Make the Case for compliance.tf
You have evaluated compliance.tf. Now you need to justify adopting it. This page gives you the arguments, the math, and the pre-answered objections, structured for the people who approve the purchase.
Summary for Leadership
Compliance.tf provides compliance-ready versions of terraform-aws-modules, the same open-source Terraform modules used in billions of provisions worldwide. The only change is the module source URL. Compliance controls for SOC 2, PCI DSS, HIPAA, NIST 800-53, and 30+ other frameworks are enforced automatically at terraform plan time. Non-compliant infrastructure cannot be deployed through compliance.tf modules.
What it replaces:
- Maintaining custom wrapper modules that enforce compliance defaults
- Manually configuring compliance settings on every module instance
- Post-deployment scan-and-remediate cycles for infrastructure controls
- Mapping infrastructure resources to compliance controls during audit preparation
- Writing and updating custom OPA, Sentinel, or Checkov policies for infrastructure defaults
How it works — change one line per module:
```hcl
# Before
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
}

# After
module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
}
```
No new CLI. No agent. No sidecar. No workflow change. Same terraform init, plan, apply.
What it costs: compliance.tf is available on AWS Marketplace. Billing can go through AWS Marketplace, simplifying procurement. Compliance.tf is still a vendor dependency, but exit is straightforward: change the source URL back to upstream. View the AWS Marketplace listing.
ROI Calculation Template
Use this worksheet to estimate your team's annual time savings. Fill in your own numbers, or use the worked example below as a starting point.
Your inputs
| Input | Your value |
|---|---|
| Number of Terraform modules in use | ______ |
| Number of engineers on platform/infrastructure team | ______ |
| Number of compliance frameworks required (SOC 2, PCI DSS, etc.) | ______ |
| Audit frequency (annual, semi-annual, quarterly) | ______ |
| Current approach (custom wrappers / manual config / scan-and-fix) | ______ |
Time savings by category
| Category | What this covers | Range | Formula |
|---|---|---|---|
| Custom wrapper maintenance | Keeping wrappers in sync with upstream releases, adding new controls, testing across environments | 5-20 hrs/module/year | [modules] x [hrs/module] |
| Compliance scan remediation | Researching findings, applying fixes, testing, redeploying | 2-8 hrs/finding | [findings/audit] x [hrs/finding] x [audits/year] |
| Audit preparation for infrastructure controls | Mapping controls to resources, generating evidence, documenting exceptions | 40-160 hrs/audit | [hrs/audit] x [audits/year] |
| Custom policy maintenance | Writing, testing, updating OPA/Sentinel/Checkov rules when upstream modules change | 10-40 hrs/year | Flat estimate for the team |
Worked example (using low-end estimates)
Scenario: 10 modules, 2 engineers, 1 framework, annual audit, 5 findings per audit.
| Category | Calculation | Hours/year |
|---|---|---|
| Custom wrapper maintenance | 10 modules x 5 hrs/module | 50 |
| Compliance scan remediation | 5 findings x 2 hrs/finding x 1 audit | 10 |
| Audit preparation | 40 hrs x 1 audit | 40 |
| Custom policy maintenance | 10 hrs (flat) | 10 |
| Total | | 110 |
At your team's loaded hourly cost, convert hours to dollars. For this scenario at $100/hr, that is $11,000/year, using the low end of every range. A team with more modules, more frameworks, or more frequent audits will see higher numbers.
These ranges are estimates. Adjust based on your team's actual experience. The ROI calculator is a planning tool, not a guarantee.
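The worksheet above, carried through in code as an added example (not part of the page or the product): it applies the four formulas from the "Time savings by category" table at both the low and high end of each range, so it reproduces the worked example and also shows the upper bound the page does not compute. Engineer count and framework count are recorded in the worksheet but do not appear in its formulas, so they are omitted here.

```python
from dataclasses import dataclass

# (low, high) ends of each range from the "Time savings by category" table.
WRAPPER_HRS_PER_MODULE = (5, 20)       # hrs/module/year
REMEDIATION_HRS_PER_FINDING = (2, 8)   # hrs/finding
AUDIT_PREP_HRS_PER_AUDIT = (40, 160)   # hrs/audit
POLICY_MAINT_HRS_PER_YEAR = (10, 40)   # flat estimate for the team


@dataclass
class Inputs:
    modules: int
    audits_per_year: int
    findings_per_audit: int
    loaded_hourly_cost: float


def hours_by_category(inp: Inputs, bound: int) -> dict:
    """Apply the worksheet formulas at the low (bound=0) or high (bound=1) end of each range."""
    return {
        "wrapper_maintenance": inp.modules * WRAPPER_HRS_PER_MODULE[bound],
        "scan_remediation": inp.findings_per_audit
        * REMEDIATION_HRS_PER_FINDING[bound]
        * inp.audits_per_year,
        "audit_preparation": AUDIT_PREP_HRS_PER_AUDIT[bound] * inp.audits_per_year,
        "policy_maintenance": POLICY_MAINT_HRS_PER_YEAR[bound],
    }


def annual_estimate(inp: Inputs) -> dict:
    """Total hours and dollars per year, as a low/high range."""
    low, high = hours_by_category(inp, 0), hours_by_category(inp, 1)
    low_hrs, high_hrs = sum(low.values()), sum(high.values())
    return {
        "low_hours": low_hrs,
        "high_hours": high_hrs,
        "low_dollars": low_hrs * inp.loaded_hourly_cost,
        "high_dollars": high_hrs * inp.loaded_hourly_cost,
        "low_breakdown": low,
        "high_breakdown": high,
    }


if __name__ == "__main__":
    # The page's worked scenario: 10 modules, annual audit, 5 findings/audit, $100/hr.
    example = Inputs(modules=10, audits_per_year=1, findings_per_audit=5, loaded_hourly_cost=100.0)
    est = annual_estimate(example)
    print(f"{est['low_hours']}-{est['high_hours']} hrs/year, "
          f"${est['low_dollars']:,.0f}-${est['high_dollars']:,.0f}/year")
```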
Risk Reduction (for Your CISO)
Preventive controls vs. detective controls
Most infrastructure compliance today works like speed cameras: deploy infrastructure, scan it, find violations, remediate, re-scan. This is a detective control — it catches problems after they exist.
Compliance.tf works like guardrails: compliance controls are enforced inside the module, so non-compliant infrastructure cannot be planned in the first place. This is a preventive control. Auditors consistently rate preventive controls higher than detective controls because they reduce the window during which a violation can exist to zero.
Your existing scanning tools (Checkov, Prowler, Powerpipe, AWS Config) remain valuable as independent verification that the preventive controls are working. Compliance.tf does not replace scanning tools; it adds a layer that prevents the violations those tools would otherwise find.
Fewer audit findings
When infrastructure controls are enforced by default, there are fewer findings during audit cycles. Fewer findings means less remediation time, fewer follow-up cycles, and faster audit completion. This applies to the infrastructure controls that compliance.tf modules cover: encryption at rest, logging, access restrictions, and similar Terraform-enforceable settings.
No gap between policy and reality
Controls live in the module code, not in a policy document that can be circumvented or forgotten. There is no drift between "our policy requires encryption" and "this bucket was deployed without encryption." Every terraform plan validates compliance, not only during scheduled scans or audit preparation.
Reduced blast radius of human error
An engineer cannot forget to enable S3 access logging — the module enables it. An engineer cannot accidentally disable versioning — the module enforces it. This is not about trusting engineers less. It is about making the compliant configuration the default configuration, so the right thing happens without relying on memory or checklists.
What compliance.tf covers — and what it does not
Compliance.tf covers Terraform-enforceable infrastructure controls only. It handles encryption, logging, versioning, access restrictions, network configuration, and similar settings across 34 supported modules and 36 compliance frameworks.
Compliance.tf does not replace:
- Access reviews and identity governance
- Security awareness training
- Incident response procedures
- Vendor risk management
- HR background checks
- Organizational policies and procedures
- Non-Terraform infrastructure (ClickOps, CloudFormation, CDK, manually created resources)
It is one layer in a defense-in-depth strategy, eliminating a specific, high-effort category of compliance work: maintaining compliant infrastructure defaults. Your compliance program still requires all of the above.
Questions Your Security Team Will Ask
"Is this a vendor dependency?"
No. Switch back by changing the module source URL and running terraform init -upgrade.
Compliance.tf modules use the same input variables, outputs, and state format as upstream terraform-aws-modules. Your Terraform state file contains nothing compliance.tf-specific. There is no proprietary CLI, no agent running in your environment, and no proprietary data format. If you stop using compliance.tf, change the source URL back to the upstream registry. Your infrastructure continues to work — you just lose the enforced controls. See the Get Started guide for how the source URL works.
"How do we verify the controls are actually enforced?"
Run your existing scanning tools against compliance.tf module output.
The controls are visible in the terraform plan output — you can inspect exactly what will be deployed before applying. Run Checkov, Prowler, or Powerpipe against your plan files or deployed infrastructure to independently verify that controls are in effect. Compliance.tf is additive to your existing verification pipeline, not a replacement. See Verifying compliance.tf Modules for a detailed walkthrough.
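One way to do the independent check described above with nothing but the plan itself, as an added example that is not the project's code and is not a substitute for Checkov or Prowler: it reads `terraform show -json tfplan` output and reports which S3 buckets lack the versioning, encryption and logging controls the page names. The plan is a constructed sample; the `resource_changes` / `change.after` shape and the companion resource types (`aws_s3_bucket_versioning` and friends) are assumed from the AWS provider.

```python
import json

# Constructed sample of `terraform show -json tfplan` output (assumed shape). One bucket has
# all three controls planned alongside it, the other has none. Bucket names are literal, so
# `after.bucket` is known at plan time and can be used to correlate companion resources.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"type": "aws_s3_bucket", "change": {"actions": ["create"], "after": {"bucket": "app-logs"}}},
    {"type": "aws_s3_bucket_versioning", "change": {"actions": ["create"], "after": {
        "bucket": "app-logs", "versioning_configuration": [{"status": "Enabled"}]}}},
    {"type": "aws_s3_bucket_server_side_encryption_configuration", "change": {
        "actions": ["create"], "after": {"bucket": "app-logs", "rule": [
            {"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}}},
    {"type": "aws_s3_bucket_logging", "change": {"actions": ["create"], "after": {
        "bucket": "app-logs", "target_bucket": "audit-logs"}}},
    {"type": "aws_s3_bucket", "change": {"actions": ["create"], "after": {"bucket": "scratch"}}},
]})

# Control name -> (companion resource type, predicate over its planned attributes).
CONTROLS = {
    "versioning": ("aws_s3_bucket_versioning", lambda a: any(
        c.get("status") == "Enabled" for c in a.get("versioning_configuration") or [])),
    "encryption": ("aws_s3_bucket_server_side_encryption_configuration", lambda a: any(
        d.get("sse_algorithm") in ("aws:kms", "AES256")
        for r in a.get("rule") or [] for d in r.get("apply_server_side_encryption_by_default") or [])),
    "logging": ("aws_s3_bucket_logging", lambda a: bool(a.get("target_bucket"))),
}


def s3_control_gaps(plan_json: str) -> dict:
    """Return {bucket_name: [missing controls]} for every S3 bucket the plan leaves in place."""
    changes = json.loads(plan_json).get("resource_changes", [])
    # Deleted resources have no `after`; everything else (create/update/replace/no-op) does.
    planned = [c["type"], c["change"]["after"]] if False else None  # placeholder removed below
    planned = [(c["type"], c["change"]["after"]) for c in changes if c["change"].get("after")]
    # A bucket whose name is computed (bucket_prefix, reference) has no `bucket` in `after`;
    # it lands in after_unknown instead, which this example does not resolve.
    buckets = {a["bucket"] for t, a in planned if t == "aws_s3_bucket" and a.get("bucket")}
    satisfied = {b: set() for b in buckets}
    for rtype, after in planned:
        for control, (ctype, ok) in CONTROLS.items():
            if rtype == ctype and after.get("bucket") in satisfied and ok(after):
                satisfied[after["bucket"]].add(control)
    return {b: sorted(set(CONTROLS) - satisfied[b]) for b in buckets}


if __name__ == "__main__":
    for bucket, missing in s3_control_gaps(SAMPLE_PLAN).items():
        print(bucket, "OK" if not missing else "missing: " + ", ".join(missing))
```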
"What about our custom controls and organizational requirements?"
Compliance.tf handles infrastructure security defaults. Your custom policies handle everything else.
The modules enforce infrastructure controls: encryption, logging, access restrictions, and versioning. Your organization-specific requirements (naming conventions, tagging policies, allowed instance types, regional restrictions, cost controls) still need your existing OPA, Sentinel, or Checkov rules. These are complementary layers: compliance.tf handles the compliance framework defaults, your policies handle your organizational standards.
"What if compliance.tf goes down?"
There is no runtime dependency. Compliance.tf is only involved at terraform init time.
Modules are served from a private registry. Once you have downloaded a module version (terraform init), your workflow does not contact compliance.tf again — plan and apply run locally or in your CI/CD environment. Already-deployed infrastructure is completely unaffected. Compliance.tf is not an agent, sidecar, or running service in your environment.
"Is compliance.tf SOC 2 certified itself?"
Yes. Compliance.tf is SOC 2 Type II certified.
You can review our security posture and request the full audit report through the Trust Center. For additional detail on our security practices, see the Security page.
Compliance.tf modules can also be independently verified: run your scanning tools against the module output, inspect the terraform plan, and confirm that controls match your framework requirements. The modules themselves are transparent — you can see exactly what they enforce.
Vendor Due Diligence
For teams conducting vendor evaluation, compliance.tf provides:
- Security practices — how modules are built, signed, and distributed
- Trust Center — SOC 2 Type II reports and penetration test summaries
- SLA — uptime commitments and support response times
- DPA — data processing agreement
- License / EULA — terms of use
- Contact — reach the team directly
"Which frameworks and controls are covered?"
300+ controls enforced through module code, mapped to 36 compliance frameworks.
Rather than listing them here, see the authoritative sources: Browse frameworks for framework-specific coverage and Browse controls for individual control details. Each framework page shows which controls are enforced and which modules implement them.
Questions Your Engineering Team Will Ask
"Do I need to change my Terraform workflow?"
No. Same terraform init, plan, apply. The only change is the module source URL. Your state management, backend configuration, provider setup, and CI/CD pipeline remain the same. You will need to authenticate with the compliance.tf registry (a one-time terraform login command or a token in your .terraformrc), the same way you authenticate with any private Terraform registry. See Get Started for setup.
"Does this work with Terraform Cloud, Spacelift, Atlantis, or GitHub Actions?"
Any tool that runs terraform init works. Configure registry authentication (a token) the same way you would for any private registry. Terraform Cloud, Spacelift, Atlantis, GitHub Actions, GitLab CI, and Jenkins are all compatible.
"Can I still configure modules the way I do now?"
Same input variables, same outputs as upstream terraform-aws-modules. The modules add compliance defaults but do not remove your ability to configure. You set the same variables you use today. The difference is that compliance-critical settings have enforced defaults that prevent non-compliant configurations.
"What if a compliance control blocks my deployment?"
Controls can be disabled with proper authorization.
If a specific control does not apply to your use case, it can be disabled via query parameters on the module source URL. Disabled controls are logged and auditable — your compliance team retains visibility. This is intentionally not a silent override. See Enable/Disable Controls for details.
"What happens when terraform-aws-modules releases a new version?"
Compliance.tf tracks upstream releases. When a new version of an upstream module ships, it gets processed with the applicable compliance controls and published as an updated version. You upgrade the same way you upgrade any Terraform module: change the version number and run terraform init -upgrade.
"Can I adopt this incrementally?"
One module at a time. Compliance.tf modules and upstream terraform-aws-modules coexist in the same Terraform configuration. Start with the highest-risk resources (S3 buckets, RDS instances, VPCs) and expand as you gain confidence. There is no all-or-nothing requirement.
Next Steps
Ready to evaluate?
Set up compliance.tf and run your first compliant terraform plan.
See what is covered
Browse frameworks, controls, and supported modules.
Start a free trial
Available on AWS Marketplace. Billing through your existing AWS account.