feat(INT-83): dial in configs for tflint

[westonplatter]

what

• docs: update README with list of trunk plugins we're using
• add a .trunk/configs/.tflint file
• adjust the trunk check GHA to expose the GITHUB_TOKEN for running tflint --init operations

Summary by CodeRabbit

• New Features

  • Introduced a configuration file to enable and customize Terraform linting rules and plugins.

• Chores

  • Updated linting workflow to improve reliability and prevent rate limiting.
  • Upgraded the Terraform linter to a newer version and defined a custom configuration path.
  • Expanded the README with a detailed list of included open source tools and improved formatting.
  • Updated .gitignore to exclude additional editor directories.
  • Added a required Terraform version constraint to example configuration for improved compatibility.

[coderabbitai]

Walkthrough

This set of changes introduces a new .tflint.hcl configuration file for TFLint, specifying plugins, rules, and environment setup instructions for Terraform linting. The .trunk/trunk.yaml file is updated to use TFLint version 0.57.0 and to define the TFLINT_CONFIG_FILE environment variable. The GitHub Actions workflow for linting is modified to inject the GITHUB_TOKEN secret for Trunk-managed TFLint runs. The .gitignore is updated to exclude .cursor/, and the README.md receives expanded documentation on included tools. The example Terraform configuration now enforces a minimum Terraform version.

Possibly related PRs

• feat: actualize README template #15: Updates to the README.md in the current PR align with comprehensive enhancements and restructuring of the README template in this related PR.

Suggested reviewers

• Gowiem

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (9)

examples/complete/variables.tf (1)

2-4: Enforce Terraform CLI version constraint
Good addition of required_version = ">= 1.0.0" to ensure compatibility. Consider also specifying required_providers within this block for completeness if not declared elsewhere.

README.md (3)

11-14: Clarify repository purpose
Clear description added. Consider minor rephrasing or punctuation for readability and consistent capitalization (e.g., "Terraform modules").

---

16-17: Improve grammar and capitalization
The phrase "while when writing terraform + open tofu" is awkward. Suggest:

-It comes pre-packaged with Masterpoint's standard Open Source tool set that our
-team uses to operate effectively while when writing terraform + open tofu.
+It comes pre-packaged with Masterpoint's standard open source tool set that our
+team uses when writing Terraform and OpenTofu, helping us operate effectively.

---

19-30: Ensure consistent tool name casing
Tool names should follow official branding. For example, capitalize acronyms and product names:

- trunk: Trunk CLI for managing code quality and automation (linters and pre-commit actions)
- tflint: Terraform linter for best practices and errors
- renovate: Automated dependency updates
- tofu: OpenTofu linter for Terraform alternative
- actionlint: Linter for GitHub Actions workflows
- checkov: Infrastructure as Code (IaC) security scanner
- git-diff-check: Checks for issues in git diffs
- markdownlint: Linter for Markdown files
- prettier: Code formatter for consistent style
- trivy: Vulnerability scanner for containers and other artifacts
- trufflehog: Secret and sensitive data scanner
- yamllint: Linter for YAML files
+ Trunk: Trunk CLI for managing code quality and automation (linters and pre-commit actions)
+ TFLint: Terraform linter for best practices and errors
+ Renovate: Automated dependency updates
+ OpenTofu: OpenTofu linter for Terraform alternative
+ ActionLint: Linter for GitHub Actions workflows
+ Checkov: Infrastructure as Code (IaC) security scanner
+ git-diff-check: Checks for issues in git diffs
+ markdownlint: Linter for Markdown files
+ Prettier: Code formatter for consistent style
+ Trivy: Vulnerability scanner for containers and other artifacts
+ TruffleHog: Secret and sensitive data scanner
+ yamllint: Linter for YAML files

.trunk/configs/.tflint.hcl (5)

1-4: Consider refining the Terraform plugin preset
Using preset = "all" enables every rule (including deprecated ones) and can generate noise. If you want a more focused set of checks, consider using the recommended preset and then explicitly enabling additional rules as needed.

---

6-11: Remove redundant default settings in config block
The fields force = false and disabled_by_default = false are the defaults in TFLint; you can omit them for brevity. Keeping only non-default configurations (e.g., format and call_module_type) improves readability.

---

13-26: Clarify AWS plugin installation instructions and consider enabling deep checks
The comment correctly explains the need for GITHUB_TOKEN to fetch the AWS ruleset. You may also want to enable deep_check = true for more thorough linting of nested AWS module configurations, at the cost of performance.
Diff suggestion:

 plugin "aws" {
   enabled    = true
   version    = "0.39.0"
   source     = "github.com/terraform-linters/tflint-ruleset-aws"
-  deep_check = false
+  deep_check = true
 }

---

29-71: Consolidate and organize Terraform core rule definitions
Since you have preset = "all", many of these rules are already enabled by default. To reduce maintenance overhead, consider removing redundant enabled = true entries for rules covered by the preset, or switch to preset = "recommended". Additionally, grouping rules alphabetically or by category (core vs. AWS) and standardizing indentation (e.g., 2 spaces vs. 4 spaces) will improve readability.

---

82-98: Standardize grouping and indentation of additional rules
These rules (terraform_typed_variables, terraform_unused_declarations, etc.) enhance code quality. For consistency, align their indentation with earlier blocks and consider grouping them under a clear header (e.g., “Core Rules” vs. “AWS Rules”) to make future updates more discoverable.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5292ae3 and bca14cd.

📒 Files selected for processing (6)

• .github/workflows/lint.yaml (1 hunks)
• .gitignore (2 hunks)
• .trunk/configs/.tflint.hcl (1 hunks)
• .trunk/trunk.yaml (1 hunks)
• README.md (3 hunks)
• examples/complete/variables.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

`**/*.tf`: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.or...

**/*.tf: You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.

• examples/complete/variables.tf

🔇 Additional comments (5)

.gitignore (1)

19-19: Exclude .cursor/ artifacts
Adding .cursor/ is helpful to ignore editor-specific cursor cache files. Ensure this aligns with other IDE/Editor sections.

.github/workflows/lint.yaml (1)

23-27: Inject GITHUB_TOKEN for Trunk-managed TFLint
Nice update to pass GITHUB_TOKEN and avoid rate limiting for TFLint plugin installation. The existing permissions (checks: write, etc.) support this usage.

.trunk/trunk.yaml (2)

30-30: Upgrade TFLint to v0.57.0
Upgrading to 0.57.0 ensures the latest linter rules and fixes. Confirm compatibility with existing .tflint.hcl configurations.

---

34-38: Define TFLINT_CONFIG_FILE environment variable
Centralizing the TFLint config path via TFLINT_CONFIG_FILE aligns with Trunk conventions. Ensure ${workspace} resolves correctly in CI context.

.trunk/configs/.tflint.hcl (1)

78-80: Disabling terraform_standard_module_structure is valid for contextual variable files
Given your module layout use cases, disabling this rule makes sense. Ensure that team members are aware of this exception to avoid surprises.

[westonplatter]

Note to self while out and about:
– call out where the winter specific configurations are.

• Change wording and read me from set up to pre-configured.

[Gowiem]

Looking great! I love to see it. Few small requests, but let's ship it.

[Gowiem]

Instead of doing this, do we just want to include it at the root of the project so that it can be picked up like other configs and isn't hidden in the trunk folder?

[westonplatter]

I wondered about that.

I looked at a other linter configs in the .trunk/configs folder, and thought bending the configurations to keep the convention of storing the configs in the same place would be valuable for downstream consumers.

[westonplatter]

@Gowiem did you have an opinion on this approach? I am reviewing what else needs to be take care before merging this PR.

[Gowiem]

Let's keep this for now and ship it, but two things for us in the future to follow up on:

1. Let's make sure this gets picked up by the OSS sync tasks we have in taskit
2. We have config spread around and our more important configs like terraform-docs.yaml, aqua.yaml, .editorconfig and similar are top level. I like that personally because in the future we could rip out trunk and not changes to these configs would need to be made.

[Gowiem]

What do these two do?

[westonplatter]

call_module_type = "local" - ignore values passed into modules. I think we actually want to lint the values in module blocks; changing this to all. More details here.

force = false - If set to true, tflint process will "return zero exit status even if issues found". My guess is that this setting could be used to keep a CI/CD pipeline running regardless of lint issues. I think we do want the pipeline to fail if linting issues exist?

disabled_by_default = false - false means all rules in the rule sets are active. More info.

[gberenice]

LGTM!

[Gowiem]

@westonplatter !

[Gowiem]

Let's keep this for now and ship it, but two things for us in the future to follow up on:

1. Let's make sure this gets picked up by the OSS sync tasks we have in taskit
2. We have config spread around and our more important configs like terraform-docs.yaml, aqua.yaml, .editorconfig and similar are top level. I like that personally because in the future we could rip out trunk and not changes to these configs would need to be made.

[westonplatter]

#39 (comment)

1. Yep, can follow up on the sync task front.
2. I see your point with keeping configs top level so we can move away from trunk if needed. Will open a PR for that.