NTC Account Baseline Templates
Description
NTC Account Baseline Templates provide a standardized framework for configuring AWS accounts with essential guardrails, security controls, and operational settings. These templates automate the deployment of account-specific configurations, including IAM policies, logging, security, and baseline compliance checks. By applying consistent baselines across accounts, this building block ensures governance, security, and operational efficiency at scale.
NTC Account Baseline Templates are highly customizable, enabling you to tailor configurations to meet the specific needs of different environments or workloads.
Starting with NTC v2, baseline templates support the unified multi-region baseline mode:
```hcl
unified_multi_region_baseline = true
```
See Account Baseline for full documentation and examples.
The legacy per-region baseline mode (without unified_multi_region_baseline) is deprecated and will be removed in a future release. Migrate existing baselines to unified mode.
NTC Account Baseline Templates can be easily customized and then applied via NTC Account Factory.
Custom Unified Baseline Templates
In addition to the pre-built templates, you can create custom unified baseline Terraform files that are deployed alongside the standard templates. Custom templates use the same injected variables and unified multi-region pattern.
Available injected variables in unified mode:
| Variable | Type | Description |
|---|---|---|
| var.aws_partition | string | AWS partition (e.g., aws, aws-cn, aws-us-gov) |
| var.aws_partition_dns_suffix | string | AWS partition DNS suffix (e.g., amazonaws.com) |
| var.main_region | string | Primary region for the account baseline |
| var.baseline_regions | list(string) | All regions where the baseline is deployed |
| var.current_account_id | string | AWS account ID |
| var.current_account_name | string | Account name |
| var.current_account_email | string | Account email address |
| var.current_account_ou_path | string | Organizational unit path |
| var.current_account_tags | map | Account tags |
| var.current_account_alternate_contacts | list | Alternate contacts |
| var.current_account_customer_values | any | Custom values from account creation |
| var.baseline_scope_name | string | Name of the baseline scope |
| var.baseline_parameters | any | Scope-specific parameters |
| var.baseline_terraform_version | string | Terraform/OpenTofu version |
| var.baseline_terraform_binary | string | terraform or opentofu |
| var.baseline_aws_provider_version | string | AWS provider version |
| var.baseline_execution_role_name | string | IAM role name for baseline execution |
Example custom unified baseline template:
```hcl
# files/unified_custom_baseline.tf

# Global resource (no region argument — deployed once per account)
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# Regional resource (deployed in each baseline region)
resource "aws_ebs_encryption_by_default" "enabled" {
  for_each = toset(var.baseline_regions)
  region   = each.value
  enabled  = true
}

# Regional resource with account-aware naming
resource "aws_sns_topic" "baseline_alerts" {
  for_each = toset(var.baseline_regions)
  region   = each.value
  name     = "${var.current_account_name}-baseline-alerts"
}
```
Reference custom files in your Account Factory configuration alongside the pre-built templates:
```hcl
baseline_terraform_files = [
  # Pre-built unified templates
  module.account_baseline_templates.account_baseline_terraform_files["unified_iam_monitoring_reader"],
  module.account_baseline_templates.account_baseline_terraform_files["unified_aws_config"],
  # Custom unified baseline file
  {
    file_name = "unified_custom_baseline.tf"
    content   = file("${path.module}/files/unified_custom_baseline.tf")
  }
]
```
Usage
| Latest Release | 3.0.1 |
|---|---|
Requirements
The following requirements are needed by this module:
- terraform (>= 1.6.5)
- aws (>= 6.0)
- local (>= 2.4.0)
Providers
The following providers are used by this module:
- aws (>= 6.0)
- local (>= 2.4.0)
Modules
No modules.
Resources
The following resources are used by this module:
- aws_region.default (data source)
- local_file.ntc_check_if_template_exists (data source)
Required Inputs
The following input variables are required:
account_baseline_templates
Description: List of baseline file templates which should be used to generate a Terraform Account Baseline.
Type:
```hcl
list(object({
  file_name     = string
  template_name = string
  # NOTE: NTC Account Factory v2 supports a new unified multi-region account baseline deployment mode
  # set 'unified_multi_region_baseline' to true to generate a compatible unified baseline template
  unified_multi_region_baseline = optional(bool, false)
  iam_role_inputs = optional(object({
    role_name                              = optional(string, "")
    role_path                              = optional(string, "/")
    policy_name                            = optional(string, "")
    policy_json                            = optional(string, "")
    policy_arn                             = optional(string, "")
    role_principal_type                    = optional(string, "AWS")
    role_principal_identifiers             = optional(list(string), [])
    role_add_current_account_to_principals = optional(bool, false)
    role_is_instance_profile               = optional(bool, false)
  }), {})
  openid_connect_inputs = optional(object({
    provider                  = optional(string, "")
    audience                  = optional(string, "")
    subject_list              = optional(list(string), [])
    subject_list_encoded      = optional(string, "")
    role_name                 = optional(string, "ntc-oidc-role")
    role_path                 = optional(string, "/")
    role_max_session_in_hours = optional(number, 1)
    permission_boundary_arn   = optional(string, "")
    permission_policy_arn     = optional(string, "arn:$${var.aws_partition}:iam::aws:policy/AdministratorAccess") # $${var.aws_partition} is injected by ntc-account-factory
  }), {})
  tfstate_backend_inputs = optional(object({
    s3_bucket_name              = optional(string, "")
    s3_bucket_force_destroy     = optional(bool, false)
    state_locking_mechanism     = optional(string, "s3")
    existing_kms_key_arn        = optional(string, "")
    kms_deletion_window_in_days = optional(number, 30)
    kms_key_rotation_enabled    = optional(bool, true)
    kms_key_owners              = optional(list(string), [])
    config_iam_role_name        = optional(string, "ntc-config-role")
    access_rules = optional(list(object({
      name             = string
      description      = optional(string, "Access rule")
      role_arns        = optional(list(string), [])
      allowed_prefixes = optional(list(string), ["*"])
    })), [])
  }), {})
  aws_config_inputs = optional(object({
    config_recorder_name           = optional(string, "ntc-config-recorder")
    config_delivery_channel_name   = optional(string, "ntc-config-delivery")
    config_iam_role_name           = optional(string, "ntc-config-role")
    config_iam_path                = optional(string, "/")
    config_log_archive_bucket_arn  = optional(string, "")
    config_log_archive_kms_key_arn = optional(string, "")
    config_delivery_frequency      = optional(string, "One_Hour")
    config_security_main_region    = optional(string, "")
    config_recording_mode = optional(object({
      frequency      = optional(string, "CONTINUOUS")
      resource_types = optional(list(string), [])
      recording_mode_override = optional(object({
        frequency      = optional(string, "DAILY")
        resource_types = optional(list(string), [])
      }), {})
    }), {
      frequency      = "CONTINUOUS"
      resource_types = []
    })
  }), {})
}))
```
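A module invocation built from the input type above, as an added example that is not part of the NTC documentation or the module's own code. Only the template names unified_iam_monitoring_reader and unified_aws_config come from this page; the module source address, the third template name, the bucket and KMS key ARNs, the OIDC provider, audience and subject values, and the permission boundary policy name are assumptions and must be replaced with real values (the module's local_file.ntc_check_if_template_exists data source rejects a template_name that does not exist). The point worth checking in any OIDC template entry: permission_policy_arn defaults to AdministratorAccess, so set the policy and a permission boundary explicitly and restrict subject_list to exact repository and branch subjects rather than relying on the defaults.

```hcl
# Added example, not from the NTC docs or module source.
# Placeholders (assumptions): module source, third template name, ARNs, OIDC values.
module "account_baseline_templates" {
  source  = "PLACEHOLDER/ntc-account-baseline-templates" # assumption: registry address, see the NTC docs
  version = "3.0.1"                                       # latest release listed on this page

  account_baseline_templates = [
    # Read-only monitoring role: no inputs beyond enabling unified mode.
    {
      file_name                     = "unified_iam_monitoring_reader.tf"
      template_name                 = "unified_iam_monitoring_reader"
      unified_multi_region_baseline = true
    },

    # AWS Config: recorder in every baseline region, delivery to the central log archive.
    {
      file_name                     = "unified_aws_config.tf"
      template_name                 = "unified_aws_config"
      unified_multi_region_baseline = true
      aws_config_inputs = {
        config_log_archive_bucket_arn  = "arn:aws:s3:::example-log-archive-bucket"              # assumption
        config_log_archive_kms_key_arn = "arn:aws:kms:eu-central-1:111111111111:key/example-id" # assumption
        config_delivery_frequency      = "One_Hour"
        config_recording_mode = {
          frequency      = "CONTINUOUS"
          resource_types = []
          # Record slow-changing IAM types daily instead of continuously to cut Config cost
          recording_mode_override = {
            frequency      = "DAILY"
            resource_types = ["AWS::IAM::Role", "AWS::IAM::Policy"]
          }
        }
      }
    },

    # CI/CD deployment role via OIDC. The template name is an assumption.
    # Do not keep the AdministratorAccess default: pin the subject, narrow the policy,
    # and add a permission boundary.
    {
      file_name                     = "unified_oidc_deployment.tf"
      template_name                 = "unified_oidc_deployment" # assumption
      unified_multi_region_baseline = true
      openid_connect_inputs = {
        provider                  = "token.actions.githubusercontent.com"                    # assumption: GitHub Actions
        audience                  = "sts.amazonaws.com"                                      # assumption
        subject_list              = ["repo:example-org/example-repo:ref:refs/heads/main"]   # assumption
        role_name                 = "ntc-oidc-deploy"
        role_max_session_in_hours = 1
        # "$${...}" leaves the literal "${var.aws_partition}" / "${var.current_account_id}"
        # in the generated baseline, following the module's own default for permission_policy_arn
        # (assumption: user-supplied values are passed through the same way).
        permission_policy_arn   = "arn:$${var.aws_partition}:iam::aws:policy/PowerUserAccess"
        permission_boundary_arn = "arn:$${var.aws_partition}:iam::$${var.current_account_id}:policy/ntc-deploy-boundary" # assumption
      }
    },
  ]
}

# The generated files are then referenced by template_name from the output, e.g.
# module.account_baseline_templates.account_baseline_terraform_files["unified_aws_config"],
# in the Account Factory baseline_terraform_files list shown earlier on this page.
```

The recording_mode_override entry is optional; it is shown because the input type exposes it and daily recording of IAM resource types is the usual reason to use it. Everything inside openid_connect_inputs that is marked as an assumption must be checked against the template's actual handling of provider URLs and subject conditions before it is rolled out.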
Optional Inputs
No optional inputs.
Outputs
The following outputs are exported:
account_baseline_terraform_files
Description: Account Baseline Terraform files grouped by template name.