Plan, Apply, Comply - Blog by Compliance.tf

Verifying compliance.tf Modules: From Guardrails to Audit Evidence

Compliance.tf (CTF) modules are designed to make non-compliant infrastructure effectively impossible to create for the controls they cover. Controls are enforced inside the modules through safe defaults, validation rules, and restricted configuration surfaces, as described in the first part of this series.

But if you are on a security or audit team, you still need to answer a simple question: how do we know it really works?

This article walks through how to verify CTF modules in practice, how IaC scanners and infrastructure scanners each play a role, and what kind of audit evidence you can expect.

Make Non-Compliant Terraform Impossible With compliance.tf

Your CI pipeline fails again. Checkov found 23 new findings. The sprint deadline is tomorrow.

If this sounds familiar, you're not alone. Teams across the industry spend countless hours in the same cycle: write Terraform, run an IaC scanner, get a wall of findings, fix them, run again, hope for green. This is the reality of compliance-as-code today, and it is fundamentally reactive.

Tools like Checkov and Trivy are valuable. They catch misconfigurations before they reach production. But they share a common limitation: they detect non-compliance after your code already exists. Every finding becomes a negotiation. Every PR becomes a compliance discussion. Every sprint loses time to remediation.

What if non-compliant resources were effectively impossible to create in the first place when you use standard modules?

Compliance.tf (CTF) is a private Terraform registry that turns common AWS modules into compliant-by-default building blocks, so non-compliant infrastructure is blocked by the module itself instead of discovered later by scanners.