Home

Awesome

TFLint Ruleset powered by Open Policy Agent (OPA)

Build Status GitHub release License: MPL 2.0

TFLint ruleset plugin for writing custom rules in Rego.

NOTE: This plugin is experimental. This means frequent breaking changes.

Requirements

Installation

You can install the plugin by adding a config to .tflint.hcl and running tflint --init:

plugin "opa" {
  enabled = true
  version = "0.7.0"
  source  = "github.com/terraform-linters/tflint-ruleset-opa"
}

Policy files are placed under ~/.tflint.d/policies or ./.tflint.d/policies. First create a directory:

$ mkdir -p .tflint.d/policies

For more configuration about the plugin, see Plugin Configuration.

Getting Started

TFLint plugin system allows you to add custom rules, but plugins can be a pain to maintain when applying a few simple organization policies. This ruleset plugin provides the ability to write policies in Rego, instead of building plugins in Go.

For example, your organization wants to enforce S3 bucket names to always start with example-com-*. You can write the following policy as ./.tflint.d/policies/bucket.rego:

package tflint

import rego.v1

deny_invalid_s3_bucket_name contains issue if {
	buckets := terraform.resources("aws_s3_bucket", {"bucket": "string"}, {})
	name := buckets[_].config.bucket
	not startswith(name.value, "example-com-")

	issue := tflint.issue(`Bucket names should always start with "example-com-"`, name.range)
}

This allows you to issue errors for Terraform configs such as:

resource "aws_s3_bucket" "invalid" {
  bucket = "example-corp-assets"
}

resource "aws_s3_bucket" "valid" {
  bucket = "example-com-assets"
}
$ tflint
1 issue(s) found:

Error: Bucket names should always start with "example-com-" (opa_deny_invalid_s3_bucket_name)

  on main.tf line 2:
   2:   bucket = "example-corp-assets"

Reference: .tflint.d/policies/bucket.rego:5

See the documentation and examples for details.

NOTE: This policy cannot be enforced in all cases. See Handling unknown/null/undefined values for details.

OPA Ruleset vs. Custom Ruleset

There are two options for providing custom rules: the OPA ruleset and a custom ruleset. Which is better?

If you want to enforce a small number of rules for a small team, or if your don't have a dedicated team to maintain your plugin, starting with the OPA ruleset is probably a good option.

On the other hand, building and maintaining a custom ruleset plugin is better when enforcing many complex rules or distributing to large teams.

Building the plugin

Clone the repository locally and run the following command:

$ make

You can easily install the built plugin with the following:

$ make install

You can run the built plugin like the following:

$ cat << EOS > .tflint.hcl
plugin "opa" {
  enabled = true
}
EOS
$ tflint