github.com/jpreese/tflint@v0.19.2-0.20200908152133-b01686250fb6/docs/rules/terraform_module_pinned_source.md (about) 1 # terraform_module_pinned_source 2 3 Disallow specifying a git or mercurial repository as a module source without pinning to a version. 4 5 ## Configuration 6 7 Name | Default | Value 8 --- | --- | --- 9 enabled | true | Boolean 10 style | `flexible` | `flexible`, `semver` 11 12 ```hcl 13 rule "terraform_module_pinned_source" { 14 enabled = true 15 style = "flexible" 16 } 17 ``` 18 19 ## Example 20 21 ### style = "flexible" 22 23 In the "flexible" style, all sources must be pinned to non-default version. 24 25 ```hcl 26 module "unpinned" { 27 source = "git://hashicorp.com/consul.git" 28 } 29 30 module "default_git" { 31 source = "git://hashicorp.com/consul.git?ref=master" 32 } 33 34 module "default_mercurial" { 35 source = "hg::http://hashicorp.com/consul.hg?rev=default" 36 } 37 38 module "pinned_git" { 39 source = "git://hashicorp.com/consul.git?ref=feature" 40 } 41 ``` 42 43 ``` 44 $ tflint 45 3 issue(s) found: 46 47 Warning: Module source "git://hashicorp.com/consul.git" is not pinned (terraform_module_pinned_source) 48 49 on template.tf line 2: 50 2: source = "git://hashicorp.com/consul.git" 51 52 Reference: https://github.com/terraform-linters/tflint/blob/v0.15.0/docs/rules/terraform_module_pinned_source.md 53 54 Warning: Module source "git://hashicorp.com/consul.git?ref=master" uses default ref "master" (terraform_module_pinned_source) 55 56 on template.tf line 6: 57 6: source = "git://hashicorp.com/consul.git?ref=master" 58 59 Reference: https://github.com/terraform-linters/tflint/blob/v0.15.0/docs/rules/terraform_module_pinned_source.md 60 61 Warning: Module source "hg::http://hashicorp.com/consul.hg?rev=default" uses default rev "default" (terraform_module_pinned_source) 62 63 on template.tf line 10: 64 10: source = "hg::http://hashicorp.com/consul.hg?rev=default" 65 66 Reference: https://github.com/terraform-linters/tflint/blob/v0.15.0/docs/rules/terraform_module_pinned_source.md 67 68 ``` 69 70 ### style = "semver" 71 72 In the "semver" style, all sources must be pinned to semantic version reference. This is stricter than the "flexible" style. 73 74 ```hcl 75 module "unpinned" { 76 source = "git://hashicorp.com/consul.git" 77 } 78 79 module "pinned_to_branch" { 80 source = "git://hashicorp.com/consul.git?ref=feature" 81 } 82 83 module "pinned_to_version" { 84 source = "git://hashicorp.com/consul.git?ref=v1.2.0" 85 } 86 ``` 87 88 ``` 89 $ tflint 90 2 issue(s) found: 91 92 Warning: Module source "git://hashicorp.com/consul.git" is not pinned (terraform_module_pinned_source) 93 94 on template.tf line 2: 95 2: source = "git://hashicorp.com/consul.git" 96 97 Reference: https://github.com/terraform-linters/tflint/blob/v0.15.0/docs/rules/terraform_module_pinned_source.md 98 99 Warning: Module source "git://hashicorp.com/consul.git?ref=feature" uses a ref which is not a version string (terraform_module_pinned_source) 100 101 on template.tf line 6: 102 6: source = "git://hashicorp.com/consul.git?ref=feature" 103 104 Reference: https://github.com/terraform-linters/tflint/blob/v0.15.0/docs/rules/terraform_module_pinned_source.md 105 106 ``` 107 108 ## Why 109 110 Terraform allows you to source modules from source control repositories. If you do not pin the revision to use, the dependency you require may introduce unexpected breaking changes. To prevent this, always specify an explicit version to check out. 111 112 Pinning to a mutable reference, such as a branch, still allows for unintended breaking changes. Semver style can help avoid this. 113 114 ## How To Fix 115 116 Specify a version pin. For git repositories, it should not be "master". For Mercurial repositories, it should not be "default". 117 118 In the "semver" style: specify a semantic version pin of the form `vX.Y.Z`. The leading `v` is optional.