-rw-r--r--.github/workflows/tflint.yaml42
-rw-r--r--.tflint.hcl4
-rw-r--r--flake/ci.nix19
3 files changed, 64 insertions, 1 deletions
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
new file mode 100644
index 0000000..2ba60c4
--- /dev/null
+++ b/.github/workflows/tflint.yaml
@@ -0,0 +1,42 @@
+name: tflint
+
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - "terraform/**"
+ - ".github/workflows/tflint.yaml"
+ pull_request:
+ paths:
+ - "terraform/**"
+ - ".github/workflows/tflint.yaml"
+ workflow_dispatch:
+
+jobs:
+ scan:
+ name: Scan
+
+ runs-on: ubuntu-latest
+
+ permissions:
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v16
+ with:
+ diagnostic-endpoint: ""
+
+ - name: Build tflint report
+ id: tflint-run
+ run: |
+ echo "sarif-file=$(nix build --no-link --print-build-logs --print-out-paths .#tflint)" >> "$GITHUB_OUTPUT"
+
+ - name: Upload results
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.tflint-run.outputs.sarif-file }}
+ wait-for-processing: true
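Review bot: The `run` step at `echo "sarif-file=$(nix build ...)" >> "$GITHUB_OUTPUT"` masks a failed build, because the exit status of a command substitution used inside an argument is discarded and the step only reports echo's status; a broken `.#tflint` build then yields an empty `sarif-file` output and the failure surfaces later as an unrelated error from `upload-sarif`. Assigning first keeps the status under the runner's default `bash -eo pipefail`: `out="$(nix build --no-link --print-build-logs --print-out-paths .#tflint)"` followed by `echo "sarif-file=$out" >> "$GITHUB_OUTPUT"`. This matters here because the derivation script added in flake/ci.nix ends with `|| true`, so a tflint crash never fails the build and the nix invocation itself is the only remaining failure signal. With an explicit `permissions:` block every unlisted scope is `none`; that is sufficient for a public repository, but if this repository is private the checkout and the SARIF upload also need `contents: read` and `actions: read`.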
diff --git a/.tflint.hcl b/.tflint.hcl
new file mode 100644
index 0000000..427121c
--- /dev/null
+++ b/.tflint.hcl
@@ -0,0 +1,4 @@
+plugin "terraform" {
+ enabled = true
+ preset = "recommended"
+}
diff --git a/flake/ci.nix b/flake/ci.nix
index e8a1373..30cbd06 100644
--- a/flake/ci.nix
+++ b/flake/ci.nix
@@ -8,7 +8,8 @@
{
perSystem =
- { pkgs, ... }:
+ { config, pkgs, ... }:
+
{
quickChecks = {
actionlint = {
@@ -21,6 +22,11 @@
script = "deadnix --fail ${self}";
};
+ hclfmt = {
+ dependencies = [ pkgs.hclfmt ];
+ script = "hclfmt -require-no-change ${self}/terraform/*.tf";
+ };
+
just = {
dependencies = [ pkgs.just ];
script = ''
@@ -39,6 +45,17 @@
dependencies = [ pkgs.statix ];
script = "statix check ${self}";
};
+
+ tflint = {
+ dependencies = [ pkgs.tflint ];
+ script = ''
+ tflint --chdir=${self}/terraform --format=sarif |& tee $out || true
+ '';
+ };
+ };
+
+ legacyPackages = {
+ tflint = config.quickChecks.tflint.package;
};
};