// the find
terraform-linters/tflint
A Pluggable Terraform Linter
TFLint is a linter for Terraform that catches provider-specific errors (invalid AWS instance types, deprecated syntax, naming convention violations) that `terraform validate` won't find. It's plugin-based, so the core is just an evaluation framework — the actual rules live in separate rulesets for AWS, Azure, GCP, and others. Useful for any team running Terraform at more than toy scale.
The plugin architecture is genuinely well-designed: rules are isolated binaries communicating over gRPC, so a buggy ruleset can't crash the core, and you can write your own without forking the project. The `--recursive` flag plus parallel workers makes it practical to run across a monorepo of modules in CI without a shell loop. SARIF output means it drops straight into GitHub code scanning with zero glue code. The AWS ruleset in particular has deep coverage — it knows about valid EC2 instance families, RDS engine versions, and IAM condition keys, which are exactly the things that fail silently at plan time.
The license situation is a quiet landmine: the `terraform` package inside TFLint is BUSL 1.1 (HashiCorp's commercial-use-restricted license), which means the release binaries inherit that restriction. Most teams won't notice until legal asks. Plugin versioning is manual — you pin a version in `.tflint.hcl` and run `--init`, but there's no lockfile equivalent, so a fresh CI runner silently fetches whatever the plugin registry serves if you forget to commit the version. Module inspection is limited by default (`--call-module-type=local` only) and enabling remote module inspection requires running `terraform init` first, which is an annoying prerequisite in a lint-only workflow.
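A way to close the plugin-pinning gap from the CI side, as an added example (not TFLint's own code): a POSIX sh pre-flight that refuses to lint unless every non-bundled `plugin` block in `.tflint.hcl` pins an exact `version`, then runs the `--init` / `--recursive` / SARIF sequence described above. The config file it writes is constructed for the example, the `1.2.3` pin is a placeholder rather than a real ruleset release, and the awk check assumes the conventional one-attribute-per-line layout with the closing brace at column 0; it is a guard, not an HCL parser.

```shell
#!/usr/bin/env sh
# Added example, not part of the TFLint project. Guards a lint-only CI job
# against unpinned plugin versions, then lints a monorepo and emits SARIF.

# Constructed sample config standing in for the committed .tflint.hcl.
# The bundled "terraform" ruleset needs no source/version; every other
# plugin must pin one. "1.2.3" is a placeholder, not a real release.
write_sample_config() {
  cat > "$1" <<'EOF'
config {
  call_module_type = "local"
}

plugin "terraform" {
  enabled = true
  preset  = "recommended"
}

plugin "aws" {
  enabled = true
  version = "1.2.3"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}
EOF
}

# Exit 0 if every plugin block other than the bundled "terraform" one pins
# an exact x.y.z version; otherwise print the offenders and exit 1.
check_plugin_pins() {
  awk '
    /^plugin[ \t]+"/ {
      match($0, /"[^"]+"/)
      name = substr($0, RSTART + 1, RLENGTH - 2)
      inblock = 1; pinned = 0
      next
    }
    inblock && /^[ \t]*version[ \t]*=[ \t]*"[0-9]+\.[0-9]+\.[0-9]+"/ { pinned = 1 }
    inblock && /^}/ {
      if (name != "terraform" && !pinned) { print "unpinned plugin: " name; bad = 1 }
      inblock = 0
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# CI entry point. Fails fast on an unpinned config; otherwise installs the
# pinned plugins once (they live in the user plugin dir, so one --init is
# enough) and lints every module under the repo root with a single config,
# passed as an absolute path so recursive mode uses it in each directory.
# tflint.sarif can then be uploaded with github/codeql-action/upload-sarif.
lint_repo() {
  cfg="$(pwd)/.tflint.hcl"
  check_plugin_pins "$cfg" || {
    echo "refusing to lint: pin every plugin version in $cfg" >&2
    return 1
  }
  tflint --config "$cfg" --init || return 1
  tflint --config "$cfg" --recursive --format sarif > tflint.sarif
}

# Usage in a CI step, from the repository root:
#   . ./tflint-ci.sh && lint_repo
```

The pre-flight reads the committed config rather than whatever `--init` would resolve, so a fresh runner fails loudly instead of fetching an unpinned plugin; `tflint` remains the authority on whether the pinned version actually exists.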