NTC Organizations
NTC Organizations v2 introduces major improvements including AWS Provider v6 support, AWS European Sovereign Cloud compatibility, and simplified multi-region configuration.
📖 Read the Migration Guide for step-by-step instructions.
Description​
NTC Organizations provides a streamlined and scalable solution for managing AWS Organizations, enabling you to structure and govern multi-account environments efficiently. With a focus on security, compliance, and automation, this building block helps you define your organizational units (OUs), enforce guardrails such as Service Control Policies (SCPs) and Resource Control Policies (RCPs), and lay the governance foundation for your AWS accounts.
NTC Guardrail Templates provide a set of best-practice Service Control Policies (SCPs) and Resource Control Policies (RCPs) that can be customized and then applied via organization_policies.
To configure the organization CloudTrail via organization_trail, an S3 bucket and a KMS key are required.
Use NTC Log Archive to provision compliant S3 buckets for storing audit-relevant logs.
Service Control Policies (SCPs) and Resource Control Policies (RCPs) should always be tested thoroughly before they are applied organization-wide, because a faulty policy can cause a major outage. Attach new policies to test accounts or a sandbox OU first (via target_account_ids or target_ou_paths) and widen the targets only after the policy has been verified there.
Usage​
| Latest Release | 2.0.3 |
|---|---|
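As an added example (not code from the NTC Organizations project or its documentation), the following root module calls the module to create an OU tree, the organization trail and a region-restriction SCP, attaching the SCP to a sandbox OU first as the caveat above recommends. The module source string, the `SERVICE_CONTROL_POLICY` value for `policy_type`, the account id and the region list are assumptions or placeholders; the log archive bucket and KMS key are assumed to exist already (for example from NTC Log Archive).

```hcl
# Added example, not code from the NTC Organizations project: a root module
# that calls NTC Organizations to create an OU tree, the organization trail
# and a region-restriction SCP that is attached to a sandbox OU first.
# Assumptions not stated on the page: the module source string, the
# "SERVICE_CONTROL_POLICY" value for policy_type, the account id and the
# region list are placeholders to replace with your own.

terraform {
  required_version = ">= 1.10.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0"
    }
  }
}

# Provider for regional resources (CloudTrail, CloudWatch Logs, KMS).
provider "aws" {
  region = "eu-central-1"
}

# Provider the module expects under the aws.global_service_region alias.
provider "aws" {
  alias  = "global_service_region"
  region = "us-east-1"
}

# Log archive bucket and KMS key exist already (e.g. from NTC Log Archive).
variable "log_archive_bucket_name" { type = string }
variable "log_archive_kms_key_arn" { type = string }

locals {
  approved_regions = ["eu-central-1", "eu-west-1"]
}

# SCP: deny regional API calls outside the approved regions, but leave the
# global services (IAM, Organizations, STS, ...) unaffected. Building the
# JSON with the policy document data source validates it at plan time.
data "aws_iam_policy_document" "deny_unapproved_regions" {
  statement {
    sid         = "DenyUnapprovedRegions"
    effect      = "Deny"
    not_actions = ["iam:*", "organizations:*", "sts:*", "support:*",
                   "cloudfront:*", "route53:*", "budgets:*", "account:*"]
    resources   = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = local.approved_regions
    }
  }
}

module "ntc_organizations" {
  source  = "example-registry/ntc-organizations/aws" # assumption: replace with the real source
  version = "2.0.3"

  providers = {
    aws                       = aws
    aws.global_service_region = aws.global_service_region
  }

  organizational_unit_paths = [
    "/root/infrastructure",
    "/root/security",
    "/root/sandbox",
    "/root/workloads",
    "/root/workloads/prod",
    "/root/workloads/dev",
  ]

  organization_trail = {
    s3_bucket_name                     = var.log_archive_bucket_name
    kms_key_arn                        = var.log_archive_kms_key_arn
    cloud_watch_logs_enable            = true
    cloud_watch_logs_retention_in_days = 90
  }

  delegated_administrators = [{
    service_principal = "securityhub.amazonaws.com"
    admin_account_id  = "111111111111" # constructed placeholder account id
    regions           = local.approved_regions
  }]

  organization_policies = [{
    policy_name        = "deny-unapproved-regions"
    policy_description = "Restrict regional services to approved regions"
    policy_type        = "SERVICE_CONTROL_POLICY"
    # Attach to the sandbox OU only; extend target_ou_paths to "/root/workloads"
    # after the policy has been verified there.
    target_ou_paths    = ["/root/sandbox"]
    policy_json        = data.aws_iam_policy_document.deny_unapproved_regions.json
  }]
}
```

The global services are excluded via `not_actions` because their API calls carry `aws:RequestedRegion = us-east-1` regardless of where the caller sits; without that exclusion the SCP would lock out IAM and Organizations administration. Run `terraform plan` against the sandbox OU first and inspect CloudTrail for `AccessDenied` events there before extending `target_ou_paths`.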
Requirements​
The following requirements are needed by this module:
- terraform (>= 1.10.0)
- aws (>= 6.0)
Providers​
The following providers are used by this module:
- aws (>= 6.0)
- aws.global_service_region (>= 6.0)
Modules​
The following Modules are called:
admin_delegations​
Source: ./modules/regional-admin-delegations
Version:
org_cloudtrail​
Source: ./modules/cloudtrail
Version:
Resources​
The following resources are used by this module:
- aws_cloudwatch_log_group.ntc_cloudtrail_cw_logs (resource)
- aws_iam_organizations_features.ntc_centralize_root_access (resource)
- aws_iam_role.ntc_cloudtrail_cw_logs (resource)
- aws_iam_role.ntc_org_account_reader (resource)
- aws_iam_role_policy.ntc_cloudtrail_cw_logs (resource)
- aws_iam_role_policy.ntc_org_account_reader (resource)
- aws_kms_key.ntc_cloudtrail_cw_logs_encryption (resource)
- aws_organizations_organization.ntc_org (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level1 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level2 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level3 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level4 (resource)
- aws_organizations_organizational_unit.ntc_nested_ou_level5 (resource)
- aws_organizations_policy.ntc_org_policy (resource)
- aws_organizations_policy_attachment.ntc_org_policy_account_attachment (resource)
- aws_organizations_policy_attachment.ntc_org_policy_ou_attachment (resource)
- aws_ram_sharing_with_organization.ntc_org (resource)
- aws_servicequotas_template.ntc_servicequota_templates (resource)
- aws_servicequotas_template_association.ntc_servicequota_templates (resource)
- aws_caller_identity.current (data source)
- aws_cloudwatch_log_group.ntc_cloudtrail_cw_logs (data source)
- aws_iam_policy_document.ntc_cloudtrail_cw_logs (data source)
- aws_iam_policy_document.ntc_cloudtrail_cw_logs_assume (data source)
- aws_iam_policy_document.ntc_cloudtrail_cw_logs_encryption (data source)
- aws_iam_policy_document.ntc_org_account_reader (data source)
- aws_iam_policy_document.ntc_org_account_reader_trust (data source)
- aws_iam_role.ntc_cloudtrail_cw_logs (data source)
- aws_partition.current (data source)
- aws_region.current (data source)
- aws_servicequotas_service_quota.ntc_servicequota_templates (data source)
Required Inputs​
No required inputs.
Optional Inputs​
The following input variables are optional (have default values):
centralize_root_access​
Description: Manages centralized root access features across AWS member accounts.
Type:
object({
enabled = optional(bool, false)
features = optional(list(string), ["RootCredentialsManagement", "RootSessions"])
})
Default: {}
delegated_administrators​
Description: List of service principals whose administration is delegated to the given admin account in the listed regions.
Type:
list(object({
service_principal = string
admin_account_id = string
regions = list(string)
}))
Default: []
organization_policies​
Description: List of organization policies that should be applied to member accounts. A policy attached to an OU is inherited by its nested child OUs and by the accounts within them.
Type:
list(object({
policy_name = string
policy_description = optional(string, null)
policy_type = string
target_ou_paths = optional(list(string), [])
target_account_ids = optional(list(string), [])
policy_json = string
}))
Default: []
organization_reader​
Description: Create organization reader IAM role which can be assumed by specified principals.
Type:
object({
enabled = optional(bool, false)
allowed_principals = optional(list(string), [])
iam_role_name = optional(string, "ntc-org-account-reader")
iam_role_path = optional(string, "/") # validation: must end with '/'
iam_policy_name = optional(string, "ntc-org-account-reader-policy")
})
Default: {}
organization_trail​
Description: Create an organization CloudTrail by providing s3_bucket_name (log archive) and kms_key_arn (server-side encryption).
Type:
object({
trail_name = optional(string, "organization-trail")
kms_key_arn = optional(string, "")
s3_bucket_name = optional(string, "")
s3_key_prefix = optional(string, null)
cloud_watch_logs_enable = optional(bool, false)
cloud_watch_logs_existing = optional(bool, false)
cloud_watch_logs_group_name = optional(string, "organization-trail-logs")
cloud_watch_logs_role_name = optional(string, "organization-trail-logs")
cloud_watch_logs_retention_in_days = optional(number, 30)
})
Default: {}
organizational_unit_paths​
Description: List of organizational units (OU) that should be added under the root organization path.
The path "/root/infrastructure" will create a new "infrastructure" OU directly under the root organization path.
The path "/root/workloads/prod" will create a new "prod" OU directly under the "workloads" OU path.
https://aws.amazon.com/de/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/
Type: list(string)
Default: []
region​
Description: AWS region where the resources will be created. Omit to use the provider default region.
Type: string
Default: null
service_access_principals​
Description: List of AWS service principal names for which you want to enable integration with your organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
Type: list(string)
Default:
[
"iam.amazonaws.com",
"account.amazonaws.com",
"servicequotas.amazonaws.com",
"cloudtrail.amazonaws.com",
"securityhub.amazonaws.com",
"config.amazonaws.com",
"config-multiaccountsetup.amazonaws.com",
"guardduty.amazonaws.com",
"inspector2.amazonaws.com",
"macie.amazonaws.com",
"malware-protection.guardduty.amazonaws.com",
"access-analyzer.amazonaws.com",
"sso.amazonaws.com",
"ipam.amazonaws.com",
"ram.amazonaws.com"
]
service_quota_templates​
Description: Manage service quota templates, which apply the given service quotas to all new accounts in the organization.
Type:
list(object({
regions = list(string)
quota_name = string
service_code = string
new_value = number
}))
Default: []
Outputs​
The following outputs are exported:
master_account_arn​
Description: ARN of the master account.
master_account_email​
Description: Email address of the master account.
master_account_id​
Description: Identifier of the master account.
org_arn​
Description: ARN of the organization.
org_id​
Description: Identifier of the organization.
org_root_ou_id​
Description: Identifier of the organization root path.
organization_cloudtrail_arn​
Description: ARN of organization cloudtrail.
organization_unit_path_ids​
Description: Map of OU paths to organization path identifiers (the organization ID followed by the root and OU IDs of the path). Useful for IAM policies with the aws:PrincipalOrgPaths condition key.
organizational_unit_ids​
Description: Map of organization unit identifiers by ou path.
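As an added example (not part of the NTC Organizations module), the following bucket policy uses the `organization_unit_path_ids` and `org_id` outputs to admit only principals that belong to the `/root/workloads/prod` OU or one of its child OUs. It assumes the module instance is named `ntc_organizations`, that it was called with that OU path, and that `organization_unit_path_ids` maps the OU path to an org path of the form `o-xxxx/r-xxxx/ou-xxxx/ou-yyyy/`, which is the form the `aws:PrincipalOrgPaths` condition key expects.

```hcl
# Added example, not part of the NTC Organizations module: a bucket policy that
# only admits principals from the "/root/workloads/prod" OU and its child OUs,
# built from the module's organization_unit_path_ids and org_id outputs.
# Assumptions: module "ntc_organizations" was called with that OU path, and
# organization_unit_path_ids maps the OU path to an org path of the form
# "o-xxxx/r-xxxx/ou-xxxx/ou-yyyy/" as expected by aws:PrincipalOrgPaths.

locals {
  prod_ou_path = module.ntc_organizations.organization_unit_path_ids["/root/workloads/prod"]
}

resource "aws_s3_bucket" "prod_artifacts" {
  bucket = "prod-artifacts-${module.ntc_organizations.master_account_id}" # constructed name
}

data "aws_iam_policy_document" "prod_artifacts" {
  # Statement 1: deny every principal that is not part of this organization.
  # StringNotEquals evaluates to true when the key is absent, so anonymous and
  # third-party principals (which carry no aws:PrincipalOrgID) are denied too.
  statement {
    sid    = "DenyOutsideOrganization"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.prod_artifacts.arn, "${aws_s3_bucket.prod_artifacts.arn}/*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalOrgID"
      values   = [module.ntc_organizations.org_id]
    }
  }

  # Statement 2: within the organization, deny principals whose OU path does
  # not start with the prod OU path. aws:PrincipalOrgPaths is multivalued,
  # hence the ForAnyValue set operator; the trailing "*" also matches nested OUs.
  statement {
    sid    = "DenyOutsideProdOu"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.prod_artifacts.arn, "${aws_s3_bucket.prod_artifacts.arn}/*"]
    condition {
      test     = "ForAnyValue:StringNotLike"
      variable = "aws:PrincipalOrgPaths"
      values   = ["${local.prod_ou_path}*"]
    }
  }
}

resource "aws_s3_bucket_policy" "prod_artifacts" {
  bucket = aws_s3_bucket.prod_artifacts.id
  policy = data.aws_iam_policy_document.prod_artifacts.json
}
```

Two Deny statements are needed because `ForAnyValue:StringNotLike` does not match when `aws:PrincipalOrgPaths` is absent from the request, so the `aws:PrincipalOrgID` check is what closes the door on principals outside the organization. Both statements also deny AWS service principals; if a service such as CloudTrail or S3 server access logging must write into the bucket, exempt it with an additional `BoolIfExists` condition on `aws:PrincipalIsAWSService`.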