diff --git a/cli/assets/terraform.yml b/cli/assets/terraform.yml
index a41d1a1..d3196b5 100644
--- a/cli/assets/terraform.yml
+++ b/cli/assets/terraform.yml
@@ -633,17 +633,6 @@ rules:
     tags:
       - ami
 
-  - id: EBS_BLOCK_DEVICE_ENCRYPTED
-    message: EBS block devices should use encryption
-    resource: aws_instance
-    severity: FAILURE
-    assertions:
-      - every:
-          key: ebs_block_device
-          expressions:
-            - key: encrypted
-              op: is-true
-
   - id: CLOUDTRAIL_ENCRYPTION
     message: CloudTrail should use encryption
     resource: aws_cloudtrail
@@ -700,13 +689,19 @@ rules:
     tags:
       - rds
 
-  - id: ELB_ACCESS_LOGS
-    message: ELB should have access logs configured
-    resource: aws_elb
+  - id: EBS_BLOCK_DEVICE_ENCRYPTED
+    message: EBS block devices should use encryption
+    resource: aws_instance
     severity: FAILURE
     assertions:
-      - key: access_logs
-        op: present
+      - every:
+          key: ebs_block_device
+          expressions:
+            - key: encrypted
+              op: is-true
+    tags:
+      - ec2
+      - ebs
 
   - id: EBS_VOLUME_ENCRYPTION
     message: EBS Volume should be encrypted
diff --git a/cli/builtin_terraform_test.go b/cli/builtin_terraform_test.go
new file mode 100644
index 0000000..9b0b6f9
--- /dev/null
+++ b/cli/builtin_terraform_test.go
@@ -0,0 +1,121 @@
+package main
+
+import (
+	"fmt"
+	"github.com/stelligent/config-lint/assertion"
+	"github.com/stelligent/config-lint/linter"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func loadRules(t *testing.T, filename string) assertion.RuleSet {
+	r, err := loadBuiltInRuleSet(filename)
+	assert.Nil(t, err, "Cannot load ruleset file")
+	return r
+}
+
+type BuiltInTestCase struct {
+	Filename     string
+	RuleID       string
+	WarningCount int
+	FailureCount int
+}
+
+func numberOfWarnings(violations []assertion.Violation) int {
+	n := 0
+	for _, v := range violations {
+		if v.Status == "WARNING" {
+			n += 1
+		}
+	}
+	return n
+}
+func numberOfFailures(violations []assertion.Violation) int {
+	n := 0
+	for _, v := range violations {
+		if v.Status == "FAILURE" {
+			n += 1
+		}
+	}
+	return n
+}
+
+func TestTerraformBuiltInRules(t *testing.T) {
+	ruleSet := loadRules(t, "assets/terraform.yml")
+	testCases := []BuiltInTestCase{
+		{"security-groups.tf", "SG_WORLD_INGRESS", 1, 0},
+		{"security-groups.tf", "SG_WORLD_EGRESS", 2, 0},
+		{"security-groups.tf", "SG_SSH_WORLD_INGRESS", 0, 1},
+		{"security-groups.tf", "SG_RD_WORLD_INGRESS", 0, 0},
+		{"security-groups.tf", "SG_NON_32_INGRESS", 2, 0},
+		{"security-groups.tf", "SG_INGRESS_PORT_RANGE", 0, 0},
+		{"security-groups.tf", "SG_EGRESS_PORT_RANGE", 0, 0},
+		{"security-groups.tf", "SG_MISSING_EGRESS", 0, 0},
+		{"cloudfront.tf", "CLOUDFRONT_DISTRIBUTION_LOGGING", 0, 1},
+		{"cloudfront.tf", "CLOUDFRONT_DISTRIBUTION_ORIGIN_POLICY", 0, 0},
+		{"cloudfront.tf", "CLOUDFRONT_DISTRIBUTION_DISTRIBUTION_PROTOCOl", 0, 0},
+		{"iam.tf", "IAM_ROLE_POLICY_NOT_ACTION", 0, 0},
+		{"iam.tf", "IAM_ROLE_POLICY_NOT_RESOURCE", 0, 0},
+		{"iam.tf", "IAM_ROLE_POLICY_WILDCARD_ACTION", 0, 0},
+		{"iam.tf", "IAM_ROLE_POLICY_WILDCARD_RESOURCE", 0, 0},
+		{"iam.tf", "IAM_POLICY_NOT_ACTION", 0, 0},
+		{"iam.tf", "IAM_POLICY_NOT_RESOURCE", 0, 0},
+		{"iam.tf", "IAM_POLICY_WILDCARD_ACTION", 0, 1},
+		{"iam.tf", "IAM_POLICY_WILDCARD_RESOURCE", 1, 0},
+		{"iam.tf", "IAM_USER", 0, 0},
+		{"iam.tf", "IAM_USER_POLICY_ATTACHMENT", 0, 1},
+		{"iam.tf", "IAM_USER_GROUP", 0, 0},
+		{"iam.tf", "POLICY_VERSION", 0, 1},
+		{"iam.tf", "ASSUME_ROLEPOLICY_VERSION", 0, 1},
+		{"elb.tf", "ELB_ACCESS_LOGGING", 1, 0},
+		{"s3.tf", "S3_BUCKET_ACL", 0, 0},
+		{"s3.tf", "S3_NOT_ACTION", 0, 0},
+		{"s3.tf", "S3_NOT_PRINCIPAL", 0, 0},
+		{"s3.tf", "S3_BUCKET_POLICY_WILDCARD_PRINCIPAL", 1, 0},
+		{"s3.tf", "S3_BUCKET_POLICY_WILDCARD_ACTION", 1, 0},
+		{"s3.tf", "S3_BUCKET_OBJECT_ENCRYPTION", 0, 1},
+		{"sns.tf", "SNS_TOPIC_POLICY_WILDCARD_PRINCIPAL", 1, 0},
+		{"sns.tf", "SNS_TOPIC_POLICY_NOT_ACTION", 0, 0},
+		{"sns.tf", "SNS_TOPIC_POLICY_NOT_PRINCIPAL", 0, 0},
+		{"sqs.tf", "SQS_QUEUE_POLICY_WILDCARD_PRINCIPAL", 1, 0},
+		{"sqs.tf", "SQS_QUEUE_POLICY_WILDCARD_ACTION", 0, 0},
+		{"sqs.tf", "SQS_QUEUE_POLICY_NOT_ACTION", 0, 0},
+		{"sqs.tf", "SQS_QUEUE_POLICY_NOT_PRINCIPAL", 0, 0},
+		{"sqs.tf", "SQS_QUEUE_ENCRYPTION", 0, 1},
+		{"lambda.tf", "LAMBDA_PERMISSION_INVOKE_ACTION", 0, 0},
+		{"lambda.tf", "LAMBDA_PERMISSION_WILDCARD_PRINCIPAL", 0, 0},
+		{"lambda.tf", "LAMBDA_FUNCTION_ENCRYPTION", 1, 0},
+		{"lambda.tf", "LAMBDA_ENVIRONMENT_SECRETS", 0, 1},
+		{"waf.tf", "WAF_WEB_ACL", 0, 0},
+		{"alb.tf", "ALB_LISTENER_HTTPS", 0, 3},
+		{"alb.tf", "ALB_ACCESS_LOGS", 0, 0},
+		{"ami.tf", "AMI_VOLUMES_ENCRYPTED", 0, 1},
+		{"ami.tf", "AMI_COPY_SNAPSHOTS_ENCRYPTED", 0, 1},
+		{"ec2.tf", "EBS_BLOCK_DEVICE_ENCRYPTED", 0, 0},
+		{"ec2.tf", "EBS_VOLUME_ENCRYPTION", 0, 2},
+		{"cloudtrail.tf", "CLOUDTRAIL_ENCRYPTION", 0, 1},
+		{"codebuild.tf", "CODEBUILD_PROJECT_ENCRYPTION", 0, 1},
+		{"codepipeline.tf", "CODEPIPELINE_ENCRYPTION", 0, 0},
+		{"db.tf", "DB_INSTANCE_ENCRYPTION", 0, 1},
+		{"db.tf", "RDS_CLUSTER_ENCYPTION", 0, 2},
+		{"efs.tf", "EFS_ENCRYPTED", 0, 1},
+		{"kinesis.tf", "KINESIS_FIREHOSE_DELIVERY_STREAM_ENCRYPTION", 0, 1},
+		{"redshift.tf", "REDSHIFT_CLUSTER_ENCRYPTION", 0, 1},
+		{"ecs.tf", "ECS_ENVIRONMENT_SECRETS", 0, 1},
+	}
+	for _, tc := range testCases {
+
+		filenames := []string{"testdata/builtin/terraform/" + tc.Filename}
+		options := linter.Options{
+			RuleIDs: []string{tc.RuleID},
+		}
+		vs := assertion.StandardValueSource{}
+		l, err := linter.NewLinter(ruleSet, vs, filenames)
+		report, err := l.Validate(ruleSet, options)
+		assert.Nil(t, err, "Validate failed for file")
+		warningMessage := fmt.Sprintf("Expecting %d warnings for RuleID %s in File %s", tc.WarningCount, tc.RuleID, tc.Filename)
+		assert.Equal(t, tc.WarningCount, numberOfWarnings(report.Violations), warningMessage)
+		failureMessage := fmt.Sprintf("Expecting %d failures for RuleID %s in File %s", tc.FailureCount, tc.RuleID, tc.Filename)
+		assert.Equal(t, tc.FailureCount, numberOfFailures(report.Violations), failureMessage)
+	}
+}
diff --git a/cli/testdata/builtin/terraform/alb.tf b/cli/testdata/builtin/terraform/alb.tf
new file mode 100644
index 0000000..a886713
--- /dev/null
+++ b/cli/testdata/builtin/terraform/alb.tf
@@ -0,0 +1,134 @@
+resource "aws_security_group" "alb_sg" {
+  vpc_id = "${aws_vpc.website.id}"
+  name = "load balancer"
+  ingress {
+    protocol = "tcp"
+    from_port = 80
+    to_port = 80
+    cidr_blocks = [ "0.0.0.0/0" ]
+  }
+  egress {
+    protocol = "tcp"
+    from_port = 0
+    to_port = 65535
+    cidr_blocks = [ "0.0.0.0/0" ]
+  }
+}
+
+resource "aws_alb" "alb" {
+  name = "web-alb"
+  internal = false
+  load_balancer_type = "application"
+  security_groups = [ "${aws_security_group.alb_sg.id}" ]
+  subnets = [
+    "${aws_subnet.public1.id}",
+    "${aws_subnet.public2.id}"
+  ]
+  access_logs {
+    bucket = "${aws_s3_bucket.alb_logs.bucket}"
+    enabled = true
+  }
+}
+
+resource "aws_s3_bucket" "alb_logs" {}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+    bucket = "${aws_s3_bucket.alb_logs.bucket}"
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "AllowAccessLogs",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "929392832123"
+      },
+      "Action": "s3:PutObject",
+      "Resource": [
+        "${aws_s3_bucket.alb_logs.arn}",
+        "${aws_s3_bucket.alb_logs.arn}/*"
+      ]
+    } 
+  ]
+}
+POLICY
+}
+
+resource "aws_security_group" "ec2_sg" {
+  vpc_id = "${aws_vpc.website.id}"
+  name = "instance"
+  ingress {
+    protocol = "tcp"
+    from_port = 22
+    to_port = 22
+    cidr_blocks = [ "${var.ssh_cidr_block}" ]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 80
+    to_port = 80
+    security_groups = [ "${aws_security_group.alb_sg.id}" ]
+  }
+  egress {
+    protocol = "tcp"
+    from_port = 0
+    to_port = 65535
+    cidr_blocks = [ "0.0.0.0/0" ]
+  }
+}
+
+data "template_file" "user_data" {
+  template = "${file("user_data.tpl")}"
+  vars {
+    title = "${var.title}"
+  }
+}
+
+resource "aws_launch_configuration" "webserver" {
+  image_id = "${var.ami}"
+  instance_type = "t2.micro"
+  lifecycle {
+    create_before_destroy = true
+  }
+  key_name = "${var.key_name}"
+  associate_public_ip_address = true
+  security_groups = [ "${aws_security_group.ec2_sg.id}" ]
+  user_data = "${data.template_file.user_data.rendered}"
+}
+
+resource "aws_autoscaling_group" "asg" {
+  name = "terraform-test"
+  min_size = 1
+  max_size = 2
+  health_check_grace_period = 300
+  health_check_type = "ELB"
+  desired_capacity = 2
+  launch_configuration = "${aws_launch_configuration.webserver.name}"
+  vpc_zone_identifier = [ "${aws_subnet.public1.id}", "${aws_subnet.public2.id}" ]
+  target_group_arns = [ "${aws_alb_target_group.tg.arn}" ]
+  tag {
+    key = "Name"
+    value = "${var.name_tag}"
+    propagate_at_launch = true
+  }
+}
+
+resource "aws_alb_target_group" "tg" {
+  name = "webserver-target"
+  port = 80
+  protocol = "HTTP"
+  vpc_id = "${aws_vpc.website.id}"
+}
+
+resource "aws_alb_listener" "l" {
+  load_balancer_arn = "${aws_alb.alb.id}"
+  port = 80
+  protocol = "HTTP"
+  default_action {
+    type = "forward"
+    target_group_arn = "${aws_alb_target_group.tg.arn}"
+  }
+}
+
diff --git a/cli/testdata/builtin/terraform/ami.tf b/cli/testdata/builtin/terraform/ami.tf
new file mode 100644
index 0000000..107dace
--- /dev/null
+++ b/cli/testdata/builtin/terraform/ami.tf
@@ -0,0 +1,17 @@
+resource "aws_ami" "my-ami" {
+    name = "nginx-example"
+    virtualization_type = "hvm"
+    root_device_name = "/dev/xvda"
+    ebs_block_device {
+        device_name = "/dev/xvda"
+        snapshot_id = "${var.snapshot_id}"
+        volume_size = 8
+    }
+}
+
+resource "aws_ami_copy" "my-ami-copy" {
+  name              = "nginx-example-copy"
+  description       = "A copy of nginx-example"
+  source_ami_id     = "${aws_ami.my-ami.id}"
+  source_ami_region = "us-east-1"
+}
diff --git a/cli/testdata/builtin/terraform/cloudfront.tf b/cli/testdata/builtin/terraform/cloudfront.tf
new file mode 100644
index 0000000..9cba674
--- /dev/null
+++ b/cli/testdata/builtin/terraform/cloudfront.tf
@@ -0,0 +1,75 @@
+resource "aws_s3_bucket" "content" {}
+
+resource "aws_cloudfront_origin_access_identity" "example" {
+  comment = "Testing"
+}
+
+resource "aws_s3_bucket_policy" "policy" {
+    bucket = "${aws_s3_bucket.content.bucket}"
+    policy = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": " CloudFront Origin Identity",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${aws_cloudfront_origin_access_identity.example.id}"
+            },
+            "Action": "s3:GetObject",
+            "Resource": "arn:aws:s3:::${aws_s3_bucket.content.bucket}/*"
+        }
+    ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket_object" "index" {
+    bucket = "${aws_s3_bucket.content.bucket}"
+    key = "index.html"
+    content = "Hello, world!"
+    content_type = "text/html"
+}
+
+variable "origin_id" {
+    default = "website_origin"
+}
+
+resource "aws_cloudfront_distribution" "s3_distribution" {
+    origin {
+        domain_name = "${aws_s3_bucket.content.bucket_regional_domain_name}"
+        origin_id = "${var.origin_id}"
+        s3_origin_config {
+            origin_access_identity = "origin-access-identity/cloudfront/${aws_cloudfront_origin_access_identity.example.id}"
+        }
+    }
+    enabled = true
+    default_root_object = "index.html"
+    default_cache_behavior {
+        allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+        cached_methods   = ["GET", "HEAD"]
+        target_origin_id = "${var.origin_id}"
+
+        forwarded_values {
+          query_string = false
+
+          cookies {
+            forward = "none"
+          }
+        }
+
+        viewer_protocol_policy = "allow-all"
+        min_ttl                = 0
+        default_ttl            = 3600
+        max_ttl                = 86400
+    }
+    restrictions {
+        geo_restriction {
+            restriction_type = "whitelist"
+            locations        = ["US"]
+        }
+    }
+    viewer_certificate {
+        cloudfront_default_certificate = true
+    }
+}
diff --git a/cli/testdata/builtin/terraform/codebuild.tf b/cli/testdata/builtin/terraform/codebuild.tf
new file mode 100644
index 0000000..890db27
--- /dev/null
+++ b/cli/testdata/builtin/terraform/codebuild.tf
@@ -0,0 +1,63 @@
+resource "aws_iam_role" "build" {
+  name = "build"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "build" {
+  role        = "${aws_iam_role.build.name}"
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ],
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ]
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_codebuild_project" "example" {
+  name         = "example_project"
+  description  = "example_project"
+  build_timeout      = "5"
+  service_role = "${aws_iam_role.build.arn}"
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type = "BUILD_GENERAL1_SMALL"
+    image        = "aws/codebuild/nodejs:6.3.1"
+    type         = "LINUX_CONTAINER"
+  }
+
+  source {
+    type            = "GITHUB"
+    location        = "https://gist.github.com/blahblahblah.git"
+  }
+}
diff --git a/cli/testdata/builtin/terraform/codepipeline.tf b/cli/testdata/builtin/terraform/codepipeline.tf
new file mode 100644
index 0000000..e899ade
--- /dev/null
+++ b/cli/testdata/builtin/terraform/codepipeline.tf
@@ -0,0 +1,216 @@
+data "aws_kms_alias" "pipeline" {
+  name = "alias/pipeline-key"
+}
+
+resource "aws_s3_bucket" "project" {
+    versioning {
+      enabled = true
+    }
+}
+
+resource "aws_s3_bucket_object" "zip" {
+    bucket = "${aws_s3_bucket.project.id}"
+    key = "app.zip"
+    source = "app.zip"
+    kms_key_id = "${data.aws_kms_alias.pipeline.arn}"
+}
+
+resource "aws_iam_role" "build" {
+  name = "build"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codebuild.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "build" {
+  role        = "${aws_iam_role.build.name}"
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": [
+        "*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:*"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.artifact.arn}",
+        "${aws_s3_bucket.artifact.arn}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_codebuild_project" "example" {
+  name         = "example_project"
+  description  = "example_project"
+  build_timeout      = "5"
+  service_role = "${aws_iam_role.build.arn}"
+
+  artifacts {
+    type = "CODEPIPELINE"
+  }
+
+  environment {
+    compute_type = "BUILD_GENERAL1_SMALL"
+    image        = "aws/codebuild/golang:1.10"
+    type         = "LINUX_CONTAINER"
+  }
+
+  source {
+    type = "CODEPIPELINE"
+  }
+
+  encryption_key = "${data.aws_kms_alias.pipeline.arn}"
+}
+
+resource "aws_s3_bucket" "artifact" {}
+
+resource "aws_iam_role" "pipeline" {
+  name = "test-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codepipeline.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "pipeline" {
+  name = "codepipeline_policy"
+  role = "${aws_iam_role.pipeline.id}"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect":"Allow",
+      "Action": [
+        "s3:*"
+      ],
+      "Resource": [
+        "${aws_s3_bucket.project.arn}",
+        "${aws_s3_bucket.project.arn}/*",
+        "${aws_s3_bucket.artifact.arn}",
+        "${aws_s3_bucket.artifact.arn}/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "codebuild:BatchGetBuilds",
+        "codebuild:StartBuild"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_codepipeline" "demo" {
+  name     = "tf-test-pipeline"
+  role_arn = "${aws_iam_role.pipeline.arn}"
+
+  artifact_store {
+    location = "${aws_s3_bucket.artifact.bucket}"
+    type     = "S3"
+    encryption_key {
+      id   = "${data.aws_kms_alias.pipeline.arn}"
+      type = "KMS"
+    }
+  }
+
+  stage {
+    name = "Source"
+
+    action {
+      name             = "Source"
+      category         = "Source"
+      owner            = "AWS"
+      provider         = "S3"
+      version          = "1"
+      output_artifacts = ["source"]
+
+      configuration {
+        S3Bucket      = "${aws_s3_bucket.project.bucket}"
+        S3ObjectKey   = "app.zip"
+      }
+    }
+  }
+
+  stage {
+    name = "Lint"
+
+    action {
+      name            = "Build"
+      category        = "Build"
+      owner           = "AWS"
+      provider        = "CodeBuild"
+      input_artifacts = ["source"]
+      version         = "1"
+
+      configuration {
+        ProjectName = "${aws_codebuild_project.example.id}"
+      }
+    }
+  }
+}
+
diff --git a/cli/testdata/builtin/terraform/db.tf b/cli/testdata/builtin/terraform/db.tf
new file mode 100644
index 0000000..6e3cdad
--- /dev/null
+++ b/cli/testdata/builtin/terraform/db.tf
@@ -0,0 +1,22 @@
+resource "aws_db_instance" "db1" {
+  allocated_storage    = 10
+  storage_type         = "gp2"
+  engine               = "mysql"
+  engine_version       = "5.7"
+  instance_class       = "db.t2.micro"
+  name                 = "mydb"
+  username             = "foo"
+  password             = "foobarbaz"
+  parameter_group_name = "default.mysql5.7"
+}
+
+resource "aws_rds_cluster" "c1" {
+  cluster_identifier      = "aurora-cluster-demo"
+  engine                  = "aurora-mysql"
+  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  database_name           = "mydb"
+  master_username         = "dbmaster"
+  master_password         = "foobarbaz"
+  backup_retention_period = 5
+  preferred_backup_window = "07:00-09:00"
+}
diff --git a/cli/testdata/builtin/terraform/ec2.tf b/cli/testdata/builtin/terraform/ec2.tf
new file mode 100644
index 0000000..62fe781
--- /dev/null
+++ b/cli/testdata/builtin/terraform/ec2.tf
@@ -0,0 +1,44 @@
+data "template_file" "user_data" {
+  template = "${file("user_data.tpl")}"
+  vars {
+    title = "${var.title}"
+  }
+}
+
+resource "aws_instance" "web" {
+    availability_zone = "${var.availability_zone}"
+    ami = "${var.ami}"
+    instance_type = "t2.micro"
+    security_groups = [ "${aws_security_group.sg1.name}" ]
+    user_data = "${data.template_file.user_data.rendered}"
+    tags {
+        name = "website"
+    }
+    tags {
+        environment = "development"
+    }
+}
+
+resource "aws_ebs_volume" "volume1" {
+    availability_zone = "${var.availability_zone}"
+    size = 10
+}
+
+resource "aws_security_group" "sg1" {
+  name        = "allow_http"
+  description = "Allow HTTP traffic"
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+  }
+}
diff --git a/cli/testdata/builtin/terraform/ecs.tf b/cli/testdata/builtin/terraform/ecs.tf
new file mode 100644
index 0000000..36098bf
--- /dev/null
+++ b/cli/testdata/builtin/terraform/ecs.tf
@@ -0,0 +1,26 @@
+resource "aws_ecs_task_definition" "task1" {
+  family = "application"
+
+  container_definitions = <<DEFINITION
+[
+  {
+    "cpu": 128,
+    "environment": [
+        {
+            "name": "AWS_ACCESS_KEY_ID",
+            "value": "AKIAIOSFODNN7EXAMPLE"
+        },
+        {
+            "name": "AWS_SECRET_ACCESS_KEY",
+            "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+        }
+    ],
+    "essential": true,
+    "image": "application:latest",
+    "memory": 128,
+    "memoryReservation": 64,
+    "name": "application"
+  }
+]
+DEFINITION
+}
diff --git a/cli/testdata/builtin/terraform/efs.tf b/cli/testdata/builtin/terraform/efs.tf
new file mode 100644
index 0000000..99b0118
--- /dev/null
+++ b/cli/testdata/builtin/terraform/efs.tf
@@ -0,0 +1,10 @@
+variable "aws_kms_alias" {}
+
+resource "aws_efs_file_system" "fs" {
+  creation_token = "my-efs"
+  encrypted = true
+  kms_key_id = "${var.aws_kms_alias}"
+  tags {
+    Name = "MyProduct"
+  }
+}
diff --git a/cli/testdata/builtin/terraform/elb.tf b/cli/testdata/builtin/terraform/elb.tf
new file mode 100644
index 0000000..5ba86ca
--- /dev/null
+++ b/cli/testdata/builtin/terraform/elb.tf
@@ -0,0 +1,56 @@
+resource "aws_instance" "web" {
+    availability_zone = "us-west-2a"
+    ami = "ami-0fcd5791ba781e98f"
+    instance_type = "t2.micro"
+    security_groups = [ "${aws_security_group.ec2_sg.name}" ]
+    user_data = <<USER_DATA
+#!/bin/bash
+yum update -y
+amazon-linux-extras install -y nginx1.12
+service nginx start
+USER_DATA
+}
+
+resource "aws_security_group" "ec2_sg" {
+  name = "web"
+  ingress {
+    protocol = "tcp"
+    from_port = 80
+    to_port = 80
+    cidr_blocks = [ "0.0.0.0/0" ]
+    # can classic elb have a sg?
+  }
+  egress {
+    protocol = "tcp"
+    from_port = 0
+    to_port = 65535
+    cidr_blocks = [ "0.0.0.0/0" ]
+  }
+}
+
+resource "aws_elb" "elb1" {
+  name               = "test-terraform-elb"
+  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
+
+  listener {
+    instance_port     = 80
+    instance_protocol = "http"
+    lb_port           = 80
+    lb_protocol       = "http"
+  }
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "HTTP:80/"
+    interval            = 30
+  }
+
+  instances                   = ["${aws_instance.web.id}"]
+  cross_zone_load_balancing   = true
+  idle_timeout                = 400
+  connection_draining         = true
+  connection_draining_timeout = 400
+
+}
diff --git a/cli/testdata/builtin/terraform/iam.tf b/cli/testdata/builtin/terraform/iam.tf
new file mode 100644
index 0000000..50141c5
--- /dev/null
+++ b/cli/testdata/builtin/terraform/iam.tf
@@ -0,0 +1,149 @@
+resource "aws_iam_policy" "policy_ok" {
+    name = "policy_ok"
+    path = "/"
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListObjects"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::my_corporate_bucket/exampleobject.png"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_policy" "policy_with_wildcard_resource" {
+    name = "policy_with_wildcard_resource"
+    path = "/"
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:DescribeInstance"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_policy" "policy_with_wildcard_action" {
+    name = "policy_with_wildcard_action"
+    path = "/"
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:*"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/i-123"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_user" "user1" {
+    name = "lint"
+}
+
+resource "aws_iam_user_policy_attachment" "attachment1" {
+    user = "${aws_iam_user.user1.id}"
+    policy_arn = "${aws_iam_policy.policy1.arn}"
+}
+
+resource "aws_iam_group" "group1" {
+    name = "test"
+}
+
+resource "aws_iam_group_membership" "membership1" {
+    name = "test_membership"
+    group = "${aws_iam_group.group1.id}"
+    users = [ "${aws_iam_user.user1.id}" ]
+}
+
+resource "aws_iam_role" "role1" {
+    name = "test_role"
+    assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy" "role_policy" {
+    role = "${aws_iam_role.role1.id}"
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListObjects"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn::aws::blah::blah"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy" "role_policy_old_version" {
+    role = "${aws_iam_role.role1.id}"
+    policy = <<POLICY
+{
+  "Version": "2008-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListObjects"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn::aws::blah::blah"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role" "role_with_old_version" {
+    name = "test_role"
+    assume_role_policy = <<POLICY
+{
+  "Version": "2008-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+POLICY
+}
diff --git a/cli/testdata/builtin/terraform/kinesis.tf b/cli/testdata/builtin/terraform/kinesis.tf
new file mode 100644
index 0000000..6512cf1
--- /dev/null
+++ b/cli/testdata/builtin/terraform/kinesis.tf
@@ -0,0 +1,36 @@
+variable "aws_kms_alias" {}
+
+resource "aws_s3_bucket" "bucket" {
+  acl    = "private"
+}
+
+resource "aws_iam_role" "firehose_role" {
+  name = "firehose_test_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "firehose.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "test_stream" {
+  name        = "terraform-kinesis-firehose-test-stream"
+  destination = "s3"
+
+  s3_configuration {
+    role_arn   = "${aws_iam_role.firehose_role.arn}"
+    bucket_arn = "${aws_s3_bucket.bucket.arn}"
+    kms_key_arn = "${var.aws_kms_alias}"
+  }
+}
diff --git a/cli/testdata/builtin/terraform/lambda.tf b/cli/testdata/builtin/terraform/lambda.tf
new file mode 100644
index 0000000..9df4645
--- /dev/null
+++ b/cli/testdata/builtin/terraform/lambda.tf
@@ -0,0 +1,55 @@
+
+#resource "aws_api_gateway" "gateway1" {
+#}
+#
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "iam_for_lambda"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_lambda_function" "test_lambda" {
+  filename         = "lambda_function_payload.zip"
+  function_name    = "example"
+  role             = "${aws_iam_role.iam_for_lambda.arn}"
+  handler          = "handler.handler"
+  source_code_hash = "${base64sha256(file("lambda_function_payload.zip"))}"
+  runtime          = "nodejs8.10"
+
+  environment {
+    variables = {
+      key = "AKIAIOSFODNN7EXAMPLE"
+      secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+    }
+  }
+}
+
+resource "aws_lambda_alias" "test_alias" {
+  name             = "testalias"
+  description      = "a sample description"
+  function_name    = "${aws_lambda_function.test_lambda.function_name}"
+  function_version = "$LATEST"
+}
+
+resource "aws_lambda_permission" "permission1" {
+  statement_id   = "AllowExecutionFromCloudWatch"
+  action         = "lambda:InvokeFunction"
+  function_name  = "${aws_lambda_function.test_lambda.function_name}"
+  principal      = "events.amazonaws.com"
+  source_arn     = "arn:aws:events:us-west-2:111122223333:rule/RunDaily"
+  qualifier      = "${aws_lambda_alias.test_alias.name}"
+}
diff --git a/cli/testdata/builtin/terraform/redshift.tf b/cli/testdata/builtin/terraform/redshift.tf
new file mode 100644
index 0000000..0c64ec5
--- /dev/null
+++ b/cli/testdata/builtin/terraform/redshift.tf
@@ -0,0 +1,8 @@
+resource "aws_redshift_cluster" "cluster" {
+  cluster_identifier = "my-redshift-cluster"
+  database_name      = "mydb"
+  master_username    = "admin"
+  master_password    = "foobarbaz"
+  node_type          = "dc2.large"
+  cluster_type       = "single-node"
+}
diff --git a/cli/testdata/builtin/terraform/s3.tf b/cli/testdata/builtin/terraform/s3.tf
new file mode 100644
index 0000000..3dbe298
--- /dev/null
+++ b/cli/testdata/builtin/terraform/s3.tf
@@ -0,0 +1,31 @@
+resource "aws_s3_bucket" "bucket1" {
+}
+
+resource "aws_s3_bucket_policy" "policy1" {
+    bucket = "${aws_s3_bucket.bucket1.bucket}"
+    policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "s3:*",
+      "Resource": "arn:aws:s3:::${aws_s3_bucket.bucket1.bucket}/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "10.10.1.10/32"}
+      } 
+    } 
+  ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket_object" "object1" {
+    bucket = "${aws_s3_bucket.bucket1.bucket}"
+    key = "index.html"
+    content = "Hello, world"
+    content_type = "text/html"
+}
diff --git a/cli/testdata/builtin/terraform/security-groups.tf b/cli/testdata/builtin/terraform/security-groups.tf
new file mode 100644
index 0000000..4994b7e
--- /dev/null
+++ b/cli/testdata/builtin/terraform/security-groups.tf
@@ -0,0 +1,33 @@
+resource "aws_security_group" "sg_ok" {
+  name        = "allow_http"
+  description = "Allow HTTP traffic"
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["1.2.3.4/32"]
+  }
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "sg_ssh" {
+  name        = "allow_ssh"
+  description = "Allow SSH traffic"
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+  }
+}
diff --git a/cli/testdata/builtin/terraform/sns.tf b/cli/testdata/builtin/terraform/sns.tf
new file mode 100644
index 0000000..3726579
--- /dev/null
+++ b/cli/testdata/builtin/terraform/sns.tf
@@ -0,0 +1,84 @@
+variable "account-id" {}
+
+resource "aws_sns_topic" "topic1" {}
+
+resource "aws_sns_topic_policy" "policy1" {
+    arn = "${aws_sns_topic.topic1.arn}"
+    policy = "${data.aws_iam_policy_document.sns-topic-policy.json}"
+}
+
+data "aws_iam_policy_document" "sns-topic-policy" {
+  policy_id = "__default_policy_ID"
+
+  statement {
+    actions = [
+      "SNS:Subscribe",
+      "SNS:SetTopicAttributes",
+      "SNS:RemovePermission",
+      "SNS:Receive",
+      "SNS:Publish",
+      "SNS:ListSubscriptionsByTopic",
+      "SNS:GetTopicAttributes",
+      "SNS:DeleteTopic",
+      "SNS:AddPermission",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceOwner"
+
+      values = [
+        "${var.account-id}",
+      ]
+    }
+
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    resources = [
+      "${aws_sns_topic.topic1.arn}",
+    ]
+
+    sid = "__default_statement_ID"
+  }
+}
+
+resource "aws_sns_topic" "topic2" {}
+
+resource "aws_sns_topic_policy" "policy2" {
+    arn = "${aws_sns_topic.topic2.arn}"
+    policy = <<POLICY
+{
+  "Version": "2008-10-17",
+  "Id": "__default_policy_ID",
+  "Statement": [
+    {
+      "Sid": "__default_statement_ID",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": [
+        "SNS:GetTopicAttributes",
+        "SNS:SetTopicAttributes",
+        "SNS:AddPermission",
+        "SNS:RemovePermission",
+        "SNS:DeleteTopic",
+        "SNS:Subscribe",
+        "SNS:ListSubscriptionsByTopic",
+        "SNS:Publish",
+        "SNS:Receive"
+      ],
+      "Resource": "${aws_sns_topic.topic2.arn}",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "67.170.33.247/32"}
+      } 
+    }
+  ]
+}
+POLICY
+}
diff --git a/cli/testdata/builtin/terraform/sqs.tf b/cli/testdata/builtin/terraform/sqs.tf
new file mode 100644
index 0000000..23b85db
--- /dev/null
+++ b/cli/testdata/builtin/terraform/sqs.tf
@@ -0,0 +1,28 @@
+resource "aws_sqs_queue" "q1" {}
+
+resource "aws_sqs_queue_policy" "policy1" {
+    queue_url = "${aws_sqs_queue.q1.id}"
+    policy = <<POLICY
+{   
+   "Version": "2012-10-17",
+   "Id": "IPAllow",
+   "Statement" : [{
+      "Sid": "1", 
+      "Effect": "Allow",           
+      "Principal": {
+         "AWS": [
+            "*"
+         ]
+      },
+      "Action": [
+         "sqs:SendMessage",
+         "sqs:ReceiveMessage"
+      ], 
+      "Resource": "${aws_sqs_queue.q1.arn}",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "10.10.1.10/32"}
+      } 
+   }]
+}
+POLICY
+}
diff --git a/cli/testdata/builtin/terraform/waf.tf b/cli/testdata/builtin/terraform/waf.tf
new file mode 100644
index 0000000..865b73a
--- /dev/null
+++ b/cli/testdata/builtin/terraform/waf.tf
@@ -0,0 +1,42 @@
+variable "myip" {}
+
+resource "aws_waf_ipset" "ipset" {
+  name = "tfIPSet"
+
+  ip_set_descriptors {
+    type  = "IPV4"
+    value = "${var.myip}/32"
+  }
+}
+
+resource "aws_waf_rule" "wafrule" {
+  depends_on  = ["aws_waf_ipset.ipset"]
+  name        = "tfWAFRule"
+  metric_name = "tfWAFRule"
+
+  predicates {
+    data_id = "${aws_waf_ipset.ipset.id}"
+    negated = false
+    type    = "IPMatch"
+  }
+}
+
+resource "aws_waf_web_acl" "waf_acl" {
+  depends_on  = ["aws_waf_ipset.ipset", "aws_waf_rule.wafrule"]
+  name        = "tfWebACL"
+  metric_name = "tfWebACL"
+
+  default_action {
+    type = "BLOCK"
+  }
+
+  rules {
+    action {
+      type = "ALLOW"
+    }
+
+    priority = 1
+    rule_id  = "${aws_waf_rule.wafrule.id}"
+    type     = "REGULAR"
+  }
+}