Migrate EC2 Instance
EC2 instance module with compliance controls for IMDSv2, detailed monitoring, EBS optimization, VPC placement, public IP restrictions, IAM instance profiles, and security group ingress rules. PCI DSS additionally requires an IAM instance role and prohibits EC2 key pairs in favor of Systems Manager Session Manager.
Minor Fixes · 15-30 minutes per instance
Before and After
The migration is a source URL change. Your arguments, outputs, and Terraform state remain the same.
PCI DSS v4.0
Before (terraform-aws-modules):
module "ec2" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "~> 6.0"
name = "my-app-server"
instance_type = "t3.micro"
ami = "ami-0123456789abcdef0"
subnet_id = "subnet-0123456789abcdef0"
tags = {
Environment = "production"
}
}After (compliance.tf / PCI DSS v4.0):
module "ec2" {
source = "pcidss.compliance.tf/terraform-aws-modules/ec2-instance/aws"
version = "~> 6.0"
name = "my-app-server"
instance_type = "t3.micro"
ami = "ami-0123456789abcdef0"
subnet_id = "subnet-0123456789abcdef0"
tags = {
Environment = "production"
}
}SOC 2
Before (terraform-aws-modules):
module "ec2" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "~> 6.0"
name = "my-app-server"
instance_type = "t3.micro"
ami = "ami-0123456789abcdef0"
subnet_id = "subnet-0123456789abcdef0"
tags = {
Environment = "production"
}
}After (compliance.tf / SOC 2):
module "ec2" {
source = "soc2.compliance.tf/terraform-aws-modules/ec2-instance/aws"
version = "~> 6.0"
name = "my-app-server"
instance_type = "t3.micro"
ami = "ami-0123456789abcdef0"
subnet_id = "subnet-0123456789abcdef0"
tags = {
Environment = "production"
}
}What Changes
- Source URL points to compliance.tf registry
- Compliance controls are enforced via validation rules
- terraform plan will fail if required controls are not satisfied
What Stays the Same
- All input variables (same interface as upstream terraform-aws-modules)
- All output values
- Resource addresses in Terraform state
- Provider configuration
- Version constraints
Step-by-Step Migration
- Change the source URL in your module block to your framework subdomain
- Run
terraform init -upgradeto download the compliance.tf module - Run
terraform planto review changes. Expect a clean plan or validation errors for missing values - Fix validation errors if any (see Common Issues below)
- Run
terraform apply - Verify by checking
.compliancetf-manifest.jsonin.terraform/modules/
Common Issues and Fixes
Version Compatibility
| Upstream Version | compliance.tf Version | Status | Notes |
|---|---|---|---|
| v6.x | v6.x | Supported | Direct swap. Adapter version constraint: >=6.0.0 |
State Impact
No terraform state mv needed in typical cases. Resource addresses are unchanged because compliance.tf modules use the same internal resource structure as upstream. If a compliance control adds a new resource (rare), terraform plan will show the addition.
Controls Enforced
PCI DSS v4.0
- EC2 instances should have detailed monitoring enabled
- EC2 instances should have IAM profile attached
- EC2 instances should be in a VPC
- EC2 instances should not use key pairs in running state
- EC2 instances should not have a public IP address
- EC2 instances should use IMDSv2
- EC2 instances should use IAM instance roles for AWS resource access
SOC 2
- EC2 instances should have detailed monitoring enabled
- EC2 instances should have EBS optimization enabled
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- EC2 instances should use IMDSv2
Rollback
To revert, change the source URL back and re-initialize:
- Change source back to "terraform-aws-modules/ec2-instance/aws"
- Run terraform init -upgrade
- Run terraform plan to confirm no resource changes
- Compliance controls are no longer enforced, but existing configurations remain in place