NTC Parameters
Description
NTC building block module to store and retrieve Terraform or JSON parameters across multiple AWS accounts and CI/CD pipelines. This module is specifically designed to seamlessly integrate with NTC and streamline complex multi-account deployments.
Usage
| Latest Release | 1.1.3 |
|---|---|
- Parameters Bucket
- Parameters Writer
- Parameters Reader
The 'ntc_parameters_bucket' should ideally be deployed together with the NTC Account Factory. This enables the Account Factory to share the account map with organization members.
# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - BUCKET
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_bucket" {
source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters?ref=X.X.X"
bucket_name = "example-parameter-bucket-name"
# grant read access to parameters for all organization members
org_id = data.aws_organizations_organization.current.id
# only the parameter-node owner is granted write access to its corresponding parameters
parameter_nodes = [
{
"node_name" = "mgmt-organizations",
# write access can be granted to the whole account id or, more granularly, to a specific IAM role
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-management"]
"node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
},
{
"node_name" = "mgmt-account-factory",
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-management"]
"node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
# the ntc-account-factory can additionally store the account map
"node_owner_is_account_factory" = true
},
{
"node_name" = "mgmt-identity-center",
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-management"]
"node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
},
{
"node_name" = "connectivity"
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-connectivity"]
},
{
"node_name" = "security-tooling"
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-security"]
},
{
"node_name" = "log-archive"
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-log-archive"]
}
]
providers = {
aws = aws.euc1
}
}
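The bucket policy this module emits (exposed as the `bucket_policy_json` output) is what enforces the model above: every principal in the organization may read, but each node is writable only by its owner. The following checker is an added example, not code from the terraform-aws-ntc-parameters module. It parses a policy document, collects which principals may write into each node and reports any deviation from the `parameter_nodes` list. The sample policy, statement IDs, account IDs, organization ID and the assumption that each node is stored under a `<node_name>/` key prefix are all constructed for the example; the module's real policy layout is not documented on this page.

```python
"""Audit a parameters bucket policy against the node-ownership model.

Added example, not part of the terraform-aws-ntc-parameters module. The
policy below is CONSTRUCTED to mirror the README's model (org-wide read,
per-node write for the owner); Sids, actions and the "<node_name>/" key
prefix are assumptions.
"""
import fnmatch
import json

WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:*"}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*"}


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of ARNs, or ['*'] for everyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def _org_condition(stmt):
    """Return the aws:PrincipalOrgID pinned by a StringEquals condition, or None."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator.lower() == "stringequals" and "aws:PrincipalOrgID" in pairs:
            return pairs["aws:PrincipalOrgID"]
    return None


def expected_writer(node):
    """Principal that should own a node, following the parameter_nodes schema."""
    account = node["node_owner_account_id"]
    if node.get("node_owner_iam_role_name"):
        return f"arn:aws:iam::{account}:role/{node['node_owner_iam_role_name']}"
    if node.get("node_owner_iam_user_name"):
        return f"arn:aws:iam::{account}:user/{node['node_owner_iam_user_name']}"
    return f"arn:aws:iam::{account}:root"


def audit_bucket_policy(policy_json, bucket_name, org_id, parameter_nodes):
    """Return a list of findings; an empty list means the policy matches the model."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    owners = {n["node_name"]: expected_writer(n) for n in parameter_nodes}
    writers = {name: set() for name in owners}
    findings = []

    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access; the model is about what is allowed
        actions = set(_as_list(stmt.get("Action")))
        resources = _as_list(stmt.get("Resource"))
        principals = _principals(stmt)
        sid = stmt.get("Sid", "<no Sid>")

        # Org-wide read must be fenced by aws:PrincipalOrgID, never open to everyone
        if actions & READ_ACTIONS and "*" in principals and _org_condition(stmt) != org_id:
            findings.append(f"{sid}: read for '*' is not limited to organization {org_id}")

        # Record every principal that can write into a node prefix; a bucket-wide
        # resource such as arn:aws:s3:::bucket/* matches every node
        if actions & WRITE_ACTIONS:
            for node in owners:
                node_keys = f"{bucket_arn}/{node}/*"
                if any(fnmatch.fnmatchcase(node_keys, res) for res in resources):
                    writers[node].update(principals)

    for node, owner in owners.items():
        unexpected = writers[node] - {owner}
        if unexpected:
            findings.append(f"node '{node}': write access for {sorted(unexpected)} besides owner")
        if owner not in writers[node]:
            findings.append(f"node '{node}': owner {owner} has no write access")
    return findings


# Constructed input mirroring the README usage; account IDs and org ID are fake
BUCKET_NAME = "example-parameter-bucket-name"
ORG_ID = "o-exampleorg"
PARAMETER_NODES = [
    {"node_name": "mgmt-account-factory", "node_owner_account_id": "111111111111",
     "node_owner_iam_role_name": "ntc-oidc-spacelift-role"},
    {"node_name": "connectivity", "node_owner_account_id": "222222222222"},
]
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET_NAME}", f"arn:aws:s3:::{BUCKET_NAME}/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Sid": "WriteAccountFactory", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/ntc-oidc-spacelift-role"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET_NAME}/mgmt-account-factory/*"},
        # Deliberate misconfiguration: the whole organization may write the connectivity node
        {"Sid": "WriteConnectivity", "Effect": "Allow", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET_NAME}/connectivity/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    ],
})

if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY, BUCKET_NAME, ORG_ID, PARAMETER_NODES):
        print(finding)
```

Against the constructed policy the checker reports two findings for the `connectivity` node (every organization member can write it, and its owner account is not granted write access at all). To run it against a deployed bucket, feed it the rendered policy from `terraform output -raw bucket_policy_json` together with the same `parameter_nodes` list passed to the module; a bucket-wide write grant (`arn:aws:s3:::<bucket>/*`) is flagged on every node, which is the case to look for when a pipeline role is reused across accounts.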
# --------------------------------------------------------------------------------------------------
# ¦ LOCALS
# --------------------------------------------------------------------------------------------------
locals {
ntc_parameters_bucket_name = "example-parameter-bucket-name"
ntc_parameters_writer_node = "mgmt-account-factory"
# parameters that are managed by account factory pipeline
ntc_parameters_to_write = {
"core_accounts" = local.account_factory_core_account_ids
}
# by default (replace_parameters = false) existing node parameters are merged with new parameters to avoid deleting parameters
# set to true to replace the node's parameters with exactly the ones written by this pipeline
ntc_replace_parameters = true
# node owner that is also the account factory can optionally store an account map
ntc_store_account_map = true
ntc_account_map = {
for account in local.account_factory_list_enriched : account.account_id => account
}
}
# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - WRITER
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_writer" {
source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters//modules/writer?ref=X.X.X"
bucket_name = local.ntc_parameters_bucket_name
parameter_node = local.ntc_parameters_writer_node
# parameters that are managed by account factory pipeline
node_parameters = local.ntc_parameters_to_write
# node owner that is also the account factory can optionally store an account map
store_account_map = local.ntc_store_account_map
account_map = local.ntc_account_map
# by default existing node parameters are merged with new parameters to avoid deleting parameters; true replaces them
replace_parameters = local.ntc_replace_parameters
providers = {
aws = aws.euc1
}
}
# --------------------------------------------------------------------------------------------------
# ¦ OUTPUTS
# --------------------------------------------------------------------------------------------------
output "ntc_parameters" {
description = "Map of all ntc-parameters"
value = local.ntc_parameters
}
# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - READER
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_reader" {
source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters//modules/reader?ref=X.X.X"
bucket_name = "example-parameter-bucket-name"
providers = {
aws = aws.euc1
}
}
Requirements
The following requirements are needed by this module:
- terraform (>= 1.3.0)
- aws (>= 4.0)
Providers
The following providers are used by this module:
- aws (>= 4.0)
Modules
No modules.
Resources
The following resources are used by this module:
- aws_s3_bucket.ntc_parameters (resource)
- aws_s3_bucket_logging.ntc_parameters (resource)
- aws_s3_bucket_ownership_controls.ntc_parameters (resource)
- aws_s3_bucket_policy.ntc_parameters (resource)
- aws_s3_bucket_public_access_block.ntc_parameters (resource)
- aws_s3_bucket_server_side_encryption_configuration.ntc_parameters (resource)
- aws_s3_bucket_versioning.ntc_parameters (resource)
- aws_s3_object.ntc_store_nodeowners (resource)
- aws_iam_policy_document.ntc_bucket_policy (data source)
- aws_partition.current (data source)
Required Inputs
The following input variables are required:
bucket_name
Description: Name of the S3 bucket where core parameters will be stored.
Type: string
Optional Inputs
The following input variables are optional (have default values):
access_logging_target_bucket_name
Description: Name of the bucket where S3 access logging should be stored. Requires "enable_access_logging" to be true.
Type: string
Default: ""
access_logging_target_prefix
Description: Prefix used for S3 access logging. Requires "enable_access_logging" to be true.
Type: string
Default: "logs/"
enable_access_logging
Description: Set to true to enable S3 server access logging for the parameters bucket.
Type: bool
Default: false
enable_versioning
Description: Set to false to disable S3 Versioning.
Type: bool
Default: true
force_destroy
Description: Set to true to delete all parameters when the S3 bucket is destroyed.
Type: bool
Default: false
org_id
Description: Organization Id to limit bucket access to organization accounts.
Type: string
Default: ""
parameter_nodes
Description: List of parameter nodes. Nodes can be merged into a single parameter map. A node owner (usually a core account) is allowed to manage the parameters in its own node only.
Type:
list(object({
node_name = string
node_owner_account_id = string
node_owner_iam_role_name = optional(string, "")
node_owner_iam_user_name = optional(string, "")
node_owner_is_account_factory = optional(bool, false)
}))
Default: []
Outputs
The following outputs are exported:
bucket_arn
Description: ARN of the S3 bucket
bucket_id
Description: ID of the S3 bucket
bucket_policy_json
Description: Bucket policy as JSON