
Migrate VPC

VPC module with compliance controls for network security. VPC is one of the simplest migrations because most controls align with existing secure configurations. The primary change that may need attention is disabling automatic public IP assignment on public subnets.

Minor fixes · 10-15 minutes per instance

Before and After

The migration is a source URL change. Your arguments, outputs, and Terraform state remain the same.

Before (terraform-aws-modules):

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / PCI DSS v4.0):

module "vpc" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / SOC 2):

module "vpc" {
  source  = "soc2.compliance.tf/terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  tags = {
    Environment = "production"
  }
}

What Changes

  • Source URL points to compliance.tf registry
  • Compliance controls are enforced via validation rules
  • terraform plan will fail if required controls are not satisfied
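
The following is an added illustration of the plan-time enforcement described above; it is not compliance.tf's own code and makes no claim about how the registry implements its controls. It wraps the upstream module in a root configuration whose input validation refuses a non-compliant value, so `terraform plan` stops with an error before any resource is touched. The variable names and error messages are assumptions; the control name comes from the Common Issues section of this page.

```hcl
# Constructed example: a root module that front-loads one compliance check
# as a Terraform input validation. Terraform evaluates validation blocks
# during `terraform plan`, so a violating value fails the plan outright.
variable "map_public_ip_on_launch" {
  type        = bool
  description = "Whether public subnets auto-assign public IPv4 addresses on launch"
  default     = false

  validation {
    # Mirrors the vpc_subnet_auto_assign_public_ip_disabled control from this page.
    condition     = var.map_public_ip_on_launch == false
    error_message = "Control vpc_subnet_auto_assign_public_ip_disabled: map_public_ip_on_launch must be false."
  }
}

variable "enable_flow_log" {
  type        = bool
  description = "Whether VPC flow logs are created for the VPC"
  default     = true

  validation {
    # Mirrors the vpc_flow_logs_enabled control from this page.
    condition     = var.enable_flow_log == true
    error_message = "Control vpc_flow_logs_enabled: enable_flow_log must be true."
  }
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  # The validated inputs above are the only way to set these two arguments.
  map_public_ip_on_launch = var.map_public_ip_on_launch
  enable_flow_log         = var.enable_flow_log
}
```

Running `terraform plan -var map_public_ip_on_launch=true` against this configuration fails at the validation step with the error message above, which is the same shape of outcome the migration guide describes for a module whose required controls are not satisfied.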

What Stays the Same

  • All input variables (same interface as upstream terraform-aws-modules)
  • All output values
  • Resource addresses in Terraform state
  • Provider configuration
  • Version constraints

Step-by-Step Migration

  1. Change the source URL in your module block to your framework subdomain
  2. Run terraform init -upgrade to download the compliance.tf module
  3. Run terraform plan to review changes. Expect a clean plan or validation errors for missing values
  4. Fix validation errors if any (see Common Issues below)
  5. Run terraform apply
  6. Verify by checking .compliancetf-manifest.json in .terraform/modules/

Common Issues and Fixes

Public IP auto-assignment on public subnets

Cause: The vpc_subnet_auto_assign_public_ip_disabled control (SOC 2) requires map_public_ip_on_launch = false. Many VPC configurations enable this for public subnets.

Fix: Set map_public_ip_on_launch = false in the module configuration. Instances that need public IPs should use Elastic IPs or NAT gateways instead.

VPC flow logs may need to be enabled

Cause: The vpc_flow_logs_enabled control requires VPC flow logs. The VPC module supports this via the enable_flow_log variable, but it defaults to false in most configurations.

Fix: Set enable_flow_log = true in the module configuration and provide the required flow_log_destination_arn.
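
The configuration below is an added example, not code from the compliance.tf project or the upstream module, showing both fixes from this section applied to the SOC 2 module block used earlier on the page. It assumes the AWS provider is configured for eu-west-1, that flow logs are delivered to an S3 bucket created here (the bucket name is a constructed placeholder), and that a host needing a stable public address is supplied through the hypothetical input `var.bastion_instance_id`. The module arguments used (`map_public_ip_on_launch`, `enable_flow_log`, `flow_log_destination_type`, `flow_log_destination_arn`, `flow_log_traffic_type`) are inputs of the upstream terraform-aws-modules/vpc module.

```hcl
provider "aws" {
  region = "eu-west-1"
}

data "aws_caller_identity" "current" {}

# Constructed example: private S3 bucket that receives the VPC flow logs.
resource "aws_s3_bucket" "flow_logs" {
  bucket = "example-vpc-flow-logs-${data.aws_caller_identity.current.account_id}" # placeholder name
}

resource "aws_s3_bucket_public_access_block" "flow_logs" {
  bucket                  = aws_s3_bucket.flow_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The flow-log delivery service must be allowed to write objects and read the bucket ACL.
data "aws_iam_policy_document" "flow_logs" {
  statement {
    sid       = "AWSLogDeliveryWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.flow_logs.arn}/AWSLogs/*"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
  statement {
    sid       = "AWSLogDeliveryAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.flow_logs.arn]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
  }
}

resource "aws_s3_bucket_policy" "flow_logs" {
  bucket = aws_s3_bucket.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs.json
}

module "vpc" {
  source  = "soc2.compliance.tf/terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  # Fix 1: public subnets no longer hand out public IPv4 addresses at launch.
  map_public_ip_on_launch = false

  # Fix 2: flow logs enabled, with the destination ARN the control requires.
  enable_flow_log           = true
  flow_log_destination_type = "s3"
  flow_log_destination_arn  = aws_s3_bucket.flow_logs.arn
  flow_log_traffic_type     = "ALL" # capture accepted and rejected traffic

  tags = {
    Environment = "production"
  }
}

# A host that genuinely needs a public address gets an explicit Elastic IP
# rather than an auto-assigned one. var.bastion_instance_id is a hypothetical input.
variable "bastion_instance_id" {
  type        = string
  description = "ID of an instance in a public subnet that needs a stable public IP"
}

resource "aws_eip" "bastion" {
  domain = "vpc"
  tags   = { Name = "my-vpc-bastion" }
}

resource "aws_eip_association" "bastion" {
  allocation_id = aws_eip.bastion.id
  instance_id   = var.bastion_instance_id
}
```

Delivering to S3 rather than CloudWatch Logs keeps the example free of an IAM role for the flow-log service; with a CloudWatch destination the module would also need its log-group and IAM-role inputs set. After `terraform apply`, the S3 bucket starts receiving objects under the `AWSLogs/` prefix, and the Elastic IP is the only public address attached to the bastion.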

Version Compatibility

Upstream Version | compliance.tf Version | Status    | Notes
v6.x             | v6.x                  | Supported | Direct swap. Adapter version constraint: >=6.0.0

State Impact

No terraform state mv needed in typical cases. Resource addresses are unchanged because compliance.tf modules use the same internal resource structure as upstream. If a compliance control adds a new resource (rare), terraform plan will show the addition.

Controls Enforced

Rollback

To revert, change the source URL back and re-initialize:

  1. Change source back to "terraform-aws-modules/vpc/aws"
  2. Run terraform init -upgrade
  3. Run terraform plan to confirm no resource changes
  4. Compliance controls are no longer enforced, but existing configurations remain in place
