TFLint

TFLint is a Terraform linter focused on possible errors, best practices, etc.

Why TFLint is required?

Terraform is a great tool for Infrastructure as Code. However, many of these tools don't validate provider-specific issues. For example, see the following configuration file:

resource "aws_instance" "foo" {
  ami           = "ami-0ff8a91507f77f867"
  instance_type = "t1.2xlarge" # invalid type!
}

Since t1.2xlarge is a nonexistent instance type, an error will occur when you run terraform apply. But terraform plan and terraform validate cannot find this possible error beforehand. That's because it's an AWS provider-specific issue and it's valid as a Terraform configuration.

TFLint finds such errors in advance:

Installation

You can download the binary built for your architecture from the latest release. The following is an example of installation on macOS:

$ curl --location https://github.com/terraform-linters/tflint/releases/download/v0.18.0/tflint_darwin_amd64.zip --output tflint_darwin_amd64.zip
$ unzip tflint_darwin_amd64.zip
Archive:  tflint_darwin_amd64.zip
  inflating: tflint
$ install tflint /usr/local/bin
$ tflint -v

For Linux based OS, you can use the install_linux.sh to automate the installation process, or try the following oneliner to download latest binary for AMD64 architecture.

$ curl -L "$(curl -Ls https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" -o tflint.zip && unzip tflint.zip && rm tflint.zip

Homebrew

macOS users can also use Homebrew to install TFLint:

$ brew install tflint

Chocolatey

Windows users can use Chocolatey:

choco install tflint

Docker

You can also use TFLint via Docker.

$ docker run --rm -v $(pwd):/data -t wata727/tflint

Features

700+ rules are available. See Rules.

Providers

TFLint supports multiple providers via plugins. The following is the Major Cloud support status.

name	status	description
AWS	Available	Inspections for AWS resources are now built into TFLint. So, it is not necessary to install the plugin separately. In the future, these will be cut out to the plugin, but all are in progress.
Azure	Experimental	Experimental support has been started. You can inspect Azure resources by installing the plugin.
Google Cloud Platform	Work in Progress	Everything is working and not available.

Please see the documentation about the plugin system.

Limitations

TFLint load configurations in the same way as Terraform v0.12. This means that it cannot inspect configurations that cannot be parsed on Terraform v0.12.

See Compatibility with Terraform for details.

Usage

TFLint inspects all configurations under the current directory by default. You can also change the behavior with the following options:

$ tflint --help
Usage:
  tflint [OPTIONS] [FILE or DIR...]

Application Options:
  -v, --version                                   Print TFLint version
      --langserver                                Start language server
  -f, --format=[default|json|checkstyle|junit]    Output format (default: default)
  -c, --config=FILE                               Config file name (default: .tflint.hcl)
      --ignore-module=SOURCE                      Ignore module sources
      --enable-rule=RULE_NAME                     Enable rules from the command line
      --disable-rule=RULE_NAME                    Disable rules from the command line
      --var-file=FILE                             Terraform variable file name
      --var='foo=bar'                             Set a Terraform variable
      --module                                    Inspect modules
      --deep                                      Enable deep check mode
      --aws-access-key=ACCESS_KEY                 AWS access key used in deep check mode
      --aws-secret-key=SECRET_KEY                 AWS secret key used in deep check mode
      --aws-profile=PROFILE                       AWS shared credential profile name used in deep check mode
      --aws-creds-file=FILE                       AWS shared credentials file path used in deep checking
      --aws-region=REGION                         AWS region used in deep check mode
      --force                                     Return zero exit status even if issues found
      --no-color                                  Disable colorized output
      --loglevel=[trace|debug|info|warn|error]    Change the loglevel (default: none)

Help Options:
  -h, --help                                      Show this help message

See User guide for each option.

Exit Statuses

TFLint returns the following exit statuses on exit:

0: No issues found
2: Errors occurred
3: No errors occurred, but issues found

FAQ

Does TFLint check modules recursively?

No. TFLint always checks only the current root module (no recursive check)

Do I need to install Terraform for TFLint to work?

No. TFLint works as a single binary because Terraform is embedded as a library. Note that this means that the version of Terraform used is determined for each TFLint version. See also Compatibility with Terraform.

TFLint causes a loading error in my code that is valid in Terraform. Why?

First, check the version of Terraform you are using. Terraform v0.12 introduced a major syntax change, and unfortunately TFLint only supports that new syntax.

Debugging

If you don't get the expected behavior, you can see the detailed logs when running with TFLINT_LOG environment variable.

$ TFLINT_LOG=debug tflint

Developing

See Developer guide.

ololabs / tflint Goto Github PK

tflint's Introduction