Customize Compliance-ready Terraform modules
At a glance
- Compliance-ready Terraform modules (CTF) can be customized with query parameters.
- You can enable or disable specific controls or entire frameworks.
- Uses the HTTPS URL format to apply compliance rules during module retrieval.
- If no compliance layer is applied, modules fall back to the original source.
Compliance-ready Terraform modules are highly customizable and can be configured to meet the specific requirements of your organization.
Use HTTPS URL format to access Compliance-ready Terraform modules
Customization is supported only when accessing the Compliance.tf Terraform Registry via the HTTPS URL format, because it requires query string parameters.
Here are some common use cases:
- Enable and disable specific controls. For example, a compliance framework may enable certain controls by default, but you may wish to disable some of them.
- Customize a specific module version by enabling additional important controls that are not enabled by default in the original module.
See the HTTPS URL format section for details on supported arguments and examples.
How it works
The diagram below shows how compliance controls flow from framework definitions and user-defined settings into the final Terraform module. Disabled controls are filtered out, and enabled controls are merged to produce the final configuration.
flowchart TD
    A["Framework Controls<br/>(e.g., SOC2, HIPAA)"] --> C[All Active Controls]
    B["Enabled Controls<br/>(from __enable__ argument)"] --> C
    C --> D["Remove Disabled Controls<br/>(from __disable__ argument)"]
    D --> E[Final Controls Set]
    E --> F[Generate Terraform Module]

Available compliance frameworks
View the list of available compliance frameworks here.
Available controls
View the list of available controls here.
Examples
S3 bucket module with one control enabled
module "s3_bucket" {
  source = "https://registry.compliance.tf/terraform-aws-modules/s3-bucket/aws?enable=s3_bucket_versioning_and_lifecycle_policy_enabled"
}
Note about the registry.compliance.tf hostname
Use registry.compliance.tf as the hostname to start from the original module, with no compliance-related fixes applied, as the base for customization.
S3 bucket module with SOC2 framework controls enabled
module "s3_bucket" {
  source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
S3 bucket module with HIPAA framework controls enabled
module "s3_bucket" {
  source = "https://hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
S3 bucket module with FedRAMP Moderate framework controls enabled
module "s3_bucket" {
  source = "https://fedrampmoderaterev4.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
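
Review check for module sources (an added example, not code from Compliance.tf): it applies the flow from "How it works", (framework controls + enable) minus disable, to each `source` in a Terraform file and reports modules that bypass the registry, use registry.compliance.tf with nothing enabled, or disable controls. The function names, the `FRAMEWORKS` mapping and the `example_control_*` names are constructed for illustration; the `disable` parameter name is taken from the diagram.

```python
import re
from urllib.parse import urlsplit, parse_qs

BASE_HOST = "registry.compliance.tf"  # per the page: original module, no fixes
SOURCE_RE = re.compile(r'\bsource\s*=\s*"([^"]+)"')

def resolve(source, framework_controls):
    """Apply the page's flow: (framework controls + enable) minus disable."""
    # Accept both the HTTPS URL form and a bare "host/namespace/name/provider".
    url = urlsplit(source if "://" in source else "//" + source)
    host = (url.hostname or "").lower()
    if not host.endswith(".compliance.tf"):
        return None  # not served through a compliance.tf hostname
    framework = None if host == BASE_HOST else host.split(".")[0]
    query = parse_qs(url.query)
    # Values are kept as given: how several controls are packed into one
    # parameter is not shown on the page, so nothing is split here.
    enabled = set(query.get("enable", []))
    disabled = set(query.get("disable", []))
    active = set(framework_controls.get(framework, ())) | enabled
    return {"framework": framework, "enabled": enabled,
            "disabled": disabled, "final": active - disabled}

def audit(terraform_text, framework_controls):
    """Return (source, finding) pairs that deserve a reviewer's attention."""
    findings = []
    for source in SOURCE_RE.findall(terraform_text):
        if source.startswith("."):
            continue  # local module path, out of scope
        r = resolve(source, framework_controls)
        if r is None:
            findings.append((source, "not a compliance.tf source"))
        elif r["framework"] is None and not r["enabled"]:
            findings.append((source, "no compliance layer applied"))
        elif r["disabled"]:
            findings.append((source, "disables " + ", ".join(sorted(r["disabled"]))))
    return findings

# Constructed inputs: the control names under "soc2" are placeholders.
FRAMEWORKS = {"soc2": {"example_control_a", "example_control_b"}}
SAMPLE = '''
module "a" { source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=example_control_b" }
module "b" { source = "https://registry.compliance.tf/terraform-aws-modules/s3-bucket/aws" }
module "c" { source = "terraform-aws-modules/s3-bucket/aws" }
'''

if __name__ == "__main__":
    for source, finding in audit(SAMPLE, FRAMEWORKS):
        print(f"{finding}: {source}")
```

Because removal happens after the merge, a control named in both `enable` and `disable` ends up outside the final set.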