What's the best way to use tflint when writing a Terraform module for AWS?

[rquadling]

So, I've got a module that has no AWS credentials at all. It is a module that will be accessible as a remote module in any Terraform project that wants to use it. All nice and sensible, reusable, immutable versioning, etc. Everything developers are told to do.

I'd like to use TFLint. We already use it on are project repos (that, surprisingly, include the remote modules that I'm talking about).

Still, all is working well and good.

But (I got there eventually!), when running tflint, via pre-commit, on the module, with no AWS credentials in play at all, we get:

Terraform validate with tflint...........................................Failed
- hook id: terraform_tflint
- exit code: 1

Command 'tflint --init' successfully done:
Plugin `aws` is already installed



TFLint in ./:
Failed to check ruleset; no valid credential sources for tflint-ruleset-aws found.

Please see https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/docs/deep_checking.md
for more information about providing credentials.

Error: NoCredentialProviders: no valid providers in chain
caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
SharedCredsLoad: failed to load profile, .
EC2RoleRequestError: no EC2 instance role found
caused by: RequestError: send request failed
caused by: Get "http://169.254.169.254/latest/meta-data/iam/security-credentials/": dial tcp 169.254.169.254:80: connect: host is down

Pretty much everything after Failed to check ruleset; no valid credential sources for tflint-ruleset-aws found. is fine. All how AWS tries its utmost to find credentials before giving up and telling us off for being naughty!

What is the best way to handle this situation?

It MAY be that tflint on a Terraform module is not practical. If that's the case, then we remove tflint from the pre-commit config and we're done. The downside to that is if there is an issue that tflint would/could/should identify within the module, it is now turning on alarms for all the consuming projects, which now means a LOAD of support and "help me"s and "fix this now or else"s.

As an additional thing on this, we also use gitleaks to ensure no repo has any credentials in.

[wata727]

So, I've got a module that has no AWS credentials at all. It is a module that will be accessible as a remote module in any Terraform project that wants to use it. All nice and sensible, reusable, immutable versioning, etc. Everything developers are told to do.

In the case, we recommend disabling deep checking. Deep checking is a feature that performs additional checks using the credentials actually used in a workspace that runs terraform plan. If it is the workspace's responsibility to pass credentials, there is no need to enable deep checking in the module.