
Add Terraform validation and linting workflow with TFLint config#6

Closed: devin-ai-integration[bot] wants to merge 2 commits into main from devin/1774877505-terraform-validate-lint


Conversation

@devin-ai-integration devin-ai-integration Bot commented Mar 30, 2026


Summary

Adds a GitHub Actions workflow and shared TFLint configuration to validate and lint all Terraform modules and environment configs on every PR to main that touches terraform/**.

New files:

  • terraform/.tflint.hcl — Shared TFLint config enabling the terraform (recommended preset) and aws (v0.31.0) plugins, plus rules for naming conventions, documented variables/outputs, unused declarations, and standard module structure.
  • .github/workflows/terraform-validate.yml — CI workflow with 4 jobs:
    1. discover-modules — Dynamically finds all directories under terraform/modules/ for a matrix strategy (currently: dns, ecr, eks-cluster, namespaces, networking).
    2. validate — Per-module: terraform fmt -check, terraform init -backend=false, terraform validate, TFLint init + run.
    3. validate-environments — Per-environment (dev, prod, staging): terraform fmt -check, terraform init -backend=false, terraform validate.
    4. summary — Fails if any of the above jobs failed.

Minor fix:

  • terraform/modules/namespaces/variables.tf — Fixed terraform fmt alignment (pre-existing formatting issue where resource_quota_enabled caused misaligned = signs).

Updates since initial revision

  • TFLint now runs with --minimum-failure-severity=error so that pre-existing warnings (e.g. missing required_version, missing required_providers version constraints in several modules) are surfaced in CI output but do not block the build. Only errors will cause failure.
  • Fixed the terraform fmt violation in namespaces/variables.tf.
  • All 11 CI checks now pass (5 module validations, 3 environment validations, module discovery, summary, and Devin Review).

Review & Testing Checklist for Human

  • Pre-existing TFLint warnings are intentionally non-blocking. Several modules (ecr, dns, networking, eks-cluster) emit warnings for missing required_version and/or required_providers version constraints. These are real issues worth fixing in a follow-up, but are allowed to pass here via --minimum-failure-severity=error. Verify this trade-off is acceptable for your team.
  • Relative TFLint config path (../../.tflint.hcl from terraform/modules/<name>/) — works today given the 2-level nesting, but is brittle if modules are restructured. Consider whether a symlink or CI-level path resolution would be more robust.
  • Environment matrix is hardcoded ([dev, prod, staging]) unlike the dynamic module discovery. If new environments are added, this list must be updated manually.
  • Test with a follow-up PR that intentionally introduces a Terraform issue (e.g. bad formatting, invalid resource) to confirm the workflow catches it and blocks correctly.

Notes

  • terraform init -backend=false is used intentionally so CI doesn't need AWS credentials or state backend access.
  • Environments only get fmt/init/validate (no TFLint), since TFLint is primarily useful for module-level linting.
  • The AWS TFLint plugin is pinned to v0.31.0 — may need periodic updates.
  • TFLint uses latest version — consider pinning to a specific version to avoid unexpected breakage from future releases.

Link to Devin session: https://partner-workshops.devinenterprise.com/sessions/86ed7cfd49eb437d94693401b56b2879


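As an added illustration, not the PR's own workflow file (which this page does not show), here is a terraform-validate.yml implementing the four jobs listed in the summary above, with the points raised in the review checklist addressed in comments; the terraform/environments/<name> layout, the vX.Y.Z TFLint pin and the read-only permissions block are assumptions.

```yaml
name: terraform-validate
on:
  pull_request:
    branches: [main]
    paths: ['terraform/**']
permissions:
  contents: read           # read-only token: this pipeline needs no write scopes and no cloud credentials
jobs:
  discover-modules:        # derive the matrix from the directory tree instead of a hardcoded list
    runs-on: ubuntu-latest
    outputs:
      modules: ${{ steps.find.outputs.modules }}
    steps:
      - uses: actions/checkout@v4
      - id: find
        run: |
          list=$(find terraform/modules -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | sort | jq -Rsc 'split("\n") | map(select(length > 0))')
          echo "modules=$list" >> "$GITHUB_OUTPUT"
  validate:
    needs: discover-modules
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false     # report every module, not only the first failure
      matrix: { module: "${{ fromJson(needs.discover-modules.outputs.modules) }}" }
    defaults: { run: { working-directory: "terraform/modules/${{ matrix.module }}" } }
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: vX.Y.Z   # placeholder: pin an exact release rather than 'latest'
      - run: terraform fmt -check -diff
      - run: terraform init -backend=false   # no state backend, hence no AWS credentials in CI
      - run: terraform validate
      - run: tflint --init --config ../../.tflint.hcl    # relative path assumes the 2-level module nesting
      - run: tflint --config ../../.tflint.hcl --minimum-failure-severity=error
  validate-environments:
    runs-on: ubuntu-latest
    strategy: { fail-fast: false, matrix: { environment: [dev, prod, staging] } }   # hardcoded, as in the PR
    defaults: { run: { working-directory: "terraform/environments/${{ matrix.environment }}" } }   # assumed layout
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform fmt -check -diff && terraform init -backend=false && terraform validate
  summary:
    needs: [validate, validate-environments]
    if: always()           # evaluate the gate even when an upstream job failed
    runs-on: ubuntu-latest
    steps:
      - run: '[ "${{ needs.validate.result }}" = success ] && [ "${{ needs.validate-environments.result }}" = success ]'
```

Making `summary` the single required status check in branch protection means a module added later is covered automatically, since the matrix is derived at run time rather than listed in the protection rule.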

- Add .tflint.hcl with terraform and aws plugins, naming convention,
  documented variables/outputs, unused declarations, and standard
  module structure rules
- Add GitHub Actions workflow that runs on PRs to main touching terraform/**
- Dynamic module discovery via matrix strategy for terraform/modules/*
- Validate all environments (dev, prod, staging) with fmt, init, validate
- Summary job aggregates results across all modules and environments
@devin-ai-integration


🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

- Fix terraform fmt alignment in namespaces/variables.tf
- Add --minimum-failure-severity=error to TFLint so pre-existing
  warnings (missing required_version, required_providers) don't
  fail the build

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.


@devin-ai-integration


Closing: this PR is older than 3 weeks. Reopen if still needed.

@devin-ai-integration devin-ai-integration Bot deleted the devin/1774877505-terraform-validate-lint branch April 24, 2026 22:05