Production-ready Terraform modules for compliance infrastructure across AWS, Azure, and GCP. Covers account baselines, encryption, IAM, networking, logging, threat detection, drift detection, and automated remediation.
| Module | Purpose |
|---|---|
| account-baseline | Foundational account/subscription/project setup with security defaults |
| certificate | Certificate management and rotation |
| compute | Hardened compute instances with compliance tagging |
| connector-provisioning | Automated provisioning of security tool connectors |
| container | Container security (ECR/ACR/GCR scanning, runtime policies) |
| database | Encrypted database deployments with audit logging |
| deploy | Application deployment with compliance gates |
| drift-detection | Detect configuration drift from compliance baselines |
| encryption | KMS/Key Vault/Cloud KMS setup with rotation policies |
| iam | Least-privilege IAM with MFA enforcement and access reviews |
| logging | Centralized logging (CloudTrail, Activity Log, Audit Logs) |
| networking | VPC/VNet/VPC with segmentation, flow logs, and WAF |
| platform-paas | PaaS deployment patterns with compliance controls |
| remediation-engine | Automated remediation of compliance violations |
| secrets | Secrets management (Secrets Manager, Key Vault) |
| storage | Encrypted storage with access policies and lifecycle rules |
| threat-detection | GuardDuty, Defender, Security Command Center setup |
| _shared | Shared variables, locals, and helper modules |
Each module includes provider-specific implementations:

- AWS — `aws/` subdirectories
- Azure — `azure/` subdirectories
- GCP — `gcp/` subdirectories
```hcl
module "account_baseline" {
  source         = "./modules/account-baseline/aws"
  environment    = "production"
  enable_logging = true
  tags = {
    compliance = "soc2"
    managed_by = "terraform"
  }
}

module "encryption" {
  source            = "./modules/encryption/aws"
  key_rotation_days = 90
  key_policy        = data.aws_iam_policy_document.kms.json
}
```
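The `encryption` block above takes `data.aws_iam_policy_document.kms`, and the `drift_detection` block that follows takes `aws_sns_topic.compliance_alerts`, but neither is defined on this page. The following is an added example, not code from this repository, of how a root module might supply both; the CloudTrail consumer of the key, the topic name and the e-mail endpoint are assumptions.

```hcl
data "aws_caller_identity" "current" {}

# Key policy passed to module "encryption" as key_policy. The account root
# keeps administrative rights so the key can never become unmanageable;
# CloudTrail (assumed consumer) may only generate data keys for trails in
# this account, enforced through the encryption-context condition.
data "aws_iam_policy_document" "kms" {
  statement {
    sid       = "AccountRootAdministersKey"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "CloudTrailEncryptsLogs"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }
  }
}

# Alert topic passed to module "drift_detection" as alert_sns_topic, encrypted
# at rest with the AWS-managed SNS key (assumed; use a customer-managed key
# if drift findings are treated as sensitive).
resource "aws_sns_topic" "compliance_alerts" {
  name              = "compliance-alerts" # assumed name
  kms_master_key_id = "alias/aws/sns"
}

# Route findings to the compliance on-call mailbox (placeholder address).
resource "aws_sns_topic_subscription" "compliance_alerts_email" {
  topic_arn = aws_sns_topic.compliance_alerts.arn
  protocol  = "email"
  endpoint  = "compliance-alerts@example.com"
}
```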
```hcl
module "drift_detection" {
  source            = "./modules/drift-detection/aws"
  baseline_snapshot = "s3://compliance/baseline.json"
  alert_sns_topic   = aws_sns_topic.compliance_alerts.arn
  schedule          = "rate(6 hours)"
}
```

To validate a module locally:

```bash
cd modules/account-baseline/aws
terraform init
terraform validate
terraform fmt -check
```

License: MIT