Problem
The coding standard lacks a dedicated section on compliance requirements (ISO 27001, SOC2, Vanta).
Without this, AI coding assistants and new contributors make incorrect assumptions about data
classification and retention — e.g., treating access logs as "ephemeral data" when they are
compliance-required audit records.
What's needed
A new chapter/document covering compliance requirements that InfraHouse infrastructure must meet.
Topics to cover (non-exhaustive):
- Data classification — which data is compliance-governed (access logs, audit trails,
CloudTrail, VPC flow logs) vs truly ephemeral (build artifacts, Athena query results)
- Retention requirements — minimum retention periods mandated by ISO/SOC2
(e.g., 365 days for logs)
- Cross-region replication — Vanta test: "S3 backup configured for redundancy across
regions (AWS)" requires CRR on S3 buckets; this is not optional nice-to-have
- Destruction safeguards — production buckets containing compliance data must NOT default
to force_destroy; only test environments should opt in explicitly
- Vanta controls mapping — key Vanta tests and what infrastructure properties satisfy them
- Encryption requirements — at rest and in transit, which keys to use where
- Audit trail integrity — requirements around immutability and tamper evidence
Why
This context is critical for making correct infrastructure decisions. Without it codified:
- AI tools suggest unsafe defaults (force_destroy=true on audit logs)
- Contributors may skip CRR thinking it's gold-plating
- Review feedback lacks an authoritative reference to point to
Seen in
infrahouse/terraform-aws-website-pod#121 — incorrect suggestion
to default force_destroy=true on access log buckets that are compliance-required.
Problem
The coding standard lacks a dedicated section on compliance requirements (ISO 27001, SOC2, Vanta).
Without this, AI coding assistants and new contributors make incorrect assumptions about data
classification and retention — e.g., treating access logs as "ephemeral data" when they are
compliance-required audit records.
What's needed
A new chapter/document covering compliance requirements that InfraHouse infrastructure must meet.
Topics to cover (non-exhaustive):
CloudTrail, VPC flow logs) vs truly ephemeral (build artifacts, Athena query results)
(e.g., 365 days for logs)
regions (AWS)" requires CRR on S3 buckets; this is not optional nice-to-have
to force_destroy; only test environments should opt in explicitly
Why
This context is critical for making correct infrastructure decisions. Without it codified:
Seen in
infrahouse/terraform-aws-website-pod#121 — incorrect suggestion
to default force_destroy=true on access log buckets that are compliance-required.