NTC Account Factory
NTC Account Factory v2 introduces major improvements including AWS Provider v6 support, AWS European Sovereign Cloud compatibility, and simplified multi-region configuration.
📖 Read the Migration Guide for step-by-step instructions.
Description
NTC Account Factory simplifies the creation and management of AWS accounts, providing a robust foundation for scalable, secure, and compliant multi-account environments. This building block automates account provisioning, integrates with your organizational structure, and applies a consistent account baseline to ensure governance at scale. The account baseline enforces guardrails and security configurations, and can be completely customized, ensuring every account aligns with organizational standards.
With NTC Account Factory, you can rapidly deploy accounts tailored to specific workloads, environments, or business units, streamlining your AWS Landing Zone setup and accelerating cloud adoption.
NTC Account Lifecycle Templates provide a set of account lifecycle automation actions (e.g. delete default VPC, enable opt-in region) that can be easily customized and then applied via account_lifecycle_customization_steps.
NTC Account Baseline Templates provide a set of account baseline definitions (e.g. create IAM roles, configure OpenID Connect, enable AWS Config) that can be easily customized and then applied via account_baseline_scopes.
Usage
| Latest Release | 2.2.1 |
|---|---|
Requirements
The following requirements are needed by this module:
- terraform (>= 1.6.5)
- archive (>= 2.4.0)
- aws (>= 6.0)
- time (>= 0.9.0)
Providers
The following providers are used by this module:
- archive (>= 2.4.0)
- aws (>= 6.0)
- time (>= 0.9.0)
Modules
The following modules are called (all are local modules, so no version is pinned):
account_factory_cloudtrail
Source: ./modules/cloudtrail
baseline_artifacts_bucket
Source: ./modules/bucket
baseline_bucket
Source: ./modules/bucket
lambda_pretty_notifications
Source: ./modules/lambda
lambda_step_function
Source: ./modules/lambda
lambda_user_defined_event_triggers
Source: ./modules/lambda
ou_path
Source: ./modules/ou-path
Resources
The following resources are used by this module:
- aws_account_alternate_contact.ntc_factory_account (resource)
- aws_cloudwatch_event_rule.ntc_baseline_pipeline_schedule (resource)
- aws_cloudwatch_event_rule.ntc_baseline_pipeline_trigger (resource)
- aws_cloudwatch_event_rule.ntc_pipeline_notification (resource)
- aws_cloudwatch_event_rule.ntc_state_machine_notification (resource)
- aws_cloudwatch_event_rule.ntc_state_machine_trigger (resource)
- aws_cloudwatch_event_target.ntc_baseline_pipeline_schedule (resource)
- aws_cloudwatch_event_target.ntc_baseline_pipeline_trigger (resource)
- aws_cloudwatch_event_target.ntc_pipeline_notification (resource)
- aws_cloudwatch_event_target.ntc_state_machine_notification (resource)
- aws_cloudwatch_event_target.ntc_state_machine_trigger (resource)
- aws_codebuild_project.ntc_baseline_project (resource)
- aws_codepipeline.ntc_baseline_pipeline (resource)
- aws_dynamodb_table.ntc_account_baseline_delete_protection (resource)
- aws_iam_role.ntc_baseline_pipeline_event_rule_role (resource)
- aws_iam_role.ntc_baseline_pipeline_role (resource)
- aws_iam_role.ntc_lambda_execution_role (resource)
- aws_iam_role.ntc_org_member_role (resource)
- aws_iam_role.ntc_state_machine_event_rule_role (resource)
- aws_iam_role_policy.ntc_baseline_pipeline_event_rule_policy (resource)
- aws_iam_role_policy.ntc_baseline_pipeline_policy (resource)
- aws_iam_role_policy.ntc_lambda_policy (resource)
- aws_iam_role_policy.ntc_state_machine_event_rule_policy (resource)
- aws_iam_role_policy_attachment.ntc_org_member_role (resource)
- aws_kms_alias.ntc_account_factory_encryption (resource)
- aws_kms_key.ntc_account_factory_encryption (resource)
- aws_kms_key_policy.ntc_account_factory_encryption (resource)
- aws_lambda_invocation.ntc_user_defined_trigger_events (resource)
- aws_organizations_account.ntc_factory_account (resource)
- aws_s3_bucket_notification.ntc_baseline_pipeline_trigger (resource)
- aws_s3_object.ntc_account_baseline_zip (resource)
- aws_secretsmanager_secret.ntc_baseline_git_ssh_key (resource)
- aws_secretsmanager_secret.ntc_baseline_github_access_token (resource)
- aws_secretsmanager_secret.ntc_baseline_terraform_registry_token (resource)
- aws_secretsmanager_secret_version.ntc_baseline_git_ssh_key (resource)
- aws_secretsmanager_secret_version.ntc_baseline_github_access_token (resource)
- aws_secretsmanager_secret_version.ntc_baseline_terraform_registry_token (resource)
- aws_servicequotas_service_quota.ntc_servicequotas (resource)
- aws_sfn_state_machine.ntc_lifecycle_customization_state_machine (resource)
- aws_sns_topic.ntc_account_factory_notification (resource)
- aws_sns_topic_policy.ntc_account_factory_notification (resource)
- aws_sns_topic_subscription.ntc_account_factory_notification (resource)
- time_sleep.ntc_wait_for_iam_propagation (resource)
- archive_file.ntc_account_baseline_zip (data source)
- aws_caller_identity.current (data source)
- aws_iam_policy_document.ntc_account_factory_encryption_policy (data source)
- aws_iam_policy_document.ntc_account_factory_notification (data source)
- aws_iam_policy_document.ntc_baseline_artifacts_bucket_policy (data source)
- aws_iam_policy_document.ntc_baseline_bucket_policy (data source)
- aws_iam_policy_document.ntc_baseline_pipeline_assume_role (data source)
- aws_iam_policy_document.ntc_baseline_pipeline_event_rule_assume_role (data source)
- aws_iam_policy_document.ntc_baseline_pipeline_event_rule_policy (data source)
- aws_iam_policy_document.ntc_baseline_pipeline_policy (data source)
- aws_iam_policy_document.ntc_baseline_secrets_manager (data source)
- aws_iam_policy_document.ntc_lambda_assume_role (data source)
- aws_iam_policy_document.ntc_lambda_policy (data source)
- aws_iam_policy_document.ntc_org_member_role (data source)
- aws_iam_policy_document.ntc_state_machine_event_rule_assume_role (data source)
- aws_iam_policy_document.ntc_state_machine_event_rule_policy (data source)
- aws_organizations_organization.org (data source)
- aws_partition.current (data source)
- aws_region.current (data source)
- aws_regions.available (data source)
- aws_servicequotas_service_quota.ntc_servicequotas (data source)
Required Inputs
The following input variables are required:
account_factory_baseline_bucket_name
Description: The name of the account factory S3 bucket which stores the account baseline files.
Type: string
account_factory_cloudtrail_bucket_name
Description: The name of the NTC Account Factory CloudTrail logging bucket.
Type: string
Optional Inputs
The following input variables are optional (have default values):
account_baseline_git_ssh_key
Description: SSH key for Git. Required if you want to reference Terraform modules in your account baseline which are hosted in Git (via SSH). Git must be reachable via the Internet.
Type: string
Default: ""
account_baseline_git_ssh_key_secret_name
Description: Name of the secrets manager secret where the 'account_baseline_git_ssh_key' will be stored so that the baseline pipeline can access it.
Type: string
Default: "git_ssh_key"
account_baseline_github_access_token
Description: Personal Access Token for GitHub. Required if you want to reference Terraform modules in your account baseline which are hosted on GitHub. GitHub must be reachable via the Internet.
Type: string
Default: ""
account_baseline_github_access_token_secret_name
Description: Name of the secrets manager secret where the 'account_baseline_github_access_token' will be stored so that the baseline pipeline can access it.
Type: string
Default: "github_access_token"
account_baseline_pipeline_event_rule_iam_role_name
Description: The name of the IAM role that will be created for baseline pipeline triggers via CloudWatch event rules.
Type: string
Default: "ntc-af-pipeline-trigger-role"
account_baseline_pipeline_iam_role_name
Description: The name of the IAM role that will be created for baseline pipelines.
Type: string
Default: "ntc-af-pipeline-role"
account_baseline_pipeline_logs_enabled
Description: Set to false to disable CloudWatch Logs for account baseline pipelines.
Type: bool
Default: true
account_baseline_pipeline_name_prefix
Description: The prefix name for baseline pipelines.
Type: string
Default: "ntc-af"
account_baseline_pipeline_policy_name
Description: The name for the baseline pipelines IAM policy.
Type: string
Default: "ntc-af-pipeline-policy"
account_baseline_scopes
Description: List of baseline scopes which define which member accounts will be baselined with a specific Terraform baseline configuration.
Type:
```hcl
list(object({
  scope_name            = string
  terraform_parallelism = optional(number, 10)
  terraform_binary      = optional(string, "terraform")
  terraform_version     = string
  aws_provider_version  = string
  provider_default_tags = optional(map(string), { ManagedBy = "ntc-account-factory" })
  pipeline_compute_type = optional(string, "BUILD_GENERAL1_SMALL")
  pipeline_delay_options = optional(object({
    wait_for_seconds        = optional(number, 120)
    wait_retry_count        = optional(number, 5)
    wait_for_execution_role = optional(bool, true)
    wait_for_regions        = optional(bool, true)
    wait_for_securityhub    = optional(bool, false)
    wait_for_guardduty      = optional(bool, false)
  }), {})
  schedule_rerun_every_x_hours    = optional(number, 0)
  baseline_execution_role_name    = optional(string, "OrganizationAccountAccessRole")
  baseline_execution_session_name = optional(string, "ntc-account-factory")
  baseline_assume_role_providers = optional(list(object({
    configuration_alias = string
    role_arn            = string
    session_name        = optional(string, "ntc-account-factory")
  })), [])
  baseline_terraform_files = list(object({
    file_name                    = string
    content                      = string
    terraform_version_minimum    = optional(string, "")
    aws_provider_version_minimum = optional(string, "")
  }))
  unified_multi_region_baseline = optional(bool, false)
  baseline_regions              = list(string)
  baseline_main_region          = string
  baseline_parameters_json      = optional(string, "{}")
  baseline_import_resources = optional(list(object({
    import_to                      = string
    import_id                      = string
    import_condition_account_names = optional(list(string), [])
  })), [])
  baseline_moved_resources = optional(list(object({
    moved_from                    = string
    moved_to                      = string
    moved_condition_account_names = optional(list(string), [])
  })), [])
  baseline_removed_resources = optional(list(object({
    removed_from                    = string
    removed_condition_account_names = optional(list(string), [])
  })), [])
  baseline_maintenance_plan_only = optional(bool, false)
  include_accounts_all           = optional(bool, false)
  include_accounts_by_ou_paths   = optional(list(string), [])
  include_accounts_by_names      = optional(list(string), [])
  include_accounts_by_tags = optional(list(object({
    key   = string
    value = string
  })), [])
  exclude_accounts_by_ou_paths = optional(list(string), [])
  exclude_accounts_by_names    = optional(list(string), [])
  exclude_accounts_by_tags = optional(list(object({
    key   = string
    value = string
  })), [])
  decommission_accounts_all         = optional(bool, false)
  decommission_accounts_by_ou_paths = optional(list(string), [])
  decommission_accounts_by_names    = optional(list(string), [])
  decommission_accounts_by_tags = optional(list(object({
    key   = string
    value = string
  })), [])
}))
```
Default: []
account_baseline_terraform_registry_host
Description: Name of the Terraform Cloud or Enterprise host. Required if you want to reference Terraform modules in your account baseline from a Terraform Cloud or Enterprise private registry. The registry must be reachable via the Internet.
Type: string
Default: "app.terraform.io"
account_baseline_terraform_registry_token
Description: Team or user token for Terraform Cloud or Enterprise. Required if you want to reference Terraform modules in your account baseline from a Terraform Cloud or Enterprise private registry. The registry must be reachable via the Internet.
Type: string
Default: ""
account_baseline_terraform_registry_token_secret_name
Description: Name of the secrets manager secret where the 'account_baseline_terraform_registry_token' will be stored so that the baseline pipeline can access it.
Type: string
Default: "terraform_registry_token"
account_factory_baseline_artifacts_bucket_suffix_name
Description: The name suffix for the account factory S3 bucket which stores CodeBuild artifacts.
Type: string
Default: "-artifacts"
account_factory_bucket_access_logging_target_bucket_name
Description: Name of the bucket where S3 access logging should be stored. Requires "account_factory_bucket_enable_access_logging" to be true.
Type: string
Default: ""
account_factory_bucket_access_logging_target_prefix
Description: Prefix used for S3 access logging. Requires "account_factory_bucket_enable_access_logging" to be true.
Type: string
Default: "logs/"
account_factory_bucket_enable_access_logging
Description: Set to true to enable S3 access logging.
Type: bool
Default: false
account_factory_bucket_force_destroy
Description: Set to true if you want to allow the account factory s3 bucket to be force destroyed. WARNING: This is intended for automated testing and should otherwise stay false.
Type: bool
Default: false
account_factory_cloudtrail_kms_alias_name
Description: The alias name for the account factory pipeline encryption KMS key.
Type: string
Default: "ntc-af-cloudtrail-encryption"
account_factory_forward_events_policy_name
Description: The name of IAM policy used to forward events.
Type: string
Default: "ntc-af-event-forwarding-policy"
account_factory_forward_events_role_name
Description: The name of IAM role used to forward events.
Type: string
Default: "ntc-af-event-forwarding-role"
account_factory_forward_events_rule_prefix
Description: The name prefix of the event rules used to forward events.
Type: string
Default: "ntc-af-event-forwarding"
account_factory_lambda_execution_role_name
Description: The execution role name for account factory lambdas.
Type: string
Default: "ntc-af-lambda-execution-role"
account_factory_lambda_policy_name
Description: The policy name for account factory lambdas.
Type: string
Default: "ntc-af-lambda-policy"
account_factory_list
Description: List of member accounts that should be provisioned and managed in AWS Organizations.
Type:
```hcl
list(object({
  account_name              = string
  account_email             = string
  ou_path                   = string
  close_on_deletion         = bool
  ignore_naming_conventions = optional(bool, false)
  account_tags              = optional(map(string), {})
  alternate_contacts = optional(list(object({
    type          = string
    name          = string
    email_address = string
    title         = optional(string, "Mx")
    phone_number  = optional(string, "00000000000")
  })), [])
  customer_values = optional(any, {})
}))
```
Default: []
account_factory_naming_conventions
Description: Regex patterns for optional naming conventions. Account name and email are critical values that cannot be easily modified after creation.
Type:
```hcl
object({
  account_name_regex  = optional(string, "")
  account_email_regex = optional(string, "")
})
```
Default: {}
account_factory_notification_settings
Description: SNS topic settings to send account factory notifications.
Type:
```hcl
object({
  enable_notifications     = optional(bool, true)
  org_identifier           = optional(string, "")
  sns_topic_name           = optional(string, "ntc-af-notification-topic")
  event_rule_prefix        = optional(string, "ntc-af-notification")
  notification_lambda_name = optional(string, "ntc-af-notification-lambda")
  subscriptions = optional(list(object({
    protocol              = optional(string, "email")
    endpoints             = optional(list(string), [])
    subscription_role_arn = optional(string, null)
  })), [])
})
```
Default: {}
account_factory_org_events_trail_name
Description: The name of the NTC Account Factory CloudTrail trail which records Organizations account lifecycle events.
Type: string
Default: "ntc-af-org-events-trail"
account_factory_pipeline_kms_alias_name
Description: The alias name for the account factory pipeline encryption KMS key.
Type: string
Default: "ntc-af-encryption"
account_factory_secretsmanager_prefix
Description: Name prefix of existing Secrets Manager secrets to which the account factory is granted read access.
Type: string
Default: "ntc-af-"
account_lifecycle_customization_on_demand_triggers
Description: Trigger the account lifecycle customization on demand with user-defined events.
Type:
```hcl
object({
  lambda_name         = optional(string, "ntc-af-on-demand-triggers-lambda")
  user_defined_events = optional(list(string), [])
})
```
Default: {}
account_lifecycle_customization_state_machine_name
Description: The state machine name for account lifecycle step functions.
Type: string
Default: "ntc-af-state-machine"
account_lifecycle_customization_steps
Description: List of lifecycle customization steps which define which lambda functions will be executed when a specific event occurs.
Type:
```hcl
list(object({
  organizations_event_trigger = string
  step_sequence = list(object({
    step_name                  = string
    description                = optional(string, null)
    lambda_package_source_path = string
    lambda_handler             = string
    lambda_execution_role_arn  = optional(string, null)
    lambda_timeout_in_seconds  = optional(number, 720)
    environment_variables      = optional(map(string), {})
    runtime                    = optional(string, "python3.13")
  }))
}))
```
Default: []
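As an added example (not from the module's own documentation), the following module call ties together account_factory_list, account_factory_naming_conventions, one account_baseline_scopes entry and one account_lifecycle_customization_steps entry using the type definitions above. The module source, bucket names, OU path, e-mail domain, baseline file, Lambda package path and the Organizations event name are placeholders or assumptions.

```hcl
# Added example, not part of the module documentation. Module source, bucket
# names, OU path, e-mail domain, baseline file and Lambda package path are
# placeholders; the organizations_event_trigger value is an assumption.
module "ntc_account_factory" {
  source = "<ntc-account-factory-source>" # placeholder

  # Required inputs: both buckets are created by the module.
  account_factory_baseline_bucket_name   = "example-ntc-af-baseline"   # placeholder
  account_factory_cloudtrail_bucket_name = "example-ntc-af-cloudtrail" # placeholder

  # Name and e-mail cannot easily be changed after creation, so enforce a convention up front.
  account_factory_naming_conventions = {
    account_name_regex  = "^aws-c[0-9]-[a-z0-9-]+$"
    account_email_regex = "^aws\\+[a-z0-9-]+@example\\.com$"
  }

  account_factory_list = [{
    account_name      = "aws-c1-workload-dev"
    account_email     = "aws+c1-workload-dev@example.com"
    ou_path           = "/root/workloads/dev" # placeholder OU path
    close_on_deletion = false                 # removing the entry does not close the account
    account_tags      = { Environment = "dev" }
    alternate_contacts = [{
      type          = "SECURITY"
      name          = "Security Team"
      email_address = "security@example.com"
    }]
  }]

  # Baseline scope: every account under the dev OU except the sandbox account;
  # accounts tagged Decommission=true are selected for decommissioning instead.
  account_baseline_scopes = [{
    scope_name           = "workloads-dev"
    terraform_version    = "1.6.5"
    aws_provider_version = "6.0.0"
    baseline_regions     = ["eu-central-1", "eu-west-1"]
    baseline_main_region = "eu-central-1"
    baseline_terraform_files = [{
      file_name = "baseline.tf"
      content   = file("${path.module}/baseline/baseline.tf") # placeholder
    }]
    include_accounts_by_ou_paths  = ["/root/workloads/dev"]
    exclude_accounts_by_names     = ["aws-c1-sandbox"]
    decommission_accounts_by_tags = [{ key = "Decommission", value = "true" }]
  }]

  # Lifecycle step: run one Lambda when Organizations reports a new account.
  account_lifecycle_customization_steps = [{
    organizations_event_trigger = "CreateAccountResult" # assumed event name
    step_sequence = [{
      step_name                  = "delete-default-vpc"
      description                = "Remove the default VPC in every enabled region"
      lambda_package_source_path = "${path.module}/lambda/delete_default_vpc" # placeholder
      lambda_handler             = "main.lambda_handler"
      lambda_timeout_in_seconds  = 300
    }]
  }]
}
```

The naming regexes reject an account before any AWS API call is made, which matters because name and e-mail are the two values the page flags as hard to change afterwards.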
arm_based_compute
Description: Set to false to use x86_64 instead of arm for pipelines and lambdas.
Type: bool
Default: true
create_organizations_member_role_in_current_account
Description: The Organizations member role is required in the current account for 'account lifecycle customization' and 'account baseline'. Set to false if the Organizations member role already exists in the current account.
Type: bool
Default: true
increase_aws_service_quotas
Description: Manage service quotas for services used in account factory.
Type:
```hcl
object({
  organizations_maximum_number_of_accounts = optional(number, 0)
  codebuild_concurrent_runs_arm_small      = optional(number, 0)
  codebuild_concurrent_runs_arm_large      = optional(number, 0)
  codebuild_concurrent_runs_linux_small    = optional(number, 0)
  codebuild_concurrent_runs_linux_medium   = optional(number, 0)
  codebuild_concurrent_runs_linux_large    = optional(number, 0)
  codebuild_concurrent_runs_linux_2xlarge  = optional(number, 0)
  codepipelines_max_count                  = optional(number, 0)
  event_rules_max_count                    = optional(number, 0)
})
```
Default: {}
lambda_runtime
Description: The runtime with which all Lambda functions run.
Type: string
Default: "python3.11"
organizations_member_role_in_current_account_policy_arn
Description: ARN of the IAM policy attached to the Organizations member role in the current account. By default the role is assigned AdministratorAccess.
Type: string
Default: ""
organizations_member_role_name
Description: The name of an IAM role that Organizations automatically preconfigures in the new member account.
Type: string
Default: "OrganizationAccountAccessRole"
region
Description: AWS region where the resources will be created. Omit to use the provider default region.
Type: string
Default: null
secretsmanager_recovery_window_in_days
Description: Number of days that AWS Secrets Manager waits before it can delete account factory secrets. Set to 0 to force deletion.
Type: number
Default: 7
tracing_mode_lambdas
Description: Whether to sample and trace a subset of incoming requests with AWS X-Ray for all Account Factory Lambdas.
Can be either PassThrough or Active; if omitted, tracing is disabled.
If PassThrough, Lambdas will only trace the request from an upstream service if it contains a tracing header with "sampled=1".
If Active, Lambdas will respect any tracing header they receive from an upstream service.
If no tracing header is received, Lambdas will call X-Ray for a tracing decision.
Type: string
Default: null
Outputs
The following outputs are exported:
account_factory_account_ids
Description: Map of account factory account identifiers by account name.
account_factory_baseline_iam_role_arns
Description: List of account factory baseline IAM role ARNs.
account_factory_codebuild_projects
Description: Map of all account factory CodeBuild projects including names and ARNs.
account_factory_notifications_sns_topic_arn
Description: ARN of the SNS topic which notifies about Account Factory pipeline and step function errors.
account_lifecycle_customization_state_machine_arn
Description: ARN of the step function state machine which is responsible for account lifecycle customization.
account_lifecycle_customization_state_machine_definition
Description: Definition of the step function state machine which is responsible for account lifecycle customization.
organization_account_summary
Description: Summary of accounts in the organization, including total active accounts, suspended accounts and accounts not managed by account factory.