
NTC Account Baseline Templates


Description​

NTC Account Baseline Templates provide a standardized framework for configuring AWS accounts with essential guardrails, security controls, and operational settings. The templates render account-specific Terraform configurations, such as IAM roles, OIDC trust for CI/CD pipelines, a Terraform state backend, and AWS Config recording, together with baseline compliance checks. Applying the same baseline to every account gives consistent governance, security, and operational efficiency at scale.

NTC Account Baseline Templates are highly customizable, enabling you to tailor configurations to meet the specific needs of different environments or workloads.

Info: NTC Account Baseline Templates can be customized and then applied via NTC Account Factory.

Usage​

Latest Release: 3.0.1

Requirements​

The following requirements are needed by this module:

  • terraform (>= 1.6.5)

  • aws (>= 6.0)

  • local (>= 2.4.0)

Providers​

The following providers are used by this module:

  • aws (>= 6.0)

  • local (>= 2.4.0)

Modules​

No modules.

Resources​

The following resources are used by this module:

Required Inputs​

The following input variables are required:

account_baseline_templates​

Description: List of baseline file templates that should be used to generate a Terraform Account Baseline.

Type:

```hcl
list(object({
  file_name     = string
  template_name = string
  # NOTE: NTC Account Factory v2 supports a new unified multi-region account baseline deployment mode
  # set 'unified_multi_region_baseline' to true to generate a compatible unified baseline template
  unified_multi_region_baseline = optional(bool, false)
  iam_role_inputs = optional(object({
    role_name                              = optional(string, "")
    role_path                              = optional(string, "/")
    policy_name                            = optional(string, "")
    policy_json                            = optional(string, "")
    policy_arn                             = optional(string, "")
    role_principal_type                    = optional(string, "AWS")
    role_principal_identifiers             = optional(list(string), [])
    role_add_current_account_to_principals = optional(bool, false)
    role_is_instance_profile               = optional(bool, false)
  }), {})
  openid_connect_inputs = optional(object({
    provider                  = optional(string, "")
    audience                  = optional(string, "")
    subject_list              = optional(list(string), [])
    subject_list_encoded      = optional(string, "")
    role_name                 = optional(string, "ntc-oidc-role")
    role_path                 = optional(string, "/")
    role_max_session_in_hours = optional(number, 1)
    permission_boundary_arn   = optional(string, "")
    permission_policy_arn     = optional(string, "arn:$${var.aws_partition}:iam::aws:policy/AdministratorAccess") # $${var.aws_partition} is injected by ntc-account-factory
  }), {})
  tfstate_backend_inputs = optional(object({
    s3_bucket_name              = optional(string, "")
    s3_bucket_force_destroy     = optional(bool, false)
    state_locking_mechanism     = optional(string, "s3")
    existing_kms_key_arn        = optional(string, "")
    kms_deletion_window_in_days = optional(number, 30)
    kms_key_rotation_enabled    = optional(bool, true)
    kms_key_owners              = optional(list(string), [])
    config_iam_role_name        = optional(string, "ntc-config-role")
    access_rules = optional(list(object({
      name             = string
      description      = optional(string, "Access rule")
      role_arns        = optional(list(string), [])
      allowed_prefixes = optional(list(string), ["*"])
    })), [])
  }), {})
  aws_config_inputs = optional(object({
    config_recorder_name           = optional(string, "ntc-config-recorder")
    config_delivery_channel_name   = optional(string, "ntc-config-delivery")
    config_iam_role_name           = optional(string, "ntc-config-role")
    config_iam_path                = optional(string, "/")
    config_log_archive_bucket_arn  = optional(string, "")
    config_log_archive_kms_key_arn = optional(string, "")
    config_delivery_frequency      = optional(string, "One_Hour")
    config_security_main_region    = optional(string, "")
    config_recording_mode = optional(object({
      frequency      = optional(string, "CONTINUOUS")
      resource_types = optional(list(string), [])
      recording_mode_override = optional(object({
        frequency      = optional(string, "DAILY")
        resource_types = optional(list(string), [])
      }), {})
    }), {
      frequency      = "CONTINUOUS"
      resource_types = []
    })
  }), {})
}))
```
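The page's own usage snippet is not reproduced here, so the following is an added example (not the project's code) of a call that renders three baseline templates for one workload account. The module `source` path and the `template_name` values (`openid_connect`, `tfstate_backend`, `aws_config`) are assumptions; the page only declares `template_name` as a string, so check the module's template directory for the real names. The account id, bucket names, KMS key ARN, repository and region are placeholders.

```hcl
# Added example, not the project's own usage snippet.
# ASSUMED: module source path and template names; all ARNs and ids are placeholders.
module "account_baseline_templates" {
  source = "../modules/ntc-account-baseline-templates" # ASSUMED path

  account_baseline_templates = [
    {
      file_name     = "oidc-github.tf"
      template_name = "openid_connect" # ASSUMED template name

      openid_connect_inputs = {
        provider = "token.actions.githubusercontent.com"
        audience = "sts.amazonaws.com"
        # Trust exactly one repository and branch, not the whole GitHub org.
        subject_list = ["repo:example-org/infra-live:ref:refs/heads/main"]
        role_name                 = "ntc-oidc-role"
        role_max_session_in_hours = 1
        # The module defaults permission_policy_arn to AdministratorAccess.
        # A permission boundary caps what the deploy role can do and grant.
        # $${var.aws_partition} is left as a literal for ntc-account-factory to fill in.
        permission_boundary_arn = "arn:$${var.aws_partition}:iam::123456789012:policy/ntc-deploy-boundary"
      }
    },
    {
      file_name     = "tfstate-backend.tf"
      template_name = "tfstate_backend" # ASSUMED template name

      tfstate_backend_inputs = {
        s3_bucket_name              = "ntc-tfstate-123456789012"
        s3_bucket_force_destroy     = false
        state_locking_mechanism     = "s3"
        kms_key_rotation_enabled    = true
        kms_deletion_window_in_days = 30
        # Scope the CI role to its own state prefix instead of the default ["*"].
        access_rules = [
          {
            name             = "workload-ci"
            description      = "CI deploy role may only read/write its own state prefix"
            role_arns        = ["arn:aws:iam::123456789012:role/ntc-oidc-role"]
            allowed_prefixes = ["workload/"]
          }
        ]
      }
    },
    {
      file_name                     = "aws-config.tf"
      template_name                 = "aws_config" # ASSUMED template name
      unified_multi_region_baseline = true         # Account Factory v2 unified mode

      aws_config_inputs = {
        config_log_archive_bucket_arn  = "arn:aws:s3:::ntc-log-archive-config"
        config_log_archive_kms_key_arn = "arn:aws:kms:eu-central-1:111111111111:key/00000000-0000-0000-0000-000000000000"
        config_security_main_region    = "eu-central-1"
        config_delivery_frequency      = "One_Hour"
        config_recording_mode = {
          frequency = "CONTINUOUS"
          # Record noisy, low-value resource types once a day only.
          recording_mode_override = {
            frequency      = "DAILY"
            resource_types = ["AWS::EC2::NetworkInterface"]
          }
        }
      }
    },
  ]
}

# Rendered files, grouped by template name, to hand over to NTC Account Factory.
output "account_baseline_files" {
  value = module.account_baseline_templates.account_baseline_terraform_files
}
```

Two settings deserve a second look before such a configuration is rolled out: `permission_policy_arn` defaults to `AdministratorAccess`, so set `permission_boundary_arn` (or a narrower policy) for any OIDC role that CI can assume, and `subject_list` should name a specific repository and ref, since a bare `repo:org/*` claim lets every branch and fork pipeline in the org obtain the role. Likewise the `access_rules` default of `allowed_prefixes = ["*"]` grants the listed roles every object in the state bucket; give each pipeline only its own prefix.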

Optional Inputs​

No optional inputs.

Outputs​

The following outputs are exported:

account_baseline_terraform_files​

Description: Account Baseline Terraform files grouped by template name.