A Pluggable Terraform Linter
TFLint is a framework in which each feature is provided by plugins. The key features are as follows:
- Find possible errors (like illegal instance types) for Major Cloud providers (AWS/Azure/GCP).
- Warn about deprecated syntax, unused declarations.
- Enforce best practices, naming conventions.
Bash script (Linux):
curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
Homebrew (macOS):
brew install tflint
Chocolatey (Windows):
choco install tflint
GnuPG
gpg --import 8CE69160EB3F2FE9.key
gpg --verify checksums.txt.sig checksums.txt
sha256sum --ignore-missing -c checksums.txt
Cosign (experimental)
COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature checksums.txt.keyless.sig checksums.txt
sha256sum --ignore-missing -c checksums.txt
IMPORTANT: Keyless signing is still in development, so you should not rely on it completely. For instance, the command above does not validate the OIDC subject claim, so the public key is not guaranteed to be one issued to the maintainers.
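Both verification procedures above end with `sha256sum --ignore-missing -c checksums.txt`, which only hashes files whose names appear in the list, so a pass does not prove that the file you are about to install was checked. The following added example (not part of the TFLint project; the function names `verify_artifact`, `report` and `demo` and the sample file names are assumptions) checks one named artifact and fails closed when it is not listed exactly once.

```shell
#!/bin/sh
# Added example (not from the TFLint project). Assumes GNU coreutils and that
# checksums.txt has already passed `gpg --verify` or `cosign verify-blob`.

# verify_artifact FILE CHECKSUMS
# Returns 0 = digest matches, 1 = digest mismatch,
#         2 = FILE is not listed exactly once, 3 = unreadable input.
verify_artifact() {
    file=$1
    sums=$2
    [ -r "$file" ] && [ -r "$sums" ] || return 3
    name=$(basename "$file")
    # Lines are "<hex digest>  <name>"; a "*" before the name marks binary mode.
    # Assumes artifact names contain no whitespace.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    [ "$(printf '%s' "$expected" | grep -c .)" -eq 1 ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# report LABEL CMD...: run CMD and print LABEL=<exit status>.
report() {
    label=$1
    shift
    rc=0
    "$@" || rc=$?
    echo "$label=$rc"
}

# Constructed sample data: file names and contents are made up for the demo.
demo() {
    d=$(mktemp -d) || return 3
    printf 'constructed release bytes\n' > "$d/tflint_linux_amd64.zip"
    printf 'constructed unknown bytes\n' > "$d/tflint_renamed.zip"
    (cd "$d" && sha256sum tflint_linux_amd64.zip > checksums.txt)
    report match verify_artifact "$d/tflint_linux_amd64.zip" "$d/checksums.txt"
    report renamed verify_artifact "$d/tflint_renamed.zip" "$d/checksums.txt"
    # The bulk check only covers listed names, so the renamed file is never
    # hashed and the command still succeeds.
    report bulk sh -c 'cd "$1" && sha256sum --ignore-missing -c checksums.txt >/dev/null' sh "$d"
    printf 'tampered\n' >> "$d/tflint_linux_amd64.zip"
    report tampered verify_artifact "$d/tflint_linux_amd64.zip" "$d/checksums.txt"
    rm -rf "$d"
}

demo
```

Run the signature check on `checksums.txt` first; a digest match against an unverified list proves nothing about who published the file.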
Instead of installing directly, you can use the Docker images:
Name | Description |
---|---|
ghcr.io/terraform-linters/tflint | Basic image |
ghcr.io/terraform-linters/tflint-bundle | A Docker image with TFLint and ruleset plugins |
Example:
docker run --rm -v $(pwd):/data -t ghcr.io/terraform-linters/tflint
If you want to run on GitHub Actions, setup-tflint action is available.
If you are using an AWS/Azure/GCP provider, it is a good idea to install the plugin and try it according to each usage:
Rules for the Terraform Language are built into the TFLint binary, so you don't need to install any plugins. Please see Rules for a list of available rules.
If you want to extend TFLint with other plugins, you can declare the plugins in the config file and easily install them with tflint --init.
plugin "foo" {
  enabled = true
  version = "0.1.0"
  source  = "github.com/org/tflint-ruleset-foo"
  signing_key = <<-KEY
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  mQINBFzpPOMBEADOat4P4z0jvXaYdhfy+UcGivb2XYgGSPQycTgeW1YuGLYdfrwz
  9okJj9pMMWgt/HpW8WrJOLv7fGecFT3eIVGDOzyT8j2GIRJdXjv8ZbZIn1Q+1V72
  AkqlyThflWOZf8GFrOw+UAR1OASzR00EDxC9BqWtW5YZYfwFUQnmhxU+9Cd92e6i
  ...
  KEY
}
See also Configuring Plugins.
TFLint inspects files under the current directory by default. You can change the behavior with the following options/arguments:
$ tflint --help
Usage:
tflint [OPTIONS] [FILE or DIR...]
Application Options:
-v, --version Print TFLint version
--init Install plugins
--langserver Start language server
-f, --format=[default|json|checkstyle|junit|compact|sarif] Output format
-c, --config=FILE Config file name (default: .tflint.hcl)
--ignore-module=SOURCE Ignore module sources
--enable-rule=RULE_NAME Enable rules from the command line
--disable-rule=RULE_NAME Disable rules from the command line
--only=RULE_NAME Enable only this rule, disabling all other defaults. Can be specified multiple times
--enable-plugin=PLUGIN_NAME Enable plugins from the command line
--var-file=FILE Terraform variable file name
--var='foo=bar' Set a Terraform variable
--module Inspect modules
--force Return zero exit status even if issues found
--color Enable colorized output
--no-color Disable colorized output
--loglevel=[trace|debug|info|warn|error] Change the loglevel
Help Options:
-h, --help Show this help message
See User Guide for details.
No. TFLint always checks only the current root module (no recursive check). However, you can check calls to child modules based on module arguments by enabling Module Inspection. This allows you to check that you are not passing illegal values to the module.
Note that if you want to recursively inspect local modules, you need to run TFLint in each directory. This limitation exists because Terraform always works on one directory. TFLint tries to emulate Terraform's semantics, so it cannot perform recursive inspection.
No. TFLint works as a single binary because Terraform is embedded as a library. Note that this means that the version of Terraform used is determined for each TFLint version. See also Compatibility with Terraform.
First, check the version of Terraform and TFLint you are using. TFLint loads files differently than the installed Terraform, so an error can occur if the version of Terraform supported by TFLint is different from the installed Terraform.
If you don't get the expected behavior, you can see the detailed logs when running with the TFLINT_LOG environment variable.
$ TFLINT_LOG=debug tflint
See Developer Guide.