If you want to add custom rules, you can write ruleset plugins.
Plugins are independent binaries and use go-plugin to communicate with TFLint over gRPC. TFLint executes the binary when the plugin is enabled, and the plugin process must act as a gRPC server for TFLint.
If you want to create a new plugin, a template repository is available that satisfies this specification. You can create your own repository from "Use this template" and easily add rules based on some reference rules.
The template repository uses the SDK that wraps the go-plugin for communication with TFLint. See also the Architecture section for the architecture of the plugin system.
Visit tflint-ruleset-template and click the "Use this template" button. The repository name must be `tflint-ruleset-*`.
The created repository can be installed locally with `make install`. Enable the plugin as follows and verify that the installed plugin works.
```hcl
plugin "template" {
  enabled = true
}
```

```console
$ make install
go build
mkdir -p ~/.tflint.d/plugins
mv ./tflint-ruleset-template ~/.tflint.d/plugins
$ tflint -v
TFLint version 0.28.1
+ ruleset.template (0.1.0)
```
Rename the ruleset and add/edit rules. After making changes, you can check the behavior with `make install`. See also the tflint-plugin-sdk API reference for communication with the host process.
You can build and install your own ruleset locally as described above, but you can also install it automatically with `tflint --init`.
The requirements to support automatic installation are as follows:

- The built plugin binaries must be published on GitHub Release
- The release must be tagged with a name like `v1.1.1`
- The release must contain an asset with a name like `tflint-ruleset-{name}_{GOOS}_{GOARCH}.zip`
- The zip file must contain a binary named `tflint-ruleset-{name}` (`tflint-ruleset-{name}.exe` in Windows)
- The release must contain a checksum file for the zip file with the name `checksums.txt`
- The checksum file must contain a sha256 hash and filename
When signing a release, one of the following requirements must be met:

- PGP signing key
  - The release must contain a signature file for the checksum file with the name `checksums.txt.sig`
  - The signature file must be binary OpenPGP format
- Artifact Attestation
  - Include a step in your GitHub Actions workflow that uses the `attest-build-provenance` action for `checksums.txt`.
Releases that meet these requirements can be easily created by following the GoReleaser config in the template repository.
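As an added example (not code from the TFLint docs or the template repository), here is a small Go verifier that applies the checksum requirements above the way a consumer of the release would: it builds the expected asset name, parses `checksums.txt`, and compares the sha256 of the downloaded zip against the listed digest. The ruleset name, asset names and file contents are constructed samples; the `linux_amd64` entry is the digest of the bytes `hello` and the `darwin_arm64` entry is the digest of an empty file.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// AssetName builds the asset name TFLint expects: tflint-ruleset-{name}_{GOOS}_{GOARCH}.zip
func AssetName(name, goos, goarch string) string {
	return fmt.Sprintf("tflint-ruleset-%s_%s_%s.zip", name, goos, goarch)
}

// ParseChecksums reads checksums.txt lines of the form "<sha256 hex>  <filename>"
// (the sha256sum / GoReleaser layout) into a filename -> digest map.
func ParseChecksums(checksums string) (map[string]string, error) {
	sums := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(checksums), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		sums[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0]) // '*' marks binary mode
	}
	return sums, nil
}

// VerifyAsset checks that data (the downloaded zip) has the digest recorded for
// assetName. checksums.txt is the file the release signs (checksums.txt.sig or an
// attestation), so this comparison is what links the zip back to the signed file.
func VerifyAsset(checksums, assetName string, data []byte) error {
	sums, err := ParseChecksums(checksums)
	if err != nil {
		return err
	}
	want, ok := sums[assetName]
	if !ok {
		return fmt.Errorf("%s is not listed in checksums.txt", assetName)
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(data)); got != want {
		return fmt.Errorf("sha256 mismatch for %s: got %s, want %s", assetName, got, want)
	}
	return nil
}

// Constructed sample: a fake "zip" holding the bytes "hello", listed in a
// checksums.txt next to a second (empty file) entry for another platform.
var sampleZip = []byte("hello")
var sampleChecksums = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  tflint-ruleset-template_linux_amd64.zip\n" +
	"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  tflint-ruleset-template_darwin_arm64.zip\n"
```

Verifying the OpenPGP signature or the attestation over `checksums.txt` is a separate step that this block does not perform; it only covers the zip-to-checksum link.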