Using TFLint Behind a Corporate Firewall

There are times where you may not be able to initialize a plugin (aws, azurerm, etc.) for tflint because you are behind a corporate firewall. This can cause failures when running tflint --init.

Being able to lint code locally is helpful to ensure that you are meeting your teams quality standards before you push to the remote repo. This short post outlines how you can get around this issues on Mac.

To make the process as simple as possible, I wrote a bash script that handles downloading the .zip file from GitHub for a given plugin. Here is the script:

setup_local_tflint_plugin() {
    for PLUGIN in ${PLUGINS[@]}; do

        mkdir -p $TFLINT_PLUGIN_DIR
        if [ ! -f "$FILE" ]; then
            echo "Downloading version ${TFLINT_PLUGIN_VERSION} of the ${TFLINT_PLUGIN_NAME} plugin."
            curl -L "${TFLINT_PLUGIN_NAME}/releases/download/v${TFLINT_PLUGIN_VERSION}/tflint-ruleset-${TFLINT_PLUGIN_NAME}_${PLATFORM_ARCHITECTURE}.zip" > ${TFLINT_PLUGIN_DIR}/
            yes yes | unzip "${TFLINT_PLUGIN_DIR}/" -d ${TFLINT_PLUGIN_DIR} | rm ${TFLINT_PLUGIN_DIR}/
    chmod -R +x ~/.tflint.d/plugins

# Valid values for PLATFORM_ARCHITECTURE are:
# 'darwin_amd64', 'darwin_arm64', 'linux_386', 'linux_amd64',
# 'linux_arm', 'linux_arm64', 'windows_386', 'windows_amd64'
PLUGINS=("azurerm|0.16.0" "aws|0.16.0")


This file allows you to select a platform architecture (defaulted to darwin_amd64) and provide a list of plugins and versions you want to download.

This can be added to your .zshrc file so that you are sure the plugins you want are always installed. To do that:

  1. Open a new terminal window
  2. Run open ~/.zshrc. If this file does not exist, run touch ~/.zshrc to create the file and then open it.
  3. Paste the code above in the text file and save.

The next time you open your terminal you should see the selected plugins being installed. After this initial installation, you will not see the install happen again, unless you add new plugins and versions to the .zshrc file.

Next you will need to create a .tflint.hcl file that you can use locally for linting your code. Here is an example configuration file.

config {
    module = true
    force = false
    disabled_by_default = false

    plugin_dir = "~/.tflint.d/plugins/terraform-linters/tflint-ruleset-azurerm/0.16.0"

plugin "azurerm" {
    enabled = true

In this example, the plugin_dir attribute is added that points to the plugin you want to use locally.

Assuming this file is created in the same folder as your Terraform code, you can now run tflint using tflint . --config ./.tflint.hcl. Unless your code is perfect, you should get an error! Here is an example:

Warning: provider 'google' is declared in required_providers but not used by the module (terraform_unused_required_providers)

  on line 13:
  13:     google = {
  14:       source = "hashicorp/google"
  15:       version = "4.0.0"
  16:     }


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: