Terraform Registry Endpoints
- Two ways to access modules: Registry format or HTTPS URL format.
- Both formats work with standard Terraform CLI workflows and support framework-specific endpoints (for example, soc2.compliance.tf).
- HTTPS URL format adds flexibility (enable/disable controls, pin versions).
- Authentication differs: API token for Registry format, `.netrc` for HTTPS.
Compliance-ready Terraform modules are available through the private Terraform Registry in two formats: Terraform Registry format and HTTPS URL format.
Which format should I use?
| Your situation | Recommended format | Why |
|---|---|---|
| Starting a new project | Terraform Registry format | Simpler setup, native version constraints (~> 5.0) |
| Need to enable or disable specific controls | HTTPS URL format | Supports enable= and disable= query parameters |
| Using Terraform Cloud or Terraform Enterprise | Terraform Registry format | Native registry integration, no .netrc needed |
| Using Spacelift, env0, or Atlantis | Either format works | See your platform's docs for credential configuration |
Not sure? Start with the Terraform Registry format — it's the simplest path. You can switch to the HTTPS URL format later if you need per-module control customization.
Terraform Registry format
```hcl
module "..." {
  source  = "<framework>.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```
Required arguments
- `<framework>` is the identifier of the compliance framework the module is compiled for (such as `soc2`, `hipaa`, `pcidssv321`, `cisv140`, `nist-800-53-rev5`, `fedrampmoderaterev4`).
- `<module>` is the name of the Terraform module (such as `s3-bucket`, `cloudfront`).
Optional arguments
- `<version>` is the version of the Terraform module (such as `5.0.0`, `~> 5.0`, `5.1.0-98ddc498fa`).
Examples
S3 bucket module with SOC2 compliance framework controls enabled
```hcl
module "s3_bucket" {
  source = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
```
S3 bucket module with HIPAA compliance framework controls enabled
```hcl
module "s3_bucket" {
  source = "hipaa.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
```
HTTPS URL format (more flexible)
```hcl
module "..." {
  source = "https://<framework>.compliance.tf/terraform-aws-modules/<module>/aws[?version=<version>][&disable=<disabled_controls>][&enable=<enabled_controls>]"
}
```
Required arguments
- `<framework>` is the identifier of the compliance framework the module is compiled for (such as `soc2`, `hipaa`, `pcidssv321`, `cisv140`, `nist-800-53-rev5`, `fedrampmoderaterev4`).
- `<module>` is the name of the Terraform module (such as `s3-bucket`, `cloudfront`).
Optional arguments
- `<version>` is the version of the Terraform module (such as `5.0.0`, `5.1.0`).
- `<enabled_controls>` is a comma-separated list of controls to enable.
- `<disabled_controls>` is a comma-separated list of controls to disable.
Examples
S3 bucket module with SOC2 compliance framework controls enabled, and a few controls disabled
```hcl
module "s3_bucket" {
  source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled"
}
```
Footnotes
- The `registry.compliance.tf` hostname serves the original module with zero controls enabled — a blank-slate baseline. Combine it with `?enable=` to selectively enable individual controls, or with `?disable=` to selectively disable controls from a framework endpoint.
- Check the official HashiCorp documentation for more information on Terraform Modules Sources.
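
A review helper for the two source formats described above, added here as an example and not part of compliance.tf's own tooling: it scans Terraform text for compliance.tf module sources and reports disabled controls, use of the zero-control `registry.compliance.tf` endpoint, and HTTPS sources with no `version` query parameter. The regex-based matching of `source` lines and the choice of what to flag are assumptions of this example, and the module names in the sample are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Simplified matcher for `source = "..."` lines; an assumption, not a full HCL parser.
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)
HOST_RE = re.compile(r"^([a-z0-9-]+)\.compliance\.tf$")

def parse_source(source):
    """Return the parts of a compliance.tf module source, or None for other hosts."""
    is_https = source.startswith("https://")
    url = urlsplit(source if is_https else "//" + source)
    host = HOST_RE.match(url.hostname or "")
    path = url.path.strip("/").split("/")  # <namespace>/<module>/<provider>
    if not host or len(path) != 3:
        return None
    query = parse_qs(url.query)
    controls = lambda key: [c for v in query.get(key, []) for c in v.split(",") if c]
    return {"format": "https" if is_https else "registry", "endpoint": host.group(1),
            "module": path[1], "version": query.get("version", [None])[0],
            "enable": controls("enable"), "disable": controls("disable")}

def review(terraform_text):
    """List (source, finding) pairs a reviewer should look at."""
    findings = []
    for source in SOURCE_RE.findall(terraform_text):
        info = parse_source(source)
        if info is None:
            continue
        if info["endpoint"] == "registry":  # blank-slate host: zero controls by default
            enabled = ", ".join(info["enable"]) or "none"
            findings.append((source, "baseline endpoint, enabled controls: " + enabled))
        for control in info["disable"]:
            findings.append((source, "control disabled: " + control))
        if info["format"] == "https" and info["version"] is None:
            findings.append((source, "no version pinned in URL"))
    return findings

# Constructed sample input: module names are made up, sources follow the page's formats.
SAMPLE = '''
module "plain" {
  source = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
}
module "relaxed" {
  source = "https://soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws?version=5.0.0&disable=s3_bucket_object_lock_enabled,s3_bucket_versioning_and_lifecycle_policy_enabled"
}
module "baseline" {
  source = "https://registry.compliance.tf/terraform-aws-modules/s3-bucket/aws?enable=s3_bucket_object_lock_enabled"
}
'''
```

Calling `review(SAMPLE)` returns four findings: two disabled controls on the SOC2 source, and the baseline-endpoint and unpinned-version findings on the `registry.compliance.tf` source.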