Brownfield Assessment
You have existing Terraform resources deployed. Here’s how to assess and fix compliance gaps without disrupting your infrastructure.
Step 1 — Scan existing resources
Point complyform scan at your state file to discover deployed resources.

```bash
# Local state file
complyform scan --state=terraform.tfstate

# Remote state (GCS)
complyform scan --state=gs://my-org-tfstate/prod/default.tfstate

# Multiple state files
complyform scan --state=terraform.tfstate --state=gs://bucket/staging.tfstate
```

Use --output=json if you need machine-readable output for CI pipelines.
Step 2 — Assess compliance posture
Run an assessment against one or more frameworks.

```bash
# Single framework
complyform assess --frameworks=soc2

# Multiple frameworks (union of controls)
complyform assess --frameworks=soc2,hipaa,iso27001
```

Example output:

```text
Assessment: SOC 2 Type II
Resources scanned:  142
Controls evaluated:  87
  Passed:           61 (70.1%)
  Failed:           22 (25.3%)
  Not applicable:    4 ( 4.6%)
Compliance score:   70.1%
```

Step 3 — Review the gap report
Failed controls produce a gap report with actionable detail.

```text
FAIL  CC6.1.3  google_sql_database_instance.production
  Severity:    CRITICAL
  Description: Cloud SQL instance lacks customer-managed encryption key
  Remediation: Add `encryption_key_name` to disk_encryption_configuration block

FAIL  CC6.6.1  google_compute_firewall.allow_all
  Severity:    HIGH
  Description: Firewall rule allows ingress from 0.0.0.0/0
  Remediation: Restrict source_ranges to specific CIDR blocks
```

Pipe to JSON for integration with other tools: `complyform assess --frameworks=soc2 --output=json`.
Step 4 — Prioritize by severity
Filter findings to focus on what matters first.

```bash
complyform assess --frameworks=soc2 --severity=critical,high
```

Work through findings in order: critical → high → medium → low. Critical findings typically represent data exposure or missing encryption; fix these before your next audit window.
Step 5 — Generate remediation patches
Let ComplyForm generate Terraform patch files for failed controls.

```bash
complyform remediate --frameworks=soc2
```

This produces .tf patch files in a remediation/ directory. Patches are additive: they add missing configuration blocks and arguments without modifying your existing resource definitions. Always review the patches, and the `terraform plan` they produce, before running `terraform apply`. An added argument can still force a resource to be replaced rather than updated in place (Cloud SQL, for example, only accepts a customer-managed key when an instance is created), and a replacement of a production database is a migration, not a config change.
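As an added example, and not ComplyForm's output or code from the original page, here is what the two findings from the gap report look like once fixed in Terraform, with the weak setting kept as a comment beside the corrected one. Everything not named in the report is an assumption: the network `google_compute_network.vpc`, the KMS key ring and key, the `var.project_number` input used to address the Cloud SQL service agent, the ports, and the `10.0.0.0/8` range. One caveat on the report's remediation hint: in the hashicorp/google provider, `encryption_key_name` is a top-level argument of `google_sql_database_instance`, not a nested block.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

# Assumed input: the Cloud SQL service agent's address is derived from the
# project number, which the gap report does not state.
variable "project_number" {
  type = string
}

resource "google_compute_network" "vpc" {
  name                    = "prod-vpc"
  auto_create_subnetworks = false
}

# CC6.6.1 fix. Before: source_ranges = ["0.0.0.0/0"], which exposed SSH and
# Postgres to the whole internet.
resource "google_compute_firewall" "allow_all" {
  name    = "allow-all"
  network = google_compute_network.vpc.name

  allow {
    protocol = "tcp"
    ports    = ["22", "5432"]
  }

  # After: only the (assumed) internal address space may reach these ports.
  source_ranges = ["10.0.0.0/8"]
}

# CC6.1.3 fix, part 1: a key in the same region as the instance. Cloud SQL
# will not accept a key from a different location.
resource "google_kms_key_ring" "sql" {
  name     = "sql-keyring"
  location = "us-central1"
}

resource "google_kms_crypto_key" "sql" {
  name            = "sql-cmek"
  key_ring        = google_kms_key_ring.sql.id
  rotation_period = "7776000s" # 90 days

  lifecycle {
    prevent_destroy = true # destroying the key makes the instance's data unrecoverable
  }
}

# CC6.1.3 fix, part 2: Cloud SQL encrypts through its per-project service
# agent, which needs encrypt/decrypt on the key before the instance can use it.
resource "google_kms_crypto_key_iam_member" "sql_cmek" {
  crypto_key_id = google_kms_crypto_key.sql.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${var.project_number}@gcp-sa-cloud-sql.iam.gserviceaccount.com"
}

# CC6.1.3 fix, part 3. Before: no encryption_key_name, so the instance's disks
# were encrypted with a Google-managed key only.
resource "google_sql_database_instance" "production" {
  name             = "production"
  region           = "us-central1"
  database_version = "POSTGRES_15"

  # After: customer-managed key. Top-level argument in the hashicorp/google
  # provider, not a nested disk_encryption_configuration block.
  encryption_key_name = google_kms_crypto_key.sql.id

  settings {
    tier = "db-custom-2-7680"
  }

  # Ensure the IAM binding exists before the instance is (re)created.
  depends_on = [google_kms_crypto_key_iam_member.sql_cmek]
}
```

Run `terraform plan` before applying this. The firewall change is an in-place update, but Cloud SQL only accepts a customer-managed key at instance creation, so adding `encryption_key_name` to an existing instance plans a replacement: for a production database that means standing up the new encrypted instance and moving data to it (backup and restore, or a clone) on a maintenance schedule, not a straight `terraform apply`.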
Step 6 — Validate patches
Confirm the patches resolve compliance gaps.

```bash
complyform validate
```

This runs Checkov against the patched configuration and reports any remaining failures.
Next steps
- complyform scan — full scan options
- complyform assess — assessment flags and output formats
- complyform remediate — patch generation details
- complyform validate — validation options
- Greenfield Generation — starting new projects compliant from day one