A Pluggable Terraform Linter

TFLint is a framework and each feature is provided by plugins, the key features are as follows:

• Find possible errors (like invalid instance types) for Major Cloud providers (AWS/Azure/GCP).
• Warn about deprecated syntax, unused declarations.
• Enforce best practices, naming conventions.

Bash script (Linux):

curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash

Homebrew (macOS):

brew install tflint

Chocolatey (Windows):

choco install tflint

GnuPG

gpg --import 8CE69160EB3F2FE9.key
gpg --verify checksum.txt.sig checksum.txt
sha256sum --ignore-missing -c checksums.txt

Cosign

cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.keyless.sig --certificate-github-workflow-repository=terraform-linters/tflint checksums.txt
sha256sum --ignore-missing -c checksums.txt

Instead of installing directly, you can use the Docker images:

Example:

docker run --rm -v $(pwd):/data -t ghcr.io/terraform-linters/tflint

If you want to run on GitHub Actions, setup-tflint action is available.

First, enable rules for Terraform Language (e.g. warn about deprecated syntax, unused declarations). TFLint Ruleset for Terraform Language is bundled with TFLint, so you can use it without installing it separately.

The bundled plugin enables the "recommended" preset by default, but you can disable the plugin or use a different preset. Declare the plugin block in .tflint.hcl like this:

plugin "terraform" {
  enabled = true
  preset  = "recommended"
}

See the tflint-ruleset-terraform documentation for more information.

Next, If you are using an AWS/Azure/GCP provider, it is a good idea to install the plugin and try it according to each usage:

• Amazon Web Services
• Microsoft Azure
• Google Cloud Platform

If you want to extend TFLint with other plugins, you can declare the plugins in the config file and easily install them with tflint --init.

plugin "foo" {
  enabled = true
  version = "0.1.0"
  source  = "github.com/org/tflint-ruleset-foo"

  signing_key = <<-KEY
  -----BEGIN PGP PUBLIC KEY BLOCK-----

  mQINBFzpPOMBEADOat4P4z0jvXaYdhfy+UcGivb2XYgGSPQycTgeW1YuGLYdfrwz
  9okJj9pMMWgt/HpW8WrJOLv7fGecFT3eIVGDOzyT8j2GIRJdXjv8ZbZIn1Q+1V72
  AkqlyThflWOZf8GFrOw+UAR1OASzR00EDxC9BqWtW5YZYfwFUQnmhxU+9Cd92e6i
  ...
  KEY
}

See also Configuring Plugins.

TFLint inspects files under the current directory by default. You can change the behavior with the following options/arguments:

$ tflint --help
Usage:
  tflint [OPTIONS] [FILE or DIR...]

Application Options:
  -v, --version                                                 Print TFLint version
      --init                                                    Install plugins
      --langserver                                              Start language server
  -f, --format=[default|json|checkstyle|junit|compact|sarif]    Output format
  -c, --config=FILE                                             Config file name (default: .tflint.hcl)
      --ignore-module=SOURCE                                    Ignore module sources
      --enable-rule=RULE_NAME                                   Enable rules from the command line
      --disable-rule=RULE_NAME                                  Disable rules from the command line
      --only=RULE_NAME                                          Enable only this rule, disabling all other defaults. Can be specified multiple times
      --enable-plugin=PLUGIN_NAME                               Enable plugins from the command line
      --var-file=FILE                                           Terraform variable file name
      --var='foo=bar'                                           Set a Terraform variable
      --module                                                  Inspect modules
      --force                                                   Return zero exit status even if issues found
      --color                                                   Enable colorized output
      --no-color                                                Disable colorized output

Help Options:
  -h, --help                                                    Show this help message

See User Guide for details.

No. TFLint always checks only the current root module (no recursive check). However, you can check calling child modules based on module arguments by enabling Module Inspection. This allows you to check that you are not passing illegal values to the module.

Note that if you want to recursively inspect local modules, you need to run them in each directory. This is a limitation that occurs because Terraform always works for one directory. TFLint tries to emulate Terraform's semantics, so cannot perform recursive inspection.

No. TFLint works as a single binary because Terraform is embedded as a library. Note that this means that the version of Terraform used is determined for each TFLint version. See also Compatibility with Terraform.

If you don't get the expected behavior, you can see the detailed logs when running with TFLINT_LOG environment variable.

$ TFLINT_LOG=debug tflint

See Developer Guide.