# NTC Account Baseline Templates
## Description
NTC Account Baseline Templates provide a standardized framework for configuring AWS accounts with essential guardrails, security controls, and operational settings. These templates automate the deployment of account-specific configurations, including IAM policies, logging, security, and baseline compliance checks. By applying consistent baselines across accounts, this building block ensures governance, security, and operational efficiency at scale.
NTC Account Baseline Templates are highly customizable, enabling you to tailor configurations to meet the specific needs of different environments or workloads.
Starting with NTC Account Baseline Templates v4, the unified multi-region baseline is the only supported mode. The legacy per-region baseline templates have been removed.
See Account Baseline for full documentation and examples.
NTC Account Baseline Templates can be easily customized and then applied via NTC Account Factory.
## Custom Baseline Templates
In addition to the pre-built templates, you can create custom baseline Terraform files that are deployed alongside the standard templates. Custom templates use the same injected variables and multi-region pattern.
Available injected variables:
| Variable | Type | Description |
|---|---|---|
| var.aws_partition | string | AWS partition (e.g., aws, aws-cn, aws-us-gov) |
| var.aws_partition_dns_suffix | string | AWS partition DNS suffix (e.g., amazonaws.com) |
| var.main_region | string | Primary region for the account baseline |
| var.baseline_regions | list(string) | All regions where the baseline is deployed |
| var.current_account_id | string | AWS account ID |
| var.current_account_name | string | Account name |
| var.current_account_email | string | Account email address |
| var.current_account_ou_path | string | Organizational unit path |
| var.current_account_tags | map | Account tags |
| var.current_account_alternate_contacts | list | Alternate contacts |
| var.current_account_customer_values | any | Custom values from account creation |
| var.baseline_scope_name | string | Name of the baseline scope |
| var.baseline_parameters | any | Scope-specific parameters |
| var.baseline_terraform_version | string | Terraform/OpenTofu version |
| var.baseline_terraform_binary | string | terraform or opentofu |
| var.baseline_aws_provider_version | string | AWS provider version |
| var.baseline_execution_role_name | string | IAM role name for baseline execution |
Example custom unified baseline template:

```hcl
# files/custom_baseline.tf

# Global resource (no region argument; deployed once per account)
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# Regional resource (deployed in each baseline region)
resource "aws_ebs_encryption_by_default" "enabled" {
  for_each = toset(var.baseline_regions)
  region   = each.value
  enabled  = true
}

# Regional resource with account-aware naming
resource "aws_sns_topic" "baseline_alerts" {
  for_each = toset(var.baseline_regions)
  region   = each.value
  name     = "${var.current_account_name}-baseline-alerts"
}
```
Reference custom files in your Account Factory configuration alongside the pre-built templates:
```hcl
baseline_terraform_files = [
  # Pre-built templates
  module.account_baseline_templates.account_baseline_terraform_files["iam_monitoring_reader"],
  module.account_baseline_templates.account_baseline_terraform_files["aws_config"],
  # Custom baseline file
  {
    file_name = "custom_baseline.tf"
    content   = file("${path.module}/files/custom_baseline.tf")
  }
]
```
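A second custom template, added here as an example and not shipped with the NTC templates, shows the remaining injected variables in use: scope parameters read with `try()` so a scope that does not define them still renders, account metadata propagated as tags, a partition-aware principal ARN, and a scope toggle that switches a regional resource off by producing an empty `for_each` set. The file name, the `alert_email` and `subscribe_alert_email` keys in `var.baseline_parameters`, and the `ntc:*` tag keys are assumptions of this example. The per-resource `region` argument relies on the AWS provider 6.x requirement listed below.

```hcl
# files/custom_baseline_alerting.tf (hypothetical file name, added example)

locals {
  # var.baseline_parameters is scope-specific and typed "any". The keys
  # alert_email and subscribe_alert_email are assumptions of this example;
  # try() supplies defaults for scopes that do not define them.
  alert_email     = try(var.baseline_parameters.alert_email, var.current_account_email)
  subscribe_email = try(var.baseline_parameters.subscribe_alert_email, false)

  # Tags for every resource in this template, derived from injected account metadata.
  common_tags = merge(var.current_account_tags, {
    "ntc:account-id"     = var.current_account_id
    "ntc:account-name"   = var.current_account_name
    "ntc:ou-path"        = var.current_account_ou_path
    "ntc:baseline-scope" = var.baseline_scope_name
  })
}

# Global resource: the account-wide S3 public access block exists once per
# account, so it takes no region argument.
resource "aws_s3_account_public_access_block" "account" {
  account_id              = var.current_account_id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Regional resource in every baseline region: one security alert topic per region.
resource "aws_sns_topic" "security_alerts" {
  for_each = toset(var.baseline_regions)
  region   = each.value
  name     = "${var.current_account_name}-security-alerts"
  tags     = local.common_tags
}

# Topic policy that only lets principals of this account publish. The principal
# ARN is built from var.aws_partition so the template also renders correctly in
# the aws-cn and aws-us-gov partitions.
data "aws_iam_policy_document" "security_alerts" {
  for_each = toset(var.baseline_regions)

  statement {
    sid       = "AllowPublishFromThisAccountOnly"
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.security_alerts[each.value].arn]

    principals {
      type        = "AWS"
      identifiers = ["arn:${var.aws_partition}:iam::${var.current_account_id}:root"]
    }
  }
}

resource "aws_sns_topic_policy" "security_alerts" {
  for_each = toset(var.baseline_regions)
  region   = each.value
  arn      = aws_sns_topic.security_alerts[each.value].arn
  policy   = data.aws_iam_policy_document.security_alerts[each.value].json
}

# Scope toggle: only scopes that set subscribe_alert_email = true get an e-mail
# subscription (sandbox scopes can leave it off). An empty set creates nothing.
resource "aws_sns_topic_subscription" "security_alerts_email" {
  for_each  = local.subscribe_email ? toset(var.baseline_regions) : toset([])
  region    = each.value
  topic_arn = aws_sns_topic.security_alerts[each.value].arn
  protocol  = "email"
  endpoint  = local.alert_email
}
```

The file is referenced from the Account Factory configuration exactly like `custom_baseline.tf` above, with `file_name` and a `file()` call for `content`. Keeping every per-region resource keyed by `toset(var.baseline_regions)` means adding or removing a region in the scope only creates or destroys that region's resources rather than re-keying the rest.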
## Usage
| Latest Release | 4.0.0 |
|---|---|
### Requirements
The following requirements are needed by this module:
- terraform (>= 1.10.0)
- aws (>= 6.0)
- local (>= 2.4.0)
### Providers
The following providers are used by this module:
- aws (>= 6.0)
- local (>= 2.4.0)
### Modules
No modules.
### Resources
The following resources are used by this module:
- aws_region.default (data source)
- local_file.ntc_check_if_template_exists (data source)
### Required Inputs
The following input variables are required:
#### account_baseline_templates
Description: List of baseline file templates which should be used to generate a Terraform Account Baseline.
Type:

```hcl
list(object({
  file_name     = string
  template_name = string
  # NOTE: Legacy per-region baseline templates have been removed.
  # 'unified_multi_region_baseline' must be true (the default); setting it to false is no longer supported.
  unified_multi_region_baseline = optional(bool, true)
  iam_role_inputs = optional(object({
    role_name                              = optional(string, "")
    role_path                              = optional(string, "/")
    policy_name                            = optional(string, "")
    policy_json                            = optional(string, "")
    policy_arn                             = optional(string, "")
    role_principal_type                    = optional(string, "AWS")
    role_principal_identifiers             = optional(list(string), [])
    role_add_current_account_to_principals = optional(bool, false)
    role_is_instance_profile               = optional(bool, false)
  }), {})
  openid_connect_inputs = optional(object({
    provider                  = optional(string, "")
    audience                  = optional(string, "")
    subject_list              = optional(list(string), [])
    subject_list_encoded      = optional(string, "")
    role_name                 = optional(string, "ntc-oidc-role")
    role_path                 = optional(string, "/")
    role_max_session_in_hours = optional(number, 1)
    permission_boundary_arn   = optional(string, "")
    permission_policy_arn     = optional(string, "arn:$${var.aws_partition}:iam::aws:policy/AdministratorAccess") # $${var.aws_partition} is injected by ntc-account-factory
  }), {})
  tfstate_backend_inputs = optional(object({
    s3_bucket_name              = optional(string, "")
    s3_bucket_force_destroy     = optional(bool, false)
    s3_regional_namespace       = optional(bool, false)
    s3_regional_buckets         = optional(bool, false)
    kms_deletion_window_in_days = optional(number, 30)
    kms_key_rotation_enabled    = optional(bool, true)
    kms_key_owners              = optional(list(string), [])
    config_iam_role_name        = optional(string, "ntc-config-role")
    access_rules = optional(list(object({
      name             = string
      description      = optional(string, "Access rule")
      role_arns        = optional(list(string), [])
      allowed_prefixes = optional(list(string), ["*"])
    })), [])
  }), {})
  aws_config_inputs = optional(object({
    config_recorder_name           = optional(string, "ntc-config-recorder")
    config_delivery_channel_name   = optional(string, "ntc-config-delivery")
    config_iam_role_name           = optional(string, "ntc-config-role")
    config_iam_path                = optional(string, "/")
    config_log_archive_bucket_arn  = optional(string, "")
    config_log_archive_kms_key_arn = optional(string, "")
    config_delivery_frequency      = optional(string, "One_Hour")
    config_security_main_region    = optional(string, "")
    config_recording_mode = optional(object({
      frequency      = optional(string, "CONTINUOUS")
      resource_types = optional(list(string), [])
      recording_mode_override = optional(object({
        frequency      = optional(string, "DAILY")
        resource_types = optional(list(string), [])
      }), {})
    }), {
      frequency      = "CONTINUOUS"
      resource_types = []
    })
  }), {})
}))
```
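As an added example of supplying this input (not a snippet from the project), the module call below requests the two pre-built templates named earlier on this page and overrides part of `aws_config_inputs`; everything not set falls back to the defaults in the type above. The module `source`, the `.tf` file names, the log archive bucket and KMS key ARNs, and the daily-recorded resource type are placeholders or assumptions chosen for illustration.

```hcl
# Added example: calling the module with the required input. The source is a
# placeholder; take the real source and version from the Account Baseline docs.
module "account_baseline_templates" {
  source = "PLACEHOLDER_MODULE_SOURCE"

  account_baseline_templates = [
    # Rendered with defaults: only the two required keys are set.
    {
      file_name     = "iam_monitoring_reader.tf" # assumed file name
      template_name = "iam_monitoring_reader"
    },
    # AWS Config template with overrides. Both ARNs are constructed placeholders;
    # in a real setup they point at the organization's log archive account.
    {
      file_name     = "aws_config.tf" # assumed file name
      template_name = "aws_config"
      aws_config_inputs = {
        config_log_archive_bucket_arn  = "arn:aws:s3:::PLACEHOLDER-log-archive-bucket"
        config_log_archive_kms_key_arn = "arn:aws:kms:eu-central-1:111111111111:key/PLACEHOLDER-key-id"
        config_delivery_frequency      = "Six_Hours"
        config_recording_mode = {
          frequency      = "CONTINUOUS"
          resource_types = []
          # Record a high-churn resource type daily instead of continuously
          # (assumed choice for the example) to keep Config item volume down.
          recording_mode_override = {
            frequency      = "DAILY"
            resource_types = ["AWS::EC2::NetworkInterface"]
          }
        }
      }
    },
  ]
}

# The output is keyed by template_name, which is how the Account Factory
# configuration earlier on this page selects individual files.
output "account_baseline_files" {
  value = module.account_baseline_templates.account_baseline_terraform_files
}
```

Because `unified_multi_region_baseline` defaults to `true` and `false` is no longer accepted in v4, the key is simply omitted; leaving the `optional(...)` defaults in place for the nested objects keeps the call short and makes any deviation from the baseline defaults visible in review.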
### Optional Inputs
No optional inputs.
### Outputs
The following outputs are exported:
#### account_baseline_terraform_files
Description: Account Baseline Terraform files grouped by template name.