compliance.tf

Migrate S3 Bucket

S3 bucket module with compliance controls for encryption, logging, versioning, public access blocking, replication, and object lock. S3 has the highest control count of any module, making it a good first migration to understand the compliance.tf enforcement model.

Minor Fixes · 15-30 minutes per instance

Before and After

The migration is a source URL change. Your arguments, outputs, and Terraform state remain the same.

PCI DSS v4.0

Before (terraform-aws-modules):

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 5.0"

  bucket = "my-app-logs"

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / PCI DSS v4.0):

module "s3_bucket" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "~> 5.0"

  bucket = "my-app-logs"

  tags = {
    Environment = "production"
  }
}

SOC 2

Before (terraform-aws-modules):

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 5.0"

  bucket = "my-app-logs"

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / SOC 2):

module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "~> 5.0"

  bucket = "my-app-logs"

  tags = {
    Environment = "production"
  }
}

What Changes

  • Source URL points to compliance.tf registry
  • Compliance controls are enforced via validation rules
  • terraform plan will fail if required controls are not satisfied

What Stays the Same

  • All input variables (same interface as upstream terraform-aws-modules)
  • All output values
  • Resource addresses in Terraform state
  • Provider configuration
  • Version constraints

Step-by-Step Migration

  1. Change the source URL in your module block to your framework subdomain
  2. Run terraform init -upgrade to download the compliance.tf module
  3. Run terraform plan to review changes. Expect a clean plan or validation errors for missing values
  4. Fix validation errors if any (see Common Issues below)
  5. Run terraform apply
  6. Verify by checking .compliancetf-manifest.json in .terraform/modules/
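A check for step 6 that can also run in CI, added here as an example and not part of compliance.tf's own tooling: it reads the module index that terraform init writes to .terraform/modules/modules.json, flags registry modules whose source host is not a compliance.tf subdomain, and lists any .compliancetf-manifest.json files found. Assumptions: modules.json is an internal Terraform file whose layout may change, and the sample directory (including where the manifest sits and its empty contents) is constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = ".compliancetf-manifest.json"  # file name given in step 6
COMPLIANCE_SUFFIX = ".compliance.tf"           # pcidss.compliance.tf, soc2.compliance.tf

def registry_host(source):
    """Registry host of a module source, or None for root, local and VCS sources."""
    if source.startswith((".", "/")) or "::" in source:
        return None
    parts = source.split("//")[0].split("/")    # drop any //submodule suffix
    if len(parts) == 4:
        return parts[0]                         # host/namespace/name/provider
    if len(parts) == 3 and "." not in parts[0]:
        return "registry.terraform.io"          # short form: default public registry
    return None

def audit(workdir):
    """Return (registry modules with an 'enforced' flag, manifest paths found)."""
    modules_dir = Path(workdir) / ".terraform" / "modules"
    index = json.loads((modules_dir / "modules.json").read_text())
    rows = []
    for mod in index["Modules"]:
        host = registry_host(mod.get("Source", ""))
        if host is not None:
            rows.append({"key": mod["Key"], "source": mod["Source"],
                         "enforced": host.endswith(COMPLIANCE_SUFFIX)})
    found = sorted(str(p.relative_to(workdir)) for p in modules_dir.rglob(MANIFEST_NAME))
    return rows, found

def build_sample(workdir):
    """Constructed post-init directory: one migrated module, one still on upstream."""
    mods = Path(workdir) / ".terraform" / "modules"
    (mods / "s3_bucket").mkdir(parents=True)
    (mods / "s3_bucket" / MANIFEST_NAME).write_text("{}")  # real contents not shown on the page
    path = "terraform-aws-modules/s3-bucket/aws"
    (mods / "modules.json").write_text(json.dumps({"Modules": [
        {"Key": "", "Source": "", "Dir": "."},
        {"Key": "s3_bucket", "Source": "pcidss.compliance.tf/" + path},
        {"Key": "legacy_logs", "Source": "registry.terraform.io/" + path},
    ]}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        rows, manifests = audit(tmp)
        for r in rows:
            print("ENFORCED" if r["enforced"] else "UPSTREAM", r["key"], r["source"])
        print("manifests:", manifests)
```

In a pipeline, fail the job when any row has enforced set to False or when the manifest list is empty; after a rollback the same check should report every module as upstream.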

Common Issues and Fixes

Version Compatibility

Upstream Version | compliance.tf Version | Status    | Notes
v5.x             | v5.x                  | Supported | Direct swap. Adapter version constraint: >=5.0.0

State Impact

No terraform state mv needed in typical cases. Resource addresses are unchanged because compliance.tf modules use the same internal resource structure as upstream. If a compliance control adds a new resource (rare), terraform plan will show the addition.

Controls Enforced

PCI DSS v4.0

SOC 2

Rollback

To revert, change the source URL back and re-initialize:

  1. Change source back to "terraform-aws-modules/s3-bucket/aws"
  2. Run terraform init -upgrade
  3. Run terraform plan to confirm no resource changes
  4. Compliance controls are no longer enforced, but existing configurations remain in place
