github.com/jpreese/tflint@v0.19.2-0.20200908152133-b01686250fb6/docs/guides/advanced.md

# Advanced Inspection

## Deep Checking

When deep checking is enabled, TFLint invokes the provider's API to perform a more detailed inspection. For example, it can detect a non-existent IAM profile name. You can enable it with the `--deep` option.

```console
$ tflint --deep
2 issue(s) found:

Error: instance_type is not a valid value (aws_instance_invalid_type)

  on template.tf line 3:
   3:   instance_type        = "t1.2xlarge"

Error: "invalid_profile" is invalid IAM profile name. (aws_instance_invalid_iam_profile)

  on template.tf line 4:
   4:   iam_instance_profile = "invalid_profile"

```

Deep checking requires [credentials](credentials.md).

## Module Inspection

TFLint can also inspect [modules](https://www.terraform.io/docs/configuration/modules.html). In this case, it checks based on the input variables passed to the calling module.

```hcl
module "aws_instance" {
  source        = "./module"

  ami           = "ami-b73b63a0"
  instance_type = "t1.2xlarge"
}
```

```console
$ tflint --module
1 issue(s) found:

Error: instance_type is not a valid value (aws_instance_invalid_type)

  on template.tf line 5:
   5:   instance_type = "t1.2xlarge"

Callers:
   template.tf:5,19-31
   module/instance.tf:5,19-36

```

Module inspection is disabled by default. To enable it, run TFLint with the `--module` option. Note that you need to run `terraform init` first, because TFLint loads modules in the same way as Terraform.

You can use the `--ignore-module` option if you want to skip inspection for a particular module. Note that you need to pass module sources rather than module ids for backward compatibility.

```console
$ tflint --ignore-module=./module
```

## Only Mode

TFLint allows you to enable *only* certain rules and disable all other rules, including the default ruleset. This can be useful for splitting up linting workflows by separating which rules to inspect at which stage.

For example, you might want a centralized tag-keys linter that checks that all taggable AWS resources contain a set of tags across multiple repositories. You might want to separate that from your other TFLint workflows, because each repo may also have a varying set of rule configurations it wants to apply.

To use Only Mode, you can pass rules on the CLI like so:

```console
$ tflint --only aws_instance_invalid_type --only aws_instance_invalid_ami
```

**Note:** when `--only` is used, TFLint ignores any other rules specified on the command line via `--enable-rule` or `--disable-rule`.
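
The split workflow described above, as an added shell example that is not part of TFLint or its documentation. The function names `only_stage` and `repo_stage`, the `TFLINT` variable and the `.terraform` directory check are assumptions of this example; the TFLint flags are the ones shown in this guide.

```shell
#!/bin/sh
# Added example (not TFLint's own code): two lint stages kept strictly apart.
# only_stage, repo_stage and the TFLINT variable are names assumed here.

TFLINT="${TFLINT:-tflint}"   # command to run; override to use another binary

# only_stage RULE...
# Central stage: run exactly the listed rules via repeated --only flags.
# Anything that is not a plain rule name is refused, so a rule list read from
# a shared file cannot add extra options such as --disable-rule.
only_stage() {
  n=$#
  [ "$n" -gt 0 ] || { echo "only_stage: no rules given" >&2; return 2; }
  for rule in "$@"; do
    case "$rule" in
      ''|*[!a-z0-9_]*) echo "only_stage: bad rule name: $rule" >&2; return 2 ;;
    esac
    set -- "$@" --only "$rule"    # append; the loop list was expanded already
  done
  shift "$n"                      # drop the bare names, keep the --only pairs
  "$TFLINT" "$@"
}

# repo_stage [TFLINT_ARG...]
# Repository stage: the repo's own configuration plus module inspection.
repo_stage() {
  for arg in "$@"; do
    case "$arg" in
      --only|--only=*)
        # --only makes TFLint ignore --enable-rule/--disable-rule, so mixing
        # it into this stage would silently change which rules run.
        echo "repo_stage: --only belongs in only_stage" >&2; return 2 ;;
    esac
  done
  # Assumption: 'terraform init' has created .terraform in the working directory.
  [ -d .terraform ] || { echo "repo_stage: run 'terraform init' first" >&2; return 2; }
  "$TFLINT" --module "$@"
}

# Typical use in a CI job:
#   only_stage aws_instance_invalid_type aws_instance_invalid_ami
#   repo_stage --ignore-module=./module
```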

You can also set `disabled_by_default = true` in the config file. Using this method, any rules enabled in your config file will implicitly become `--only` rules, and all other defaults will be ignored.

```hcl
config {
  disabled_by_default = true
  # other options here...
}

rule "aws_instance_previous_type" {
  enabled = true
}
```