Features

Compliance.tf is a private Terraform registry that serves hardened versions of the open-source terraform-aws-modules. Each module ships with compliance controls embedded in the source code, so policy enforcement happens inside terraform plan — no external scanner required for the controls it covers, no separate policy engine.

How Controls Work

Controls are validation rules written directly in the module HCL. When a module is sourced from the compliance.tf registry, those validations run automatically during terraform plan. A non-compliant variable value — say, a public S3 bucket ACL or an unencrypted RDS instance — produces a plan-time error before any infrastructure is created. There is no scanning step after the fact and no sidecar process to maintain. The controls live where the infrastructure code lives.
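To make the mechanism concrete, here is an added example of a plan-time control written as a Terraform variable validation. It is not compliance.tf's module source; the variable name, the control name in the error text, and the choice to model the S3 public-ACL case are assumptions made for illustration.

```hcl
# Added illustration of a control embedded in module HCL (not compliance.tf's own code).
# The variable lives inside the module, so any caller that sources the module gets the
# check for free during `terraform plan`; nothing runs after the plan to catch it.

variable "acl" {
  description = "Canned ACL applied to the bucket. Public ACLs are rejected at plan time."
  type        = string
  default     = "private"

  validation {
    # Hypothetical control name: s3_no_public_acl.
    # Anything that grants read or write to AllUsers/AuthenticatedUsers fails the plan.
    condition = !contains(
      ["public-read", "public-read-write", "authenticated-read"],
      var.acl
    )
    error_message = "s3_no_public_acl: bucket ACL must not grant public or anonymous access."
  }
}

variable "storage_encrypted" {
  description = "Whether storage is encrypted at rest. The control only accepts true."
  type        = bool
  default     = true

  validation {
    # Hypothetical control name: rds_storage_encrypted.
    # Encoding the requirement as a validation means the unencrypted value never reaches apply.
    condition     = var.storage_encrypted == true
    error_message = "rds_storage_encrypted: storage_encrypted must be true."
  }
}
```

With validations like these in place, a caller who sets `acl = "public-read"` or `storage_encrypted = false` sees the error during `terraform plan` and no resource is created; a compliant caller sees no difference at all. The same pattern generalizes to any input the module exposes, which is why the control can sit next to the resource it protects rather than in a separate scanner.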


At a glance

Registry Endpoints

Point your Terraform source attribute at the compliance.tf registry and authenticate with a registry token. Modules are versioned and served through the standard Terraform registry protocol, so existing workflows — CI runners, Terraform Cloud, local CLI — work without changes. See Registry Endpoints for setup details.

Customize Controls

Every control in a module can be toggled individually. If a specific rule conflicts with a workload requirement, disable it via a query parameter on the module source URL (?disable=control_name). The rest of the controls continue to enforce. See Customize Modules for the full interface.

Module Compatibility

Compliance.tf modules maintain the same variable and output interface as the upstream terraform-aws-modules they extend. Switching from the public registry to compliance.tf requires changing the source URL and pinning a version — no variable renames, no output rewiring. Existing Terraform state remains valid. See Module Compatibility for specifics.

Operational Rules

Operational Rules apply your organization's standards to modules at download time — lifecycle blocks (prevent_destroy, ignore_changes), provisioner removal, and instance type restrictions. Rules are independent from compliance controls: controls handle regulatory requirements, rules handle operational standards. Both layers apply during terraform init with no workflow changes. See Operational Rules for the full overview.


Reversibility

Adopting compliance.tf does not create vendor lock-in. To revert, change the module source URL back to the upstream terraform-aws-modules registry and remove the control variables. Terraform will plan the delta (if any) and apply it normally.


Security & Vendor Evaluation

For details on how modules are built, signed, and distributed, see the Security & Trust page. Organizations conducting vendor due diligence can review the Trust Center for SOC 2 reports, data handling policies, and penetration test summaries.