cloud resources and how the manifest-driven workflow operates end to end.
What You Will Build
An S3 bucket with:
- Server-side encryption (SSE-S3)
- Versioning enabled for object protection
- Tags for resource governance
- A lifecycle rule to transition old objects to cheaper storage
Prerequisites
Before starting, ensure you have:
- OpenMCF CLI installed (openmcf version should print a version). See Getting Started for installation.
- AWS credentials configured. OpenMCF needs permission to create S3 buckets in your AWS account. See AWS Provider Setup for detailed instructions.
- Pulumi CLI installed (brew install pulumi) with a backend configured (pulumi login --local for local state), or OpenTofu CLI installed (brew install opentofu). This tutorial uses Pulumi, but you can substitute OpenTofu by changing the provisioner label.
Step 1: Write the Manifest
Create a file named s3-bucket.yaml:
apiVersion: aws.openmcf.org/v1
kind: AwsS3Bucket
metadata:
  name: my-first-bucket
  labels:
    openmcf.org/provisioner: pulumi
spec:
  awsRegion: us-east-1
  versioningEnabled: true
  encryptionType: ENCRYPTION_TYPE_SSE_S3
  tags:
    environment: tutorial
    managed-by: openmcf
Every OpenMCF manifest follows the Kubernetes Resource Model: apiVersion, kind, metadata, and spec. The spec fields are defined by the component's Protocol Buffer schema — in this case, AwsS3BucketSpec.
Here is what each field does:
| Field | Purpose |
|---|---|
| apiVersion | Identifies the provider and API version (aws.openmcf.org/v1) |
| kind | The deployment component type (AwsS3Bucket) |
| metadata.name | A unique name for this resource instance |
| metadata.labels | The openmcf.org/provisioner label tells OpenMCF which IaC engine to use |
| spec.awsRegion | AWS region where the bucket will be created (required) |
| spec.versioningEnabled | Keeps all versions of objects, protecting against accidental deletes |
| spec.encryptionType | Server-side encryption method. ENCRYPTION_TYPE_SSE_S3 uses AWS-managed AES-256 keys |
| spec.tags | Key-value pairs applied to the AWS resource for cost tracking and governance |
Step 2: Preview the Deployment
Before deploying, preview what OpenMCF will create:
openmcf plan -f s3-bucket.yaml
OpenMCF reads the manifest, resolves the AwsS3Bucket deployment component module, and delegates to Pulumi to generate an execution plan. You will see output describing the resources that will be created — an S3 bucket with the configuration you specified.
Review the plan to confirm it matches your expectations before proceeding.
Step 3: Deploy
Apply the manifest to create the bucket:
openmcf apply -f s3-bucket.yaml
OpenMCF performs the same steps as plan, then executes the deployment. Pulumi provisions the S3 bucket in your AWS account with versioning, encryption, and tags configured.
The deployment outputs include:
| Output | Description |
|---|---|
| bucket_id | The name of the S3 bucket created on AWS |
| bucket_arn | The ARN, used in IAM policies and cross-account access |
| region | The AWS region where the bucket was created |
| bucket_regional_domain_name | The regional endpoint for accessing the bucket |
Step 4: Verify
Confirm the bucket exists using the AWS CLI:
aws s3 ls | grep my-first-bucket
Check that versioning is enabled:
aws s3api get-bucket-versioning --bucket <bucket_id from outputs>
You should see "Status": "Enabled".
Check encryption:
aws s3api get-bucket-encryption --bucket <bucket_id from outputs>
The output should show AES256 as the SSE algorithm.
Step 5: Modify the Resource
One of OpenMCF's strengths is idempotent updates. You can modify your manifest and re-apply — OpenMCF will compute the diff and apply only the changes.
Add a lifecycle rule that transitions objects older than 30 days to Infrequent Access storage. Update s3-bucket.yaml:
apiVersion: aws.openmcf.org/v1
kind: AwsS3Bucket
metadata:
  name: my-first-bucket
  labels:
    openmcf.org/provisioner: pulumi
spec:
  awsRegion: us-east-1
  versioningEnabled: true
  encryptionType: ENCRYPTION_TYPE_SSE_S3
  tags:
    environment: tutorial
    managed-by: openmcf
  lifecycleRules:
    - id: move-to-ia
      enabled: true
      prefix: ""
      transitionDays: 30
      transitionStorageClass: STORAGE_CLASS_STANDARD_IA
      abortIncompleteMultipartUploadDays: 7
Preview the change:
openmcf plan -f s3-bucket.yaml
The plan will show that the bucket is being updated (not replaced) — only the lifecycle rule is being added. Apply it:
openmcf apply -f s3-bucket.yaml
This demonstrates the declarative workflow: you describe the desired state, and OpenMCF computes and applies the delta.
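Step 4 checks versioning and encryption by eye, and nothing yet confirms that the lifecycle rule from Step 5 reached AWS. The following added example (not part of OpenMCF or the original tutorial) checks the JSON printed by aws s3api get-bucket-versioning, get-bucket-encryption and get-bucket-lifecycle-configuration against the manifest values. It assumes the provisioner maps STORAGE_CLASS_STANDARD_IA to the AWS storage class STANDARD_IA; the function names and sample responses are constructed for illustration.

```python
import json

# Expected state from the manifest. The AWS-side names "AES256" and
# "STANDARD_IA" are assumed to be what the provisioner configures.
EXPECTED = {"sse": "AES256", "rule_id": "move-to-ia", "days": 30,
            "storage_class": "STANDARD_IA", "abort_days": 7}

def load(cli_output):
    # The CLI prints nothing for a bucket that was never versioned (or when
    # the call fails), so empty output is treated as an empty document.
    return json.loads(cli_output) if cli_output.strip() else {}

def check_bucket(versioning, encryption, lifecycle):
    """Return a list of findings; an empty list means the bucket matches."""
    findings = []
    if load(versioning).get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    sse_rules = load(encryption).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in sse_rules]
    if EXPECTED["sse"] not in algos:
        findings.append(f"default encryption is {algos or 'unset'}, expected {EXPECTED['sse']}")

    rule = next((r for r in load(lifecycle).get("Rules", [])
                 if r.get("ID") == EXPECTED["rule_id"]), None)
    if rule is None:
        return findings + [f"lifecycle rule {EXPECTED['rule_id']} is missing"]
    if rule.get("Status") != "Enabled":
        findings.append("lifecycle rule is disabled")
    wanted = {"Days": EXPECTED["days"], "StorageClass": EXPECTED["storage_class"]}
    if wanted not in rule.get("Transitions", []):
        findings.append("30-day transition to STANDARD_IA not found")
    abort = rule.get("AbortIncompleteMultipartUpload", {}).get("DaysAfterInitiation")
    if abort != EXPECTED["abort_days"]:
        findings.append(f"multipart abort window is {abort}, expected 7 days")
    return findings

# Constructed sample responses in the shape the AWS CLI returns.
SAMPLE_VERSIONING = '{"Status": "Enabled"}'
SAMPLE_ENCRYPTION = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
SAMPLE_LIFECYCLE = json.dumps({"Rules": [{
    "ID": "move-to-ia", "Filter": {"Prefix": ""}, "Status": "Enabled",
    "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"}],
    "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}}]})

if __name__ == "__main__":
    print(check_bucket(SAMPLE_VERSIONING, SAMPLE_ENCRYPTION, SAMPLE_LIFECYCLE) or "bucket matches manifest")
```

Pass the three command outputs for the bucket_id from the deployment outputs as strings; a non-empty result lists each setting that drifted from the manifest.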
Step 6: Clean Up
Destroy the resource when you are done:
openmcf destroy -f s3-bucket.yaml
OpenMCF reads the manifest, identifies the managed resources, and removes them from AWS. The bucket and its configuration are deleted.
What You Learned
- How to write an OpenMCF manifest for an AWS resource, with fields defined by the component's Protocol Buffer schema
- The plan -> apply -> destroy lifecycle that applies to every OpenMCF deployment
- How to modify a deployed resource by updating the manifest and re-applying
- How manifest labels (openmcf.org/provisioner) control which IaC engine OpenMCF uses
What's Next
- Deploy Your First Kubernetes Resource — deploy PostgreSQL on Kubernetes with custom databases and users
- Writing Manifests — practical guide to writing manifests for any component
- Deployment Components — understand the anatomy of the component you just deployed
- CLI Reference — full reference for all flags available on apply, plan, and destroy