Skip to content
Latchkey

tflint --init: Install TFLint Plugins

tflint --init downloads and installs every plugin listed in .tflint.hcl so later tflint runs can use them.

The cloud rulesets (AWS, GCP, Azure) ship as TFLint plugins. You must run tflint --init once to fetch them before linting, and in CI that download often needs a GitHub token.

What it does

tflint --init reads the plugin blocks in .tflint.hcl, downloads each plugin release from GitHub, verifies its checksum, and caches it under the TFLint plugin directory. Subsequent tflint runs load the cached plugins. Without init, the cloud rules are simply not active.

Common usage

Terminal
# .tflint.hcl declares the plugins; then:
tflint --init
tflint
# in CI, give init a token so GitHub does not rate-limit
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} tflint --init

Options

ItemWhat it does
--initDownload and install plugins from .tflint.hcl
GITHUB_TOKEN envAuthenticates plugin downloads; avoids rate limits
TFLINT_PLUGIN_DIR envOverride where plugins are cached
plugin "aws" { ... }A plugin block in .tflint.hcl naming source and version

In CI

Anonymous GitHub API calls are rate-limited to 60/hour per IP, and shared runner IPs blow through that fast, so always set GITHUB_TOKEN before tflint --init. Cache the plugin directory keyed on .tflint.hcl so you do not re-download the ruleset on every run.

Common errors in CI

"Failed to install a plugin; API rate limit exceeded" means init ran without a token; set GITHUB_TOKEN. "Plugin ... not found" after init means a plugin block is missing for a ruleset you reference. "checksum mismatch" usually means a corrupted cache; clear the plugin directory and re-init.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →