TFLint AWS Meta Ruleset
A TFLint ruleset for AWS best practices, focusing on preventing hardcoded values and promoting flexible, maintainable Terraform code.
This ruleset helps enforce multi-region and multi-partition compatibility by detecting hardcoded AWS regions and partitions in your Terraform configurations. It provides comprehensive coverage across IAM policies, provider configurations, and all AWS resource types where hardcoded values prevent flexible deployments.
Why These Rules Matter
- Multi-Region Deployments: Hardcoded regions prevent your Terraform configurations from being deployed to different AWS regions without modification.
- Multi-Partition Support: Hardcoded partitions prevent deployment to AWS GovCloud (aws-us-gov) or AWS China (aws-cn) regions.
- Security: Hardcoded credentials in provider configurations pose security risks and should be avoided.
- Maintainability: Dynamic configurations using variables and data sources are easier to maintain and more flexible.
How It Works
This ruleset uses the aws-meta Go package to dynamically generate regex patterns for all AWS regions and partitions. Instead of maintaining hardcoded lists, the patterns are built at runtime from the latest AWS metadata.
Benefits:
- New AWS regions are automatically detected when the aws-meta package is updated
- Covers all AWS partitions (commercial, GovCloud, China, isolated)
- No manual maintenance required for region lists
- Always up-to-date with AWS’s latest offerings
Best Practices
- Use data sources: `data.aws_region.current.name` and `data.aws_partition.current.partition`
- Use variables: Define region and other parameters as variables
- Environment variables: Use the `AWS_REGION` and `AWS_PROFILE` environment variables
- AWS profiles: Configure the provider to use AWS CLI profiles
- IAM roles: Use IAM roles for authentication instead of hardcoded keys
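As an added example (not part of the ruleset's own documentation), the same IAM policy is written first with the hardcoded partition, region and account ID that these rules flag, then rewritten with the data sources recommended above. `data.aws_caller_identity` is a real provider data source not named on this page, and the bucket, policy and account values are constructed.

```hcl
# --- Hardcoded form: flagged by aws_meta_hardcoded and aws_hardcoded_ids ---
resource "aws_iam_policy" "hardcoded" {
  name = "example-readonly-hardcoded" # constructed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "arn:aws:s3:::example-bucket/*" # partition "aws" hardcoded
      },
      {
        Effect   = "Allow"
        Action   = ["logs:PutLogEvents"]
        # partition, region and account ID all hardcoded (account ID is constructed)
        Resource = "arn:aws:logs:us-east-1:123456789012:*"
      }
    ]
  })
}

# --- Portable form: values resolved at plan time from the target account ---
data "aws_partition" "current" {}       # "aws", "aws-us-gov" or "aws-cn"
data "aws_region" "current" {}          # region the provider is configured for
data "aws_caller_identity" "current" {} # account the credentials belong to

resource "aws_iam_policy" "portable" {
  name = "example-readonly" # constructed name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "arn:${data.aws_partition.current.partition}:s3:::example-bucket/*"
      },
      {
        Effect   = "Allow"
        Action   = ["logs:PutLogEvents"]
        Resource = "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
      }
    ]
  })
}
```

The portable form deploys unchanged to a GovCloud or China account because every partition-, region- and account-specific segment of the ARN is computed rather than typed in.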
Rules Overview
| Name | Description | Severity | Enabled By Default | Link |
|---|---|---|---|---|
| aws_hardcoded_ids | Validates that there are no hardcoded AWS account IDs or AMI IDs | WARNING | ❌ | docs |
| aws_iam_policy_hardcoded_partition | Validates that there are no hardcoded AWS partitions in IAM policy documents | WARNING | ❌ | docs |
| aws_iam_policy_hardcoded_region | Validates that there are no hardcoded AWS regions in IAM policy documents | WARNING | ❌ | docs |
| aws_iam_role_policy_hardcoded_partition | Validates that there are no hardcoded AWS partitions in IAM role policy documents | WARNING | ❌ | docs |
| aws_iam_role_policy_hardcoded_region | Validates that there are no hardcoded AWS regions in IAM role policy documents | WARNING | ❌ | docs |
| aws_meta_hardcoded | Validates that there are no hardcoded AWS regions or partitions in ARN values across all resource types | WARNING | ✅ | docs |
| aws_provider_hardcoded_region | Validates that there are no hardcoded AWS regions in provider configuration | WARNING | ❌ | docs |
| aws_service_principal_dns_suffix | Validates that service principals don’t use dns_suffix interpolation | WARNING | ✅ | docs |
| aws_service_principal_hardcoded | Validates that service principals don’t use hardcoded DNS suffixes (e.g., amazonaws.com) | WARNING | ✅ | docs |
For detailed documentation on each rule, see the Rules section.