terraform-linters / tflint
A Pluggable Terraform Linter
License: Mozilla Public License 2.0
v0.3.5 on macOS Sierra, installed via brew.
Log output:
Panic: interface conversion: interface {} is *evaluator.Evaluator, not string
-> 0: main.main.func1: /main.go(17)
-> 1: runtime.call32: /asm_amd64.s(514)
-> 2: runtime.gopanic: /panic.go(489)
-> 3: runtime.panicdottype: /iface.go(172)
-> 4: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalOutput).Eval: /eval.go(399)
-> 5: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).visit: /eval.go(207)
-> 6: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).(github.com/wata727/tflint/vendor/github.com/hashicorp/hil.visit)-fm: /eval.go(167)
-> 7: github.com/wata727/tflint/vendor/github.com/hashicorp/hil/ast.(*Output).Accept: /output.go(23)
-> 8: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).Visit: /eval.go(167)
-> 9: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.internalEval: /eval.go(145)
-> 10: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.Eval: /eval.go(52)
-> 11: github.com/wata727/tflint/evaluator.(*Evaluator).Eval: /evaluator.go(65)
-> 12: github.com/wata727/tflint/detector.(*Detector).evalToString: /detector.go(222)
-> 13: github.com/wata727/tflint/detector.(*AwsInstanceInvalidAMIDetector).Detect: /aws_instance_invalid_ami.go(47)
-> 14: runtime.call64: /asm_amd64.s(515)
-> 15: reflect.Value.call: /value.go(434)
-> 16: reflect.Value.Call: /value.go(302)
-> 17: github.com/wata727/tflint/detector.(*Detector).detect: /detector.go(216)
-> 18: github.com/wata727/tflint/detector.(*Detector).Detect: /detector.go(170)
-> 19: main.(*CLI).Run: /cli.go(116)
-> 20: main.main: /main.go(30)
-> 21: runtime.main: /proc.go(185)
-> 22: runtime.goexit: /asm_amd64.s(2197)
TFLint crached... :(
////////////
It crashes on this minimalistic terraform file:
module "saras_ec2" {
  ami             = "${module.first_ima.id}"
  name            = "saras_ec2"
  instance_type   = "t2.nano"
  subnet_id       = "${module.first_private_subnet.id}"
  source          = "./modules/ec2"
  security_groups = "${module.first_sg.id}"
}
////////////
It works fine without the --deep option, and provides this output for the same file:
./modules/ec2/main.tf
NOTICE:35 "iam_instance_profile" is not specified. If you want to change it, you need to recreate instance. (Only less than Terraform 0.8.8)
Result: 1 issues (0 errors , 0 warnings , 1 notices)
Hi there.
I was very excited to test the new version of tflint
on our project as it ran on my machine so I decided to put it on our CI. Unfortunately things didn't go well :/
Long story short: I think there was something different/strange regarding linking libraries when generating this new version.
These are some steps one can do to reproduce the issue:
Version 0.4.3 - Everything working
$ docker run --entrypoint /bin/sh -ti hashicorp/terraform:0.10.6
# curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.4.3/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
...
# tflint
Awesome! Your code is following the best practices :)
# apk add --upgrade file
...
# file /usr/local/bin/tflint
/usr/local/bin/tflint: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped
# ldd /usr/local/bin/tflint
ldd: /usr/local/bin/tflint: Not a valid dynamic program
Version 0.5.0 - with terraform 0.10.6
$ docker run --entrypoint /bin/sh -ti hashicorp/terraform:0.10.6
# curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.5.0/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
...
# tflint
/bin/sh: tflint: not found
# apk add --upgrade file
...
# file /usr/local/bin/tflint
/usr/local/bin/tflint: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, with debug_info, not stripped
# ldd /usr/local/bin/tflint
/lib64/ld-linux-x86-64.so.2 (0x5605e5ca0000)
libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x5605e5ca0000)
libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x5605e5ca0000)
Error relocating /usr/local/bin/tflint: __vfprintf_chk: symbol not found
Error relocating /usr/local/bin/tflint: __fprintf_chk: symbol not found
Version 0.5.0 - with terraform 0.10.7
$ docker run --entrypoint /bin/sh -ti hashicorp/terraform:0.10.7
# curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.5.0/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
...
# tflint
/bin/sh: tflint: not found
# apk add --upgrade file
...
# file /usr/local/bin/tflint
/usr/local/bin/tflint: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, with debug_info, not stripped
# ldd /usr/local/bin/tflint
/lib64/ld-linux-x86-64.so.2 (0x55e51813d000)
libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x55e51813d000)
libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x55e51813d000)
Error relocating /usr/local/bin/tflint: __vfprintf_chk: symbol not found
Error relocating /usr/local/bin/tflint: __fprintf_chk: symbol not found
Please ping if there is something I can do to help.
When running tflint for the first time there is a high CPU spike after some time and the system gets stuck for a while.
OS:
Fedora 24 4.9.13-201.fc25.x86_64
Using this binary: https://github.com/wata727/tflint/releases/download/v0.3.1/tflint_linux_amd64.zip
The config settings for ignoring rules seem to be per-project. Is it possible to ignore rules per-file or per-resource?
I have a set of existing resources that break some of the recommendations -- I'd like to catch it if I add something that breaks these, but that's hard to spot with the baseline noise that comes from the existing resources.
Hi there! Just stumbled across this project when it got added to the Visual Studio Code Terraform plugin. Awesome idea!
Question: is the following apply error on an aws_cloudwatch_metric_alarm (incorrect unit) something this project would support? If so, would you implement it or accept a pull request? Thanks!
* aws_cloudwatch_metric_alarm.rds-writer-memory: Creating metric alarm failed: ValidationError: 1 validation error detected: Value 'GB' at 'unit' failed to satisfy constraint: Member must satisfy enum value set: [Gigabits/Second, Gigabits, Percent, Terabits, Bits, Kilobits, Megabytes/Second, Kilobytes, Megabits/Second, Terabytes, Bytes, Count, Gigabytes, Milliseconds, Count/Second, Gigabytes/Second, None, Terabytes/Second, Bytes/Second, Megabits, Kilobytes/Second, Megabytes, Microseconds, Kilobits/Second, Terabits/Second, Bits/Second, Seconds]
status code: 400, request id: --OMITTED--
Here's the configuration that generated the error (note the unit field; changing it to Gigabytes worked):
resource "aws_cloudwatch_metric_alarm" "rds-writer-memory" {
  alarm_name = "${var.env}-rds-writer-memory"
  alarm_actions = [
    "${data.aws_sns_topic.PagerDuty.arn}",
  ]
  comparison_operator = "LessThanOrEqualToThreshold"
  evaluation_periods  = "2"
  metric_name         = "FreeableMemory"
  namespace           = "AWS/RDS"
  ok_actions = [
    "${data.aws_sns_topic.PagerDuty.arn}",
  ]
  period    = "300"
  statistic = "Average"
  threshold = "1"
  unit      = "GB"
  dimensions = {
    # The RDS dimension key is DBClusterIdentifier; the original had a typo
    # ("DBClusterIdentifer"), which the API accepts but never matches a metric.
    DBClusterIdentifier = "${aws_rds_cluster.rds.cluster_identifier}"
    Role                = "WRITER"
  }
}
This is what I've got
Panic: interface conversion: interface {} is int, not string
-> 0: main.main.func1: /main.go(17)
-> 1: runtime.call32: /asm_amd64.s(514)
-> 2: runtime.gopanic: /panic.go(489)
-> 3: runtime.panicdottype: /iface.go(172)
-> 4: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalOutput).Eval: /eval.go(399)
-> 5: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).visit: /eval.go(207)
-> 6: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).(github.com/wata727/tflint/vendor/github.com/hashicorp/hil.visit)-fm: /eval.go(167)
-> 7: github.com/wata727/tflint/vendor/github.com/hashicorp/hil/ast.(*Output).Accept: /output.go(23)
-> 8: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).Visit: /eval.go(167)
-> 9: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.internalEval: /eval.go(145)
-> 10: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.Eval: /eval.go(52)
-> 11: github.com/wata727/tflint/evaluator.(*Evaluator).Eval: /evaluator.go(67)
-> 12: github.com/wata727/tflint/evaluator.(*Evaluator).evalModuleAttr: /module.go(44)
-> 13: github.com/wata727/tflint/evaluator.(*Evaluator).initModule: /module.go(24)
-> 14: github.com/wata727/tflint/evaluator.NewEvaluator: /evaluator.go(35)
-> 15: github.com/wata727/tflint/detector.NewDetector: /detector.go(88)
-> 16: main.(*CLI).Run: /cli.go(116)
-> 17: main.main: /main.go(30)
-> 18: runtime.main: /proc.go(185)
-> 19: runtime.goexit: /asm_amd64.s(2197)
TFLint crached... :(
Please attach an output log, describe the situation and version that occurred and post an issue to https://github.com/wata727/tflint/issues
Version 0.4.0.
Not sure if I need to attach anything else to help debug this.
If the AWS API requires strict formatting then maybe tflint could/should catch this?
tflint and terraform plan completed successfully but terraform apply produced:
2 error(s) occurred:
* aws_route.nat-ngw-a: 1 error(s) occurred:
* aws_route.nat-ngw-a: Error creating route: InvalidRouteTableId.Malformed: Invalid id: "rtb-nat-gw-a"
status code: 400, request id: 9eff0fe5-d8ec-468d-98a8-bd4b72ebe851
* aws_route.nat-ngw-b: 1 error(s) occurred:
* aws_route.nat-ngw-b: Error creating route: InvalidRouteTableId.Malformed: Invalid id: "rtb-nat-gw-b"
status code: 400, request id: 8c0392c6-dd45-4f38-851f-7f316f84e589
For example, if you use the latest Terraform version, you do not have to think about the aws_instance_not_specified_iam_profile rule. (In the new Terraform, it is possible to replace the IAM profile later.)
For this purpose we introduce terraform_version in the configuration file. This option will optimize issues.
I have a resource set like this:
resource "aws_instance" "ec2" {
  ami                    = "${var.ami}"
  instance_type          = "${var.instance_type}"
  subnet_id              = "${var.app_subnet}"
  vpc_security_group_ids = ["${aws_security_group.vnow_sg.id}"]
  key_name               = "${var.ssh_key}"
  root_block_device {
    volume_type           = "standard"
    volume_size           = "${var.volume_size}"
    delete_on_termination = true
  }
  iam_instance_profile        = "${var.instance_profile}"
  associate_public_ip_address = false
  user_data                   = "${data.template_file.user_data.rendered}"
  tags {
    Name           = "${var.tag_name}"
    Owner          = "${var.tag_owner}"
    ExpirationDate = "${var.tag_date}"
  }
}
In the terraform.tfvars file I have set the instance profile. When I run tflint this is the output:
instance.tf
ERROR:12 "s3accesstoec2" is invalid IAM profile name.
Result: 1 issues (1 errors , 0 warnings , 0 notices)
But the instance profile already exists, as per the aws cli command:
aws iam list-instance-profiles | grep s3accesstoec2
O/P
"RoleName": "s3accesstoec2",
"Arn": "arn:aws:iam::111111111111:role/s3accesstoec2"
"InstanceProfileName": "s3accesstoec2",
"Arn": "arn:aws:iam::111111111111:instance-profile/s3accesstoec2"
I have been trying to use tflint but hit a roadblock when loading variables from env vars:
> TF_VAR_THIS_THING=foo tflint
1:3: unknown variable accessed: var.THIS_THING
It's common to use tfenv to manage terraform ($ brew install tfenv) instead of just installing terraform versions.
The brew package for tflint has a dependency on terraform:
$ brew install tflint
==> Installing tflint from wata727/tflint
==> Installing dependencies for wata727/tflint/tflint: go, glide, terraform
==> Installing wata727/tflint/tflint dependency: go
==> Downloading https://homebrew.bintray.com/bottles/go-1.9.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring go-1.9.sierra.bottle.tar.gz
==> Caveats
A valid GOPATH is required to use the `go get` command.
If $GOPATH is not specified, $HOME/go will be used by default:
https://golang.org/doc/code.html#GOPATH
You may wish to add the GOROOT-based install location to your PATH:
export PATH=$PATH:/usr/local/opt/go/libexec/bin
==> Summary
🍺 /usr/local/Cellar/go/1.9: 7,639 files, 293.7MB
==> Installing wata727/tflint/tflint dependency: glide
==> Downloading https://homebrew.bintray.com/bottles/glide-0.12.3.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring glide-0.12.3.sierra.bottle.tar.gz
🍺 /usr/local/Cellar/glide/0.12.3: 6 files, 10MB
==> Installing wata727/tflint/tflint dependency: terraform
Error: Cannot install terraform because conflicting formulae are installed.
tfenv: because tfenv symlinks terraform binaries
Please `brew unlink tfenv` before continuing.
Unlinking removes a formula's symlinks from /usr/local. You can
link the formula again after the install finishes. You can --force this
install, but the build may fail or cause obscure side-effects in the
resulting software.
I'm not sure where or how the issue occurred but recently updating to terraform 0.10.6, and using it in conjunction with tflint in our build pipeline, has caused our builds to fail. This behavior was not present in 0.10.5 or 0.10.4, so I'm wondering if it has something to do with the registry addition?
Output from 0.10.5:
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # wget https://releases.hashicorp.com/terraform/0.10.5/terraform_0.10.5_linux_amd64.zip
--2017-09-25 16:23:28-- https://releases.hashicorp.com/terraform/0.10.5/terraform_0.10.5_linux_amd64.zip
Resolving releases.hashicorp.com... 151.101.53.183, 2a04:4e42:d::439
Connecting to releases.hashicorp.com|151.101.53.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13480473 (13M) [application/zip]
Saving to: 'terraform_0.10.5_linux_amd64.zip'
terraform_0.10.5_linux_amd64.zip 100%[====================================================================================================================>] 12.86M 25.5MB/s in 0.5s
2017-09-25 16:23:29 (25.5 MB/s) - 'terraform_0.10.5_linux_amd64.zip' saved [13480473/13480473]
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # unzip terraform_0.10.5_linux_amd64.zip
Archive: terraform_0.10.5_linux_amd64.zip
inflating: terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # ls
Makefile backend.tf ec2-service-consul.tf module-concourse-worker.tf terraform variables-account.tf
autoscaling_groups.tf cloudwatch_alarms.tf global-provider.tf module-elasticsearch.tf terraform_0.10.4_linux_amd64.zip variables-global.tf
autoscaling_notifications.tf config.mk jenkins-master.tf security_groups.tf terraform_0.10.5_linux_amd64.zip variables-region.tf
autoscaling_policies.tf ec2-instances.tf launch_configurations.tf state.tf userdata variables.tf
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # chmod +x terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # mv terraform /usr/local/bin/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # rm -rf .terraform/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform version
Terraform v0.10.5
Your version of Terraform is out of date! The latest version
is 0.10.6. You can update by downloading from www.terraform.io
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform init
Downloading modules...
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-consul
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/jenkins-master
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/concourse-worker
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-elasticsearch
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "consul" (0.1.0)...
- Downloading plugin for provider "vault" (0.1.0)...
- Downloading plugin for provider "terraform" (1.0.0)...
- Downloading plugin for provider "aws" (0.1.4)...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform validate
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # tflint
Awesome! Your code is following the best practices :)
And from 0.10.6:
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # wget https://releases.hashicorp.com/terraform/0.10.6/terraform_0.10.6_linux_amd64.zip
--2017-09-25 16:24:38-- https://releases.hashicorp.com/terraform/0.10.6/terraform_0.10.6_linux_amd64.zip
Resolving releases.hashicorp.com... 151.101.53.183, 2a04:4e42:d::439
Connecting to releases.hashicorp.com|151.101.53.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13482562 (13M) [application/zip]
Saving to: 'terraform_0.10.6_linux_amd64.zip'
terraform_0.10.6_linux_amd64.zip 100%[====================================================================================================================>] 12.86M 29.2MB/s in 0.4s
2017-09-25 16:24:38 (29.2 MB/s) - 'terraform_0.10.6_linux_amd64.zip' saved [13482562/13482562]
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # unzip terraform_0.10.6_linux_amd64.zip
Archive: terraform_0.10.6_linux_amd64.zip
inflating: terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # chmod +x terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # mv terraform /usr/local/bin/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # rm -rf .terraform/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform version
Terraform v0.10.6
t/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform init
Downloading modules...
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-consul
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/jenkins-master
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/concourse-worker
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-elasticsearch
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "aws" (0.1.4)...
- Downloading plugin for provider "consul" (0.1.0)...
- Downloading plugin for provider "vault" (0.1.0)...
- Downloading plugin for provider "terraform" (1.0.0)...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform validate
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # tflint
ERROR: module `../../../../modules/mycompany/service-consul` not found. Did you run `terraform get`?
The modules are definitely present and downloaded:
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # ls -al .terraform/modules/
total 24
drwxr-xr-x 2 root root 4096 Sep 25 16:24 .
drwxr-xr-x 4 root root 4096 Sep 25 16:25 ..
lrwxrwxrwx 1 root root 71 Sep 25 16:24 2dada97fb16b13c172562f10af0e2c5c -> /tmp/build/d147a603/operations-terraform/modules/mycompany/service-consul
lrwxrwxrwx 1 root root 78 Sep 25 16:24 4b5207903722440c6caba86b6dcd1edf -> /tmp/build/d147a603/operations-terraform/modules/mycompany/service-elasticsearch
lrwxrwxrwx 1 root root 73 Sep 25 16:24 54fcf8b4e772f5398245d82180ef8372 -> /tmp/build/d147a603/operations-terraform/modules/mycompany/concourse-worker
lrwxrwxrwx 1 root root 71 Sep 25 16:24 c3bbf5350eba55d1d9316c839bcf312c -> /tmp/build/d147a603/operations-terraform/modules/mycompany/jenkins-master
I am trying to lint a piece of Terraform I have where I am specifying the AWS region in the provider block like:
provider "aws" {
  region = "us-west-2"
}
When running tflint --deep, I am getting the following error:
ERROR: error occurred in detecting. Please run with --debug option for details.
When running tflint --deep --debug, I am getting the following output:
DEBUG:/loader.go:120 [INFO] Load environment...
DEBUG:/loader.go:128 [ERROR] open .terraform/environment: no such file or directory
DEBUG:/loader.go:131 [INFO] Load tfstate...
DEBUG:/loader.go:145 [INFO] Local state detected
DEBUG:/loader.go:161 [INFO] Load tfvars...
DEBUG:/loader.go:164 [INFO] Load `terraform.tfvars`
DEBUG:/loader.go:166 [ERROR] stat terraform.tfvars: no such file or directory
DEBUG:/loader.go:191 [INFO] Load HCL file: `main.tf`
DEBUG:/loader.go:53 [INFO] Load HCL file: `main.tf`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_type`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_previous_type`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_not_specified_iam_profile`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_default_standard_volume`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_iam_profile`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_ami`
DEBUG:/aws_instance_invalid_ami.go:31 [ERROR] MissingRegion: could not find region configuration
DEBUG:/aws_instance_invalid_ami.go:48 [ERROR] ERROR: `"${data.aws_ami.ec2_ami.image_id}"` is not evaluable
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_key_name`
DEBUG:/aws_instance_invalid_key_name.go:31 [ERROR] MissingRegion: could not find region configuration
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_subnet`
DEBUG:/aws_instance_invalid_subnet.go:31 [ERROR] MissingRegion: could not find region configuration
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_vpc_security_group`
DEBUG:/aws_instance_invalid_vpc_security_group.go:32 [ERROR] MissingRegion: could not find region configuration
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_alb_invalid_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_alb_invalid_subnet`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_alb_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_invalid_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_invalid_subnet`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_invalid_instance`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_default_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_vpc_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_db_subnet_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_option_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_previous_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_readable_password`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_duplicate_identifier`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_default_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_subnet_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_previous_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_duplicate_id`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_security_group_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_route_table`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_not_specified_target`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_specified_multiple_targets`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_gateway`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_egress_only_gateway`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_nat_gateway`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_vpc_peering_connection`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_instance`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_network_interface`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_cloudwatch_metric_alarm_invalid_unit`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_ecs_cluster_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `terraform_module_pinned_source`
ERROR: error occurred in detecting. Please run with --debug option for details.
Running tflint on its own does not give too much feedback at the moment.
$ tflint
1:3: unknown variable accessed: var.aws_allowed_account_ids
I'd like to know more specifically which files were inspected, so I've wrapped this command like so:
find . -type f -not \( -path '*/.terraform/*' \) -name '*.tf' -exec \
  /bin/bash -c "echo 'Linting {}' && tflint {} --deep --error-with-issues" \;
Linting ./main.tf
1:3: unknown variable accessed: var.aws_region
Linting ./output.tf
Awesome! Your code is following the best practices :)
Linting ./variables.tf
Awesome! Your code is following the best practices :)
but by linting one file at a time, it has no knowledge of the other files. So, is there a way to add more information about what was linted and which file is causing issues?
For example, if we create duplicate DNS records in Route53, an error will occur.
Hello.
I've found false error reporting on instance_type when using modules.
Test repo https://github.com/Nklya/tflint-example
TFLint version 0.3.4
tflint-example $ tflint
./modules/test1/main.tf
NOTICE:1 "iam_instance_profile" is not specified. If you want to change it, you need to recreate instance. (Only less than Terraform 0.8.8)
ERROR:3 "${var.instance_type}" is invalid instance type.
Result: 2 issues (1 errors , 0 warnings , 1 notices)
However, instance_type is correctly set in variables.tf and modules/test1/variables.tf, and terraform successfully applies this configuration.
Seems that if I give tflint an invalid option such as aws_region, placing it on the tail, the wrong argument is listed as wrong:
$ tflint --debug --deep --aws_region us-east-1
ERROR: `--debug` is unknown options. Please run `tflint --help`
I haven't looked at the code handling this, maybe you meant to list all the command line arguments in that error message?
Lastly, I'll quietly mention that "X is unknown options" isn't quite proper grammar usage.
Utterly minor bug I hate even reporting.
Hi,
I am using your tool for validating our terraform code which cannot be captured by terraform plan, to avoid any issues while running the terraform apply. But while using it I am facing some issues in terms of validating; before jumping onto the issues, let me give you the context about our terraform code.
Context:
I am using two types of referencing in my terraform code:
../../../modules/route_tables/rt_routes/igw/main.tf
ERROR:11 "${data.terraform_remote_state.vpc.vpc_info["main_route_table_id"]}" is invalid route table ID.
ERROR:13 "${data.terraform_remote_state.vpc.vpc_info["igw_id"]}" is invalid internet gateway ID.
../../../modules/route_tables/rt_routes/nat_gw/main.tf
ERROR:11 "${module.apptier_1_route_table.route_table_id}" is invalid route table ID.
ERROR:11 "${module.apptier_2_route_table.route_table_id}" is invalid route table ID.
ERROR:13 "${data.terraform_remote_state.nat_gw.nat_gw_ids_list[0]}" is invalid NAT gateway ID.
ERROR:13 "${data.terraform_remote_state.nat_gw.nat_gw_ids_list[1]}" is invalid NAT gateway ID.
But there is one more catch in this: I am maintaining the terraform code in different directories and running tflint at each location to validate. The terraform code at all locations has this referencing code, but tflint is not detecting these references as errors at all locations (our terraform code is working fine in terms of provisioning aws resources with these types of references).
Queries:
Let me know if anything else is required in same from my side.
Thx.
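The apply error earlier on the page (a plan that passed with route_table_id = "rtb-nat-gw-a") and the report just above (interpolated module and remote-state values flagged as invalid IDs) are two sides of the same check. The following is an added example, not tflint's own code: an offline format check for AWS resource IDs that reports malformed literals but skips interpolations it cannot evaluate. The attribute names, ID patterns and the sample configuration are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding mirrors the shape of tflint's "ERROR:<line> <message>" output.
type Finding struct {
	Line    int
	Message string
}

// AWS EC2 resource IDs are a type prefix plus 8 (legacy) or 17 hex digits.
// Only the attributes discussed in the reports above are covered (assumption).
var idPatterns = map[string]*regexp.Regexp{
	"route_table_id": regexp.MustCompile(`^rtb-(?:[0-9a-f]{8}|[0-9a-f]{17})$`),
	"gateway_id":     regexp.MustCompile(`^igw-(?:[0-9a-f]{8}|[0-9a-f]{17})$`),
	"nat_gateway_id": regexp.MustCompile(`^nat-(?:[0-9a-f]{8}|[0-9a-f]{17})$`),
	"vpc_id":         regexp.MustCompile(`^vpc-(?:[0-9a-f]{8}|[0-9a-f]{17})$`),
}

// attrLine matches a simple `name = "value"` assignment (HCL 0.11 style).
// Values containing embedded quotes, e.g. map lookups, are not matched.
var attrLine = regexp.MustCompile(`^\s*([a-z_]+)\s*=\s*"([^"]*)"\s*$`)

// IsInterpolation reports whether a value still contains a HIL interpolation
// such as "${module.x.id}". Such values depend on state, module outputs or
// remote state and cannot be judged by a format check, so they are skipped
// rather than reported as invalid.
func IsInterpolation(v string) bool {
	return strings.Contains(v, "${")
}

// CheckID validates one attribute value against the expected ID format.
// It returns nil for attributes it does not know, for interpolations and
// for well-formed IDs; otherwise it returns a Finding for the given line.
func CheckID(attr, value string, line int) *Finding {
	re, ok := idPatterns[attr]
	if !ok || IsInterpolation(value) {
		return nil
	}
	if re.MatchString(value) {
		return nil
	}
	return &Finding{
		Line:    line,
		Message: fmt.Sprintf("%q is a malformed %s", value, attr),
	}
}

// LintHCL scans a configuration line by line and returns every malformed ID.
// This is a format check only; unlike tflint --deep it does not confirm that
// the ID exists in the account, so it needs no credentials or network access.
func LintHCL(src string) []Finding {
	var findings []Finding
	for i, raw := range strings.Split(src, "\n") {
		m := attrLine.FindStringSubmatch(raw)
		if m == nil {
			continue
		}
		if f := CheckID(m[1], m[2], i+1); f != nil {
			findings = append(findings, *f)
		}
	}
	return findings
}

// sample is a constructed configuration: the malformed literal from the apply
// error above, an interpolation that must not be flagged, a valid legacy ID
// and a second malformed literal.
const sample = `resource "aws_route" "nat-ngw-a" {
  route_table_id         = "rtb-nat-gw-a"
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "${data.terraform_remote_state.nat_gw.nat_gw_ids_list[0]}"
}

resource "aws_route" "igw" {
  route_table_id = "rtb-0123abcd"
  gateway_id     = "igw-XYZ"
}
`

func main() {
	// Expected: ERROR:2 for "rtb-nat-gw-a" and ERROR:9 for "igw-XYZ"; the
	// interpolated nat_gateway_id on line 4 is skipped.
	for _, f := range LintHCL(sample) {
		fmt.Printf("ERROR:%d %s\n", f.Line, f.Message)
	}
}
```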
This is my .tflint.hcl file
config {
  deep_check = true
  aws_credentials = {
    profile = "master"
    region  = "us-east-1"
  }
}
I have no default profile set in .aws/credentials and I have multiple profiles in the file. Any profile other than default produces this error
[ERROR] NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
Hi,
This is an awesome wrapper to perform the lint analysis on terraform code. In my case we are using terragrunt wrapper to perform the terraform activities.
We were trying to use tflint for terragrunt but it seems tflint does not support terragrunt semantics. Is it possible to add the support for terragrunt?
It will be a great enhancement.
Thanks,
Sanjiv
Introduce schema package. This makes it easier to add new detectors.
This issue is also related to #86, to make it easier to merge resources too.
The exit status of tflint is always zero whether the test has failed or succeeded.
It seems I made tflint crash with the following code (some pieces redacted):
provider "aws" {
  region = "<redacted a valid region>"
}

variable "vpc_id" {
  type        = "string"
  default     = "vpc-<redacted a valid vpc id>"
  description = "<redacted a valid description>"
}

# testing security group
resource "aws_security_group" "testing" {
  name        = "testing"
  description = "Testing Security Group"
  vpc_id      = "${var.vpc_id}"
  tags {
    "owner" = "Testing"
  }
}
Here is the tail of the output, let me know if you need more:
DEBUG:/detector.go:143 [INFO] detect by `aws_security_group_duplicate_name`
Panic: runtime error: invalid memory address or nil pointer dereference
-> 0: main.main.func1: /main.go(17)
-> 1: runtime.call32: /asm_amd64.s(514)
-> 2: runtime.gopanic: /panic.go(489)
-> 3: runtime.panicmem: /panic.go(63)
-> 4: runtime.sigpanic: /signal_unix.go(290)
-> 5: github.com/wata727/tflint/detector.(*AwsSecurityGroupDuplicateDetector).PreProcess: /aws_security_group_duplicate_name.go(45)
-> 6: runtime.call32: /asm_amd64.s(514)
-> 7: reflect.Value.call: /value.go(434)
-> 8: reflect.Value.Call: /value.go(302)
-> 9: github.com/wata727/tflint/detector.(*Detector).detect: /detector.go(181)
-> 10: github.com/wata727/tflint/detector.(*Detector).Detect: /detector.go(144)
-> 11: main.(*CLI).Run: /cli.go(144)
-> 12: main.main: /main.go(30)
-> 13: runtime.main: /proc.go(185)
-> 14: runtime.goexit: /asm_amd64.s(2197)
TFLint crached... :(
Please attach an output log, describe the situation and version that occurred and post an issue to https://github.com/wata727/tflint/issues
Needless to say, this code works fine for plan and apply. Thanks for the awesome project, by the way!
Hi,
When I run
docker run -it \
--volume `pwd`:/app \
--workdir /app/ \
--env AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
--env AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
--env AWS_REGION=eu-west-1 \
wata727/tflint:0.5.1 --deep --debug --error-with-issues
I get errors such as:
DEBUG:/aws_security_group_duplicate_name.go:33 [ERROR] RequestError: send request failed
caused by: Post https://ec2.eu-west-1.amazonaws.com/: x509: failed to load system roots and no roots provided
DEBUG:/aws_security_group_duplicate_name.go:75 [ERROR] ERROR: `"${aws_vpc.app.id}"` is not evaluable
DEBUG:/aws_ecs_cluster_duplicate_name.go:31 [ERROR] RequestError: send request failed
caused by: Post https://ecs.eu-west-1.amazonaws.com/: x509: failed to load system roots and no roots provided
This also passes and returns 0, when I guess it should fail as there was some form of error?
To fix the x509, just need to add
RUN apk add --no-cache ca-certificates
to the Dockerfile.
I'll quickly get a PR going for this ^^
Hi @wata727
we use overrides (https://www.terraform.io/docs/configuration/override.html) quite extensively - because it suits our CI/CD tooling - but this causes issues for TFlint...
-- main.tf
module "foo" {
  a = "b"
  c = "d"
}
-- main_override.tf
module "foo" {
  source = "git::http://some_git_url.git?ref=master"
}
I get:
ERROR: Invalid module source in foo
Thanks again for the lovely TFlint tool. We love it.
N
I see a way to exclude custom modules, but don't see any documentation on how to add custom modules/validations. I would like to add some custom validations for my custom Terraform provider and resources. Is this possible?
ERROR: module git@github.com:chanzuckerberg/shared-infra//terraform/modules/aws-env?ref=master not found. Did you run terraform get?
From line:
https://github.com/wata727/tflint/blob/5865a74a904ebdbc26387ba671a005861142b234/schema/module.go#L45
My current setup works so it seems that this check is too naive?
I have the following variable of type list:
variable "domains" {
  default = []
}
Which makes tflint fail with the following error message (tried with the latest version 0.3.1):
cd tf/staging && ../../tflint --error-with-issues
Panic: reflect: slice index out of range
-> 0: main.main.func1: /main.go(17)
-> 1: runtime.call32: /asm_amd64.s(514)
-> 2: runtime.gopanic: /panic.go(489)
-> 3: reflect.Value.Index: /value.go(865)
-> 4: github.com/wata727/tflint/evaluator.parseVariable: /variable.go(137)
-> 5: github.com/wata727/tflint/evaluator.detectVariables: /variable.go(42)
-> 6: github.com/wata727/tflint/evaluator.NewEvaluator: /evaluator.go(20)
-> 7: github.com/wata727/tflint/detector.NewDetector: /detector.go(69)
-> 8: github.com/wata727/tflint/detector.(*Detector).Detect: /detector.go(152)
-> 9: main.(*CLI).Run: /cli.go(142)
-> 10: main.main: /main.go(30)
-> 11: runtime.main: /proc.go(185)
-> 12: runtime.goexit: /asm_amd64.s(2197)
TFLint crached... :(
Please attach an output log, describe the situation and version that occurred and post an issue to https://github.com/wata727/tflint/issues
cd tf/staging && ../../tflint --error-with-issues returned exit code 2
I tried adding explicit type = "list" but this doesn't seem to help.
terraform.env is not recognised as a valid terraform variable.
$ tflint
1:3: unknown variable accessed: terraform.env
$ tflint -v
TFLint version 0.3.5
It would be extremely useful to be able to set the shared credentials path (default and the only one acceptable by tflint is ~/.aws/credentials). In my specific use case, Jenkins has a secret file with AWS credentials that simply can't be at that location, but I do receive an environment variable with its location.
To be clear, it's an option to create another, tflint-specific, secret Jenkins file with the credentials but that would be a duplication effort I'd prefer to avoid.
I've never touched Go, but can probably put together a working pull request for this.
Additionally, is there any reason that the region isn't being parsed out of the credentials file as well? It seems I have to either specify it on command line or via .tflint.hcl.
Thank you!
Ref #8
Currently, as the number of modules increases, the deep check will be delayed, because TFLint calls the detector method for each module.
Hello,
I'm thinking of working on and submitting a pull request for a feature to recurse into directories, e.g. tflint -r . to visit all of my subdirectories of Terraform recipes and lint each one.
Is that a good feature? Any pros/cons to implementing such a thing?
Hello, congratulations for your work, TFLint is a great tool and we use it a lot.
Our DevOps team wants to use TFLint to enforce some internal policies related to internal naming conventions on the resources, require the addition of tags that should always be present (for AWS-related resources), etc. So, we want to extend/customize TFLint (we can write Go code).
Could you please provide me a few "development guidelines" to start my work on that project? I mean, what is the cleanest and easiest way to extend/customize TFLint to add more checks?
Thank you very much in advance!
Best Regards,
Leo
Currently, it supports HCL interpolation syntax, but only variables (e.g. ${var.name} etc.).
By parsing tfstate, it will support attributes of resources, built-in functions, etc.
I have followed the installation steps on CentOS but I received this error when running "./tflint -v":
bash: ./tflint: cannot execute binary file
Check for AWS resources which are taggable but don't have any tags specified.
A bonus point would be to check for specific tag keys like Name and Team.
TBD
For example:
Pretty Print
template.tf
NOTICE:1 "iam_instance_profile" is not specified. If you want to change it, you need to recreate it (aws_instance_not_specified_iam_profile)
ERROR:3 "t1.2xlarge" is invalid instance type. (aws_instance_invalid_type)
Result: 2 issues (1 errors , 0 warnings , 1 notices)
JSON
[
  {
    "detector": "aws_instance_not_specified_iam_profile",
    "type": "NOTICE",
    "message": "\"iam_instance_profile\" is not specified. If you want to change it, you need to recreate it ",
    "line": 1,
    "file": "template.tf",
    "link": "https://github.com/wata727/tflint/blob/master/docs/aws_instance_not_specified_iam_profile.md"
  },
  {
    "detector": "aws_instance_invalid_type",
    "type": "ERROR",
    "message": "\"t1.2xlarge\" is invalid instance type.",
    "line": 3,
    "file": "template.tf",
    "link": "https://github.com/wata727/tflint/blob/master/docs/aws_instance_invalid_type.md"
  }
]
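Several reports on this page concern tflint's exit status in CI. As an added example (not tflint's own code), this script consumes the JSON output format proposed above, rebuilds the Pretty Print "Result:" summary line, and derives a non-zero exit code only when an ERROR-level issue is present, the way --error-with-issues is expected to behave. The embedded issue list is a constructed sample matching the format above.

```python
import json
from collections import Counter

# Constructed sample of the proposed JSON output format (not real tflint output).
SAMPLE_JSON = """
[
  {"detector": "aws_instance_not_specified_iam_profile", "type": "NOTICE",
   "message": "\\"iam_instance_profile\\" is not specified. If you want to change it, you need to recreate it ",
   "line": 1, "file": "template.tf",
   "link": "https://github.com/wata727/tflint/blob/master/docs/aws_instance_not_specified_iam_profile.md"},
  {"detector": "aws_instance_invalid_type", "type": "ERROR",
   "message": "\\"t1.2xlarge\\" is invalid instance type.",
   "line": 3, "file": "template.tf",
   "link": "https://github.com/wata727/tflint/blob/master/docs/aws_instance_invalid_type.md"}
]
"""

# Issue levels in the order the Pretty Print summary lists them.
LEVELS = ("ERROR", "WARNING", "NOTICE")


def parse_issues(text):
    """Parse the JSON issue list, rejecting records with missing keys or an unknown level."""
    issues = json.loads(text)
    if not isinstance(issues, list):
        raise ValueError("expected a JSON array of issues")
    required = {"detector", "type", "message", "line", "file"}
    for issue in issues:
        missing = required - set(issue.keys())
        if missing:
            raise ValueError(f"issue missing keys: {sorted(missing)}")
        if issue["type"] not in LEVELS:
            raise ValueError(f"unknown issue type: {issue['type']!r}")
    return issues


def summarize(issues):
    """Count issues per level, always returning every level so callers can rely on the keys."""
    counts = Counter(issue["type"] for issue in issues)
    return {level: counts.get(level, 0) for level in LEVELS}


def result_line(issues):
    """Reproduce the Pretty Print summary line shown above for the same issue set."""
    c = summarize(issues)
    return (f"Result: {len(issues)} issues ({c['ERROR']} errors , "
            f"{c['WARNING']} warnings , {c['NOTICE']} notices)")


def exit_code(issues, fail_on=("ERROR",)):
    """Mimic --error-with-issues: non-zero only when an issue at a failing level exists."""
    return 1 if any(issue["type"] in fail_on for issue in issues) else 0


if __name__ == "__main__":
    found = parse_issues(SAMPLE_JSON)
    for issue in found:
        print(f"{issue['type']}:{issue['line']} {issue['message'].strip()} ({issue['detector']})")
    print(result_line(found))
    raise SystemExit(exit_code(found))
```

Passing fail_on=("ERROR", "WARNING") makes warnings fail the build as well, which is how a stricter CI gate would use it.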
SpotFleet starts and deletes EC2 spot instances using an IAM role associated with an appropriate policy, because it cannot delete instances if the policy association is removed before they are deleted.
Currently, the API is called for any template when deep checking is enabled, even if the target resources are not found. So it takes time to detect a simple template.
First, make sure that the resources are in the template; do not call the API when the target resources are not found.