TFLint interprets the Terraform language with its own parser which is a fork of the Terraform's native one. This allows it to be parsed correctly even if Terraform is not installed at runtime.
The parser supports Terraform v1.x syntax and semantics. The language compatibility on Terraform v1.x is defined by Compatibility Promises. TFLint follows this promise. New features are only supported in newer TFLint versions, and bug and experimental features compatibility are not guaranteed.
Like Terraform, TFLint supports the --var
, --var-file
options, environment variables (TF_VAR_*
), and automatically loading variable definitions (terraform.tfvars
and *.auto.tfvars
) files. See Input Variables.
Input variables are evaluated just like in Terraform:
variable "instance_type" {
default = "t2.micro"
resource "aws_instance" "foo" {
instance_type = var.instance_type # => "t2.micro"
Unknown variables (e.g. no default) are ignored:
variable "instance_type" {}
resource "aws_instance" "foo" {
instance_type = var.instance_type # => ignored
Sensitive variables are ignored. This is to avoid unintended disclosure.
variable "instance_type" {
sensitive = true
default = "t2.micro"
resource "aws_instance" "foo" {
instance_type = var.instance_type # => ignored
TFLint supports Local Values.
variable "foo" {
default = "variable value"
locals {
static = "static value"
variable =
local = local.static
resource = aws_instance.main.arn
local.static # => "static value"
local.variable # => "variable value"
local.local # => "static value"
local.resource # => ignored (unknown)
TFLint supports the count
and for_each
resource "aws_instance" "foo" {
count = 0
instance_type = "invalid" # => ignored because ths resource is not created
resource "aws_instance" "foo" {
count = 2
instance_type = "t${count.index}.micro" # => "t0.micro" and "t1.micro"
Note that this behavior may differ depending on a rule. Rules like terraform_deprecated_syntax
will check resources regardless of the meta-argument values.
If the meta-arguments are unknown, the resource/module is ignored:
variable "count" {}
resource "aws_instance" "foo" {
count = var.count
instance_type = "invalid" # => ignored
TFLint supports filesystem and workspace info.
The values below are state-dependent and cannot be determined statically, so TFLint resolves them to unknown values.
module.<MODULE NAME>
Built-in Functions are fully supported.
TFLint supports dynamic blocks.
resource "aws_instance" "dynamic" {
dynamic "ebs_block_device" {
for_each = toset([
{ size = 10 },
{ size = 20 }
content {
volume_size = ebs_block_device.value["size"] # => 10 and 20
Similar to support for meta-arguments, some rules may process a dynamic block as-is without expansion. If the for_each
is unknown, the block will be empty.
TFLint doesn't automatically inspect the content of modules themselves. However, by default, it will analyze their content in order to raise any issues that arise from attributes in module calls.
resource "aws_instance" "static" {
ebs_block_device {
encrypted = false # => Must be encrypted
module "aws_instance" {
source = "./module/aws_instance"
encrypted = false # => Must be encrypted
Remote modules can also be inspected. See Calling Modules for details.
The following environment variables are supported: