{"id":51319935,"url":"https://github.com/solirius/zero-trust-compliance-pack","last_synced_at":"2026-07-01T12:02:40.413Z","repository":{"id":357837348,"uuid":"1238564322","full_name":"Solirius/zero-trust-compliance-pack","owner":"Solirius","description":"Zero-Trust Secrets \u0026 Compliance Pack — Terraform modules for instant SOC2/ISO security compliance on Azure/AWS landing zones","archived":false,"fork":false,"pushed_at":"2026-05-14T14:05:17.000Z","size":56,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-14T14:37:08.235Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Solirius.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-14T08:30:53.000Z","updated_at":"2026-05-14T10:21:40.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Solirius/zero-trust-compliance-pack","commit_stats":null,"previous_names":["solirius/zero-trust-compliance-pack"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Solirius/zero-trust-compliance-pack","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Solirius%2Fzero-trust-compliance-pack","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Solirius%2Fzero-trust-compliance-pack/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Solirius%2Fzero-trust-compliance-pack/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Solirius%2Fzero-trust-compliance-pack/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Solirius","download_url":"https://codeload.github.com/Solirius/zero-trust-compliance-pack/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Solirius%2Fzero-trust-compliance-pack/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35005413,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-01T02:00:05.325Z","response_time":130,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-07-01T12:02:39.628Z","updated_at":"2026-07-01T12:02:40.398Z","avatar_url":"https://github.com/Solirius.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Zero-Trust Secrets \u0026 Compliance Pack\n\n\u003e **One `terraform apply`. Instant SOC2 compliance. Zero stored credentials.**\n\nA drop-in Terraform module that deploys zero-trust security into any Azure landing zone in under 5 minutes — secret rotation, least-privilege IAM, encryption-at-rest, and SOC2 compliance evidence. Built to military-grade standards.\n\n---\n\n## The Problem\n\nEvery client landing zone deployment requires the same security scaffolding: secret rotation, least-privilege IAM, encryption-at-rest, and compliance evidence. Today this is **1–2 weeks of manual Terraform work per engagement**, with inconsistent implementation across teams. Controls are often incomplete, and compliance evidence is generated retroactively during audit prep.\n\n## The Solution\n\n```hcl\nmodule \"zero_trust\" {\n  source = \"github.com/Solirius/zero-trust-compliance-pack\"\n\n  environment         = \"production\"\n  project_name        = \"my-landing-zone\"\n  resource_group_name = azurerm_resource_group.main.name\n}\n```\n\nThat's it. One module call. Everything below is automated.\n\n---\n\n## What Gets Deployed\n\n| Module | What It Does | SOC2 Controls |\n|---|---|---|\n| **secrets-rotation** | Azure Key Vault (Premium/HSM), automated secret rotation, audit logging | CC6.2 |\n| **iam-least-privilege** | Custom RBAC roles with zero wildcards, deny assignments, scoped service principals | CC6.1, CC6.3 |\n| **kms-encryption** | Customer-managed RSA-4096 keys, encrypted storage, disk encryption set, TLS 1.2 | CC6.6, CC6.7 |\n| **compliance-checks** | Azure Policy initiative mapped to SOC2, activity log alerts, compliance dashboard | CC7.1, CC7.2, CC8.1 |\n\n### SOC2 Controls Covered\n\n| Control | Description | Automated Evidence |\n|---|---|---|\n| CC6.1 | Logical access security | Custom RBAC roles, zero wildcards, scoped to resource group |\n| CC6.2 | Credentials \u0026 secrets | Key Vault rotation policy, purge protection, audit logging |\n| CC6.3 | Restrict unauthorized access | `not_actions` deny blocks on dangerous operations |\n| CC6.6 | Encryption in transit | TLS 1.2 minimum, HTTPS-only, shared keys disabled |\n| CC6.7 | Encryption at rest | CMK RSA-4096, auto-rotation, storage + disk encryption |\n| CC7.1 | Monitoring \u0026 detection | Activity log alerts on RBAC and Key Vault changes |\n| CC7.2 | Anomaly detection | Key Vault configuration change alerts |\n| CC8.1 | Change management | Infrastructure-as-Code, policy drift detection alerts |\n\n---\n\n## Architecture\n\n```\nzero-trust-compliance-pack/\n├── .github/\n│   ├── workflows/\n│   │   ├── validate.yml            # PR: fmt, validate, tfsec, checkov\n│   │   └── deploy.yml              # Main: OIDC → terraform apply\n│   ├── CODEOWNERS\n│   └── pull_request_template.md\n│\n├── main.tf                         # Root module — wires everything\n├── variables.tf                    # Top-level config\n├── outputs.tf                      # Aggregated compliance report\n├── versions.tf                     # Pinned provider versions\n├── backend.tf                      # Azure blob remote state\n│\n├── bootstrap/                      # One-time environment setup\n│   ├── main.tf\n│   └── init-environment.sh\n│\n├── modules/\n│   ├── secrets-rotation/           # Key Vault + rotation + logging\n│   ├── iam-least-privilege/        # Custom RBAC + deny assignments\n│   ├── kms-encryption/             # CMK + storage + disk encryption\n│   └── compliance-checks/          # Azure Policy + alerts\n│\n└── examples/\n    └── azure-landing-zone/         # Full working example\n```\n\n---\n\n## Quick Start\n\n### Prerequisites\n\n- Azure subscription with **Contributor + User Access Administrator**\n- Terraform \u003e= 1.5\n- Azure CLI: `az login` completed\n- GitHub CLI: `gh auth status` passing\n\n### 1. Bootstrap (first time only)\n\n```bash\ngit clone https://github.com/Solirius/zero-trust-compliance-pack.git\ncd zero-trust-compliance-pack/bootstrap\nchmod +x init-environment.sh\n./init-environment.sh\n```\n\n### 2. Deploy\n\n```bash\ncd ..\nterraform init\nterraform plan -var=\"project_name=my-project\"\nterraform apply -var=\"project_name=my-project\"\n```\n\n### 3. Verify\n\n```bash\n# Compliance report\nterraform output -json compliance_report\n\n# Azure Portal\n# → Key Vault: secrets, purge protection, RBAC\n# → IAM: custom roles, zero wildcards\n# → Storage: CMK encryption, TLS 1.2\n# → Policy: compliance dashboard with SOC2 control names\n```\n\n---\n\n## Military-Grade Standards\n\nEvery module in this pack enforces these non-negotiable requirements:\n\n### Zero-Trust Principles\n\n- **Never trust, always verify** — default-deny on all resources\n- **Least privilege** — no wildcards (`*`) in permissions, ever\n- **Assume breach** — encrypt everything, log everything, alert on anomalies\n- **No long-lived credentials** — OIDC for CI/CD, managed identities for workloads\n- **Defense in depth** — multiple independent security layers\n\n### Module Engineering Standards\n\n- ✅ Every variable has a `validation {}` block\n- ✅ Zero hardcoded values — everything parameterised\n- ✅ Secure defaults — most restrictive option is always the default\n- ✅ `sensitive = true` on all secret outputs\n- ✅ `compliance_status` output on every module for aggregation\n- ✅ Idempotent — `terraform apply` is safe to run repeatedly\n- ✅ Tagged — every resource carries `environment`, `project`, `managed_by`, `module_name`\n- ✅ README — usage, inputs, outputs, SOC2 controls covered\n\n### CI/CD Security\n\n- GitHub Actions OIDC to Azure — zero stored credentials\n- `tfsec` + `checkov` on every PR — misconfigurations blocked before merge\n- Branch protection — 1 review required, no force push, signed commits\n- CODEOWNERS — module owners must approve changes to their modules\n\n---\n\n## Module Toggles\n\nEach module can be enabled or disabled independently:\n\n```hcl\nmodule \"zero_trust\" {\n  source = \"github.com/Solirius/zero-trust-compliance-pack\"\n\n  project_name        = \"my-project\"\n  resource_group_name = \"rg-workload\"\n\n  # Toggle modules on/off\n  enable_secrets_rotation    = true\n  enable_iam_least_privilege = true\n  enable_kms_encryption      = true\n  enable_compliance_checks   = true\n}\n```\n\nEmergency disable a broken module without affecting others:\n\n```bash\nterraform apply -var=\"enable_kms_encryption=false\"\n```\n\n---\n\n## Compliance Report\n\nAfter `terraform apply`, the root module outputs an aggregated compliance report:\n\n```bash\nterraform output -json compliance_report\n```\n\n```json\n{\n  \"CC6.1\": {\n    \"control\": \"CC6.1 — Logical access security\",\n    \"status\": \"compliant\",\n    \"evidence\": \"Custom RBAC roles with zero wildcard permissions...\"\n  },\n  \"CC6.2\": {\n    \"control\": \"CC6.2 — Credentials \u0026 secrets\",\n    \"status\": \"compliant\",\n    \"evidence\": \"Key Vault with automated rotation policy...\"\n  }\n}\n```\n\n---\n\n## Team\n\n| Person | Role | Modules |\n|---|---|---|\n| **Ayo** | Principal Engineer | Bootstrap, root wiring, integration, CI/CD |\n| **Owen** | Engineer | secrets-rotation, kms-encryption |\n| **Philip Afrane** | Engineer | iam-least-privilege, compliance-checks |\n\n---\n\n## Contributing\n\n1. Branch from `dev`: `git checkout -b feature/\u003cmodule-name\u003e`\n2. Follow the [module interface contract](#module-engineering-standards)\n3. Run locally: `terraform fmt \u0026\u0026 terraform validate \u0026\u0026 tfsec .`\n4. PR to `dev` — CI must pass, 1 approval required\n5. Use conventional commits: `feat:`, `fix:`, `chore:`\n\n---\n\n## Project Board\n\n[GitHub Project → Zero-Trust Secrets \u0026 Compliance Pack](https://github.com/orgs/Solirius/projects/11)\n\n32 issues across P0/P1/P2 priorities with execution guides per module.\n\n---\n\n## License\n\nInternal — Solirius Technology\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolirius%2Fzero-trust-compliance-pack","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolirius%2Fzero-trust-compliance-pack","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolirius%2Fzero-trust-compliance-pack/lists"}