NTC Parameters

Release Notes Source Code Implementation Blueprint

Description

NTC building block module to store and retrieve Terraform or JSON parameters across multiple AWS accounts and CI/CD pipelines. This module is specifically designed to seamlessly integrate with NTC and streamline complex multi-account deployments.

info

NTC Parameters is a custom solution using S3 to store and share parameters across multiple accounts. While alternatives like AWS SSM Parameter Store exist, they are typically more complex to configure and maintain.

Usage

Latest Release	1.1.4

Parameters Bucket

The 'ntc_parameters_bucket' should ideally be deployed together with the NTC Account Factory. This enables the Account Factory to share the account map with organization members.

# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - BUCKET
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_bucket" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters?ref=X.X.X"

  bucket_name = "example-parameter-bucket-name"

  # grant read access to parameters for all organization members
  org_id = data.aws_organizations_organization.current.id

  # only the parameter-node owner is granted write access to his corresponding parameters
  parameter_nodes = [
    {
      "node_name" = "mgmt-organizations",
      # you can limit write access to the account id or more granular to a specific IAM role
      "node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-management"]
      "node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
    },
    {
      "node_name"                 = "mgmt-account-factory",
      "node_owner_account_id"     = local.account_factory_core_account_ids["aws-c2-management"]
      "node_owner_iam_role_name"  = "ntc-oidc-spacelift-role"
      # the ntc-account-factory can additionaly store the account map
      "node_owner_is_account_factory" = true
    },
    {
      "node_name"                = "mgmt-identity-center",
      "node_owner_account_id"    = local.account_factory_core_account_ids["aws-c2-management"]
      "node_owner_iam_role_name" = "ntc-oidc-spacelift-role"
    },
    {
      "node_name"             = "connectivity"
      "node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-connectivity"]
    },
    {
      "node_name"             = "security-tooling"
      "node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-security"]
    },
    {
      "node_name"             = "log-archive"
      "node_owner_account_id" = local.account_factory_core_account_ids["aws-c2-log-archive"]
    }
  ]

  providers = {
    aws = aws.euc1
  }
}

Parameters Writer

# --------------------------------------------------------------------------------------------------
# ¦ LOCALS
# --------------------------------------------------------------------------------------------------
locals {
  ntc_parameters_bucket_name = "example-parameter-bucket-name"
  ntc_parameters_writer_node = "mgmt-account-factory"

  # parameters that are managed by account factory pipeline
  ntc_parameters_to_write = {
    "core_accounts"      = local.account_factory_core_account_ids
  }

  # by default existing node parameters will be merged with new parameters to avoid deleting parameters
  ntc_replace_parameters = true

  # node owner that is also the account factory can optionally store an account map
  ntc_store_account_map = true
  ntc_account_map = {
    for account in local.account_factory_list_enriched : account.account_id => account
  }
}

# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - WRITER
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_reader" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters//modules/reader?ref=X.X.X"

  bucket_name    = "example-parameter-bucket-name"
  parameter_node = "mgmt-account-factory"
  # parameters that are managed by account factory pipeline
  node_parameters = {
    "core_accounts" = local.account_factory_core_account_ids
  }
  # node owner that is also the account factory can optionally store an account map
  store_account_map = true
  account_map = {
    for account in local.account_factory_list_enriched : account.account_id => account
  }
  # by default existing node parameters will be merged with new parameters to avoid deleting parameters
  replace_parameters = true

  providers = {
    aws = aws.euc1
  }
}

Parameters Reader

# --------------------------------------------------------------------------------------------------
# ¦ OUTPUTS
# --------------------------------------------------------------------------------------------------
output "ntc_parameters" {
  description = "Map of all ntc-parameters"
  value       = local.ntc_parameters
}

# --------------------------------------------------------------------------------------------------
# ¦ NTC PARAMETERS - READER
# --------------------------------------------------------------------------------------------------
module "ntc_parameters_reader" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-parameters//modules/reader?ref=X.X.X"

  bucket_name = "example-parameter-bucket-name"

  providers = {
    aws = aws.euc1
  }
}

Requirements

The following requirements are needed by this module:

• terraform (>= 1.3.0)

• aws (>= 4.0)

Providers

The following providers are used by this module:

• aws (>= 4.0)

Modules

No modules.

Resources

The following resources are used by this module:

• aws_s3_bucket.ntc_parameters (resource)
• aws_s3_bucket_logging.ntc_parameters (resource)
• aws_s3_bucket_ownership_controls.ntc_parameters (resource)
• aws_s3_bucket_policy.ntc_parameters (resource)
• aws_s3_bucket_public_access_block.ntc_parameters (resource)
• aws_s3_bucket_server_side_encryption_configuration.ntc_parameters (resource)
• aws_s3_bucket_versioning.ntc_parameters (resource)
• aws_s3_object.ntc_store_nodeowners (resource)
• aws_iam_policy_document.ntc_bucket_policy (data source)
• aws_partition.current (data source)

Required Inputs

The following input variables are required:

bucket_name

Description: Name of the S3 bucket where core parameters will be stored.

Type: string

Optional Inputs

The following input variables are optional (have default values):

access_logging_target_bucket_name

Description: Name of the bucket where S3 access logging should be stored. Requires "enable_access_logging" to be true.

Type: string

Default: ""

access_logging_target_prefix

Description: Prefix used for S3 access logging. Requires "enable_access_logging" to be true.

Type: string

Default: "logs/"

enable_access_logging

Description: Set to true to log S3 access logging.

Type: bool

Default: false

enable_versioning

Description: Set to false to disable S3 Versioning.

Type: bool

Default: true

force_destroy

Description: Set to true to delete all parameters when the S3 bucket is destroyed.

Type: bool

Default: false

org_id

Description: Organization Id to limit bucket access to organization accounts.

Type: string

Default: ""

parameter_nodes

Description: List of parameter nodes. Nodes can be merged into a single parameter map. A node owner (usually a core account) is allowed to manage parameters in his node.

Type:

list(object({
    node_name                     = string
    node_owner_account_id         = string
    node_owner_iam_role_name      = optional(string, "")
    node_owner_iam_user_name      = optional(string, "")
    node_owner_is_account_factory = optional(bool, false)
  }))

Default: []

Outputs

The following outputs are exported:

bucket_arn

Description: ARN of the S3 bucket

bucket_id

Description: ID of the S3 bucket

bucket_policy_json

Description: Bucket policy as JSON