Compliance Starter Kits
Three pre-composed Terraform configurations for common compliance scenarios. Each kit bundles the modules you actually need, wired together with the right controls for your framework, so you can start with a clean architecture instead of retrofitting compliance onto existing infrastructure.
All modules are sourced from the compliance.tf registry. The registry enforces controls at terraform plan time; non-compliant configurations fail before they're applied.
Kits
| Kit | Target | Frameworks | Modules | GitHub |
|---|---|---|---|---|
| B2B SaaS: SOC 2 | Seed-to-Series B SaaS selling to enterprise | SOC 2 | 13 | compliancetf/starter-kit-saas-soc2 |
| Fintech: PCI DSS v4.0 + SOC 2 | Payment platforms, neobanks, BNPL | PCI DSS v4.0, SOC 2 | 18 | compliancetf/starter-kit-fintech-pcidss |
| HealthTech: HIPAA + SOC 2 | Telehealth, EHR, health data platforms | HIPAA, SOC 2 | 17 | compliancetf/starter-kit-healthtech-hipaa |
Which kit is right for you?
If your first enterprise deal is stalled on a security questionnaire or SOC 2 requirement, use the B2B SaaS kit.
If you're handling cardholder data now or will be, use the Fintech kit. The CDE scoping and network segmentation decisions you make in the first six months are hard to undo.
If you're about to handle PHI for the first time, use the HealthTech kit. RDS encryption must be enabled at database creation; it can't be added later without rebuilding.
If you need SOC 2 alongside PCI DSS or HIPAA, pick the more specific kit (both include SOC 2 controls).
How it works
Each kit is a standalone Terraform configuration you clone, fill in, and apply:
- Clone the repo and copy `terraform.tfvars.example` to `terraform.tfvars`
- Fill in your AWS region, domain name, and Route 53 zone
- Authenticate: `terraform login soc2.compliance.tf` (or `pcidss` / `hipaa`)
- Run `terraform init && terraform plan && terraform apply`
terraform plan validates all compliance controls before anything is created. If a required control isn't satisfied, plan fails with the control name and the module that violated it. Fix the error, re-run the plan.
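An independent pre-apply check in the same spirit, added here as an example (it is not compliance.tf's own code or mechanism): it reads the JSON form of a saved plan and flags RDS resources that would be created without storage encryption, the setting that cannot be added later without rebuilding. The function name, resource addresses and sample plan are constructed for illustration.

```python
import json

# RDS resource types whose storage encryption is fixed when the resource is created.
RDS_TYPES = {"aws_db_instance", "aws_rds_cluster"}

def unencrypted_rds_creates(plan):
    """Map address -> reason for RDS resources the plan would create unencrypted."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        # "create" also appears in replace plans (["delete", "create"]).
        if rc.get("type") not in RDS_TYPES or "create" not in change.get("actions", []):
            continue
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        value = after.get("storage_encrypted")
        if value is True:
            continue
        if unknown.get("storage_encrypted"):
            # Value is computed at apply time, so the plan cannot prove encryption.
            findings[rc["address"]] = "unknown until apply"
        elif value is False:
            findings[rc["address"]] = "storage_encrypted = false"
        else:
            findings[rc["address"]] = "storage_encrypted not set"
    return findings

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_db_instance.app", "type": "aws_db_instance",
   "change": {"actions": ["create"], "after": {"storage_encrypted": true}, "after_unknown": {}}},
  {"address": "aws_db_instance.reports", "type": "aws_db_instance",
   "change": {"actions": ["create"], "after": {"storage_encrypted": false}, "after_unknown": {}}},
  {"address": "aws_rds_cluster.events", "type": "aws_rds_cluster",
   "change": {"actions": ["create"], "after": {}, "after_unknown": {"storage_encrypted": true}}},
  {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
   "change": {"actions": ["update"], "after": {"storage_encrypted": false}, "after_unknown": {}}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["create"], "after": {}, "after_unknown": {}}}
]}
""")

if __name__ == "__main__":
    for address, reason in unencrypted_rds_creates(SAMPLE_PLAN).items():
        print(f"{address}: {reason}")
```

To run it against a real plan, save one with `terraform plan -out=tfplan`, export it with `terraform show -json tfplan`, and pass the parsed JSON to the function.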
The kits use existing compliance.tf modules. No wrapper modules, no extra abstractions. You own the Terraform code after you clone it.
Migrating existing infrastructure?
If you already have Terraform using terraform-aws-modules, the kits are not the right starting point. See the Brownfield Migration Kit instead; it covers switching existing modules to compliance.tf without state surgery or resource recreation.
For teams that are starting fresh, the starter kits get you to a working, compliant baseline in one terraform apply.