Skip to content

Compliance-Ready Terraform Modules

Compliance controls built into your Terraform modules — enforced at plan time, not after deployment.

Same terraform-aws-modules you already use. Change the source URL. Compliance controls are enforced automatically at terraform plan time. No new CLI tools, no policy engines, no agents.

See it in action

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
}

module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
}

Same arguments. Same outputs. Compliance controls enforced automatically.

SOC 2 Type II Certified · 34 modules · 300+ controls · Works with Checkov, OPA, Sentinel · No state migration

I want to...

Set up compliance.tfGet a compliant terraform plan — typically in under 10 minutes.TerraformOpenTofuSee what controls are enforcedBrowse all AWS controls, filter by framework, service, or effort level.AWS300+ controlsMigrate from upstream modulesSwitch from terraform-aws-modules with a single source URL change.terraform-aws-modulesdrop-inFind my compliance frameworkSOC 2, PCI DSS, CIS, HIPAA, NIST, and 35+ more.SOC 2PCI DSSCISHIPAAPrepare for an auditGenerate compliance artifacts and evidence for your auditors.evidenceaudit readyIntegrate with CI/CDValidate compliance in GitHub Actions, GitLab CI, and more.GitHubGitLabautomationAdd operational rules to modulesLifecycle blocks, tag management, provisioner removal — applied at download time.prevent_destroyignore_changes7 rules

How it works

  1. Pick your compliance framework — SOC 2, PCI DSS, HIPAA, CIS, NIST, and 35+ more. Each framework maps to a registry endpoint. Browse frameworks →

  2. Change the source URL — Replace terraform-aws-modules/... with soc2.compliance.tf/terraform-aws-modules/... in your Terraform config. See registry endpoints →

  3. Deploy with confidence — Run terraform plan. Controls are enforced automatically. Non-compliant configurations fail with clear error messages telling you exactly what to fix. No post-deployment scanning step. No post-deployment remediation cycle.

Controls are validated at terraform plan time. If your configuration violates a control, you get an error message — not a scan finding after deployment.

Latest from Plan, Apply, Comply. A blog by compliance.tf.

Loading posts…