Terraform Registry Endpoints

At a glance
  • Two ways to access modules: Registry format or HTTPS URL format.
  • Both formats work with standard Terraform CLI workflows and support framework-specific endpoints (for example, soc2.compliance.tf).
  • HTTPS URL format adds flexibility (enable/disable controls, pin versions).
  • Authentication differs: API token for Registry format, .netrc for HTTPS.

Compliance-ready Terraform modules are available through the private Terraform Registry in two formats: Terraform Registry format and HTTPS URL format.

Terraform Registry format

module "..." {
    source  = "<framework>.compliance.tf/terraform-aws-modules/<module>/aws"
    version = "<version>"
}

Authentication for Terraform Registry format

The registry is available to licensed users who have configured an API token for the Terraform/OpenTofu CLI. You can obtain a token from the "Your Access Tokens" page.

Required arguments

  • <framework> is the identifier of the compliance framework the module is compiled for (such as soc2, hipaa, pcidssv321, cisv140, nist-800-53-rev5, fedrampmoderaterev4).
  • <module> is the name of the Terraform module (such as s3-bucket, cloudfront).

Optional arguments

  • <version> is the version of the Terraform module (such as 5.0.0, ~> 5.0, 5.1.0-98ddc498fa).

Examples

S3 bucket module with SOC2 compliance framework controls enabled

module "s3_bucket" {
    source = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}

S3 bucket module with HIPAA compliance framework controls enabled

module "s3_bucket" {
    source = "hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}

More examples
  • pcidssv321.compliance.tf/terraform-aws-modules/s3-bucket/aws
  • registry.compliance.tf/terraform-aws-modules/s3-bucket/aws

HTTPS URL format (more flexible)

module "..." {
    source = "https://<framework>.compliance.tf/terraform-aws-modules/<module>/aws[?version=<version>][&disable=<disabled_controls>][&enable=<enabled_controls>]"
}

Authentication for HTTPS URL format

Use a .netrc file to configure the credentials for Terraform Registry via HTTPS URL format. By default, Terraform searches for the .netrc file in your HOME directory. You can override this location with the NETRC environment variable.

Example .netrc:

# Allow access to the framework-specific Terraform Registry endpoint
machine soc2.compliance.tf  # (1)
    login anything  # login doesn't matter, it can be anything
    password ctf_EXAMPLE_TOKEN  # (2)

# Allow access to the original Terraform Registry endpoint (optional)
machine registry.compliance.tf  # (3)
    login anything
    password ctf_EXAMPLE_TOKEN

  1. soc2.compliance.tf is the framework-specific hostname to grant access to.
  2. ctf_EXAMPLE_TOKEN is a placeholder; replace it with your Access Token obtained from the "Your Access Tokens" page.
  3. registry.compliance.tf is the hostname that allows access to the original modules without any compliance-related fixes applied.

Required arguments

  • <framework> is the identifier of the compliance framework the module is compiled for (such as soc2, hipaa, pcidssv321, cisv140, nist-800-53-rev5, fedrampmoderaterev4).
  • <module> is the name of the Terraform module (such as s3-bucket, cloudfront).

Optional arguments

  • <version> is the version of the Terraform module (such as 5.0.0, 5.1.0).
  • <enabled_controls> is a comma-separated list of controls to enable.
  • <disabled_controls> is a comma-separated list of controls to disable.

Examples

S3 bucket module with SOC2 compliance framework controls enabled, and a few controls disabled

module "s3_bucket" {
    source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled"
}

More examples
  • https://registry.compliance.tf/terraform-aws-modules/s3-bucket/aws
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&enable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled
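
For change review, the following added example (not part of the original documentation or of the compliance.tf project) scans Terraform text for the module source formats described above and reports sources that disable controls, point at registry.compliance.tf, or omit a version pin in the HTTPS URL. The function names and the rule that an unpinned HTTPS URL deserves a finding are assumptions of this example; the sample input is constructed from source strings shown on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

SOURCE_RE = re.compile(r'\bsource\s*=\s*"([^"]+)"')
BASELINE_HOST = "registry.compliance.tf"  # original modules, no compliance fixes

def audit_source(source):
    """Return review findings for one module source string (hypothetical helper)."""
    # Registry format has no scheme; add one so urlsplit can extract the host.
    is_https = source.startswith("https://")
    parts = urlsplit(source if is_https else "https://" + source)
    host = parts.hostname or ""
    if not host.endswith(".compliance.tf"):
        return []  # not one of the endpoints described on this page
    findings = []
    if host == BASELINE_HOST:
        findings.append("uses registry.compliance.tf (no compliance fixes applied)")
    query = parse_qs(parts.query)
    # disable= carries a comma-separated list of control names.
    for control in ",".join(query.get("disable", [])).split(","):
        if control:
            findings.append(f"control disabled: {control}")
    # In HTTPS URL format the version pin lives in the query string.
    # Assumption of this example: an unpinned HTTPS source is worth flagging.
    if is_https and "version" not in query:
        findings.append("no version pinned in URL")
    return findings

def audit_terraform(text):
    """Map each flagged module source found in .tf text to its findings."""
    report = {s: audit_source(s) for s in SOURCE_RE.findall(text)}
    return {s: f for s, f in report.items() if f}

# Constructed sample input, built from source strings shown on this page.
SAMPLE_TF = '''
module "a" {
    source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled"
}
module "b" {
    source = "https://registry.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
module "c" {
    source = "hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
'''

if __name__ == "__main__":
    for src, findings in audit_terraform(SAMPLE_TF).items():
        print(src, *findings, sep="\n  - ")
```

Registry-format sources carry their version in a separate `version` argument, so this sketch applies the pin check only to HTTPS URLs.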

Footnotes

  • Use registry.compliance.tf as the hostname to use the original module without compliance-related fixes applied. You can combine it with the rest of the arguments to enable or disable individual controls using HTTPS URL format.

  • Check the official HashiCorp documentation for more information on Terraform Modules Sources.
