TFLint
Pluggable Terraform linter that goes beyond Terraform validate by catching provider-specific issues, deprecated resource types, invalid instance types, and best practice violations. TFLint uses provider-specific ruleset plugins (AWS, Azure, GCP, Kubernetes) to validate that resource configurations are valid for the target provider — catching errors before terraform plan that would otherwise fail with cryptic API errors. Catches bugs like invalid EC2 instance types, deprecated Azure VM SKUs, and unsupported GKE configurations.
Score Breakdown
🔒 Security
MPL 2.0, open source. Read-only static analysis — no code execution. Plugin ecosystem from community — review plugin source before use. Cloud credentials only required for schema validation, not code execution.
Best When
You want to catch provider-specific configuration errors (invalid instance types, deprecated resources) in Terraform code before CI/CD runs, using provider-specific plugin rulesets.
Avoid When
You need security scanning or policy enforcement — TFLint is a linter for correctness, not a security scanner.
Use Cases
- Catch invalid AWS EC2 instance types, RDS instance classes, and other provider-specific configuration errors before running terraform plan
- Enforce Terraform naming conventions, tagging standards, and module usage requirements as lint rules in CI/CD pipelines
- Find deprecated provider resources and attributes before they cause production failures; provider plugins track current vs deprecated
- Validate Terraform code style and structure in pre-commit hooks or CI/CD using TFLint's machine-readable JSON output
- Run as part of agent IaC generation workflows to validate generated Terraform code before plan/apply
Not For
- Security scanning: use Checkov, tfsec, or Trivy for security policy violations; TFLint focuses on correctness, not security
- Policy enforcement (OPA/Sentinel rules): use Conftest or Terraform Cloud Sentinel for policy-as-code
- Non-Terraform IaC: TFLint is Terraform-specific
Interface
Authentication
TFLint is a CLI tool; no authentication is required for the linter itself. Provider rule plugins may require cloud credentials to fetch provider schemas. The AWS plugin uses the standard AWS credential chain.
Pricing
MPL 2.0 licensed open source. Provider rule plugins are also free and community/vendor maintained. No commercial version.
Agent Metadata
Known Gotchas
- ⚠ Plugin installation is required before the first run: agents must run 'tflint --init' to download the configured plugins
- ⚠ A .tflint.hcl configuration file is required to specify plugins; without a config, TFLint only runs its basic built-in rules
- ⚠ Provider-specific plugins (tflint-ruleset-aws) must match the provider version in use; a plugin/provider version mismatch can cause false positives
- ⚠ Some rules require cloud credentials to validate against the provider schema; agents running in CI without cloud access may see schema validation errors
- ⚠ The --format json output structure has changed between versions; pin the TFLint version in CI to avoid parsing breakage
- ⚠ TFLint does not run Terraform itself; it performs static analysis only, so some runtime validation still requires an actual terraform validate/plan
- ⚠ Module source linting requires the module content to be downloaded; run 'terraform init' before TFLint for accurate module analysis
Scores are editorial opinions as of 2026-03-06.