NTC Account Baseline Templates
Description
NTC Account Baseline Templates provide a standardized framework for configuring AWS accounts with essential guardrails, security controls, and operational settings. These templates automate the deployment of account-specific configurations, including IAM policies, logging, security, and baseline compliance checks. By applying consistent baselines across accounts, this building block ensures governance, security, and operational efficiency at scale.
NTC Account Baseline Templates are highly customizable, enabling you to tailor configurations to meet the specific needs of different environments or workloads.
Usage
| Latest Release | 1.3.2 |
|---|---|
- Account Baseline
```hcl
# --------------------------------------------------------------------------------------------------
# ¦ NTC ACCOUNT BASELINE TEMPLATES
# --------------------------------------------------------------------------------------------------
module "account_baseline_templates" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-account-baseline-templates?ref=X.X.X"

  account_baseline_templates = [
    {
      file_name     = "iam_monitoring_reader"
      template_name = "iam_role"
      iam_role_inputs = {
        role_name = "CloudWatch-CrossAccountSharingRole"
        # policy can be submitted directly as JSON or via data source aws_iam_policy_document
        policy_json         = "INSERT_JSON_POLICY"
        role_principal_type = "AWS"
        # grant monitoring account permission to assume role in member account
        role_principal_identifiers = ["111111111111"]
      }
    },
    {
      file_name     = "iam_instance_profile"
      template_name = "iam_role"
      iam_role_inputs = {
        role_name = "ntc-ssm-instance-profile"
        # use 'policy_arn' to reference an aws managed policy
        policy_arn          = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        role_principal_type = "Service"
        # grant the EC2 service permission to assume this role (required for an instance profile)
        role_principal_identifiers = ["ec2.amazonaws.com"]
        # (optional) set to true to create an instance profile
        role_is_instance_profile = true
      }
    },
    {
      file_name     = "oidc_spacelift"
      template_name = "openid_connect"
      openid_connect_inputs = {
        provider                  = "nuvibit.app.spacelift.io"
        audience                  = "nuvibit.app.spacelift.io"
        role_name                 = "ntc-oidc-spacelift-role"
        role_path                 = "/"
        role_max_session_in_hours = 1
        permission_boundary_arn   = ""
        permission_policy_arn     = "arn:aws:iam::aws:policy/AdministratorAccess"
        # make sure to define a subject which is limited to your scope (e.g. a generic subject could grant access to all terraform cloud users)
        # you can use dynamic values by referencing the injected baseline variables (e.g. var.current_account_name) - additional '$' escape is required
        # for additional flexibility use 'subject_list_encoded' which allows injecting more complex structures (e.g. grant permission to multiple pipelines in one account)
        /* examples for common openid_connect subjects
        terraform cloud = "organization:ORG_NAME:project:PROJECT_NAME:workspace:WORKSPACE_NAME:run_phase:RUN_PHASE"
        spacelift       = "space:SPACE_ID:stack:STACK_ID:run_type:RUN_TYPE:scope:RUN_PHASE"
        gitlab          = "project_path:GROUP_NAME/PROJECT_NAME:ref_type:branch:ref:main"
        github          = "repo:ORG_NAME/REPO_NAME:environment:prod"
        jenkins         = "job:JOB_NAME/master"
        */
        subject_list = ["space:SPACE_ID:stack:$${var.current_account_name}:*"]
      }
    },
    {
      file_name     = "aws_config"
      template_name = "aws_config"
      aws_config_inputs = {
        config_log_archive_bucket_arn  = local.ntc_parameters["log-archive"]["log_bucket_arns"]["aws_config"]
        config_log_archive_kms_key_arn = local.ntc_parameters["log-archive"]["log_bucket_kms_key_arns"]["aws_config"]
        # optional inputs
        config_recorder_name         = "ntc-config-recorder"
        config_delivery_channel_name = "ntc-config-delivery"
        config_iam_role_name         = "ntc-config-role"
        config_iam_path              = "/"
        config_delivery_frequency    = "One_Hour"
        # (optional) override account baseline main region with main region of security tooling
        # this is necessary when security tooling uses a different main region
        # omit to use the main region of the account baseline
        config_security_main_region = ""
      }
    },
  ]
}
```
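A worked variant of the usage above, added here as an example and not part of the module's own documentation: it replaces the INSERT_JSON_POLICY placeholder with a policy rendered from aws_iam_policy_document and narrows the Spacelift OIDC subject and permission policy below the AdministratorAccess default. The CloudWatch action list, the account id 111111111111, the PowerUserAccess choice and the run_type/scope values are assumptions.

```hcl
# Added example (not from the module docs): least-privilege read-only policy for the
# cross-account CloudWatch role; the action list is an assumption for illustration
data "aws_iam_policy_document" "cloudwatch_cross_account_reader" {
  statement {
    sid = "CloudWatchReadOnly"
    actions = [
      "cloudwatch:GetMetricData",
      "cloudwatch:ListMetrics",
      "cloudwatch:DescribeAlarms",
      "logs:DescribeLogGroups",
      "logs:FilterLogEvents",
    ]
    resources = ["*"]
  }
}

module "account_baseline_templates" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-account-baseline-templates?ref=1.3.2"
  account_baseline_templates = [
    {
      file_name     = "iam_monitoring_reader"
      template_name = "iam_role"
      iam_role_inputs = {
        role_name   = "CloudWatch-CrossAccountSharingRole"
        policy_name = "cloudwatch-cross-account-reader"
        # rendered JSON takes the place of the INSERT_JSON_POLICY placeholder
        policy_json         = data.aws_iam_policy_document.cloudwatch_cross_account_reader.json
        role_principal_type = "AWS"
        # only the (constructed) monitoring account id may assume this role
        role_principal_identifiers = ["111111111111"]
      }
    },
    {
      file_name     = "oidc_spacelift"
      template_name = "openid_connect"
      openid_connect_inputs = {
        provider  = "nuvibit.app.spacelift.io"
        audience  = "nuvibit.app.spacelift.io"
        role_name = "ntc-oidc-spacelift-role"
        # narrower than the AdministratorAccess default (assumed to suffice for this pipeline)
        permission_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
        # SPACE_ID is a placeholder; run_type/scope are assumed Spacelift values that pin the
        # subject to tracked write runs of one stack. '$$' keeps the baseline variable intact
        # through the module's template rendering.
        subject_list = ["space:SPACE_ID:stack:$${var.current_account_name}:run_type:TRACKED:scope:write"]
      }
    },
  ]
}
```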
Requirements
The following requirements are needed by this module:
- terraform (>= 1.3.0)
- aws (>= 4.0)
- local (>= 2.4.0)
Providers
The following providers are used by this module:
- aws (>= 4.0)
- local (>= 2.4.0)
Modules
No modules.
Resources
The following resources are used by this module:
- aws_region.default (data source)
- local_file.ntc_check_if_template_exists (data source)
Required Inputs
The following input variables are required:
account_baseline_templates
Description: List of baseline file templates which should be used to generate a Terraform Account Baseline.
Type:
```hcl
list(object({
  file_name     = string
  template_name = string
  iam_role_inputs = optional(object({
    role_name                              = optional(string, "")
    role_path                              = optional(string, "/")
    policy_name                            = optional(string, "")
    policy_json                            = optional(string, "")
    policy_arn                             = optional(string, "")
    role_principal_type                    = optional(string, "AWS")
    role_principal_identifiers             = optional(list(string), [])
    role_add_current_account_to_principals = optional(bool, false)
    role_is_instance_profile               = optional(bool, false)
  }), {})
  openid_connect_inputs = optional(object({
    provider                  = optional(string, "")
    audience                  = optional(string, "")
    subject_list              = optional(list(string), [])
    subject_list_encoded      = optional(string, "")
    role_name                 = optional(string, "ntc-oidc-role")
    role_path                 = optional(string, "/")
    role_max_session_in_hours = optional(number, 1)
    permission_boundary_arn   = optional(string, "")
    permission_policy_arn     = optional(string, "arn:aws:iam::aws:policy/AdministratorAccess")
  }), {})
  aws_config_inputs = optional(object({
    config_recorder_name           = optional(string, "ntc-config-recorder")
    config_delivery_channel_name   = optional(string, "ntc-config-delivery")
    config_iam_role_name           = optional(string, "ntc-config-role")
    config_iam_path                = optional(string, "/")
    config_log_archive_bucket_arn  = optional(string, "")
    config_log_archive_kms_key_arn = optional(string, "")
    config_delivery_frequency      = optional(string, "One_Hour")
    config_security_main_region    = optional(string, "")
  }), {})
}))
```
Optional Inputs
No optional inputs.
Outputs
The following outputs are exported:
account_baseline_terraform_files
Description: Account Baseline Terraform files grouped by template name.