Hardened Terraform · EU sovereignty on AWS

Terraform modules that answer the auditor before they ask.

TerraSov is a private library of hardened AWS modules where every security setting is annotated with the exact clause it satisfies — ISO 27001:2022, BSI C5:2020, ENS (RD 311/2022), GDPR, NIS2 and DORA — plus a CI gate that blocks the pull request when someone breaks a control, citing the clause in the review comment.

ISO 27001:2022BSI C5:2020ENS · RD 311/2022GDPR Art. 32 & 44NIS2 Art. 21(2)DORA Arts. 8–12eu-central-1 · eu-west-1 · eu-south-2
checks / terrasov-gate1 failing check
✗ FAIL  CKV_TSOV_S3_001  aws_s3_bucket_server_side_encryption_configuration.data

  Violates TSOV-CRY-001 — customer-managed KMS keys required.
  ISO 27001:2022 A.8.24 · BSI C5 CRY-03/CRY-04 · ENS mp.si.2 · GDPR Art. 32(1)(a)

  Fix: set kms_key_arn to a CMK from the terrasov kms module.
  Evidence guide: docs/evidence/iso27001.md#a824
What a failed control looks like. A developer switches a bucket to an AWS-managed key. The gate fails the PR and writes the review comment your auditor would have written three months later.
10Hardened modules
29Enforced controls
6Frameworks crosswalked
3EU regions supported

What you get

Three layers auditors actually accept

01modules/

10 hardened modules

Org guardrails with EU region-lock SCPs, CMK management, immutable audit trail (Object Lock), IAM & network baselines, S3, RDS, EKS, ECS and GitHub OIDC. The secure posture is not configurable — 29 controls, enforced by design.

02.github/workflows/gate.yml

A PR gate with citations

Custom Checkov policies verify every control on each pull request. Failures comment the violated clause across all six frameworks, so reviewers argue with the regulation, not with each other.

03docs/evidence/

Auditor evidence guides

Six per-framework walkthroughs generated from the same control matrix the policies enforce: annotation → CI report → AWS CLI command that proves the control in the live account. Hand them to the auditor as-is.

From checkout to compliant

How it works

01

Subscribe — checkout takes two minutes. You get instant access for 1 or 5 GitHub accounts.

02

Activate — enter your GitHub username, accept the repo invitation, git clone.

03

Reference the modules — pin by tag (?ref=s3-secure/v1.0.0), copy the gate workflow into your repos.

04

Stay compliant — regulation and provider updates ship as tagged releases with compliance patch notes.

Who it's for

Built for EU-regulated SaaS

If your customers ask for ISO 27001, your German prospects ask for C5, your Spanish public-sector deals need ENS, your bank clients send DORA questionnaires, and NIS2 just made your management personally liable — this library is the same answer to all of them, written as Terraform.