Migrate VPC

VPC module with compliance controls for network security. VPC is one of the simplest migrations because most controls align with existing secure configurations. The primary change that may need attention is disabling automatic public IP assignment on public subnets.

Minor Fixes · 10-15 minutes per instance

Before and After

The migration is a source URL change. Your arguments, outputs, and Terraform state remain the same.

PCI DSS v4.0

Before (terraform-aws-modules):

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / PCI DSS v4.0):

module "vpc" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  tags = {
    Environment = "production"
  }
}

SOC 2

Before (terraform-aws-modules):

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / SOC 2):

module "vpc" {
  source  = "soc2.compliance.tf/terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.101.0/24", "10.0.102.0/24"]

  tags = {
    Environment = "production"
  }
}

What Changes

• Source URL points to compliance.tf registry
• Compliance controls are enforced via validation rules
• terraform plan will fail if required controls are not satisfied

What Stays the Same

• All input variables (same interface as upstream terraform-aws-modules)
• All output values
• Resource addresses in Terraform state
• Provider configuration
• Version constraints

Step-by-Step Migration

1. Change the source URL in your module block to your framework subdomain
2. Run terraform init -upgrade to download the compliance.tf module
3. Run terraform plan to review changes. Expect a clean plan or validation errors for missing values
4. Fix validation errors if any (see Common Issues below)
5. Run terraform apply
6. Verify by checking .compliancetf-manifest.json in .terraform/modules/

Common Issues and Fixes

Version Compatibility

State Impact

No terraform state mv needed in typical cases. Resource addresses are unchanged because compliance.tf modules use the same internal resource structure as upstream. If a compliance control adds a new resource (rare), terraform plan will show the addition.

Controls Enforced

PCI DSS v4.0

• VPC Security groups should only allow unrestricted incoming traffic for authorized ports

SOC 2

• VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888
• VPC subnet auto assign public IP should be disabled

Rollback

To revert, change the source URL back and re-initialize:

1. Change source back to "terraform-aws-modules/vpc/aws"
2. Run terraform init -upgrade
3. Run terraform plan to confirm no resource changes
4. Compliance controls are no longer enforced, but existing configurations remain in place

Migration Guide · Compatibility · VPC Module