Skip to content
Latchkey

TFLint Plugins: AWS, GCP, and Azure Rulesets

TFLint plugins are downloadable rulesets, the AWS plugin being the largest, that teach TFLint provider-specific rules.

The core TFLint ruleset is provider-agnostic. The real power comes from the cloud plugins, which validate instance types, IAM patterns, and resource arguments against the actual provider schema.

What it does

A plugin block in .tflint.hcl names a ruleset (for example terraform-linters/tflint-ruleset-aws), a version, and a source. After tflint --init downloads it, those rules run alongside the core set. The AWS plugin can optionally do "deep checking", calling AWS to validate values like AMI IDs, when given credentials.

Common usage

.tflint.hcl
plugin "aws" {
  enabled = true
  version = "0.43.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

plugin "terraform" {
  enabled = true
  preset  = "recommended"
}

Options

SettingWhat it does
enabledTurn the ruleset on or off
versionPin the plugin release (recommended in CI)
sourceGitHub repo the plugin is downloaded from
preset (terraform plugin)recommended or all for the bundled terraform rules
deep_check (aws, deprecated form)Validate values against the live AWS API

In CI

Pin version so a plugin release does not silently add failing rules mid-sprint. Deep checking needs cloud credentials and network access and is much slower; most pipelines leave it off and rely on the schema-based rules, which need no credentials.

Common errors in CI

"Failed to check ... deep checking requires AWS credentials" means deep_check is on without credentials; disable it or provide a role. "plugin version constraint ... not satisfied" means the pinned version is unavailable; check the release tag. Forgetting the plugin "terraform" { preset = "recommended" } block means the recommended core rules never run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →