A Pluggable Terraform Linter
TFLint is a framework in which each feature is provided by a plugin. The key features are as follows:
- Find possible errors (like invalid instance types) for Major Cloud providers (AWS/Azure/GCP).
- Warn about deprecated syntax, unused declarations.
- Enforce best practices, naming conventions.
Bash script (Linux):
curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
Homebrew (macOS):
brew install tflint
Chocolatey (Windows):
choco install tflint
NOTE: The Chocolatey package is NOT directly maintained by the TFLint maintainers. The latest version is always available by manual installation.
Artifact Attestations are available and can be verified using the GitHub CLI.
gh attestation verify checksums.txt -R terraform-linters/tflint
sha256sum --ignore-missing -c checksums.txt
The cosign verify-blob command ensures that the release was built with GitHub Actions in this repository.
cosign verify-blob --certificate=checksums.txt.pem --signature=checksums.txt.keyless.sig --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" --certificate-oidc-issuer=https://token.actions.githubusercontent.com checksums.txt
sha256sum --ignore-missing -c checksums.txt
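The checksum half of the verification flow above can be exercised offline. The following is an added example, not part of the TFLint README: it constructs a fake release directory (one downloaded archive, one archive that was not downloaded, and a checksums.txt covering both), then shows that the same sha256sum --ignore-missing -c invocation accepts the genuine archive and rejects one that was modified after the checksums were published. The gh attestation and cosign steps need network access and are not reproduced here; the file names and contents are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the TFLint README): offline demonstration of the
# checksum step of release verification, including the tampered-archive case.

# verify_release DIR: run the README's checksum check inside DIR.
# --ignore-missing skips listed files that were never downloaded (other
# platforms' archives); every file that IS present must match.
# Returns 0 on success, non-zero if any present file mismatches.
verify_release() {
  ( cd "$1" && sha256sum --ignore-missing -c checksums.txt >/dev/null 2>&1 )
}

# make_fixture DIR: build a constructed release directory. The zip name and
# contents are placeholders, not a real TFLint artifact.
make_fixture() {
  mkdir -p "$1"
  printf 'placeholder tflint binary\n' > "$1/tflint_linux_amd64.zip"
  # checksums.txt lists the downloaded archive plus one that is absent,
  # mimicking the multi-platform checksums file shipped with a release.
  ( cd "$1" && sha256sum tflint_linux_amd64.zip > checksums.txt \
    && printf '%s  tflint_darwin_arm64.zip\n' \
       "$(printf 'other' | sha256sum | cut -d' ' -f1)" >> checksums.txt )
}

# tamper DIR: simulate an archive altered after checksums.txt was published
# (a mirror swap, a truncated download, or an injected payload all look alike
# to the checksum step).
tamper() {
  printf 'extra byte\n' >> "$1/tflint_linux_amd64.zip"
}

# Stand-alone run: genuine archive passes, tampered archive fails.
if [ "${0##*/}" != "sh" ] && [ -z "${TFLINT_EXAMPLE_NO_MAIN:-}" ]; then
  dir=$(mktemp -d)
  make_fixture "$dir"
  verify_release "$dir" && echo "genuine archive: OK"
  tamper "$dir"
  verify_release "$dir" || echo "tampered archive: REJECTED"
  rm -rf "$dir"
fi
```

Note that the checksum only proves integrity relative to checksums.txt; the attestation or cosign step above is what ties checksums.txt itself to a build from this repository, so run those first and only then trust the checksum comparison.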
Instead of installing directly, you can use the Docker image:
docker run --rm -v $(pwd):/data -t ghcr.io/terraform-linters/tflint
If you want to run on GitHub Actions, setup-tflint action is available.
First, enable rules for Terraform Language (e.g. warn about deprecated syntax, unused declarations). TFLint Ruleset for Terraform Language is bundled with TFLint, so you can use it without installing it separately.
The bundled plugin enables the "recommended" preset by default, but you can disable the plugin or use a different preset. Declare the plugin block in .tflint.hcl like this:
plugin "terraform" {
enabled = true
preset = "recommended"
}
See the tflint-ruleset-terraform documentation for more information.
Next, if you are using an AWS/Azure/GCP provider, it is a good idea to install the corresponding plugin and try it according to its usage:
If you want to extend TFLint with other plugins, you can declare the plugins in the config file and easily install them with tflint --init.
plugin "foo" {
enabled = true
version = "0.1.0"
source = "github.com/org/tflint-ruleset-foo"
signing_key = <<-KEY
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFzpPOMBEADOat4P4z0jvXaYdhfy+UcGivb2XYgGSPQycTgeW1YuGLYdfrwz
9okJj9pMMWgt/HpW8WrJOLv7fGecFT3eIVGDOzyT8j2GIRJdXjv8ZbZIn1Q+1V72
AkqlyThflWOZf8GFrOw+UAR1OASzR00EDxC9BqWtW5YZYfwFUQnmhxU+9Cd92e6i
...
KEY
}
See also Configuring Plugins.
If you want to add custom rules that are not in existing plugins, you can build your own plugin or write your own policy in Rego. See Writing Plugins or OPA Ruleset.
TFLint inspects files under the current directory by default. You can change the behavior with the following options/arguments:
$ tflint --help
Usage:
tflint --chdir=DIR/--recursive [OPTIONS]
Application Options:
-v, --version Print TFLint version
--init Install plugins
--langserver Start language server
-f, --format=[default|json|checkstyle|junit|compact|sarif] Output format
-c, --config=FILE Config file name (default: .tflint.hcl)
--ignore-module=SOURCE Ignore module sources
--enable-rule=RULE_NAME Enable rules from the command line
--disable-rule=RULE_NAME Disable rules from the command line
--only=RULE_NAME Enable only this rule, disabling all other defaults. Can be specified multiple times
--enable-plugin=PLUGIN_NAME Enable plugins from the command line
--var-file=FILE Terraform variable file name
--var='foo=bar' Set a Terraform variable
--call-module-type=[all|local|none] Types of module to call (default: local)
--chdir=DIR Switch to a different working directory before executing the command
--recursive Run command in each directory recursively
--filter=FILE Filter issues by file names or globs
--force Return zero exit status even if issues found
--minimum-failure-severity=[error|warning|notice] Sets minimum severity level for exiting with a non-zero error code
--color Enable colorized output
--no-color Disable colorized output
--fix Fix issues automatically
--no-parallel-runners Disable per-runner parallelism
--max-workers=N Set maximum number of workers in recursive inspection (default: number of CPUs)
Help Options:
-h, --help Show this help message
See User Guide for details.
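Putting the plugin configuration and the command-line options together, the following is an added example (not from the TFLint README) of a CI lint gate: it writes a .tflint.hcl that keeps the bundled terraform ruleset on the "recommended" preset and pins the official AWS ruleset, then runs tflint --init followed by a recursive inspection that fails the job only on error-severity findings. The source of the AWS ruleset is the real terraform-linters repository; the version string is a placeholder to be replaced with a released tag. Official plugins under the terraform-linters organisation use a built-in signing key, so no signing_key block is declared for it.

```shell
#!/usr/bin/env sh
# Added example (not from the TFLint README): pinned plugin config plus a
# CI gate built from the options in the help output above.

# write_tflint_config DIR: write DIR/.tflint.hcl.
write_tflint_config() {
  cat > "$1/.tflint.hcl" <<'EOF'
# Bundled ruleset for the Terraform language: deprecated syntax, unused
# declarations and so on.
plugin "terraform" {
  enabled = true
  preset  = "recommended"
}

# Official AWS ruleset. Pinning the version in CI keeps a new plugin release
# from silently changing which findings fail the build. Official plugins have
# a built-in signing key, so no signing_key is needed here.
plugin "aws" {
  enabled = true
  version = "X.Y.Z"   # placeholder: replace with a released tflint-ruleset-aws tag
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}
EOF
}

# lint_gate DIR: install the pinned plugins, then lint every module under DIR.
# --recursive                        : one run per directory under DIR
# --format compact                   : one line per issue, easy to read in CI logs
# --minimum-failure-severity=error   : warnings and notices are reported but
#                                      do not fail the job; errors do
# --force is deliberately NOT passed, so the non-zero exit propagates.
lint_gate() {
  command -v tflint >/dev/null 2>&1 || { echo "tflint is not installed" >&2; return 127; }
  ( cd "$1" \
    && tflint --init \
    && tflint --recursive --format compact --minimum-failure-severity=error )
}

# Stand-alone run: write the config into the current directory and gate on it.
if [ -z "${TFLINT_EXAMPLE_NO_MAIN:-}" ]; then
  write_tflint_config "."
  lint_gate "." && echo "lint gate passed"
fi
```

Set TFLINT_LOG=debug in the job environment when the gate behaves unexpectedly; it applies to both the --init and the inspection run without any change to the script.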
If you don't get the expected behavior, you can see the detailed logs when running with the TFLINT_LOG environment variable.
$ TFLINT_LOG=debug tflint
See Developer Guide.
If you find a security vulnerability, please refer our security policy.
Please note that although much of this project is licensed under MPL 2.0, some files in the terraform package are licensed under BUSL 1.1. For the reasons stated above, the executable forms (release binaries) are bound by both licenses.