TFLint interprets the Terraform language with its own parser which is a fork of the Terraform's native one. This allows it to be parsed correctly even if Terraform is not installed at runtime.
The parser supports Terraform v1.x syntax and semantics. The language compatibility on Terraform v1.x is defined by Compatibility Promises. TFLint follows this promise. New features are only supported in newer TFLint versions, and bug and experimental features compatibility are not guaranteed.
The latest supported version is Terraform v1.10.
Like Terraform, TFLint supports the --var, --var-file options, environment variables (TF_VAR_*), and automatically loading variable definitions (terraform.tfvars and *.auto.tfvars) files. See Input Variables.
Input variables are evaluated just like in Terraform:
variable "instance_type" {
default = "t2.micro"
}
resource "aws_instance" "foo" {
instance_type = var.instance_type # => "t2.micro"
}Unknown variables (e.g. no default) are ignored:
variable "instance_type" {}
resource "aws_instance" "foo" {
instance_type = var.instance_type # => ignored
}Sensitive or ephemeral variables are ignored. This is to avoid unintended disclosure.
variable "instance_type" {
sensitive = true
default = "t2.micro"
}
resource "aws_instance" "foo" {
instance_type = var.instance_type # => ignored
}TFLint supports Local Values.
variable "foo" {
default = "variable value"
}
locals {
static = "static value"
variable = var.foo
local = local.static
resource = aws_instance.main.arn
}
local.static # => "static value"
local.variable # => "variable value"
local.local # => "static value"
local.resource # => ignored (unknown)TFLint supports the count and for_each meta-arguments.
resource "aws_instance" "foo" {
count = 0
instance_type = "invalid" # => ignored because the resource is not created
}resource "aws_instance" "foo" {
count = 2
instance_type = "t${count.index}.micro" # => "t0.micro" and "t1.micro"
}Note that this behavior may differ depending on a rule. Rules like terraform_deprecated_syntax will check resources regardless of the meta-argument values.
If the meta-arguments are unknown, the resource/module is ignored:
variable "count" {}
resource "aws_instance" "foo" {
count = var.count
instance_type = "invalid" # => ignored
}TFLint supports filesystem and workspace info.
path.modulepath.rootpath.cwdterraform.workspace.
The terraform.applying always resolves to false.
The values below are state-dependent or cannot be determined statically, so TFLint resolves them to unknown values.
<RESOURCE TYPE>.<NAME>resource.<RESOURCE TYPE>.<NAME>ephemeral.<RESOURCE TYPE>.<NAME>module.<MODULE NAME>data.<DATA TYPE>.<NAME>self.<NAME>
The ephemeral.<RESOURCE TYPE>.<NAME> always resolves to an unknown value marked as ephemeral, which is the same in most cases as anything else, but some rules may treat it differently.
Built-in Functions are fully supported. However, functions such as plantimestamp whose return value cannot be determined statically will return an unknown value.
Provider-defined functions always return unknown values, except for provider::terraform::* functions.
TFLint supports dynamic blocks.
resource "aws_instance" "dynamic" {
dynamic "ebs_block_device" {
for_each = toset([
{ size = 10 },
{ size = 20 }
])
content {
volume_size = ebs_block_device.value["size"] # => 10 and 20
}
}
}Similar to support for meta-arguments, some rules may process a dynamic block as-is without expansion.
If the for_each is unknown, the expanded block will be empty. If the for_each is sensitive or ephemeral, TFLint expands dynamic blocks like Terraform does, but the mark does not propagate to children and expressions containing iterators resolve to unknown. This is a backwards compatibility limitation that may be resolved in a future version.
TFLint doesn't automatically inspect the content of modules themselves. However, by default, it will analyze their content in order to raise any issues that arise from attributes in module calls.
resource "aws_instance" "static" {
ebs_block_device {
encrypted = false # => Must be encrypted
}
}
module "aws_instance" {
source = "./module/aws_instance"
encrypted = false # => Must be encrypted
}Remote modules can also be inspected. See Calling Modules for details.
The following environment variables are supported: