NTC Control Tower Integration
The NTC Control Tower Integration is currently in Beta and certain functionality is subject to change.
Before enrolling AWS accounts, ensure that AWS Control Tower is pre-configured according to the Quickstart Guide. Additionally, only accounts in organizational units (OUs) registered with AWS Control Tower can be enrolled.
Description
NTC Control Tower Integration is an optional extension of NTC, designed to combine the advantages of AWS Control Tower with NTC's advanced governance, security, and connectivity features. This building block enables you to leverage Control Tower's controls and prebuilt landing zone capabilities while massively extending its functionality with Terraform/OpenTofu-based automation. By seamlessly integrating the flexibility of NTC, you retain full Infrastructure-as-Code (IaC) benefits without compromising Control Tower's built-in advantages.
Achieve enhanced scalability, governance, and compliance across your AWS environment.
Usage
| Latest Release | beta |
|---|---|
- AWS Control Tower Integration
```hcl
# --------------------------------------------------------------------------------------------------
# ¦ NTC CONTROL TOWER INTEGRATION
# --------------------------------------------------------------------------------------------------
module "ntc_control_tower_integration" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-control-tower-integration?ref=X.X.X"

  # notify on control tower account enrollment step function errors
  account_enrollment_notification_settings = {
    # identify for which AWS Organization notifications are sent
    org_identifier = "c3"
    # multiple subscriptions with different protocols are supported
    subscriptions = [
      {
        protocol  = "email"
        endpoints = ["demo-ops@nuvibit.com"]
      }
    ]
  }

  # organizations member role is assumed to verify control tower prerequisites
  # 'OrganizationAccountAccessRole' is the default role in AWS Organizations
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
  organizations_member_role_name = "OrganizationAccountAccessRole"

  # (optional) configure AWS account access for enrolled accounts according to Control Tower Landing Zone settings:
  # 1) AWS Control Tower creates AWS account access with IAM Identity Center
  # 2) Self-managed AWS account access with IAM Identity Center or another method (recommended)
  # https://docs.aws.amazon.com/controltower/latest/userguide/select-idp.html
  account_enrollment_access_configuration = {
    # if account access is Control Tower managed and sso_user inputs are omitted -> a generic Admin User will be created for each enrolled AWS account
    # if account access is Control Tower managed and sso_user inputs are defined -> an existing SSO User will be granted access to all enrolled AWS accounts
    # if account access is 'self-managed' -> Control Tower will not configure an SSO User for enrolled AWS accounts
    sso_user_email     = ""
    sso_user_firstname = ""
    sso_user_lastname  = ""
  }

  # when a new AWS account is created in AWS Organizations the enrollment step function will be triggered
  # you can define the scope of accounts which should be enrolled to AWS Control Tower
  # WARNING: 'account_enrollment_scope' only applies to new AWS accounts. Existing AWS accounts can be enrolled with 'acccount_enrollment_existing_accounts'
  account_enrollment_scope = {
    # which accounts should be enrolled
    enroll_accounts_all         = false
    enroll_accounts_by_ou_paths = [
      "/root/workloads"
    ]
    enroll_accounts_by_names = []
    enroll_accounts_by_tags = [
      # {
      #   key   = "AccountType"
      #   value = "workload"
      # }
    ]
    # which accounts should be excluded
    exclude_accounts_by_ou_paths = []
    exclude_accounts_by_names    = []
    exclude_accounts_by_tags     = []
  }

  # (optional) trigger Control Tower account enrollment for existing accounts
  # WARNING: Control Tower has concurrency limits which can lead to errors in account enrollment
  # https://docs.aws.amazon.com/controltower/latest/userguide/limits.html
  acccount_enrollment_existing_accounts = [
    "111111111111",
  ]
}
```
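To see which accounts an `account_enrollment_scope` like the one above would pick up, here is an added example that is not part of the NTC module or its Lambda code. It assumes that exclusions always take precedence over inclusions, that an OU path also covers nested OUs beneath it, and that a tag rule needs an exact key/value match; the accounts and IDs are constructed sample data.

```python
# Added example, not part of the NTC module: evaluates which AWS accounts fall
# into an 'account_enrollment_scope' like the one in the usage block above.
# Assumptions (verify against the module's Lambda): exclusions always win over
# inclusions, an OU path also covers nested OUs beneath it, and a tag rule
# needs an exact key/value match.

def _ou_match(ou_path, patterns):
    # "/root/workloads" covers "/root/workloads" and "/root/workloads/prod" (assumption)
    return any(ou_path == p or ou_path.startswith(p.rstrip("/") + "/") for p in patterns)

def _tag_match(tags, patterns):
    return any(tags.get(p["key"]) == p["value"] for p in patterns)

def in_enrollment_scope(account, scope):
    """account: dict with id, name, ou_path, tags. scope: the module input object."""
    if (_ou_match(account["ou_path"], scope.get("exclude_accounts_by_ou_paths", []))
            or account["name"] in scope.get("exclude_accounts_by_names", [])
            or _tag_match(account["tags"], scope.get("exclude_accounts_by_tags", []))):
        return False  # explicit exclusion wins
    return (scope.get("enroll_accounts_all", False)
            or _ou_match(account["ou_path"], scope.get("enroll_accounts_by_ou_paths", []))
            or account["name"] in scope.get("enroll_accounts_by_names", [])
            or _tag_match(account["tags"], scope.get("enroll_accounts_by_tags", [])))

def accounts_to_enroll(accounts, scope):
    """Return the account IDs the enrollment step function would pick up."""
    return [a["id"] for a in accounts if in_enrollment_scope(a, scope)]

# Constructed sample data: scope from the usage block plus one name exclusion.
SCOPE = {
    "enroll_accounts_all": False,
    "enroll_accounts_by_ou_paths": ["/root/workloads"],
    "enroll_accounts_by_names": [],
    "enroll_accounts_by_tags": [{"key": "AccountType", "value": "workload"}],
    "exclude_accounts_by_ou_paths": [],
    "exclude_accounts_by_names": ["sandbox-legacy"],
    "exclude_accounts_by_tags": [],
}
ACCOUNTS = [  # constructed, not real accounts
    {"id": "111111111111", "name": "workload-prod", "ou_path": "/root/workloads/prod", "tags": {"AccountType": "workload"}},
    {"id": "222222222222", "name": "sandbox-legacy", "ou_path": "/root/workloads", "tags": {}},
    {"id": "333333333333", "name": "security-tooling", "ou_path": "/root/security", "tags": {"AccountType": "core"}},
    {"id": "444444444444", "name": "data-lake", "ou_path": "/root/data", "tags": {"AccountType": "workload"}},
]

if __name__ == "__main__":
    print(accounts_to_enroll(ACCOUNTS, SCOPE))  # ['111111111111', '444444444444']
```

Remember that this scope only decides about newly created accounts; existing accounts are enrolled through `acccount_enrollment_existing_accounts`, and the sample here is not a substitute for reading the module's Lambda before relying on its precedence rules.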
Requirements
The following requirements are needed by this module:
- terraform (>= 1.3.0)
- aws (>= 4.0)
Providers
The following providers are used by this module:
- aws (>= 4.0)
- local
Modules
The following Modules are called:
lambda_enrollment_existing_accounts
Source: ./modules/lambda
Version:
lambda_pretty_notifications
Source: ./modules/lambda
Version:
lambda_step_function
Source: ./modules/lambda
Version:
Resources
The following resources are used by this module:
- aws_cloudwatch_event_rule.ntc_state_machine_notification (resource)
- aws_cloudwatch_event_rule.ntc_state_machine_trigger (resource)
- aws_cloudwatch_event_target.ntc_state_machine_notification (resource)
- aws_cloudwatch_event_target.ntc_state_machine_trigger (resource)
- aws_dynamodb_table.ntc_account_enrollment_state (resource)
- aws_iam_role.ntc_lambda_execution_role (resource)
- aws_iam_role.ntc_state_machine_event_rule_role (resource)
- aws_iam_role_policy.ntc_lambda_policy (resource)
- aws_iam_role_policy.ntc_state_machine_event_rule_policy (resource)
- aws_kms_alias.ntc_account_enrollment_encryption (resource)
- aws_kms_key.ntc_account_enrollment_encryption (resource)
- aws_kms_key_policy.ntc_account_enrollment_encryption (resource)
- aws_lambda_invocation.ntc_enrollment_existing_accounts (resource)
- aws_sfn_state_machine.ntc_account_enrollment_state_machine (resource)
- aws_sns_topic.ntc_account_enrollment_notification (resource)
- aws_sns_topic_policy.ntc_account_enrollment_notification (resource)
- aws_sns_topic_subscription.ntc_account_enrollment_notification (resource)
- local_file.ntc_account_enrollment_scope (resource)
- aws_caller_identity.current (data source)
- aws_iam_policy_document.ntc_account_enrollment_encryption_policy (data source)
- aws_iam_policy_document.ntc_account_enrollment_notification (data source)
- aws_iam_policy_document.ntc_lambda_assume_role (data source)
- aws_iam_policy_document.ntc_lambda_policy (data source)
- aws_iam_policy_document.ntc_state_machine_event_rule_assume_role (data source)
- aws_iam_policy_document.ntc_state_machine_event_rule_policy (data source)
- aws_organizations_organization.current (data source)
- aws_partition.current (data source)
- aws_region.current (data source)
Required Inputs
No required inputs.
Optional Inputs
The following input variables are optional (have default values):
acccount_enrollment_existing_accounts
Description: List of existing accounts which should be enrolled into Control Tower.
Type: list(string)
Default: []
acccount_enrollment_existing_accounts_lambda_name
Description: Name of the lambda which can trigger Control Tower account enrollment for existing accounts.
Type: string
Default: "ntc-ct-enrollment-existing-accounts-lambda"
account_enrollment_access_configuration
Description: SSO account access settings for Control Tower account enrollment. These values will be ignored if Control Tower is configured for self-managed access management.
Type:
object({
  sso_user_email     = optional(string, "")
  sso_user_firstname = optional(string, "")
  sso_user_lastname  = optional(string, "")
})
Default: {}
account_enrollment_dynamodb_state
Description: Configuration of the Control Tower account enrollment DynamoDB state table.
Type:
object({
  dynamodb_state_table_name           = optional(string, "ntc-ct-account-enrollment-state")
  dynamodb_state_billing_mode         = optional(string, "PAY_PER_REQUEST")
  dynamodb_state_provisioned_capacity = optional(object({
    read  = optional(string, 20)
    write = optional(string, 20)
  }), {})
})
Default: {}
account_enrollment_kms_alias_name
Description: The alias name for the Control Tower account enrollment encryption KMS key.
Type: string
Default: "ntc-ct-enrollment-encryption"
account_enrollment_lambda_execution_role_name
Description: The execution role name for Control Tower enrollment lambdas.
Type: string
Default: "ntc-ct-enrollment-lambda-execution-role"
account_enrollment_lambda_policy_name
Description: The policy name for Control Tower enrollment lambdas.
Type: string
Default: "ntc-ct-enrollment-lambda-policy"
account_enrollment_notification_settings
Description: SNS topic settings to send Control Tower account enrollment notifications.
Type:
object({
  enable_notifications     = optional(bool, true)
  org_identifier           = optional(string, "")
  sns_topic_name           = optional(string, "ntc-ct-enrollment-notification-topic")
  event_rule_prefix        = optional(string, "ntc-ct-enrollment-notification")
  notification_lambda_name = optional(string, "ntc-ct-enrollment-notification-lambda")
  subscriptions = optional(list(object({
    protocol              = optional(string, "email")
    endpoints             = optional(list(string), [])
    subscription_role_arn = optional(string, null)
  })), [])
})
Default: {}
account_enrollment_scope
Description: Definition of the scope of accounts which should be enrolled to Control Tower.
Type:
object({
  enroll_accounts_all         = optional(bool, false)
  enroll_accounts_by_ou_paths = optional(list(string), [])
  enroll_accounts_by_names    = optional(list(string), [])
  enroll_accounts_by_tags = optional(list(object({
    key   = string
    value = string
  })), [])
  exclude_accounts_by_ou_paths = optional(list(string), [])
  exclude_accounts_by_names    = optional(list(string), [])
  exclude_accounts_by_tags = optional(list(object({
    key   = string
    value = string
  })), [])
})
Default: {}
account_enrollment_state_machine_event_rule_name
Description: Name of the event rule to trigger the state machine for Control Tower account enrollment.
Type: string
Default: "ntc-ct-enrollment-state-machine-trigger"
account_enrollment_state_machine_event_rule_role_name
Description: The IAM role name used to trigger the state machine for Control Tower account enrollment.
Type: string
Default: "ntc-ct-enrollment-state-machine-trigger"
account_enrollment_state_machine_name
Description: The state machine name for Control Tower account enrollment step functions.
Type: string
Default: "ntc-ct-enrollment-state-machine"
arm_based_compute
Description: Set to false to use x86_64 instead of arm for lambdas.
Type: bool
Default: true
control_tower_execution_role_name
Description: Name of the Control Tower execution role. This role is assumed to trigger the Control Tower service catalog.
Type: string
Default: "AWSControlTowerExecution"
control_tower_servicecatalog_product_name
Description: Name of the service catalog product used by Control Tower Account Factory.
Type: string
Default: "AWS Control Tower Account Factory"
lambda_runtime
Description: The runtime with which all the lambda functions run.
Type: string
Default: "python3.11"
organizations_member_role_name
Description: Name of the Organizations member role. This role is assumed to verify Control Tower prerequisites on member accounts.
Type: string
Default: "OrganizationAccountAccessRole"
tracing_mode_lambdas
Description: Whether to sample and trace a subset of incoming requests with AWS X-Ray for all Lambdas.
Can be either PassThrough or Active; if omitted, tracing is disabled.
If PassThrough, Lambdas will only trace the request from an upstream service if it contains a tracing header with "sampled=1".
If Active, Lambdas will respect any tracing header they receive from an upstream service.
If no tracing header is received, Lambdas will call X-Ray for a tracing decision.
Type: string
Default: null
tracing_mode_step_functions
Description: Whether to sample and trace a subset of incoming requests with AWS X-Ray for all Step Functions.
Can be either PassThrough or Active; if omitted, tracing is disabled.
If PassThrough, Lambdas will only trace the request from an upstream service if it contains a tracing header with "sampled=1".
If Active, Lambdas will respect any tracing header they receive from an upstream service.
If no tracing header is received, Lambdas will call X-Ray for a tracing decision.
Type: string
Default: null
Outputs
The following outputs are exported:
account_enrollment_notifications_sns_topic_arn
Description: ARN of the SNS topic which notifies about Control Tower enrollment errors.
account_enrollment_state_machine_arn
Description: ARN of the step function state machine which is responsible for Control Tower enrollments.
account_enrollment_state_machine_execution_role_arn
Description: ARN of the IAM execution role for the step function.