Configuration
Running TFLint
After installation and configuration, run TFLint as usual:

    tflint

Enabling Additional Rules
Most rules are disabled by default to avoid overwhelming existing codebases. You can enable specific rules by adding them to your .tflint.hcl:

    plugin "aws-meta" {
      enabled = true
      version = "0.5.1"
      source  = "github.com/myerscode/tflint-ruleset-aws-meta"
    }

    # Enable specific rules
    rule "aws_iam_policy_hardcoded_region" {
      enabled = true
    }

    rule "aws_iam_policy_hardcoded_partition" {
      enabled = true
    }

    rule "aws_provider_hardcoded_region" {
      enabled = true
    }

Disabling Rules
You can disable any rule, including the default ones:

    # Disable a default rule
    rule "aws_meta_hardcoded" {
      enabled = false
    }

Configuration Examples
Minimal Configuration (Default Rules Only)

    plugin "aws-meta" {
      enabled = true
      version = "0.5.1"
      source  = "github.com/myerscode/tflint-ruleset-aws-meta"
    }

Comprehensive Configuration (All Rules Enabled)

    plugin "aws-meta" {
      enabled = true
      version = "0.5.1"
      source  = "github.com/myerscode/tflint-ruleset-aws-meta"
    }

    rule "aws_iam_role_policy_hardcoded_region" {
      enabled = true
    }

    rule "aws_iam_role_policy_hardcoded_partition" {
      enabled = true
    }

    rule "aws_iam_policy_hardcoded_region" {
      enabled = true
    }

    rule "aws_iam_policy_hardcoded_partition" {
      enabled = true
    }

    rule "aws_provider_hardcoded_region" {
      enabled = true
    }

Selective Configuration (IAM Rules Only)

    plugin "aws-meta" {
      enabled = true
      version = "0.5.1"
      source  = "github.com/myerscode/tflint-ruleset-aws-meta"
    }

    # Disable the comprehensive rule
    rule "aws_meta_hardcoded" {
      enabled = false
    }

    # Enable specific IAM rules
    rule "aws_iam_policy_hardcoded_region" {
      enabled = true
    }

    rule "aws_iam_policy_hardcoded_partition" {
      enabled = true
    }

    rule "aws_iam_role_policy_hardcoded_region" {
      enabled = true
    }

    rule "aws_iam_role_policy_hardcoded_partition" {
      enabled = true
    }

Verifying Configuration
You can verify the plugin is working by running it on the example configurations:

    # Should show 0 issues from our rules
    (cd examples/passing && tflint)

    # Should show multiple issues from our rules
    (cd examples/failing && tflint)

Default Rules
Three rules are enabled by default when you install the plugin:
- aws_meta_hardcoded - Comprehensive ARN validation across all AWS resources
- aws_service_principal_dns_suffix - Detects dns_suffix interpolation in service principals
- aws_service_principal_hardcoded - Detects hardcoded DNS suffixes in service principals
All other rules are disabled by default to avoid overwhelming existing codebases with violations.
Rule Categories
Comprehensive Rules (Enabled by Default)
- aws_meta_hardcoded - Checks all AWS resources for hardcoded regions/partitions in ARNs
- aws_service_principal_dns_suffix - Detects dns_suffix interpolation
- aws_service_principal_hardcoded - Detects hardcoded DNS suffixes in service principals
IAM Policy Rules (Disabled by Default)
- aws_iam_policy_hardcoded_region - Hardcoded regions in IAM policies
- aws_iam_policy_hardcoded_partition - Hardcoded partitions in IAM policies
- aws_iam_role_policy_hardcoded_region - Hardcoded regions in IAM role policies
- aws_iam_role_policy_hardcoded_partition - Hardcoded partitions in IAM role policies
Provider Rules (Disabled by Default)
- aws_provider_hardcoded_region - Hardcoded regions in provider configuration
ID Rules (Disabled by Default)
- aws_hardcoded_ids - Hardcoded AWS account IDs and AMI IDs
Service Principal Rules (Enabled by Default)
- aws_service_principal_hardcoded - Hardcoded DNS suffixes
- aws_service_principal_dns_suffix - DNS suffix interpolation
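
The kind of ARN the region, partition and ID rules above describe, next to a version built from data sources; this is an added example, not taken from the plugin or its examples directory. Resource names, the queue and the account ID are constructed, and which of the listed rules reports each literal is an assumption based on their one-line descriptions.

```hcl
# Added example: all names, the account ID and the queue are constructed.

# Before: partition, region and account ID are literals inside the ARN, so the
# policy only resolves in the commercial partition and in one region.
resource "aws_iam_policy" "queue_reader_hardcoded" {
  name = "queue-reader-hardcoded"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["sqs:ReceiveMessage"]
      Resource = "arn:aws:sqs:us-east-1:123456789012:example-queue"
    }]
  })
}

# After: the same values come from data sources, so the ARN follows whatever
# partition, region and account the provider is configured for.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_iam_policy" "queue_reader" {
  name = "queue-reader"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["sqs:ReceiveMessage"]
      # `name` is the region name; AWS provider v6 and later also expose it as `region`.
      Resource = "arn:${data.aws_partition.current.partition}:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:example-queue"
    }]
  })
}
```
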
Common Workflows
Gradual Adoption
Start with default rules and gradually enable more:
- Phase 1: Use default configuration
- Phase 2: Enable IAM rules for new policies
- Phase 3: Enable provider rules
- Phase 4: Enable comprehensive validation
Legacy Codebase Integration
For existing codebases with many violations:
- Start with minimal configuration
- Fix violations incrementally
- Enable additional rules as violations are resolved
- Use selective configuration to focus on specific areas
CI/CD Integration
Add TFLint to your pipeline:

    # GitHub Actions example
    - name: Run TFLint
      run: |
        tflint --init
        tflint

Make sure your .tflint.hcl is committed to your repository for consistent results across environments.