TFLint - custom rule
It’s good to have well-defined IAM policies, and AWS gives a lot of flexibility in this area. Let’s imagine that one of these policies limits the selection of EC2 instance types; you can apply it at different levels: at the organization level as a Service Control Policy like that, or as a single policy within a selected AWS account. You also probably have some automation around the creation of those EC2 instances, like Terraform, so it’s good to have an early warning sign before an incorrect instance type is used, as a separate step in the CI/CD system. In the Terraform ecosystem, one of the tools that can be used in this area is TFLint; it allows you to use predefined rules to enforce your internal policies or to develop your own rules. The second approach can be used to warn you before an incorrect type is used. TFLint gives you a nice template to start writing your own plugin; I used it to create a PoC that enforces using selected EC2 instance types. To verify how it runs, just clone the repo and:
$ make install
go build
mkdir -p ~/.tflint.d/plugins
mv ./tflint-ruleset-template ~/.tflint.d/plugins
$ cat ~/.tflint.hcl
plugin "template" {
enabled = true
}
rule "aws_instance_enforce_type" {
enabled = true
types = ["t2.micro", "t3.micro"]
}
$ cat test.tf
resource "aws_instance" "web" {
instance_type = "t2.nano"
}
$ tflint test.tf
1 issue(s) found:
Error: wrong instance type t2.nano, should be one of: [t2.micro t3.micro] (aws_instance_enforce_type)
on test.tf line 2:
2: instance_type = "t2.nano"
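To show what the rule itself does, here is an added example (not the post's plugin code, and it does not import the TFLint plugin SDK): the allow-list check in Go, where a stand-in Attr type models the evaluated instance_type values the SDK would hand the rule, including the case of a value that cannot be resolved statically.

```go
package main

import "fmt"

// Attr stands in for an evaluated aws_instance.instance_type attribute (what
// the SDK hands the rule after WalkResourceAttributes + EvaluateExpr).
// Known=false models an "unknown value", e.g. instance_type = var.x with no default.
type Attr struct {
	Resource string // e.g. "aws_instance.web"
	Line     int
	Value    string
	Known    bool
}

// Issue mirrors what the rule passes to runner.EmitIssue.
type Issue struct {
	Message, Resource string
	Line              int
}

// AwsInstanceEnforceTypeRule holds the allow-list decoded from the "types"
// option of the rule block in .tflint.hcl.
type AwsInstanceEnforceTypeRule struct{ Types []string }

func (r *AwsInstanceEnforceTypeRule) Name() string { return "aws_instance_enforce_type" }

// Check reports each literal instance_type outside the allow-list. Values that
// cannot be resolved statically are skipped (as the SDK's EnsureNoError does), so
// those resources pass silently and need the AWS-side policy as a backstop.
// %v on the slice gives the "[t2.micro t3.micro]" form seen in the output above.
func (r *AwsInstanceEnforceTypeRule) Check(attrs []Attr) []Issue {
	allowed := map[string]bool{}
	for _, t := range r.Types {
		allowed[t] = true
	}
	var issues []Issue
	for _, a := range attrs {
		if !a.Known || allowed[a.Value] {
			continue
		}
		msg := fmt.Sprintf("wrong instance type %s, should be one of: %v", a.Value, r.Types)
		issues = append(issues, Issue{Message: msg, Resource: a.Resource, Line: a.Line})
	}
	return issues
}

func main() { // constructed input: test.tf above plus a variable-driven resource
	rule := &AwsInstanceEnforceTypeRule{Types: []string{"t2.micro", "t3.micro"}}
	for _, i := range rule.Check([]Attr{{"aws_instance.web", 2, "t2.nano", true}, {"aws_instance.dyn", 5, "", false}}) {
		fmt.Printf("Error: %s (%s)\n  on %s line %d\n", i.Message, rule.Name(), i.Resource, i.Line) // formatter adds severity and rule name
	}
}
```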
It’s only a PoC and doesn’t provide an option to download this plugin from GitHub. TFLint provides a nice option that allows you to put a custom .tflint.hcl inside the directory, so when your infrastructure is split into different directories, each env can have its own configuration.