github.com/terraform-linters/tflint @v0.63.1 sqlite

1,015 symbols 3,709 edges 201 files 462 documented · 46%
README

TFLint

A Pluggable Terraform Linter

Features

TFLint is a framework in which each feature is provided by plugins. The key features are as follows:

  • Find possible errors (like invalid instance types) for Major Cloud providers (AWS/Azure/GCP).
  • Warn about deprecated syntax, unused declarations.
  • Enforce best practices, naming conventions.

Installation

Download the appropriate archive from the latest release, verify it, and install the binary:

curl -sSLO https://github.com/terraform-linters/tflint/releases/latest/download/tflint_linux_amd64.zip
curl -sSLO https://github.com/terraform-linters/tflint/releases/latest/download/checksums.txt
gh attestation verify checksums.txt -R terraform-linters/tflint
sha256sum --ignore-missing -c checksums.txt
unzip tflint_linux_amd64.zip
sudo install -c -v tflint /usr/local/bin/

Homebrew (macOS):

brew install terraform-linters/tap/tflint

WinGet (Windows):

winget install -e --id TerraformLinters.tflint

Verification

GitHub CLI (Recommended)

Artifact Attestations are available that can be verified using the GitHub CLI.

gh attestation verify checksums.txt -R terraform-linters/tflint
sha256sum --ignore-missing -c checksums.txt
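
The checksum step above, written as a fail-closed function for CI that reports why verification failed. This is an added example, not code from the TFLint project; the function name verify_release_archive and its return codes are assumptions, and it expects checksums.txt to have already passed gh attestation verify.

```bash
#!/usr/bin/env bash
# Added example (not from the TFLint project). verify_release_archive is a
# hypothetical helper name. Assumes checksums.txt uses the sha256sum layout
# "<hex digest>  <filename>" and was already checked with
# `gh attestation verify checksums.txt -R terraform-linters/tflint`.

# verify_release_archive ARCHIVE CHECKSUMS
# Returns 0 only when ARCHIVE is listed exactly once in CHECKSUMS and its
# SHA-256 digest matches. 1 = digest mismatch, 2 = missing input file,
# 3 = archive not listed (or listed more than once).
verify_release_archive() {
  local archive checksums name expected actual
  archive="$1"
  checksums="$2"

  [ -f "$archive" ] && [ -f "$checksums" ] || return 2
  name=$(basename -- "$archive")

  # Compare the filename field exactly (a leading '*' marks binary mode),
  # so a similarly named entry cannot stand in for the archive.
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { digest = $1; count++ }
    END { if (count == 1) print digest }
  ' "$checksums")
  [ -n "$expected" ] || return 3

  actual=$(sha256sum -- "$archive" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] || return 1
  return 0
}

# Typical use before unzip/install:
#   verify_release_archive tflint_linux_amd64.zip checksums.txt || exit 1
```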

Cosign (Deprecated)

Warning: Cosign signatures are now deprecated. Please use GitHub CLI.

The cosign verify-blob command ensures that the release was built with GitHub Actions in this repository.

cosign verify-blob --certificate=checksums.txt.pem --signature=checksums.txt.keyless.sig --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" --certificate-oidc-issuer=https://token.actions.githubusercontent.com checksums.txt
sha256sum --ignore-missing -c checksums.txt

Docker

Instead of installing directly, you can use the Docker image:

docker run --rm -v $(pwd):/data -t ghcr.io/terraform-linters/tflint

To download plugins, you can override the entrypoint to a shell (sh) to run --init and the main command in a single docker run command:

docker run --rm -v $(pwd):/data -t --entrypoint /bin/sh ghcr.io/terraform-linters/tflint -c "tflint --init && tflint"

GitHub Actions

If you want to run on GitHub Actions, the setup-tflint action is available.

Getting Started

First, enable rules for Terraform Language (e.g. warn about deprecated syntax, unused declarations). TFLint Ruleset for Terraform Language is bundled with TFLint, so you can use it without installing it separately.

The bundled plugin enables the "recommended" preset by default, but you can disable the plugin or use a different preset. Declare the plugin block in .tflint.hcl like this:

plugin "terraform" {
  enabled = true
  preset  = "recommended"
}

See the tflint-ruleset-terraform documentation for more information.

Next, if you are using an AWS/Azure/GCP provider, it is a good idea to install the plugin and try it according to each usage:

If you want to extend TFLint with other plugins, you can declare the plugins in the config file and easily install them with tflint --init.

plugin "foo" {
  enabled = true
  version = "0.1.0"
  source  = "github.com/org/tflint-ruleset-foo"
}

See also Configuring Plugins.

You can discover plugins from other organizations on GitHub via the tflint-ruleset topic.

If you want to add custom rules that are not in existing plugins, you can build your own plugin or write your own policy in Rego. See Writing Plugins or OPA Ruleset.

Usage

TFLint inspects files under the current directory by default. You can change the behavior with the following options/arguments:

$ tflint --help
Usage:
  tflint --chdir=DIR/--recursive [OPTIONS]

Application Options:
  -v, --version                                                 Print TFLint version
      --init                                                    Install plugins
      --langserver                                              Start language server
  -f, --format=[default|json|checkstyle|junit|compact|sarif]    Output format
  -c, --config=FILE                                             Config file name (default: .tflint.hcl)
      --ignore-module=SOURCE                                    Ignore module sources
      --enable-rule=RULE_NAME                                   Enable rules from the command line
      --disable-rule=RULE_NAME                                  Disable rules from the command line
      --only=RULE_NAME                                          Enable only this rule, disabling all other defaults. Can be specified multiple times
      --enable-plugin=PLUGIN_NAME                               Enable plugins from the command line
      --var-file=FILE                                           Terraform variable file name
      --var='foo=bar'                                           Set a Terraform variable
      --call-module-type=[all|local|none]                       Types of module to call (default: local)
      --chdir=DIR                                               Switch to a different working directory before executing the command
      --recursive                                               Run command in each directory recursively
      --filter=FILE                                             Filter issues by file names or globs
      --force                                                   Return zero exit status even if issues found
      --minimum-failure-severity=[error|warning|notice]         Sets minimum severity level for exiting with a non-zero error code
      --color                                                   Enable colorized output
      --no-color                                                Disable colorized output
      --fix                                                     Fix issues automatically
      --no-parallel-runners                                     Disable per-runner parallelism
      --max-workers=N                                           Set maximum number of workers in recursive inspection (default: number of CPUs)

Help Options:
  -h, --help                                                    Show this help message

See User Guide for details.

Debugging

If you don't get the expected behavior, you can see detailed logs by running with the TFLINT_LOG environment variable set.

$ TFLINT_LOG=debug tflint

Developing

See Developer Guide.

Security

If you find a security vulnerability, please refer to our security policy.

License

Please note that although much of this project is licensed under MPL 2.0, some files in the terraform package are licensed under BUSL 1.1.

For the reasons stated above, the executable forms (release binaries) are bound by both licenses.

See also https://discuss.hashicorp.com/t/hashicorp-projects-changing-license-to-business-source-license-v1-1/57106/7

Extension points exported contracts — how you extend this code

Rule (Interface)
Rule is interface for building the issue [22 implementers]
tflint/runner.go
Annotation (Interface)
Annotation represents comments with special meaning in TFLint [2 implementers]
tflint/annotation.go
RuleSet (Interface)
RuleSet is an interface to handle plugin's RuleSet. The real impl is github.com/terraform-linters/tflint-plugin-sdk/plug [2 …
tflint/config.go
Data (Interface)
Data is an interface whose implementations can provide cty.Value representations of objects identified by referenceable [2 …
terraform/lang/data.go
ModuleWalker (Interface)
A ModuleWalker knows how to find and load a child module given details about the module to be loaded and a reference to
terraform/config.go
UniqueKey (Interface)
UniqueKey represents a value that is comparable and uniquely identifies another value of type T. The Go type system off
terraform/collections/unique_key.go
ModuleSource (Interface)
ModuleSource is the general type for all three of the possible module source address types. The concrete implementations
terraform/addrs/module_source.go
ModuleWalkerFunc (FuncType)
ModuleWalkerFunc is an implementation of ModuleWalker that directly wraps a callback function, for more convenient use o
terraform/config.go

Core symbols most depended-on inside this repo

Run
called by 176
cmd/cli.go
String
called by 91
tflint/annotation.go
EmptyConfig
called by 53
tflint/config.go
NewInstallConfig
called by 39
plugin/install.go
Name
called by 37
tflint/runner.go
ParseIP
called by 37
terraform/ipaddr/ip.go
String
called by 27
terraform/addrs/instance_key.go
NewLoader
called by 24
terraform/loader.go

Shape

Function 500
Method 367
Struct 119
TypeAlias 18
Interface 10
FuncType 1

Languages

Go 100%

Modules by API surface

plugin/install.go 24 symbols
tflint/runner.go 21 symbols
terraform/loader_test.go 21 symbols
tflint/config.go 19 symbols
terraform/lang/funcs/crypto.go 18 symbols
tflint/runner_test.go 16 symbols
terraform/lang/funcs/crypto_test.go 16 symbols
terraform/parser.go 15 symbols
terraform/addrs/instance_key.go 15 symbols
tflint/config_test.go 14 symbols
tflint/annotation.go 14 symbols
terraform/tfhcl/expand_body.go 13 symbols

Dependencies from manifests, versioned

cel.dev/expr v0.25.1 · 1×
cloud.google.com/go v0.123.0 · 1×
cloud.google.com/go/auth/oauth2adapt v0.2.8 · 1×
cloud.google.com/go/compute/metadata v0.9.0 · 1×
cloud.google.com/go/monitoring v1.24.3 · 1×
cloud.google.com/go/storage v1.61.3 · 1×
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0 · 1×
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.55.0 · 1×
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.55.0 · 1×
github.com/Masterminds/semver/v3 v3.5.0 · 1×
