Terraform Tutorials: TFLint, covering installation, configuration, usage

Comprehensive Guide to TFLint

Introduction to TFLint

TFLint is an open-source Terraform linter (static analysis tool) that checks Terraform configurations for errors, potential bugs, and stylistic or best-practice violations. It helps developers identify issues that Terraform’s built-in validation (terraform validate) might not catch, especially provider-specific problems like invalid AWS instance types or missing required Terraform versions.

Key Benefits of TFLint:

  • Early Error Detection – Catches issues before deployment, preventing costly failures.
  • Best Practice Enforcement – Ensures configurations align with Terraform and provider recommendations.
  • Security & Compliance Checks – Detects security risks like open security groups.
  • CI/CD Integration – Works in development workflows to maintain high-quality infrastructure as code (IaC).

Installation

TFLint is available for macOS, Linux, and Windows. You can install it using package managers or download the binary.

macOS (Homebrew):

brew install tflint

Linux:

curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash

Alternatively, install it via Snap:

sudo snap install tflint

Windows (Chocolatey):

choco install tflint

Docker (Alternative):

docker run --rm -v "$(pwd)":/data -t ghcr.io/terraform-linters/tflint

Verify Installation:

tflint --version

Basic Usage

TFLint is straightforward to use. Navigate to your Terraform project directory and run:

tflint

If using provider-specific rules, initialize plugins first:

tflint --init

Example Output:

1 issue(s) found:
Warning: terraform "required_version" attribute is required.

Configuration

TFLint can be customized using a .tflint.hcl configuration file.

Example .tflint.hcl Configuration:

tflint {
  required_version = ">= 0.50"
}

config {
  format = "compact"
  plugin_dir = "~/.tflint.d/plugins"
  call_module_type = "local"
}

plugin "aws" {
  enabled = true
  version = "0.4.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

rule "terraform_required_version" {
  enabled = false
}

Rules and Plugins

TFLint has built-in Terraform language rules and provider-specific plugins.

Built-in Rules:

  • Required Terraform Version – Ensures required_version is defined.
  • Type Constraints – Checks explicit type constraints on variables.
  • Deprecated Syntax – Flags usage of removed Terraform features.
  • Unused Declarations – Identifies unused variables and outputs.

Provider Plugins:

  • AWS Plugin – Checks instance types, security group configurations, and more.
  • Azure Plugin – Validates Azure-specific configurations.
  • GCP Plugin – Ensures Google Cloud best practices.

Enabling a Plugin:

plugin "aws" {
  enabled = true
  version = "0.24.1"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

Run:

tflint --init

CI/CD Integration

TFLint should be incorporated into CI/CD pipelines to enforce Terraform quality standards.

GitHub Actions Example:

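jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Install the tflint binary on the runner before calling it
      - uses: terraform-linters/setup-tflint@v3
      - run: tflint --init
      - run: tflint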

GitLab CI Example:

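lint:terraform:
  image:
    name: ghcr.io/terraform-linters/tflint:latest
    # The image's entrypoint is tflint itself; clear it so the script lines run in a shell
    entrypoint: [""]
  script:
    - tflint --init
    - tflint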

Best Practices

  1. Run TFLint Early – Use it during development, not just in CI/CD.
  2. Customize Rules – Enable or disable rules in .tflint.hcl based on project needs.
  3. Use Provider Plugins – AWS, Azure, and GCP plugins catch cloud-specific issues.
  4. Inline Rule Ignoring – Use # tflint-ignore: rule_name for exceptions.
  5. Enforce in CI/CD – Make TFLint a required step before merging code.
  6. Keep TFLint Updated – Regularly update TFLint and its plugins.
  7. Combine with Other Tools – Use it alongside terraform fmt, terraform validate, and security scanners like tfsec.
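
Inline ignores (item 4) are worth auditing, since each one silences a check. The following is an added example, not code from TFLint or from this tutorial: it lists every suppression in a Terraform file and flags those that are not on a reviewed allowlist. It goes beyond the single-rule form shown above by also handling comma-separated rules, the `all` keyword, `//` comments and `tflint-ignore-file`, all assumed from TFLint's annotation syntax; the sample file and the allowlist are constructed.

```python
import re

# "# tflint-ignore: a, b" (line scope) and "# tflint-ignore-file: a" (file scope).
# The list, "all", "//" and "-file" forms are assumptions beyond what the page shows.
ANNOTATION = re.compile(
    r"(?:#|//)\s*tflint-ignore(?P<file>-file)?:\s*(?P<rules>[\w\-, ]+)")

def find_suppressions(filename, text):
    """Return one record per suppressed rule found in the Terraform source."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = ANNOTATION.search(line)
        if not match:
            continue
        scope = "file" if match.group("file") else "line"
        for rule in match.group("rules").split(","):
            rule = rule.strip()
            if rule:
                found.append({"file": filename, "line": lineno,
                              "scope": scope, "rule": rule})
    return found

def review(suppressions, allowed):
    """Suppressions needing sign-off: blanket 'all', or a rule not on the allowlist."""
    return [s for s in suppressions
            if s["rule"] == "all" or s["rule"] not in allowed]

# Hypothetical allowlist of rules the team has agreed may be ignored inline.
ALLOWED = {"aws_instance_invalid_type", "terraform_unused_declarations"}

# Constructed sample Terraform source.
SAMPLE = """\
# tflint-ignore-file: terraform_required_version
resource "aws_instance" "web" {
  # tflint-ignore: aws_instance_invalid_type # ruleset not updated yet
  instance_type = "t1.2xlarge"
}
resource "aws_s3_bucket" "logs" { # tflint-ignore: all
  bucket = "example-logs"
}
variable "unused" {} // tflint-ignore: terraform_unused_declarations, terraform_typed_variables
"""

if __name__ == "__main__":
    for s in review(find_suppressions("main.tf", SAMPLE), ALLOWED):
        print(f"{s['file']}:{s['line']} ({s['scope']} scope) ignores {s['rule']}")
```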

Conclusion

TFLint is an essential tool for ensuring Terraform code quality, catching errors early, enforcing best practices, and integrating seamlessly into CI/CD workflows. Implement it in your Terraform projects to maintain consistent and error-free infrastructure as code.

Here’s a comprehensive tutorial for using TFLint, a powerful linter for Terraform code:

Installation

  1. Install TFLint using one of the following methods:
     • macOS: brew install tflint
     • Windows: choco install tflint
     • Linux: curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
  2. Verify the installation by running:
       tflint --version

Setup and Configuration

  1. Navigate to your Terraform project directory.
  2. Create a .tflint.hcl configuration file in your project root:
       plugin "terraform" {
         enabled = true
         preset  = "recommended"
       }
  3. Initialize TFLint in your project:
       tflint --init
     This command downloads and installs the necessary plugins based on your configuration.

Using TFLint

  1. Run TFLint in your project directory:
       tflint
     This scans your Terraform files and reports any issues it finds.
  2. For a more detailed report, use the JSON format:
       tflint --format=json
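
The JSON report is what makes TFLint usable as a merge gate. The following is an added example, not code from TFLint or from this tutorial: it reads a `tflint --format=json` report, fails on issues at or above a chosen severity, and treats an empty report or entries under `errors` as a failed run rather than a clean one. The field names (`issues`, `errors`, `rule.severity`, `range.start.line`) and severity strings are assumed from TFLint's JSON formatter, and the sample report is constructed.

```python
import json
import sys

# Severity strings in the JSON report, lowest to highest (assumed names).
SEVERITY = {"info": 0, "warning": 1, "error": 2}

def gate(report_text, fail_on="warning"):
    """Return (exit_code, lines): 0 clean, 1 blocking issues, 2 unusable report."""
    try:
        report = json.loads(report_text)
        if not isinstance(report, dict):
            raise ValueError("top level is not a JSON object")
    except ValueError as exc:
        # Empty or truncated output must never count as a clean run.
        return 2, [f"unparseable tflint report: {exc}"]
    # "errors" carries failures of tflint itself (bad config, missing plugin).
    errors = [f"tflint error: {e.get('message', e)}" for e in report.get("errors") or []]
    if errors:
        return 2, errors
    lines, blocking = [], 0
    for issue in report.get("issues") or []:
        rule, rng = issue.get("rule", {}), issue.get("range", {})
        sev = rule.get("severity", "error")
        # Unknown severities block rather than pass silently.
        blocks = SEVERITY.get(sev, 2) >= SEVERITY[fail_on]
        blocking += blocks
        where = f"{rng.get('filename', '?')}:{rng.get('start', {}).get('line', '?')}"
        tag = "FAIL" if blocks else "note"
        lines.append(f"{tag} {where} [{sev}] {rule.get('name')}: {issue.get('message')}")
    return (1 if blocking else 0), lines

# Constructed sample report (not output captured from a real run).
SAMPLE = json.dumps({
    "issues": [
        {"rule": {"name": "terraform_required_version", "severity": "warning"},
         "message": 'terraform "required_version" attribute is required',
         "range": {"filename": "main.tf", "start": {"line": 1, "column": 1}}},
        {"rule": {"name": "aws_resource_missing_tags", "severity": "info"},
         "message": "constructed example message",
         "range": {"filename": "ec2.tf", "start": {"line": 4, "column": 1}}},
    ],
    "errors": [],
})

if __name__ == "__main__":
    # Usage: tflint --format=json | python gate.py -
    piped = sys.argv[1:] == ["-"]
    code, out = gate(sys.stdin.read() if piped else SAMPLE)
    print("\n".join(out))
    sys.exit(code if piped else 0)  # the demo run on SAMPLE always exits 0
```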

Adding Cloud Provider Plugins

To lint configurations for specific cloud providers, add the relevant plugins to your .tflint.hcl file:

plugin "aws" {
  enabled = true
  version = "0.24.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

plugin "azurerm" {
  enabled = true
  version = "0.24.0"
  source  = "github.com/terraform-linters/tflint-ruleset-azurerm"
}

After adding plugins, run tflint --init again to download and install them.

Advanced Usage

  1. To run TFLint recursively in subdirectories:
       tflint --recursive
  2. To enable specific rules from the command line:
       tflint --enable-rule=aws_resource_missing_tags
  3. To disable specific rules:
       tflint --disable-rule=terraform_deprecated_syntax
  4. To use a custom configuration file:
       tflint --config=custom_tflint.hcl

Integrating with CI/CD

For GitHub Actions, you can use the setup-tflint action:

- uses: terraform-linters/setup-tflint@v3
  name: Setup TFLint
- run: tflint

Docker Usage

If you prefer using Docker, you can run TFLint without installation:

docker run --rm -v "$(pwd)":/data -t ghcr.io/terraform-linters/tflint

To download plugins and run TFLint in a single command:

docker run --rm -v "$(pwd)":/data -t --entrypoint /bin/sh ghcr.io/terraform-linters/tflint -c "tflint --init && tflint"

By following this tutorial, you’ll be able to effectively use TFLint to improve the quality and reliability of your Terraform code.
