github.com/terraform-linters/tflint@v0.51.2-0.20240520175844-3750771571b6/docs/user-guide/config.md

github.com/terraform-linters/tflint@v0.51.2-0.20240520175844-3750771571b6/docs/user-guide/config.md (about)

     1  # Configuring TFLint
     2  
     3  You can change the behavior not only in CLI flags but also in config files. TFLint loads config files according to the following priority order:
     4  
     5  1. File passed by the `--config` option
     6  2. File set by the `TFLINT_CONFIG_FILE` environment variable
     7  3. Current directory (`./.tflint.hcl`)
     8  4. Home directory (`~/.tflint.hcl`)
     9  
    10  The config file is written in [HCL](https://github.com/hashicorp/hcl). An example is shown below:
    11  
    12  ```hcl
    13  tflint {
    14    required_version = ">= 0.50"
    15  }
    16  
    17  config {
    18    format = "compact"
    19    plugin_dir = "~/.tflint.d/plugins"
    20  
    21    call_module_type = "local"
    22    force = false
    23    disabled_by_default = false
    24  
    25    ignore_module = {
    26      "terraform-aws-modules/vpc/aws"            = true
    27      "terraform-aws-modules/security-group/aws" = true
    28    }
    29  
    30    varfile = ["example1.tfvars", "example2.tfvars"]
    31    variables = ["foo=bar", "bar=[\"baz\"]"]
    32  }
    33  
    34  plugin "aws" {
    35    enabled = true
    36    version = "0.4.0"
    37    source  = "github.com/terraform-linters/tflint-ruleset-aws"
    38  }
    39  
    40  rule "aws_instance_invalid_type" {
    41    enabled = false
    42  }
    43  ```
    44  
    45  The file path is resolved relative to the module directory when `--chdir` or `--recursive` is used. To use a config file from the working directory when recursing, pass an absolute path:
    46  
    47  ```sh
    48  tflint --recursive --config "$(pwd)/.tflint.hcl"
    49  ```
    50  
    51  ### `required_version`
    52  
    53  Restrict the TFLint version used. This is almost the same as [Terraform's `required_version`](https://developer.hashicorp.com/terraform/language/settings#specifying-a-required-terraform-version).
    54  You can write version constraints in the same way.
    55  
    56  ### `format`
    57  
    58  CLI flag: `--format`
    59  
    60  Change the output format. The following values are valid:
    61  
    62  - default
    63  - json
    64  - checkstyle
    65  - junit
    66  - compact
    67  - sarif
    68  
    69  In recursive mode (`--recursive`), this field will be ignored in configuration files and must be set via a flag.
    70  
    71  ### `plugin_dir`
    72  
    73  Set the plugin directory. The default is `~/.tflint.d/plugins` (or `./.tflint.d/plugins`). See also [Configuring Plugins](plugins.md#advanced-usage)
    74  
    75  ### `call_module_type`
    76  
    77  CLI flag: `--call-module-type`
    78  
    79  Select types of module to call. The following values are valid:
    80  
    81  - all
    82  - local (default)
    83  - none
    84  
    85  If you select `all`, you can call all (local and remote) modules. See [Calling Modules](./calling-modules.md).
    86  
    87  ```hcl
    88  config {
    89    call_module_type = "all"
    90  }
    91  ```
    92  
    93  ```console
    94  $ tflint --call-module-type=all
    95  ```
    96  
    97  ### `force`
    98  
    99  CLI flag: `--force`
   100  
   101  Return zero exit status even if issues found. TFLint returns the following exit statuses on exit by default:
   102  
   103  - 0: No issues found
   104  - 1: Errors occurred
   105  - 2: No errors occurred, but issues found
   106  
   107  In recursive mode (`--recursive`), this field will be ignored in configuration files and must be set via a flag.
   108  
   109  ### `disabled_by_default`
   110  
   111  CLI flag: `--only`
   112  
   113  Only enable rules specifically enabled in the config or on the command line. All other rules, including defaults, are disabled. Note, usage of `--only` on the command line will ignore other rules passed in via `--enable-rule` or `--disable-rule`.
   114  
   115  ```hcl
   116  config {
   117    disabled_by_default = true
   118    # other options here...
   119  }
   120  
   121  rule "aws_instance_invalid_type" {
   122    enabled = true
   123  }
   124  
   125  rule "aws_instance_previous_type" {
   126    enabled = true
   127  }
   128  ```
   129  
   130  ```console
   131  $ tflint --only aws_instance_invalid_type --only aws_instance_previous_type
   132  ```
   133  
   134  ### `ignore_module`
   135  
   136  CLI flag: `--ignore-module`
   137  
   138  Adding a module source to `ignore_module` will cause it to be ignored when [calling modules](./calling-modules.md). Note that you need to specify module sources rather than module ids for backward compatibility.
   139  
   140  ```hcl
   141  config {
   142    module = true
   143    ignore_module = {
   144      "terraform-aws-modules/vpc/aws"            = true
   145      "terraform-aws-modules/security-group/aws" = true
   146    }
   147  }
   148  ```
   149  
   150  ```console
   151  $ tflint --ignore-module terraform-aws-modules/vpc/aws --ignore-module terraform-aws-modules/security-group/aws
   152  ```
   153  
   154  ### `varfile`
   155  
   156  CLI flag: `--var-file`
   157  
   158  Set Terraform variables from `tfvars` files. If `terraform.tfvars` or any `*.auto.tfvars` files are present, they will be automatically loaded.
   159  
   160  ```hcl
   161  config {
   162    varfile = ["example1.tfvars", "example2.tfvars"]
   163  }
   164  ```
   165  
   166  ```console
   167  $ tflint --var-file example1.tfvars --var-file example2.tfvars
   168  ```
   169  
   170  ### `variables`
   171  
   172  CLI flag: `--var`
   173  
   174  Set a Terraform variable from a passed value. This flag can be set multiple times.
   175  
   176  ```hcl
   177  config {
   178    variables = ["foo=bar", "bar=[\"baz\"]"]
   179  }
   180  ```
   181  
   182  ```console
   183  $ tflint --var "foo=bar" --var "bar=[\"baz\"]"
   184  ```
   185  
   186  ### `rule` blocks
   187  
   188  CLI flag: `--enable-rule`, `--disable-rule`
   189  
   190  You can configure TFLint rules using `rule` blocks. Each rule's implementation specifies whether it will be enabled by default. In some rulesets, the majority of rules are disabled by default. Use `rule` blocks to enable them:
   191  
   192  ```hcl
   193  rule "terraform_unused_declarations" {
   194    enabled = true
   195  }
   196  ```
   197  
   198  The `enabled` attribute is required for all `rule` blocks. For rules that are enabled by default, set `enabled = false` to disable the rule:
   199  
   200  ```hcl
   201  rule "aws_instance_previous_type" {
   202    enabled = false
   203  }
   204  ```
   205  
   206  Some rules support additional attributes that configure their behavior. See the documentation for each rule for details.
   207  
   208  ### `plugin` blocks
   209  
   210  You can declare the plugin to use. See [Configuring Plugins](plugins.md)
   211  
   212  ## Rule config priority
   213  
   214  The priority of rule configs is as follows:
   215  
   216  1. `--only` (CLI flag)
   217  2. `--enable-rule`, `--disable-rule` (CLI flag)
   218  3. `rule` blocks (config file)
   219  4. `preset` (config file, tflint-ruleset-terraform only)
   220  5. `disabled_by_default` (config file)