Get Started with Compliance.tf

From account setup to a compliant terraform plan — typically under 10 minutes.

Prerequisites

Before you begin, make sure you have:

  • Terraform >= 1.0 or OpenTofu >= 1.6 installed
  • An AWS account (with or without existing terraform-aws-modules usage)
  • A compliance.tf account (start a free trial or sign in)

Step 1: Get Your Access Token

You need an access token to download modules from the compliance.tf registry.

Interactive use — run the login command for your framework endpoint:

terraform login soc2.compliance.tf

or, if you use OpenTofu:

tofu login soc2.compliance.tf

This opens a browser window where you authenticate with your compliance.tf credentials. The CLI stores a short-lived token locally. The token expires after 1 day.

CI/CD or automation — get a long-lived token from the Access Tokens page and configure it manually (see Step 2). The token is valid until you revoke it.

See also: Terraform login docs, OpenTofu login docs

Step 2: Configure Terraform CLI

If you used terraform login or tofu login in Step 1, your CLI is already configured and you can skip to Step 3.

For CI/CD pipelines or manual setup, add your token to one of these configuration files:

~/.terraformrc
credentials "soc2.compliance.tf" {
  token = "ctf_YOUR_TOKEN_HERE"
}

Replace soc2 with your chosen framework (e.g., hipaa, pcidssv40). Replace ctf_YOUR_TOKEN_HERE with the token from the Access Tokens page.

~/.netrc
machine soc2.compliance.tf
    login anything
    password ctf_YOUR_TOKEN_HERE

The login value can be anything — only the password (your access token) matters. Replace ctf_YOUR_TOKEN_HERE with the token from the Access Tokens page.

Not sure which format to choose? See Registry Endpoints for guidance.
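For the CI/CD path, an added helper script (not part of the compliance.tf documentation) that writes the ~/.terraformrc-style credentials block from a pipeline secret with owner-only permissions, refuses the placeholder value, and never echoes the token; the variable name COMPLIANCE_TF_TOKEN and the function names are assumptions.

```shell
#!/bin/sh
# Added example: write a compliance.tf credentials block for CI/CD use.
# Assumption: the token arrives in $COMPLIANCE_TF_TOKEN (a CI secret) and the
# framework hostname (e.g. soc2.compliance.tf) is passed as the first argument.

# write_tf_credentials HOST TOKEN [RCFILE]
# Appends a credentials block to RCFILE (default ~/.terraformrc).
# Returns 1 on an empty or placeholder token so the pipeline fails early
# with a clear message instead of at `terraform init`.
write_tf_credentials() {
  host="$1"
  token="$2"
  rcfile="${3:-$HOME/.terraformrc}"

  # Refuse the docs placeholder and empty values; never print the token itself.
  if [ -z "$token" ] || [ "$token" = "ctf_YOUR_TOKEN_HERE" ]; then
    echo "write_tf_credentials: no real token supplied for $host" >&2
    return 1
  fi

  # Skip if a block for this host already exists (idempotent on cached CI homes).
  if [ -f "$rcfile" ] && grep -q "credentials \"$host\"" "$rcfile"; then
    echo "write_tf_credentials: $host already configured in $rcfile" >&2
    return 0
  fi

  # Restrict permissions before any secret lands in the file.
  old_umask=$(umask)
  umask 077
  printf 'credentials "%s" {\n  token = "%s"\n}\n' "$host" "$token" >> "$rcfile"
  umask "$old_umask"
  chmod 600 "$rcfile"
}

# has_tf_credentials HOST [RCFILE]
# Returns 0 only if a block for HOST exists and the file is exactly rw-------.
has_tf_credentials() {
  rcfile="${2:-$HOME/.terraformrc}"
  [ -f "$rcfile" ] || return 1
  grep -q "credentials \"$1\"" "$rcfile" || return 1
  # POSIX find: -perm 600 matches the exact mode, not a superset.
  [ -n "$(find "$rcfile" -perm 600 -print)" ]
}

# Typical pipeline usage (uncomment in CI):
# write_tf_credentials soc2.compliance.tf "$COMPLIANCE_TF_TOKEN" && terraform init
```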

Step 3: Use a Compliance.tf Module

Add a module block to your Terraform configuration. This example creates a compliant S3 bucket:

main.tf
module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"

  bucket = "my-first-compliant-bucket"

  logging = {
    target_bucket = "my-logging-bucket"
    target_prefix = "s3-access-logs/"
  }
}

Then run the standard Terraform workflow:

terraform init    # Downloads the module from the compliance.tf registry
terraform plan    # Controls are validated here
terraform apply   # Deploy compliant infrastructure

Step 4: Verify It Worked

Success case

If your configuration satisfies all controls, terraform plan succeeds normally:

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.s3_bucket.aws_s3_bucket.this[0] will be created
  + resource "aws_s3_bucket" "this" {
      + bucket        = "my-first-compliant-bucket"
      + force_destroy = false
      ...
    }

Plan: 3 to add, 0 to change, 0 to destroy.

All compliance controls are satisfied. The plan proceeds normally with resources to create.

Failure case

If a control is violated, you get a clear validation error at plan time — not a scan finding after deployment:

│ Error: Invalid value for variable
│
│   on main.tf line 3, in module "s3_bucket":
│    3:   source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
│
│ s3_bucket_logging_enabled: logging.target_bucket must be set
│ to enable S3 bucket access logging.
│
│ Frameworks requiring this control:
│   SOC 2, CIS AWS v1.4.0 (3.6), PCI DSS v4.0 (10.2.1)

This is working as expected. The module is enforcing the control. Add the missing logging block to your configuration and re-run terraform plan.

What's Next