Using TFLint Behind a Corporate Firewall
There are times when you may not be able to initialize a plugin (aws, azurerm, etc.) for tflint because you are behind a corporate firewall. This can cause failures when running tflint --init.
Being able to lint code locally is helpful to ensure that you are meeting your team's quality standards before you push to the remote repo. This short post outlines how you can get around this issue on Mac.
The Solution
To make the process as simple as possible, I wrote a bash script that handles downloading the .zip file from GitHub for a given plugin. Here is the script:
setup_local_tflint_plugin() {
    for PLUGIN in "${PLUGINS[@]}"; do
        # Each entry has the form "name|version"
        TFLINT_PLUGIN_NAME=${PLUGIN%|*}
        TFLINT_PLUGIN_VERSION=${PLUGIN#*|}
        TFLINT_PLUGIN_DIR="$HOME/.tflint.d/plugins/terraform-linters/tflint-ruleset-${TFLINT_PLUGIN_NAME}/${TFLINT_PLUGIN_VERSION}"
        mkdir -p "$TFLINT_PLUGIN_DIR"
        FILE="$TFLINT_PLUGIN_DIR/tflint-ruleset-${TFLINT_PLUGIN_NAME}"
        # Only download when the plugin binary is not already installed
        if [ ! -f "$FILE" ]; then
            echo "Downloading version ${TFLINT_PLUGIN_VERSION} of the ${TFLINT_PLUGIN_NAME} plugin."
            # -f makes curl fail on an HTTP error instead of saving the error page as provider.zip
            curl -fL "https://github.com/terraform-linters/tflint-ruleset-${TFLINT_PLUGIN_NAME}/releases/download/v${TFLINT_PLUGIN_VERSION}/tflint-ruleset-${TFLINT_PLUGIN_NAME}_${PLATFORM_ARCHITECTURE}.zip" -o "${TFLINT_PLUGIN_DIR}/provider.zip" \
                && unzip -o "${TFLINT_PLUGIN_DIR}/provider.zip" -d "${TFLINT_PLUGIN_DIR}"
            # Remove the archive only after unzip has finished with it
            rm -f "${TFLINT_PLUGIN_DIR}/provider.zip"
        fi
    done
    chmod -R +x "$HOME/.tflint.d/plugins"
}

# Valid values for PLATFORM_ARCHITECTURE are:
# 'darwin_amd64', 'darwin_arm64', 'linux_386', 'linux_amd64',
# 'linux_arm', 'linux_arm64', 'windows_386', 'windows_amd64'
PLATFORM_ARCHITECTURE="darwin_amd64"
PLUGINS=("azurerm|0.16.0" "aws|0.16.0")
setup_local_tflint_plugin
This script allows you to:
- Select a platform architecture (defaulted to darwin_amd64)
- Provide a list of plugins and versions you want to download
- Automatically handle plugin installation and updates
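The script above unzips and marks executable whatever bytes the download returned, so a checksum check can sit between the download and the unzip. The following is an added example, not part of the original script. It assumes the release's checksums.txt has been downloaded from the same release page as the zip, and the files used in the demo are constructed.

```shell
# Added example: check a downloaded ruleset zip against checksums.txt
# before it is unzipped into the plugin directory.

# Print the SHA-256 of a file with whichever tool the platform ships.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS
  fi
}

# verify_plugin_zip ZIP CHECKSUMS ASSET_NAME
# Succeeds only if CHECKSUMS lists ASSET_NAME and its hash matches ZIP.
verify_plugin_zip() (
  zip=$1; checksums=$2; asset=$3
  [ -s "$zip" ] || { echo "missing or empty: $zip" >&2; exit 1; }
  # Each checksums.txt line has the form "<sha256>  <file name>"
  expected=$(awk -v a="$asset" '$2 == a {print $1; exit}' "$checksums")
  [ -n "$expected" ] || { echo "no checksum listed for $asset" >&2; exit 1; }
  actual=$(sha256_of "$zip")
  [ "$expected" = "$actual" ] || { echo "checksum mismatch: $asset" >&2; exit 1; }
)

# Demo on constructed files (no network): a matching archive passes, and a
# proxy block page saved under the same name is rejected.
demo_verify() (
  dir=$(mktemp -d) || exit 1
  asset="tflint-ruleset-azurerm_darwin_amd64.zip"
  printf 'constructed stand-in for the release zip\n' > "$dir/provider.zip"
  printf '%s  %s\n' "$(sha256_of "$dir/provider.zip")" "$asset" > "$dir/checksums.txt"
  result=ok
  verify_plugin_zip "$dir/provider.zip" "$dir/checksums.txt" "$asset" || result=fail
  printf '<html>Access denied</html>\n' > "$dir/provider.zip"
  verify_plugin_zip "$dir/provider.zip" "$dir/checksums.txt" "$asset" 2>/dev/null && result=fail
  rm -rf "$dir"
  echo "$result"
)

demo_verify
```

In the download script, call verify_plugin_zip after curl and skip the unzip when it returns non-zero. A checksum taken from the same release catches truncated or substituted downloads, such as a proxy error page, but it is not a substitute for verifying the release signature.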
Setting Up Your Environment
You can add this to your .zshrc file to ensure the plugins you want are always installed:
- Open a new terminal window
- Run open ~/.zshrc. If this file does not exist, run touch ~/.zshrc to create it first
- Paste the code above in the text file and save
The next time you open your terminal, you should see the selected plugins being installed. After this initial installation, you will not see the install happen again unless you add new plugins and versions to the .zshrc file.
Configuring TFLint
Next, you'll need to create a .tflint.hcl file for local code linting. Here's an example configuration:
config {
    module = true
    force = false
    disabled_by_default = false
    plugin_dir = "~/.tflint.d/plugins/terraform-linters/tflint-ruleset-azurerm/0.16.0"
}

plugin "azurerm" {
    enabled = true
}
Note the plugin_dir attribute that points to the plugin you want to use locally.
Running TFLint
Assuming this file is created in the same folder as your Terraform code, you can now run TFLint using:
tflint . --config ./.tflint.hcl
Unless your code is perfect, you should get some linting feedback! Here's an example:
Warning: provider 'google' is declared in required_providers but not used by the module (terraform_unused_required_providers)
on versions.tf line 13:
13: google = {
14: source = "hashicorp/google"
15: version = "4.0.0"
16: }
Reference: https://github.com/terraform-linters/tflint/blob/v0.39.3/docs/rules/terraform_unused_required_providers.md
This setup ensures you can maintain high code quality standards even when working in environments with restricted internet access.