NTC Parameters
Description
NTC building block module to store and retrieve Terraform or JSON parameters across multiple AWS accounts and CI/CD pipelines. This module is specifically designed to seamlessly integrate with NTC and streamline complex multi-account deployments.
NTC Parameters is a custom solution using S3 to store and share parameters across multiple accounts. While alternatives like AWS SSM Parameter Store exist, they are typically more complex to configure and maintain.
Usage
| Latest Release | 1.1.4 |
|---|---|
The module consists of three parts:
- Parameters Bucket
- Parameters Writer
- Parameters Reader
The 'ntc_parameters_bucket' should ideally be deployed together with the NTC Account Factory, so that the Account Factory can share the account map with all organization members.
# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - BUCKET
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_bucket" {
source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters?ref=X.X.X"
bucket_name = "example-parameter-bucket-name"
# grant read access to parameters for all organization members
org_id = data.aws_organizations_organization.current.id
  # only the owner of a parameter node is granted write access to that node's parameters
parameter_nodes = [
{
"node_name" = "mgmt-organizations",
      # write access can be limited to the whole account id or, more granularly, to a specific IAM role (or IAM user)
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-management"]
"node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
},
{
"node_name" = "mgmt-account-factory",
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-management"]
"node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
      # the ntc-account-factory can additionally store the account map
"node_owner_is_account_factory" = true
},
{
"node_name" = "mgmt-identity-center",
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-management"]
"node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
},
{
"node_name" = "connectivity"
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-connectivity"]
},
{
"node_name" = "security-tooling"
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-security"]
},
{
"node_name" = "log-archive"
"node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-log-archive"]
}
]
providers = {
aws = aws.euc1
}
}
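The security-relevant part of the bucket module is its bucket policy: reads for every organization member, writes only for the owner of each node. The following script, an added example and not part of the module, checks a bucket policy against that model so you can verify what was actually applied (`terraform output -raw bucket_policy_json`). The `SAMPLE_POLICY` it ships with is constructed; its statement ids, the `<node_name>/...` key layout, the account ids, the organization id and the way an owner principal is expressed (role ARN if `node_owner_iam_role_name` is set, otherwise the account) are assumptions, not the module's output.

```python
"""Offline check of an ntc-parameters bucket policy against the node ownership model.

Added example, not code from the module. Run it on the real policy
(`terraform output -raw bucket_policy_json > policy.json`; `python check.py policy.json`).
The sample policy below is constructed; statement ids, the "<node_name>/..." key
layout and the form of the owner principal are assumptions.
"""
import json
import sys

BUCKET = "example-parameter-bucket-name"
ORG_ID = "o-exampleorgid"  # constructed; use data.aws_organizations_organization.current.id
NODES = [  # mirrors parameter_nodes of the bucket module; account ids are constructed
    {"node_name": "mgmt-account-factory", "node_owner_account_id": "111111111111",
     "node_owner_iam_role_name": "ntc-oidc-spacelift-role"},
    {"node_name": "connectivity", "node_owner_account_id": "222222222222"},
]
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:DeleteObjectVersion", "s3:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def owner_principal(node):
    """Owner ARN: the IAM role or user if given, otherwise the whole account (assumed form)."""
    acct = node["node_owner_account_id"]
    if node.get("node_owner_iam_role_name"):
        return f"arn:aws:iam::{acct}:role/{node['node_owner_iam_role_name']}"
    if node.get("node_owner_iam_user_name"):
        return f"arn:aws:iam::{acct}:user/{node['node_owner_iam_user_name']}"
    return f"arn:aws:iam::{acct}:root"


def check_policy(policy, nodes, org_id, bucket):
    """Return findings; an empty list means every Allow matches the ownership model."""
    findings = []
    owners = {n["node_name"]: owner_principal(n) for n in nodes}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        principals = _principals(stmt)
        cond = stmt.get("Condition", {})
        # 1. a wildcard principal is only acceptable for reads pinned to this organization
        if "*" in principals:
            if cond.get("StringEquals", {}).get("aws:PrincipalOrgID") != org_id:
                findings.append(f"{sid}: wildcard principal without aws:PrincipalOrgID == {org_id}")
            if actions & WRITE_ACTIONS:
                findings.append(f"{sid}: write actions granted to a wildcard principal")
        if not actions & WRITE_ACTIONS:
            continue
        # 2. a write grant must cover exactly one node prefix and go to that node's owner only
        for res in _as_list(stmt.get("Resource", [])):
            prefix = res.removeprefix(f"arn:aws:s3:::{bucket}/")
            node = prefix.split("/", 1)[0]
            if prefix == res or node not in owners or not prefix.startswith(f"{node}/"):
                findings.append(f"{sid}: write resource {res!r} is not a single owned node prefix")
                continue
            for p in principals:
                if p != owners[node]:
                    findings.append(f"{sid}: {p} may write node {node!r}, owner is {owners[node]}")
    return findings


def sample_policy():
    """Constructed policy in the shape such a bucket policy could take."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        *[{"Sid": f"Write-{n['node_name']}", "Effect": "Allow",
           "Principal": {"AWS": owner_principal(n)},
           "Action": ["s3:PutObject", "s3:DeleteObject"],
           "Resource": f"arn:aws:s3:::{BUCKET}/{n['node_name']}/*"} for n in NODES],
    ]}


def drifted_policy():
    """Same policy plus a statement that lets every organization account write everywhere."""
    policy = sample_policy()
    policy["Statement"].append({"Sid": "OrgWrite", "Effect": "Allow", "Principal": "*",
                                "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
                                "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}})
    return policy


if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else drifted_policy()
    for finding in check_policy(policy, NODES, ORG_ID, BUCKET):
        print(finding)
```

Against the constructed good policy the check is clean; against `drifted_policy()` it reports the `OrgWrite` statement twice, once for handing write actions to a wildcard principal and once because `bucket/*` is not a single node prefix. The `aws:PrincipalOrgID` condition is what keeps the organization-wide read from being a public read, so a missing or mismatched org id is treated as a finding even when the actions are read-only.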
# --------------------------------------------------------------------------------------------------
# ¦ LOCALS
# --------------------------------------------------------------------------------------------------
locals {
ntc_parameters_bucket_name = "example-parameter-bucket-name"
ntc_parameters_writer_node = "mgmt-account-factory"
# parameters that are managed by account factory pipeline
ntc_parameters_to_write = {
"core_accounts" = local.account_factory_core_account_ids
}
  # by default (replace_parameters = false) existing node parameters are merged with the new ones so nothing is deleted;
  # set to true to overwrite the node with exactly the parameters defined here
  ntc_replace_parameters = true
# node owner that is also the account factory can optionally store an account map
ntc_store_account_map = true
ntc_account_map = {
for account in local.account_factory_list_enriched : account.account_id => account
}
}
# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - WRITER
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_writer" {
  # writer submodule; the path is assumed to mirror the reader submodule at "//modules/reader"
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters//modules/writer?ref=X.X.X"
  bucket_name = local.ntc_parameters_bucket_name
  # must be a node from 'parameter_nodes' that this account (or role) owns; only the owner has write access
  parameter_node = local.ntc_parameters_writer_node
  # parameters that are managed by account factory pipeline
  node_parameters = local.ntc_parameters_to_write
  # node owner that is also the account factory can optionally store an account map
  store_account_map = local.ntc_store_account_map
  account_map       = local.ntc_account_map
  # true overwrites the node, false (default) merges with the existing node parameters to avoid deleting parameters
  replace_parameters = local.ntc_replace_parameters
  providers = {
    aws = aws.euc1
  }
}
# --------------------------------------------------------------------------------------------------
# ¦ OUTPUTS
# --------------------------------------------------------------------------------------------------
output "ntc_parameters" {
description = "Map of all ntc-parameters"
value = local.ntc_parameters
}
# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - READER
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_reader" {
source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters//modules/reader?ref=X.X.X"
bucket_name = "example-parameter-bucket-name"
providers = {
aws = aws.euc1
}
}
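The writer and reader sections above describe three behaviours worth seeing together: only the node owner may write its node, `replace_parameters` decides between merging into and overwriting the existing node parameters, and the reader assembles all nodes into one parameter map. The following model, an added example and not the module's code, replays that flow on an in-memory dict standing in for the S3 bucket. The `<node>/parameters.json` and `<node>/account_map.json` key layout, the node owner table and the account ids are assumptions; the point it shows is which keys a `replace_parameters = true` write silently drops.

```python
"""Model of the ntc-parameters write/read flow on an in-memory bucket.

Added example, not the module's own code. It models the documented behaviour:
only the node owner may write its node, replace_parameters=false merges into the
existing node parameters, replace_parameters=true overwrites them, and the reader
merges all nodes into one map. The key layout "<node>/parameters.json" and
"<node>/account_map.json", the node names and the account ids are assumptions.
"""
import json

NODE_OWNERS = {  # node_name -> node_owner_account_id (constructed ids)
    "mgmt-account-factory": "111111111111",
    "connectivity": "222222222222",
}


class AccessDenied(PermissionError):
    """Stands in for the S3 AccessDenied the bucket policy would return."""


def write_node(bucket, node, parameters, *, caller_account,
               replace_parameters=False, account_map=None):
    """Write one node; returns the parameter keys that this write removed."""
    if NODE_OWNERS.get(node) != caller_account:
        raise AccessDenied(f"account {caller_account} does not own node {node!r}")
    key = f"{node}/parameters.json"
    existing = json.loads(bucket.get(key, "{}"))
    # default: merge, so a pipeline that writes a subset never deletes sibling keys
    merged = dict(parameters) if replace_parameters else {**existing, **parameters}
    bucket[key] = json.dumps(merged, sort_keys=True)
    if account_map is not None:
        bucket[f"{node}/account_map.json"] = json.dumps(account_map, sort_keys=True)
    return sorted(set(existing) - set(merged))


def read_parameters(bucket):
    """Assemble {node_name: {...}} from all nodes, like the reader's merged parameter map."""
    result = {}
    for key, body in bucket.items():
        node, _, obj = key.partition("/")
        if obj == "parameters.json":
            result[node] = json.loads(body)
    return result


def demo():
    """Two pipeline runs on the connectivity node, then an overwrite and a foreign write."""
    bucket = {}
    # run 1 and run 2 from the connectivity account: both keys survive because of the merge
    write_node(bucket, "connectivity", {"tgw_id": "tgw-0a1b2c"}, caller_account="222222222222")
    write_node(bucket, "connectivity", {"tgw_rtb_id": "tgw-rtb-0a1b2c"},
               caller_account="222222222222")
    after_merge = read_parameters(bucket)["connectivity"]
    # run 3 with replace_parameters=true: every key absent from this write is gone
    dropped = write_node(bucket, "connectivity", {"tgw_id": "tgw-0a1b2c"},
                         caller_account="222222222222", replace_parameters=True)
    # the management account tries to overwrite a node it does not own
    try:
        write_node(bucket, "connectivity", {"tgw_id": "tgw-evil"}, caller_account="111111111111")
        denied = False
    except AccessDenied:
        denied = True
    return after_merge, dropped, read_parameters(bucket)["connectivity"], denied


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The return value of `write_node` is the list of keys the write removed; in a real pipeline that is the value to log or fail on when `replace_parameters` is true, because the S3 write itself gives no signal that a sibling parameter disappeared (versioning, enabled by default on the bucket, is what lets you recover it afterwards).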
Requirements
The following requirements are needed by this module:
- terraform (>= 1.3.0)
- aws (>= 4.0)
Providers
The following providers are used by this module:
- aws (>= 4.0)
Modules
No modules.
Resources
The following resources are used by this module:
- aws_s3_bucket.ntc_parameters (resource)
- aws_s3_bucket_logging.ntc_parameters (resource)
- aws_s3_bucket_ownership_controls.ntc_parameters (resource)
- aws_s3_bucket_policy.ntc_parameters (resource)
- aws_s3_bucket_public_access_block.ntc_parameters (resource)
- aws_s3_bucket_server_side_encryption_configuration.ntc_parameters (resource)
- aws_s3_bucket_versioning.ntc_parameters (resource)
- aws_s3_object.ntc_store_nodeowners (resource)
- aws_iam_policy_document.ntc_bucket_policy (data source)
- aws_partition.current (data source)
Required Inputs
The following input variables are required:
bucket_name
Description: Name of the S3 bucket where core parameters will be stored.
Type: string
Optional Inputs
The following input variables are optional (have default values):
access_logging_target_bucket_name
Description: Name of the bucket where S3 access logging should be stored. Requires "enable_access_logging" to be true.
Type: string
Default: ""
access_logging_target_prefix
Description: Prefix used for S3 access logging. Requires "enable_access_logging" to be true.
Type: string
Default: "logs/"
enable_access_logging
Description: Set to true to enable S3 server access logging for the parameters bucket.
Type: bool
Default: false
enable_versioning
Description: Set to false to disable S3 Versioning.
Type: bool
Default: true
force_destroy
Description: Set to true to delete all parameters when the S3 bucket is destroyed (otherwise destroying a non-empty bucket fails).
Type: bool
Default: false
org_id
Description: Organization ID used in the bucket policy to limit read access to accounts of this organization.
Type: string
Default: ""
parameter_nodes
Description: List of parameter nodes. Nodes can be merged into a single parameter map. A node owner (usually a core account) is allowed to manage parameters in its node.
Type:
list(object({
node_name = string
node_owner_account_id = string
node_owner_iam_role_name = optional(string, "")
node_owner_iam_user_name = optional(string, "")
node_owner_is_account_factory = optional(bool, false)
}))
Default: []
Outputs
The following outputs are exported:
bucket_arn
Description: ARN of the S3 bucket
bucket_id
Description: ID of the S3 bucket
bucket_policy_json
Description: Bucket policy as JSON