TFLint Plugins: AWS, GCP, and Azure Rulesets
TFLint plugins are downloadable rulesets, the AWS plugin being the largest, that teach TFLint provider-specific rules.
The core TFLint ruleset is provider-agnostic. The real power comes from the cloud plugins, which validate instance types, IAM patterns, and resource arguments against the actual provider schema.
What it does
A plugin block in .tflint.hcl names a ruleset (for example terraform-linters/tflint-ruleset-aws), a version, and a source. After tflint --init downloads it, those rules run alongside the core set. The AWS plugin can optionally do "deep checking", calling AWS to validate values like AMI IDs, when given credentials.
Common usage
plugin "aws" {
enabled = true
version = "0.43.0"
source = "github.com/terraform-linters/tflint-ruleset-aws"
}
plugin "terraform" {
enabled = true
preset = "recommended"
}Options
| Setting | What it does |
|---|---|
| enabled | Turn the ruleset on or off |
| version | Pin the plugin release (recommended in CI) |
| source | GitHub repo the plugin is downloaded from |
| preset (terraform plugin) | recommended or all for the bundled terraform rules |
| deep_check (aws, deprecated form) | Validate values against the live AWS API |
In CI
Pin version so a plugin release does not silently add failing rules mid-sprint. Deep checking needs cloud credentials and network access and is much slower; most pipelines leave it off and rely on the schema-based rules, which need no credentials.
Common errors in CI
"Failed to check ... deep checking requires AWS credentials" means deep_check is on without credentials; disable it or provide a role. "plugin version constraint ... not satisfied" means the pinned version is unavailable; check the release tag. Forgetting the plugin "terraform" { preset = "recommended" } block means the recommended core rules never run.