TFLint is a Terraform linter focused on possible errors, best practices, etc.
Terraform is a great tool for Infrastructure as Code. However, many of these tools don't validate provider-specific issues. For example, see the following configuration file:
```hcl
resource "aws_instance" "web" {
  ami           = "ami-b73b63a0"
  instance_type = "t1.2xlarge" # invalid type!

  tags = {
    Name = "HelloWorld"
  }
}
```
Since `t1.2xlarge` is a nonexistent instance type, an error will occur when you run `terraform apply`. But `terraform plan` and `terraform validate` cannot find this possible error beforehand. That's because it's an AWS provider-specific issue and it's valid as a Terraform configuration.
TFLint finds such errors in advance:
```
$ tflint
template.tf
        ERROR:3 instance_type is not a valid value (aws_instance_invalid_type)

Result: 2 issues (1 errors , 0 warnings , 1 notices)
```
You can download the binary built for your architecture from the latest release. The following is an example of installation on macOS:
```
$ wget https://github.com/wata727/tflint/releases/download/v0.9.1/tflint_darwin_amd64.zip
$ unzip tflint_darwin_amd64.zip
Archive:  tflint_darwin_amd64.zip
  inflating: tflint
$ mkdir -p /usr/local/tflint/bin
$ export PATH=/usr/local/tflint/bin:$PATH
$ install tflint /usr/local/tflint/bin
$ tflint -v
```
On Linux-based operating systems, you can use the `install_linux.sh` script to automate the installation process.
macOS users can also use Homebrew to install TFLint:
```
$ brew tap wata727/tflint
$ brew install tflint
```
You can also use TFLint via Docker.
```
$ docker run --rm -v "$(pwd)":/data -t wata727/tflint
```
700+ rules are available. See Rules.
TFLint currently only inspects Terraform-specific issues and AWS issues.
It also loads configurations in the same way as Terraform v0.12. This means that it cannot inspect configurations that Terraform v0.12 cannot parse.
See Compatibility with Terraform for details.
TFLint inspects all configurations under the current directory by default. You can also change the behavior with the following options:
```
$ tflint --help
Usage:
  tflint [OPTIONS] [FILE or DIR...]

Application Options:
  -v, --version                             Print TFLint version
  -f, --format=[default|json|checkstyle]    Output format (default: default)
  -c, --config=FILE                         Config file name (default: .tflint.hcl)
      --ignore-module=SOURCE1,SOURCE2...    Ignore module sources
      --ignore-rule=RULE1,RULE2...          Ignore rule names
      --var-file=FILE1,FILE2...             Terraform variable file names
      --var='foo=bar'                       Set a Terraform variable
      --module                              Inspect modules
      --deep                                Enable deep check mode
      --aws-access-key=ACCESS_KEY           AWS access key used in deep check mode
      --aws-secret-key=SECRET_KEY           AWS secret key used in deep check mode
      --aws-profile=PROFILE                 AWS shared credential profile name used in deep check mode
      --aws-region=REGION                   AWS region used in deep check mode
      --force                               Return zero exit status even if issues found
  -q, --quiet                               Do not output any message when no issues are found (default format only)

Help Options:
  -h, --help                                Show this help message
```
See User guide for each option.
TFLint returns the following exit statuses on exit:
- 0: No issues found
- 1: Errors occurred
- 2: No errors occurred, but issues found
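
The exit statuses above are what a CI job should branch on. The following added example (not part of the TFLint project) runs TFLint over several directories and keeps status 1, a failed run, distinct from status 2, issues found; the names `lint_dirs` and `TFLINT_BIN` are assumptions of this example.

```shell
# Added example, not part of TFLint: a CI gate over several directories that
# relies on the exit statuses listed above. lint_dirs and TFLINT_BIN are names
# chosen for this example.
TFLINT_BIN="${TFLINT_BIN:-tflint}"

# lint_dirs DIR...
# Returns 0 if every directory is clean, 2 if at least one has issues and
# every run completed, 1 if any run failed (status 1, missing binary, bad dir).
# --force is deliberately not passed: it would make every run return 0.
lint_dirs() {
  local dir status worst
  worst=0
  for dir in "$@"; do
    if [ ! -d "$dir" ]; then
      echo "lint_dirs: not a directory: $dir" >&2
      worst=1
      continue
    fi
    # TFLint inspects the current directory by default, so run it from
    # inside each directory; the subshell keeps the cd from leaking.
    status=0
    ( cd "$dir" && "$TFLINT_BIN" ) || status=$?
    case "$status" in
      0) ;;
      2)
        echo "lint_dirs: issues found in $dir" >&2
        if [ "$worst" -eq 0 ]; then worst=2; fi
        ;;
      *)
        # Status 1 means TFLint itself hit an error; 127 and the like mean
        # it never ran. A run that did not complete is never a pass.
        echo "lint_dirs: TFLint did not complete in $dir (status $status)" >&2
        worst=1
        ;;
    esac
  done
  return "$worst"
}
```

In a pipeline step, fail the job on any non-zero return from `lint_dirs`; a return of 1 points at a broken check rather than at a finding in the configuration.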
If you don't get the expected behavior, you can see detailed logs by running TFLint with the `TFLINT_LOG` environment variable set:
```
$ TFLINT_LOG=debug tflint
```
See Developer guide.