Feature request: ignore file/directory

[raxod502-plaid]

We have a repository with lots of manually written Terraform code that conforms to linting rules, and a few files that are autogenerated and do not conform. We'd like to run tflint on the repository, but configure it to ignore the Terraform in the autogenerated directory.

Unfortunately, although #142 was resolved, I still don't see a way to ignore on a file or directory basis. We can't add annotations into specific resources because the files are autogenerated.

[raxod502-plaid]

Our workaround in the meantime:

lint-ft:
	@find . -type f -name '*.tf' \
		-not -path '*.terraform*' \
		-not -path '*modules*' \
		-not -path '*.git*' \
		-not -path '*.cache*' \
		-not -path '*.local*' \
		-exec dirname {} \; | sort -Vu \
		| xargs -I{} -P16 tflint --loglevel=error {}

[bendrucker]

I'm confused by the phrasing, a bit more detail and config examples would be helpful. Initially I thought you were generating certain files within hand-authored modules, but on second read it sounds more like you're generating entire modules.

Would also be helpful to hear which rules you're trying to suppress.

We'd like to run tflint on the repository, but configure it to ignore the Terraform in the autogenerated directory.

If you're looking to find Terraform modules recursively and run TFLint in each, but exclude certain modules, you should implement that logic outside of TFLint, as you're doing above.

If you're looking to exclude specific files within a given module, that would either require using --format json and filtering yourself or having a config option so that TFLint can filter for you. If you can explain the use case more clearly we might accept a PR for that.

[raxod502-plaid]

Sorry, I misunderstood the command-line usage and was under the impression that tflint supported linting a directory recursively. Since that's not the case, I agree it's nonsensical to have an option to ignore directories. We don't need to ignore specific files within a directory in our use case, but that does seem like something that might come up for others (you are auto-generating some repeated Terraform resources in such a way that they do not conform to one or another linting rules).

However, since I do not have a concrete example of the single-file exclusion use case, it's fine to close this ticket until someone who does shows up.

Sorry for the noise.

[bendrucker]

All good! TFLint doesn't handle recursion itself in part because of this sort of complexity.

If someone else is interested in this in the future, independent of recursion, I'd be keen to hear which rules are a sticking point. JSON is the preferred format for generated code in TF. I could imagine someone might want to lint tf and ignore tf.json, though even then I can't envision why generated config shouldn't conform to rules imposed on non-generated parts of the same module.

[Sayrus]

Sorry, I misunderstood the command-line usage and was under the impression that tflint supported linting a directory recursively. Since that's not the case, I agree it's nonsensical to have an option to ignore directories. We don't need to ignore specific files within a directory in our use case, but that does seem like something that might come up for others (you are auto-generating some repeated Terraform resources in such a way that they do not conform to one or another linting rules).

However, since I do not have a concrete example of the single-file exclusion use case, it's fine to close this ticket until someone who does shows up.

Sorry for the noise.

All good! TFLint doesn't handle recursion itself in part because of this sort of complexity.

If someone else is interested in this in the future, independent of recursion, I'd be keen to hear which rules are a sticking point. JSON is the preferred format for generated code in TF. I could imagine someone might want to lint tf and ignore tf.json, though even then I can't envision why generated config shouldn't conform to rules imposed on non-generated parts of the same module.

If this can help, I have a concrete use-case for single-file exclusion. Finding files and passing them to TFLint worked as a workaround.

In our case, we have a common files that contains helpers variables (locals mainly) that is injected in our different terraform folders. Due to this, there are a lot of terraform_unused_declarations coming from this file. I've been looking for a way to exclude this file from the result (which basically would be a negative --filter) but haven't been able to do it with TFLint directly.

A simplified directory structure for this would be the following:

includes/injected-values.tf
project1/main.tf
project1/injected-values.tf -> ../includes/injected-values.tf
project2/main.tf
project2/injected-values.tf -> ../includes/injected-values.tf

It is possible to annotate each local with a tflint-ignore but the file quickly becomes less readable.

Or we could dynamically pull these with data but it's easier to have them readily readable, versioned and auditable. However, in doing so, most of the locals defined in this injected-values.tf are unused.

If you think this is an interesting use-case, I'd be happy to try my hand at creating a PR for something like a --exclude.

[cep21]

Hi @Sayrus we have the exact same setup and are wondering if you had any workarounds?

[cdobbyn]

I'm running into this with terraform_standard_module_structure. In our case we heavily leverage the cloudposse null label module which has a pre-generated context.tf file. I would love to ignore this entire file without having to add multiple changes into it.

It would be helpful to be able to ignore an entire file by name, or at worst by a comment at the very top of the file.

[nwalters512]

#1622 introduced for --recursive. @bendrucker given that tflint now does handle recursion itself, would you consider reopening this? Alternatively, being able to pass a specific set of directories to lint (e.g. tflint --recursive ./terraform) would be valuable to avoid the need to much around with the working directory every time I want to lint the terraform directory of my monorepo. I can open a new issue if you'd consider implementing something like that.

[bendrucker]

We've generally been reserving issues for concrete proposals and using discussions for ideation. Feel free to search for an existing discussion or open a new one.

#1920

A vague feature proposal that sits open isn't valuable but a thorough explanation of how you organize your modules and exactly which you want to select and why is helpful. We have no shortage of people taking stabs at what the CLI would look like but a distinct lack of clearly explained use cases.

There's the include vs exclude question, CLI versus flat config versus per-module config, and a lot of other unanswered questions. Those are what's between us and adding these types of features, not a tracking ticket.

File level ignores are now handled by #1909. I'd certainly prefer that over any magic based on a particular filename (context.tf).

I'm going to lock this thread. Any further comments can be included in discussions until we can get some clarity around the various options. And then as a specific ideas emerge we will open issue(s) to track them.

[bendrucker]

Oh and the problem you're specifically referencing doesn't involve passing a set of directories, it's just one. It's prohibited currently but tflint --chdir ./terraform --recursive would seem to really be what you need. I'm not sure that's been discussed so feel free to open a discussion around that and maybe that's a smaller/easier change that would address your use case.

The idea of passing in a set of directories to recurse into has been raised a few times but I've yet to hear a use case that actually requires that. #1929 tries to describe an approach that works for a monorepo with sprawling configuration complexity but that requires a lot more thought and research.