Terraform modules that answer the auditor before they ask.

TerraSov is a private library of hardened AWS modules where every security setting is annotated with the exact clause it satisfies — ISO 27001:2022, BSI C5:2020, ENS (RD 311/2022), GDPR, NIS2 and DORA — plus a CI gate that blocks the pull request when someone breaks a control, citing the clause in the review comment.

ISO 27001:2022BSI C5:2020ENS · RD 311/2022GDPR Art. 32 & 44NIS2 Art. 21(2)DORA Arts. 8–12eu-central-1 · eu-west-1 · eu-south-2

What a failed control looks like

A developer switches a bucket to an AWS-managed key. The gate fails the PR and writes the review comment your auditor would have written three months later:

✗ FAIL  CKV_TSOV_S3_001  aws_s3_bucket_server_side_encryption_configuration.data

  Violates TSOV-CRY-001 — customer-managed KMS keys required.
  ISO 27001:2022 A.8.24 · BSI C5 CRY-03/CRY-04 · ENS mp.si.2 · GDPR Art. 32(1)(a)

  Fix: set kms_key_arn to a CMK from the terrasov kms module.
  Evidence guide: docs/evidence/iso27001.md#a824

Three layers auditors actually accept

modules/

10 hardened modules

Org guardrails with EU region-lock SCPs, CMK management, immutable audit trail (Object Lock), IAM & network baselines, S3, RDS, EKS, ECS and GitHub OIDC. The secure posture is not configurable — 29 controls, enforced by design.

.github/workflows/gate.yml

A PR gate with citations

Custom Checkov policies verify every control on each pull request. Failures comment the violated clause across all four frameworks, so reviewers argue with the regulation, not with each other.

docs/evidence/

Auditor evidence guides

Six per-framework walkthroughs generated from the same control matrix the policies enforce: annotation → CI report → AWS CLI command that proves the control in the live account. Hand them to the auditor as-is.

How it works

Subscribe — checkout takes two minutes. You get instant access for 1 or 5 GitHub accounts.

Activate — enter your GitHub username, accept the repo invitation, git clone.

Reference the modules — pin by tag (?ref=s3-secure/v1.0.0), copy the gate workflow into your repos.

Stay compliant — regulation and provider updates ship as tagged releases with compliance patch notes.

Built for EU-regulated SaaS

If your customers ask for ISO 27001, your German prospects ask for C5, your Spanish public-sector deals need ENS, your bank clients send DORA questionnaires, and NIS2 just made your management personally liable — this library is the same answer to all of them, written as Terraform.