Features
Compliance.tf is a private Terraform registry that serves hardened versions of
the open-source terraform-aws-modules. Each module ships with compliance
controls embedded in its source code, so policy enforcement happens inside
terraform plan: for the controls it covers, no external scanner and no separate policy engine are required.
How Controls Work
Controls are validation rules written directly in the module HCL. When a
module is sourced from the compliance.tf registry, those validations run
automatically during terraform plan. A non-compliant variable value — say, a
public S3 bucket ACL or an unencrypted RDS instance — produces a plan-time
error before any infrastructure is created. There is no scanning step after the
fact and no sidecar process to maintain. The controls live where the
infrastructure code lives.
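The two plan-time mechanisms Terraform offers for this kind of embedded control, as an added illustration (this is not compliance.tf's own module code; the control names, the toggle variable and the resource arguments are assumptions made for the example). A variable validation rejects a public S3 canned ACL, and a resource precondition rejects an unencrypted RDS instance; both fail `terraform plan` before any AWS API call is made:

```hcl
# Added example, not compliance.tf's module source. Control names, variable
# names and the enable switch below are assumptions for this illustration.

variable "bucket" {
  type = string
}

variable "acl" {
  description = "Canned ACL to apply to the bucket."
  type        = string
  default     = "private"

  # Control 1 (variable validation): evaluated during `terraform plan`, so a
  # public canned ACL is rejected before the bucket exists. A validation
  # block may only reference its own variable, so it cannot be toggled.
  validation {
    condition = !contains(
      ["public-read", "public-read-write", "authenticated-read"],
      var.acl,
    )
    error_message = "Control s3_no_public_acl: public canned ACLs are not allowed."
  }
}

resource "aws_s3_bucket" "this" {
  bucket = var.bucket
}

resource "aws_s3_bucket_acl" "this" {
  bucket = aws_s3_bucket.this.id
  acl    = var.acl
}

variable "identifier" {
  type = string
}

variable "instance_class" {
  type    = string
  default = "db.t3.micro"
}

variable "storage_encrypted" {
  type    = bool
  default = true
}

# Hypothetical per-control switch. A precondition (unlike a validation) may
# reference several variables, which is what makes an opt-out possible.
variable "control_rds_storage_encrypted" {
  description = "Set to false to disable the storage-encryption control."
  type        = bool
  default     = true
}

resource "aws_db_instance" "this" {
  identifier                  = var.identifier
  engine                      = "postgres"
  instance_class              = var.instance_class
  allocated_storage           = 20
  username                    = "dbadmin"
  manage_master_user_password = true
  storage_encrypted           = var.storage_encrypted

  # Control 2 (resource precondition): also evaluated at plan time. It passes
  # when storage is encrypted, or when the control has been switched off.
  lifecycle {
    precondition {
      condition     = !var.control_rds_storage_encrypted || var.storage_encrypted
      error_message = "Control rds_storage_encrypted: storage_encrypted must be true (or disable the control explicitly)."
    }
  }
}
```

Setting `acl = "public-read"` or `storage_encrypted = false` makes `terraform plan` exit non-zero with the control's message; nothing reaches the apply stage.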
At a glance
Connect Terraform to the compliance.tf private registry
Enable or disable individual controls per module
Drop-in compatible with terraform-aws-modules
Registry Endpoints
Point your Terraform source attribute at the compliance.tf registry and
authenticate with a registry token. Modules are versioned and served through
the standard Terraform registry protocol, so existing workflows — CI runners,
Terraform Cloud, local CLI — work without changes. See
Registry Endpoints for setup details.
Customize Controls
Every control in a module can be toggled individually. If a specific rule
conflicts with a workload requirement, disable it via a query parameter on the
module source URL (?disable=control_name). The rest of the controls continue
to enforce. See Customize Modules for the full interface.
Module Compatibility
Compliance.tf modules maintain the same variable and output interface as the
upstream terraform-aws-modules they extend. Switching from the public registry
to compliance.tf requires changing the source URL and pinning a version —
no variable renames, no output rewiring. Existing Terraform state remains
valid. See Module Compatibility for specifics.
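The registry setup, the source switch and the per-control opt-out from the three sections above, collected into one added example (not taken from the compliance.tf documentation). The registry hostname `registry.example.com`, the namespace `compliancetf`, the control name `s3_no_public_acl` and the version numbers are placeholders; use the values from your own registry setup:

```hcl
# Added example, not compliance.tf documentation. Hostname, namespace, control
# name and versions are placeholders.

# --- ~/.terraformrc (CLI configuration) ---------------------------------------
# Registry token for the private registry. In CI, prefer the environment
# variable TF_TOKEN_registry_example_com (dots in the hostname become
# underscores) so the token never lands in a file on the runner.
credentials "registry.example.com" {
  token = "REPLACE_WITH_REGISTRY_TOKEN"
}

# --- main.tf -------------------------------------------------------------------
# Before: the upstream public module.
#
#   module "log_bucket" {
#     source  = "terraform-aws-modules/s3-bucket/aws"
#     version = "4.1.0"
#     bucket  = "example-logs"
#     acl     = "private"
#   }
#
# After: same module label and same inputs, so the resource addresses in
# state are unchanged. Only `source` differs, and `version` stays pinned.
module "log_bucket" {
  source  = "registry.example.com/compliancetf/s3-bucket/aws"
  version = "4.1.0"

  bucket = "example-logs"
  acl    = "private"
}

# Opting a single workload out of one control via the query-parameter
# interface described on the page. Every other control still runs.
module "public_site" {
  source  = "registry.example.com/compliancetf/s3-bucket/aws?disable=s3_no_public_acl"
  version = "4.1.0"

  bucket = "example-static-site"
  acl    = "public-read"
}
```

After editing `source`, run `terraform init -upgrade` so the module is fetched from the new registry, then `terraform plan`; because the variable and output interface is unchanged, the plan should show no resource changes for `log_bucket` unless a control rejects an existing value. Keeping the opt-out visible in the source URL also makes exceptions easy to find in code review.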
Operational Rules
Operational Rules apply your organization's standards to modules at download
time: lifecycle blocks (prevent_destroy, ignore_changes), provisioner
removal, and instance type restrictions. Rules are independent of compliance
controls: controls handle regulatory requirements, rules handle operational
standards. Both layers apply during terraform init with no workflow changes.
See Operational Rules for the full overview.
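What a module resource can look like once the three kinds of rule named above have been applied, as an added illustration (this is not compliance.tf's rule syntax or its actual output; the rule names, the allowed instance types and the variable names are assumptions):

```hcl
# Added example, not compliance.tf output. Rule names and allowed instance
# types are assumptions for this illustration.

variable "ami" {
  type = string
}

variable "instance_type" {
  type    = string
  default = "t3.small"

  # Effect of a hypothetical rule "instance_type_allowlist": an injected
  # validation that fails `terraform plan` for sizes outside the list.
  validation {
    condition     = contains(["t3.micro", "t3.small", "t3.medium"], var.instance_type)
    error_message = "Operational rule instance_type_allowlist: instance_type must be t3.micro, t3.small or t3.medium."
  }
}

resource "aws_instance" "this" {
  ami           = var.ami
  instance_type = var.instance_type

  # Effect of a hypothetical rule "protect_instances": an injected lifecycle
  # block. prevent_destroy makes `terraform plan` fail if a change would
  # destroy or replace the instance; ignore_changes keeps tags applied by
  # other tooling from producing a diff on every run.
  lifecycle {
    prevent_destroy = true
    ignore_changes  = [tags]
  }

  # A `provisioner "remote-exec"` block carried by the upstream module would
  # have been removed here by a provisioner-removal rule, so no ad hoc scripts
  # run on the instance from Terraform.
}
```

Because the rules are applied when the module is downloaded, `terraform init` is the point at which a changed rule set takes effect; re-running `terraform init -upgrade` after a rule change refreshes the local module copy.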
Reversibility
Adopting compliance.tf does not create vendor lock-in. To revert, change the
module source URL back to the upstream terraform-aws-modules registry and
remove the control variables. Terraform will plan the delta (if any) and apply
it normally.
Security & Vendor Evaluation
For details on how modules are built, signed, and distributed, see the Security & Trust page. Organizations conducting vendor due diligence can review the Trust Center for SOC 2 reports, data handling policies, and penetration test summaries.