Get Started with Compliance.tf
From account setup to a compliant terraform plan — typically under 10 minutes.
Prerequisites
Before you begin, make sure you have:
- Terraform >= 1.0 or OpenTofu >= 1.6 installed
- An AWS account (with or without existing terraform-aws-modules usage)
- A compliance.tf account — start a free trial or sign in
Step 1: Get Your Access Token
You need an access token to download modules from the compliance.tf registry.
Interactive use — run the login command for your framework endpoint:
terraform login soc2.compliance.tf
or, if you use OpenTofu:
tofu login soc2.compliance.tf
This opens a browser window where you authenticate with your compliance.tf credentials. The CLI stores a short-lived token locally. The token expires after 1 day.
CI/CD or automation — get a long-lived token from the Access Tokens page and configure it manually (see Step 2). The token is valid until you revoke it.
See also: Terraform login docs, OpenTofu login docs
Step 2: Configure Terraform CLI
If you used terraform login or tofu login in Step 1, your CLI is already configured and you can skip to Step 3.
For CI/CD pipelines or manual setup, add your token to one of these configuration files:
Terraform CLI configuration file (credentials block):
credentials "soc2.compliance.tf" {
  token = "ctf_YOUR_TOKEN_HERE"
}
Replace soc2 with your chosen framework (e.g., hipaa, pcidssv40). Replace ctf_YOUR_TOKEN_HERE with the token from the Access Tokens page.
netrc file:
machine soc2.compliance.tf
login anything
password ctf_YOUR_TOKEN_HERE
The login value can be anything — only the password (your access token) matters. Replace ctf_YOUR_TOKEN_HERE with the token from the Access Tokens page.
Not sure which format to choose? See Registry Endpoints for guidance.
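As an added example (not compliance.tf's own code or documentation) of doing the CI/CD setup from Step 2 without ever committing the token: a POSIX shell helper that writes the credentials block from a pipeline secret, refuses hosts outside compliance.tf and malformed tokens, and keeps the file readable only by the job's user. The COMPLIANCE_TF_TOKEN variable name, the ctf_ prefix check and the token character-set check are assumptions; TF_CLI_CONFIG_FILE and ~/.terraformrc are Terraform CLI features that this page does not mention.

```shell
#!/bin/sh
# Added example, not part of the compliance.tf docs or product: render the
# Terraform CLI "credentials" block from a CI secret without echoing the
# token to the job log, and keep the resulting file owner-only (0600).
# Assumptions (not from the page): the secret is exported to the job as
# COMPLIANCE_TF_TOKEN, tokens are single-line strings without quotes or
# whitespace, and DEST is the CLI config file Terraform reads (for example
# the path named in TF_CLI_CONFIG_FILE, or ~/.terraformrc).

# write_tf_credentials HOST TOKEN DEST
# Writes a credentials block for HOST into DEST. Returns 0 on success,
# 2 for a host outside compliance.tf, 3 for a token that does not look
# like a compliance.tf token; DEST is not created in the failure cases.
write_tf_credentials() {
    host=$1
    token=$2
    dest=$3

    # Only write credentials for a compliance.tf framework endpoint, so a
    # mis-set pipeline variable cannot send the token to another registry.
    case "$host" in
        *.compliance.tf) ;;
        *) echo "refusing: '$host' is not a compliance.tf registry endpoint" >&2; return 2 ;;
    esac

    # Tokens on this registry carry the ctf_ prefix (assumption); anything
    # with a quote, backslash or whitespace would corrupt the HCL, so reject it.
    case "$token" in
        ctf_*) ;;
        *) echo "refusing: token does not start with ctf_" >&2; return 3 ;;
    esac
    if printf '%s' "$token" | grep -q '[[:space:]"\\]'; then
        echo "refusing: token contains a quote, backslash or whitespace" >&2
        return 3
    fi

    # Create the file owner-only from the first byte (umask 077), then pin
    # 0600 explicitly in case DEST already existed with looser permissions.
    old_umask=$(umask)
    umask 077
    printf 'credentials "%s" {\n  token = "%s"\n}\n' "$host" "$token" > "$dest"
    umask "$old_umask"
    chmod 600 "$dest"
}

# credentials_host_ok DEST HOST
# True when DEST holds a credentials block for exactly HOST. Use it as the
# CI step's post-condition instead of printing the file, which would leak
# the token into the job log.
credentials_host_ok() {
    grep -q "^credentials \"$2\" {\$" "$1"
}

# Usage in a CI job: the token comes from the secret store, never from the
# repository. Nothing runs if the secret is absent (e.g. on a fork's PR).
if [ -n "${COMPLIANCE_TF_TOKEN:-}" ]; then
    write_tf_credentials soc2.compliance.tf "$COMPLIANCE_TF_TOKEN" \
        "${TF_CLI_CONFIG_FILE:-$HOME/.terraformrc}"
fi
```

Terraform can also read a registry token from a TF_TOKEN_<hostname> environment variable (dots in the hostname replaced by underscores, so TF_TOKEN_soc2_compliance_tf for the SOC 2 endpoint), which avoids writing a file at all; that is a Terraform CLI feature rather than something this page describes, so confirm it against the Terraform or OpenTofu version your pipeline runs.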
Step 3: Use a Compliance.tf Module
Add a module block to your Terraform configuration. This example creates a compliant S3 bucket:
module "s3_bucket" {
  source  = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
  version = "5.0.0"
  bucket  = "my-first-compliant-bucket"
  logging = {
    target_bucket = "my-logging-bucket"
    target_prefix = "s3-access-logs/"
  }
}
Then run the standard Terraform workflow:
terraform init   # Downloads the module from the compliance.tf registry
terraform plan   # Controls are validated here
terraform apply  # Deploy compliant infrastructure
Step 4: Verify It Worked
Success case
If your configuration satisfies all controls, terraform plan succeeds normally:
Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.s3_bucket.aws_s3_bucket.this[0] will be created
  + resource "aws_s3_bucket" "this" {
      + bucket        = "my-first-compliant-bucket"
      + force_destroy = false
      ...
    }

Plan: 3 to add, 0 to change, 0 to destroy.
All compliance controls are satisfied. The plan proceeds normally with resources to create.
Failure case
If a control is violated, you get a clear validation error at plan time — not a scan finding after deployment:
│ Error: Invalid value for variable
│
│ on main.tf line 3, in module "s3_bucket":
│ 3: source = "soc2.compliance.tf/terraform-aws-modules/s3-bucket/aws"
│
│ s3_bucket_logging_enabled: logging.target_bucket must be set
│ to enable S3 bucket access logging.
│
│ Frameworks requiring this control:
│ SOC 2, CIS AWS v1.4.0 (3.6), PCI DSS v4.0 (10.2.1)
This is working as expected. The module is enforcing the control. Add the missing logging block to your configuration and re-run terraform plan.
What's Next
- Starting a new project from scratch? — Compliance Starter Kits has pre-composed Terraform for SOC 2, PCI DSS, and HIPAA — clone, fill in tfvars, apply
- Want lifecycle blocks and operational standards? — Getting Started with Operational Rules
- Migrating existing modules? — Migration guide
- Need to disable a control? — Customize modules
- Setting up CI/CD? — CI/CD integration guide
- Want to see all controls? — Browse controls
- Preparing for an audit? — Audit evidence guide
- Evaluating vendor trust? — Security & Trust · Trust Center