Compatibility with Open-Source Terraform AWS Modules

At a glance
  • Compliance.tf modules are drop-in compatible with terraform-aws-modules.
  • Compliance rules are applied automatically to prevent non-compliant deployments.
  • If a module is not yet available, requests fall back to the original HashiCorp Terraform Registry. Proxied modules are not subject to compliance.tf controls.

Compliance-ready Terraform modules by compliance.tf are interface-compatible with the open-source terraform-aws-modules — same inputs, same outputs. Compliance controls add plan-time validation that may surface new errors for non-compliant configurations.

How it works

Compliance.tf modules update the original terraform-aws-modules and apply compliance rules through constraints. This ensures that non-compliant infrastructure resources cannot be deployed. The rules are applied without changing the module interface — all existing arguments and outputs work the same way.

Supported Modules

The terraform-aws-modules are among the most widely used Terraform modules, backed by a large community.

A list of supported modules is available in the module catalog, on the Terraform Registry, and on GitHub.

If a module is not yet available on compliance.tf, requests are proxied to the original HashiCorp Terraform Registry. This allows continued use of your existing workflow and Terraform Registry hostname.

Proxied modules bypass compliance controls

Modules served via proxy fallback are not subject to compliance.tf controls. If you need assurance that only controlled modules are used, verify against the module catalog before deployment. Consider adding a CI check that flags module sources not present in the compliance.tf catalog.
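
One way to implement the CI check suggested above, as an added example that is not compliance.tf's own tooling: it scans module blocks in Terraform source and flags any source that is not on a compliance.tf registry host or not in the catalog. The CATALOG set, the "<framework>.compliance.tf" host pattern (inferred from the page's soc2.compliance.tf example), the example-module name and the sample HCL are assumptions constructed for illustration.

```python
import re

# Assumption: registry hosts look like "<framework>.compliance.tf", inferred
# from the page's "soc2.compliance.tf" example.
COMPLIANCE_HOST = re.compile(r"^[a-z0-9-]+\.compliance\.tf$")
# Constructed stand-in for the module catalog; in CI, load the real list.
CATALOG = {"terraform-aws-modules/s3-bucket/aws"}
# Top-level `module "name" { ... }` blocks as laid out by `terraform fmt`
# (closing brace in column 0). A regex scan, not a full HCL parser.
MODULE_BLOCK = re.compile(r'^module\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
SOURCE_ATTR = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)

def check_sources(hcl_text, catalog=CATALOG):
    """Return (module, source, reason) for each module outside the controls."""
    findings = []
    for name, body in MODULE_BLOCK.findall(hcl_text):
        match = SOURCE_ATTR.search(body)
        if not match:
            findings.append((name, "", "no source attribute found"))
            continue
        source = match.group(1)
        if source.startswith(("./", "../")):
            continue  # local child modules are not fetched from a registry
        host, _, path = source.partition("/")
        path = path.split("//")[0]  # drop a "//submodule" suffix
        if not COMPLIANCE_HOST.match(host):
            findings.append((name, source, "not a compliance.tf registry host"))
        elif path not in catalog:
            findings.append((name, source, "not in catalog, served via proxy"))
    return findings

# Constructed sample; "example-module" is a hypothetical uncatalogued module.
SAMPLE = '''
module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
}
module "legacy_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
}
module "example" {
  source = "soc2.compliance.tf/terraform-aws-modules/example-module/aws"
}
'''
if __name__ == "__main__":
    results = check_sources(SAMPLE)
    for finding in results:
        print("FLAGGED module %s: %s (%s)" % finding)
    raise SystemExit(1 if results else 0)
```

Run against the sample, the script flags legacy_bucket (direct upstream source) and example (on a compliance.tf host but absent from the catalog, so it would be proxied) and exits non-zero, which fails the CI job.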

Release Cadence

Compliance.tf tracks upstream terraform-aws-modules releases. New module versions are available on the same day as the upstream release. An automated pipeline detects new versions, applies compliance controls, and publishes the updated module. You upgrade the same way you upgrade any Terraform module — change the version number and run terraform init -upgrade.

Migration Checklist

Already using terraform-aws-modules? Here is what changes — and what does not — when you switch to compliance.tf.

Source URL change

Before (terraform-aws-modules):

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
}

After (compliance.tf):

module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
}

What changes

  • Module source URL — the only required code change.
  • Compliance controls are now enforced: terraform plan may produce validation errors if your existing configuration does not satisfy all controls (for example, missing logging.target_bucket on an S3 bucket).
  • Module source address in state — Terraform handles this automatically when you run terraform init -upgrade. No manual state surgery needed.

What does NOT change

  • Resource addresses in Terraform state — your existing resources are typically not recreated. See the Migration Guide for exceptions.
  • Module arguments and outputs — same interface, same variable names, same types.
  • Provider configuration — no new providers, no provider version changes.
  • Terraform workflow — same init, plan, apply cycle.

Rollback

If you need to switch back, change the source URL to the upstream terraform-aws-modules path and run terraform init -upgrade. No state changes, no resource changes. You are back to the original modules.

For step-by-step migration instructions, see the Migration Guide.

Terraform and OpenTofu Version Compatibility

Compliance.tf modules are tested against the following runtime versions:

Runtime    | Supported Versions | Notes
Terraform  | >= 1.0             | All 1.x releases supported. Modules use HCL features available since 1.0.
OpenTofu   | >= 1.6             | Full compatibility with the OpenTofu registry protocol.

Modules use validation blocks for control enforcement, which require Terraform >= 0.13. In practice, all current module versions target Terraform >= 1.0 for consistency with upstream terraform-aws-modules version constraints.

Provider version requirements (e.g., hashicorp/aws >= 5.0) are inherited from the upstream terraform-aws-modules and are documented on each module page.