Configs · May 1, 2026 · 3 min read

TFLint — Pluggable Terraform Linter

Catch errors, enforce best practices, and validate cloud provider-specific rules in Terraform configurations before apply with a fast, extensible linter.

Introduction

TFLint is a pluggable linter for Terraform that catches potential errors, deprecated syntax, and provider-specific misconfigurations that terraform validate and terraform plan do not detect. It runs quickly on local files and integrates into CI pipelines to enforce infrastructure code quality.

What TFLint Does

  • Detects errors that terraform validate misses, such as invalid instance types or unavailable regions
  • Enforces naming conventions and style rules across Terraform modules
  • Validates provider-specific resources via downloadable ruleset plugins
  • Supports HCL native syntax and JSON-based Terraform configurations
  • Reports findings in human-readable, JSON, SARIF, or compact formats

Architecture Overview

TFLint parses Terraform configuration files using the HCL library, resolves variable references and module calls, and applies rules from its core ruleset and installed plugins. Plugins are standalone binaries that communicate with TFLint over gRPC, allowing provider-specific rules to be maintained independently. Configuration lives in a .tflint.hcl file that specifies which plugins to load and which rules to enable or disable.

Self-Hosting & Configuration

  • Install via Homebrew, Chocolatey, Docker, or download prebuilt binaries from GitHub releases
  • Create .tflint.hcl in the project root to declare plugins and rule overrides
  • Run tflint --init to download declared plugins automatically
  • Add --recursive to lint all modules in a Terraform project tree
  • Integrate with pre-commit hooks or CI steps using the --format=sarif output
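
An added example, not part of the original page or the TFLint project: a CI gate that reads the report written with --format=sarif and fails the build when any finding reaches a chosen level. It assumes only the standard SARIF 2.1.0 result fields; the sample report, its file paths and messages, and the function name blocking_findings are constructed for illustration.

```python
import json
import sys
from pathlib import Path

# SARIF 2.1.0 result levels, lowest to highest. A result without "level" counts as "warning".
LEVELS = ["none", "note", "warning", "error"]

# Constructed sample in SARIF 2.1.0 shape (not captured TFLint output).
SAMPLE_SARIF = """{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "tflint"}}, "results": [
 {"ruleId": "aws_instance_invalid_type", "level": "error", "message": {"text": "constructed: invalid instance type"},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "modules/web/main.tf"}, "region": {"startLine": 12}}}]},
 {"ruleId": "terraform_naming_convention", "level": "note", "message": {"text": "constructed: name is not snake_case"},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"}, "region": {"startLine": 3}}}]},
 {"ruleId": "constructed_rule_without_level", "message": {"text": "constructed: no level, no location"}}
]}]}"""


def blocking_findings(sarif_text, fail_on="warning"):
    """Return (level, ruleId, 'file:line', message) for every result at or above fail_on."""
    threshold = LEVELS.index(fail_on)
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results") or []:
            level = result.get("level", "warning")
            # Fail closed: a level this script does not know is treated as blocking.
            rank = LEVELS.index(level) if level in LEVELS else len(LEVELS)
            if rank < threshold:
                continue
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", 0)
            findings.append((level, result.get("ruleId", "<no ruleId>"), f"{uri}:{line}",
                             result.get("message", {}).get("text", "")))
    return findings


if __name__ == "__main__":
    # With a path argument, gate on that report; with none, run on the constructed sample.
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_SARIF
    found = blocking_findings(text)
    for level, rule, where, msg in found:
        print(f"{level}: {rule} at {where}: {msg}")
    sys.exit(1 if found else 0)
```

Results with an unrecognized level are reported rather than skipped, so a change in the report's level vocabulary cannot silently turn the gate green.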

Key Features

  • Provider plugins for AWS, Azure, GCP, and community-maintained rulesets
  • Catches invalid resource attribute values before plan or apply
  • Custom rules via the plugin SDK for organization-specific policies
  • Module inspection that follows source references into child modules
  • Compatible with Terraform, OpenTofu, and Terragrunt workflows

Comparison with Similar Tools

  • terraform validate — checks syntax and provider schema; TFLint adds provider-specific and best-practice rules
  • Checkov — policy-as-code scanner for security; TFLint focuses on correctness and configuration errors
  • tfsec — security-focused static analysis; TFLint covers broader quality and validity checks
  • Terrascan — compliance-oriented IaC scanner; TFLint provides finer-grained provider-specific linting
  • Semgrep — generic code analysis; TFLint understands Terraform HCL semantics natively

FAQ

Q: Does TFLint replace terraform validate? A: No. Use both together. terraform validate checks syntax and schema, while TFLint applies deeper provider-specific and stylistic rules.

Q: Can I write custom rules? A: Yes. TFLint provides a Go-based plugin SDK for building custom rulesets distributed as standalone binaries.

Q: Does TFLint work with OpenTofu? A: Yes. TFLint parses the same HCL configuration format and works with OpenTofu projects without modification.

Q: How do I suppress a specific rule? A: Add a tflint-ignore comment annotation above the resource block, or disable the rule in .tflint.hcl.
