NTC Organizations

Description

NTC Organizations provides a streamlined and scalable solution for managing AWS Organizations, enabling you to efficiently structure and govern multi-account environments. With a focus on security, compliance, and automation, this building block helps you define your organizational units (OUs), enforce Service Control Policies (SCPs), and implement foundational guardrails for your AWS accounts.

Usage

Latest Release: 1.3.1

# --------------------------------------------------------------------------------------------------
# ¦ NTC ORGANIZATIONS
# --------------------------------------------------------------------------------------------------
module "ntc_organizations" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  # enable sharing resources within your organization
  enable_ram_sharing_in_organization = true

  # list of services which should be enabled in Organizations
  # https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
  # the following services will be enabled by default, but can be overwritten
  service_access_principals = [
    "account.amazonaws.com",
    "servicequotas.amazonaws.com",
    "cloudtrail.amazonaws.com",
    "securityhub.amazonaws.com",
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
    "guardduty.amazonaws.com",
    "malware-protection.guardduty.amazonaws.com",
    "inspector2.amazonaws.com",
    "access-analyzer.amazonaws.com",
    "sso.amazonaws.com",
    "ipam.amazonaws.com",
  ]

  # list of nested (up to 5 levels) organizational units
  organizational_unit_paths = [
    "/root/infrastructure",
    "/root/security",
    "/root/sandbox",
    "/root/suspended",
    "/root/decommission",
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/dev",
    "/root/workloads/test"
  ]

  # list of SCPs which should be attached to multiple organizational units and/or accounts
  service_control_policies = [
    # {
    #   policy_name        = "scp_deny_all_outside_eu_regions",
    #   target_ou_paths    = ["/root/workloads"]
    #   target_account_ids = []
    #   policy_json        = "INSERT_SCP_JSON"
    # }
    module.ntc_scp_templates.service_control_policies["scp_root_ou"],
    module.ntc_scp_templates.service_control_policies["scp_suspended_ou"],
    module.ntc_scp_templates.service_control_policies["scp_workloads_ou"],
  ]

  # 'ntc-log-archive' must be provisioned before creating the organization trail
  organization_trail = {
    kms_key_arn    = local.ntc_parameters["log-archive"]["log_bucket_kms_key_arns"]["org_cloudtrail"]
    s3_bucket_name = local.ntc_parameters["log-archive"]["log_bucket_ids"]["org_cloudtrail"]
    # (optional) log cloudtrail to cloudwatch for real time analysis
    cloud_watch_logs_enable = false
    # cloud_watch_logs_existing   = false
    # cloud_watch_logs_group_name = "organization-trail-logs"
    # cloud_watch_logs_role_name  = "organization-trail-logs"
  }

  # create an organization reader IAM role which can be assumed by specified principals
  organization_reader = {
    enabled = true
    # list of IAM principals which can assume the org_reader role (e.g. account ids)
    allowed_principals = [
      local.ntc_parameters["mgmt-account-factory"]["core_accounts"]["aws-c2-security"],
    ]
    iam_role_name   = "ntc-org-account-reader"
    iam_role_path   = "/"
    iam_policy_name = "ntc-org-account-reader-policy"
  }
}

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.3.0)

  • aws (>= 5.21)

Providers

The following providers are used by this module:

  • aws (>= 5.21)

Modules

The following modules are called:

org_cloudtrail

Source: ./modules/cloudtrail

Version:

Resources

The following resources are used by this module:

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

enable_ram_sharing_in_organization

Description: Set to true to enable sharing with your organization without using invitations.

Type: bool

Default: false

enabled_policy_types

Description: List of Organizations policy types to enable in the Organization Root.
https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html

Type: list(string)

Default:

[
  "SERVICE_CONTROL_POLICY"
]

manage_existing_organization

Description: Set to true to skip creating a new organization and instead manage an existing one.
The AWS provider needs sufficient permissions to manage the existing organization.
Additionally, service_access_principals and enabled_policy_types will not be configured in this mode.

Type: bool

Default: false

organization_reader

Description: Create organization reader IAM role which can be assumed by specified principals.

Type:

object({
  enabled            = optional(bool, false)
  allowed_principals = optional(list(string), [])
  iam_role_name      = optional(string, "ntc-org-account-reader")
  iam_role_path      = optional(string, "/") # validation: must end with '/'
  iam_policy_name    = optional(string, "ntc-org-account-reader-policy")
})

Default: {}

organization_trail

Description: Create an organization CloudTrail by providing s3_bucket_name (log archive bucket) and kms_key_arn (key for server-side encryption).

Type:

object({
  trail_name                  = optional(string, "organization-trail")
  kms_key_arn                 = optional(string, "")
  s3_bucket_name              = optional(string, "")
  s3_key_prefix               = optional(string, null)
  cloud_watch_logs_enable     = optional(bool, false)
  cloud_watch_logs_existing   = optional(bool, false)
  cloud_watch_logs_group_name = optional(string, "organization-trail-logs")
  cloud_watch_logs_role_name  = optional(string, "organization-trail-logs")
})

Default: {}

organizational_unit_paths

Description: List of organizational units (OUs) that should be added under the root organization path.
The path "/root/infrastructure" creates a new "infrastructure" OU directly under the root organization path.
The path "/root/workloads/prod" creates a new "prod" OU directly under the "workloads" OU.
https://aws.amazon.com/de/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

Type: list(string)

Default: []

service_access_principals

Description: List of AWS service principal names for which you want to enable integration with your organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html

Type: list(string)

Default:

[
  "account.amazonaws.com",
  "servicequotas.amazonaws.com",
  "cloudtrail.amazonaws.com",
  "securityhub.amazonaws.com",
  "config.amazonaws.com",
  "config-multiaccountsetup.amazonaws.com",
  "guardduty.amazonaws.com",
  "inspector2.amazonaws.com",
  "malware-protection.guardduty.amazonaws.com",
  "sso.amazonaws.com",
  "ipam.amazonaws.com"
]

service_control_policies

Description: List of service control policies that should be attached to a target (OU paths and/or account ids). Service control policies are inherited by nested OUs: a policy attached to a parent OU also applies to all of its child OUs and the accounts within them.

Type:

list(object({
  policy_name        = string
  target_ou_paths    = optional(list(string), [])
  target_account_ids = optional(list(string), [])
  policy_json        = string
}))

Default: []
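As an added example (not part of the module's own documentation), the commented-out custom SCP stub from the usage block filled in: a region-restriction policy built with jsonencode() and attached to "/root/workloads", so that inheritance applies it to the nested prod, dev and test OUs as well. The policy name, the allowed regions, the NotAction list and the path-string key used to read organizational_unit_ids are assumptions.

```hcl
# Added example, not part of the module docs: a region-restriction SCP built with
# jsonencode() and attached to "/root/workloads", so that it is inherited by the
# nested prod/dev/test OUs. Policy name and region list are assumptions.
locals {
  allowed_regions = ["eu-central-1", "eu-west-1"]

  scp_deny_all_outside_eu_regions = {
    policy_name        = "scp_deny_all_outside_eu_regions"
    target_ou_paths    = ["/root/workloads"]
    target_account_ids = []
    # jsonencode() produces the policy_json string and catches structural
    # mistakes at plan time instead of at the Organizations API
    policy_json = jsonencode({
      Version = "2012-10-17"
      Statement = [{
        Sid    = "DenyAllOutsideAllowedRegions"
        Effect = "Deny"
        # global services that must stay reachable from any region (assumed list)
        NotAction = ["iam:*", "organizations:*", "sts:*", "support:*"]
        Resource  = "*"
        Condition = {
          StringNotEquals = { "aws:RequestedRegion" = local.allowed_regions }
        }
      }]
    })
  }
}

module "ntc_organizations" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-organizations?ref=X.X.X"

  organizational_unit_paths = [
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/dev",
    "/root/workloads/test",
  ]

  # attached once at /root/workloads, inherited by every OU and account below it
  service_control_policies = [
    local.scp_deny_all_outside_eu_regions,
  ]
}

# OU id by path (key format assumed), e.g. for an account factory placing accounts into OUs
output "workloads_prod_ou_id" {
  value = module.ntc_organizations.organizational_unit_ids["/root/workloads/prod"]
}
```

Because the policy is attached to the parent OU only, moving an account between prod, dev and test does not change which region guardrail applies to it.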

Outputs

The following outputs are exported:

master_account_arn

Description: ARN of the master account.

master_account_email

Description: Email address of the master account.

master_account_id

Description: Identifier of the master account.

org_arn

Description: ARN of the organization.

org_id

Description: Identifier of the organization.

org_root_ou_id

Description: Identifier of the organization root path.

organization_cloudtrail_arn

Description: ARN of organization cloudtrail.

organizational_unit_ids

Description: Map of organization unit identifiers by ou path.