Terraform Registry Endpoints

At a glance
  • Two ways to access modules: Registry format or HTTPS URL format.
  • Both formats work with standard Terraform CLI workflows and support framework-specific endpoints (for example, soc2.compliance.tf).
  • HTTPS URL format adds flexibility (enable/disable controls, pin versions).
  • Authentication differs: API token for Registry format, .netrc for HTTPS.

Compliance-ready Terraform modules are available from the private Terraform Registry in two formats: Terraform Registry format and HTTPS URL format.

Which format should I use?

| Your situation | Recommended format | Why |
|---|---|---|
| Starting a new project | Terraform Registry format | Simpler setup, native version constraints (~> 5.0) |
| Need to enable or disable specific controls | HTTPS URL format | Supports enable= and disable= query parameters |
| Using Terraform Cloud or Terraform Enterprise | Terraform Registry format | Native registry integration, no .netrc needed |
| Using Spacelift, env0, or Atlantis | Either format works | See your platform's docs for credential configuration |

Not sure? Start with the Terraform Registry format — it's the simplest path. You can switch to the HTTPS URL format later if you need per-module control customization.


Terraform Registry format

module "..." {
    source  = "<framework>.compliance.tf/terraform-aws-modules/<module>/aws"
    version = "<version>"
}

Authentication for Terraform Registry format

The registry is available to licensed users who have configured an API token for the Terraform/OpenTofu CLI. You can obtain a token from the "Your Access Tokens" page.

Required arguments

  • <framework> is the identifier of the compliance framework the module is compiled for (such as soc2, hipaa, pcidssv321, cisv140, nist-800-53-rev5, fedrampmoderaterev4).
  • <module> is the name of the Terraform module (such as s3-bucket, cloudfront).

Optional arguments

  • <version> is the version of the Terraform module (such as 5.0.0, ~> 5.0, 5.1.0-98ddc498fa).

Examples

S3 bucket module with SOC2 compliance framework controls enabled

module "s3_bucket" {
    source = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}

S3 bucket module with HIPAA compliance framework controls enabled

module "s3_bucket" {
    source = "hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}

More examples
  • pcidssv321.compliance.tf/terraform-aws-modules/s3-bucket/aws
  • registry.compliance.tf/terraform-aws-modules/s3-bucket/aws

HTTPS URL format (more flexible)

module "..." {
    source = "https://<framework>.compliance.tf/terraform-aws-modules/<module>/aws[?version=<version>][&disable=<disabled_controls>][&enable=<enabled_controls>]"
}

Authentication for HTTPS URL format

Use a .netrc file to configure the credentials for Terraform Registry via HTTPS URL format. By default, Terraform searches for the .netrc file in your HOME directory. You can override this location with the NETRC environment variable.

Example .netrc:

# Allow access to the framework-specific Terraform Registry endpoint
machine soc2.compliance.tf  # (1)
    login anything  # login doesn't matter, it can be anything
    password ctf_EXAMPLE_TOKEN  # (2)

# Allow access to the original Terraform Registry endpoint (optional)
machine registry.compliance.tf  # (3)
    login anything
    password ctf_EXAMPLE_TOKEN

  1. soc2.compliance.tf is the framework-specific hostname to grant access to.
  2. ctf_EXAMPLE_TOKEN is a placeholder; replace it with your Access Token obtained from the "Your Access Tokens" page.
  3. registry.compliance.tf is the hostname that serves the original modules without any compliance-related fixes applied.
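
A pre-flight check for the .netrc described above, as an added example (not code from compliance.tf): it confirms the file is accessible only by its owner, since it holds the access token in plain text, and that every endpoint hostname a configuration uses has its own machine entry. The function names and the 0600 expectation are assumptions of this example.

```python
import os
import stat
from pathlib import Path


def netrc_path(env=os.environ):
    """Locate the file as described above: NETRC if set, else HOME/.netrc."""
    return Path(env["NETRC"]) if env.get("NETRC") else Path.home() / ".netrc"


def machines(text):
    """Hostnames of all `machine` entries; text after '#' is treated as a
    comment, as in the page's example (a simplification of .netrc parsing)."""
    hosts = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        hosts += [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "machine"]
    return hosts


def audit_netrc(path, required_hosts):
    """Return findings: loose file permissions and hosts with no entry."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the access token
        findings.append(f"{path} has mode {mode:04o}, expected 0600")
    present = set(machines(Path(path).read_text()))
    findings += [f"no machine entry for {h}" for h in required_hosts if h not in present]
    return findings


# Constructed sample, same shape as the example .netrc on this page.
SAMPLE_NETRC = """\
machine soc2.compliance.tf  # framework endpoint
    login anything
    password ctf_EXAMPLE_TOKEN
machine registry.compliance.tf
    login anything
    password ctf_EXAMPLE_TOKEN
"""

if __name__ == "__main__":
    target = netrc_path()
    if target.exists():
        for finding in audit_netrc(target, ["soc2.compliance.tf"]):
            print(finding)
```

Each framework endpoint is a separate hostname, so moving a module from soc2.compliance.tf to another framework endpoint needs a matching machine entry.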

Required arguments

  • <framework> is the identifier of the compliance framework the module is compiled for (such as soc2, hipaa, pcidssv321, cisv140, nist-800-53-rev5, fedrampmoderaterev4).
  • <module> is the name of the Terraform module (such as s3-bucket, cloudfront).

Optional arguments

  • <version> is the version of the Terraform module (such as 5.0.0, 5.1.0).
  • <enabled_controls> is a comma-separated list of controls to enable.
  • <disabled_controls> is a comma-separated list of controls to disable.

Examples

S3 bucket module with SOC2 compliance framework controls enabled, and a few controls disabled

module "s3_bucket" {
    source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled"
}

More examples
  • https://registry.compliance.tf/terraform-aws-modules/s3-bucket/aws
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled
  • https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&enable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled
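
An added review helper (not part of the compliance.tf documentation or tooling) that scans Terraform text for compliance.tf module sources and reports the ones a reviewer should look at: controls switched off with disable=, the zero-controls registry.compliance.tf baseline, and HTTPS sources with no version= pin. The function names and the choice of what counts as needing review are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

DOMAIN = "compliance.tf"
BASELINE_HOST = "registry." + DOMAIN  # original modules, zero controls enabled
# Simple scan for source = "..." (a simplification, not a full HCL parser).
SOURCE_RE = re.compile(r'\bsource\s*=\s*"([^"]+)"')

def _controls(query, key):
    """Flatten the comma-separated control list given for one query key."""
    return [c for value in query.get(key, []) for c in value.split(",") if c]

def audit_source(source):
    """Describe one module source, or return None if it is not on compliance.tf."""
    https_format = source.startswith("https://")
    url = urlsplit(source if "://" in source else "https://" + source)
    host = (url.hostname or "").lower()
    if not host.endswith("." + DOMAIN):
        return None
    query = parse_qs(url.query)
    disabled = _controls(query, "disable")
    baseline = host == BASELINE_HOST
    # Registry format pins through the separate `version` argument, so
    # only the HTTPS URL format can be judged from the source string.
    pinned = ("version" in query) if https_format else None
    return {
        "endpoint": host, "baseline": baseline, "pinned": pinned,
        "disabled": disabled, "enabled": _controls(query, "enable"),
        "needs_review": bool(disabled or baseline or pinned is False),
    }

def audit_terraform(text):
    """Return {source: report} for each compliance.tf source needing review."""
    reports = {s: audit_source(s) for s in SOURCE_RE.findall(text)}
    return {s: r for s, r in reports.items() if r and r["needs_review"]}

# Constructed sample: module blocks built from source strings on this page.
SAMPLE = """
module "logs" { source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled" }
module "raw" { source = "https://registry.compliance.tf/terraform-aws-modules/s3-bucket/aws" }
module "phi" { source = "hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws" }
"""

if __name__ == "__main__":
    for src, report in audit_terraform(SAMPLE).items():
        print(src, report)
```

Run over the constructed sample, the helper flags the first two modules and passes the third, whose version is set outside the source string.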

Footnotes

  • The registry.compliance.tf hostname serves the original module with zero controls enabled — a blank-slate baseline. Combine it with ?enable= to selectively enable individual controls, or with ?disable= to selectively disable controls from a framework endpoint.

  • Check the official HashiCorp documentation for more information on Terraform Modules Sources.

References