terraform-linters · bendrucker · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,3 @@
-[submodule "rules/models/aws-sdk-ruby"]
-	path = rules/models/aws-sdk-ruby
-	url = https://github.com/aws/aws-sdk-ruby
+[submodule "rules/models/api-models-aws"]
+	path = rules/models/api-models-aws
+	url = https://github.com/aws/api-models-aws
diff --git a/docs/rules/README.md b/docs/rules/README.md
@@ -517,14 +517,6 @@ These rules enforce best practices and naming conventions:
 |aws_dms_endpoint_invalid_endpoint_type|✔|
 |aws_dms_endpoint_invalid_ssl_mode|✔|
 |aws_dms_replication_task_invalid_migration_type|✔|
-|aws_dms_s3_endpoint_invalid_canned_acl_for_objects|✔|
-|aws_dms_s3_endpoint_invalid_compression_type|✔|
-|aws_dms_s3_endpoint_invalid_data_format|✔|
-|aws_dms_s3_endpoint_invalid_date_partition_delimiter|✔|
-|aws_dms_s3_endpoint_invalid_date_partition_sequence|✔|
-|aws_dms_s3_endpoint_invalid_encoding_type|✔|
-|aws_dms_s3_endpoint_invalid_encryption_mode|✔|
-|aws_dms_s3_endpoint_invalid_parquet_version|✔|
 |aws_docdb_global_cluster_invalid_global_cluster_identifier|✔|
 |aws_dx_bgp_peer_invalid_address_family|✔|
 |aws_dx_hosted_private_virtual_interface_invalid_address_family|✔|
@@ -574,6 +566,7 @@ These rules enforce best practices and naming conventions:
 |aws_ecrpublic_repository_invalid_repository_name|✔|
 |aws_ecrpublic_repository_policy_invalid_policy|✔|
 |aws_ecrpublic_repository_policy_invalid_repository_name|✔|
+|aws_ecs_account_setting_default_invalid_name|✔|
 |aws_ecs_service_invalid_launch_type|✔|
 |aws_ecs_service_invalid_propagate_tags|✔|
 |aws_ecs_service_invalid_scheduling_strategy|✔|
@@ -713,6 +706,7 @@ These rules enforce best practices and naming conventions:
 |aws_guardduty_ipset_invalid_location|✔|
 |aws_guardduty_ipset_invalid_name|✔|
 |aws_guardduty_member_invalid_detector_id|✔|
+|aws_guardduty_member_invalid_email|✔|
 |aws_guardduty_organization_configuration_invalid_detector_id|✔|
 |aws_guardduty_publishing_destination_invalid_destination_type|✔|
 |aws_guardduty_publishing_destination_invalid_detector_id|✔|
@@ -1023,6 +1017,7 @@ These rules enforce best practices and naming conventions:
 |aws_route53_record_invalid_name|✔|
 |aws_route53_record_invalid_set_identifier|✔|
 |aws_route53_record_invalid_type|✔|
+|aws_route53_record_invalid_zone_id|✔|
 |aws_route53_resolver_dnssec_config_invalid_resource_id|✔|
 |aws_route53_resolver_endpoint_invalid_direction|✔|
 |aws_route53_resolver_firewall_config_invalid_firewall_fail_open|✔|

diff --git a/rules/models/api-models-aws b/rules/models/api-models-aws
diff --git a/rules/models/aws-sdk-ruby b/rules/models/aws-sdk-ruby
diff --git a/rules/models/aws_accessanalyzer_analyzer_invalid_type.go b/rules/models/aws_accessanalyzer_analyzer_invalid_type.go
@@ -26,11 +26,11 @@ func NewAwsAccessanalyzerAnalyzerInvalidTypeRule() *AwsAccessanalyzerAnalyzerInv
 		attributeName: "type",
 		enum: []string{
 			"ACCOUNT",
-			"ORGANIZATION",
-			"ACCOUNT_UNUSED_ACCESS",
-			"ORGANIZATION_UNUSED_ACCESS",
 			"ACCOUNT_INTERNAL_ACCESS",
+			"ACCOUNT_UNUSED_ACCESS",
+			"ORGANIZATION",
 			"ORGANIZATION_INTERNAL_ACCESS",
+			"ORGANIZATION_UNUSED_ACCESS",
 		},
 	}
 }

diff --git a/rules/models/aws_acmpca_certificate_invalid_signing_algorithm.go b/rules/models/aws_acmpca_certificate_invalid_signing_algorithm.go
@@ -25,11 +25,14 @@ func NewAwsAcmpcaCertificateInvalidSigningAlgorithmRule() *AwsAcmpcaCertificateI
 		resourceType:  "aws_acmpca_certificate",
 		attributeName: "signing_algorithm",
 		enum: []string{
+			"ML_DSA_44",
+			"ML_DSA_65",
+			"ML_DSA_87",
 			"SHA256WITHECDSA",
-			"SHA384WITHECDSA",
-			"SHA512WITHECDSA",
 			"SHA256WITHRSA",
+			"SHA384WITHECDSA",
 			"SHA384WITHRSA",
+			"SHA512WITHECDSA",
 			"SHA512WITHRSA",
 			"SM3WITHSM2",
 		},

diff --git a/rules/models/aws_alb_invalid_ip_address_type.go b/rules/models/aws_alb_invalid_ip_address_type.go
@@ -25,9 +25,9 @@ func NewAwsALBInvalidIPAddressTypeRule() *AwsALBInvalidIPAddressTypeRule {
 		resourceType:  "aws_alb",
 		attributeName: "ip_address_type",
 		enum: []string{
-			"ipv4",
 			"dualstack",
 			"dualstack-without-public-ipv4",
+			"ipv4",
 		},
 	}
 }

diff --git a/rules/models/aws_alb_invalid_load_balancer_type.go b/rules/models/aws_alb_invalid_load_balancer_type.go
@@ -26,8 +26,8 @@ func NewAwsALBInvalidLoadBalancerTypeRule() *AwsALBInvalidLoadBalancerTypeRule {
 		attributeName: "load_balancer_type",
 		enum: []string{
 			"application",
-			"network",
 			"gateway",
+			"network",
 		},
 	}
 }

diff --git a/rules/models/aws_alb_listener_invalid_protocol.go b/rules/models/aws_alb_listener_invalid_protocol.go
@@ -25,13 +25,13 @@ func NewAwsALBListenerInvalidProtocolRule() *AwsALBListenerInvalidProtocolRule {
 		resourceType:  "aws_alb_listener",
 		attributeName: "protocol",
 		enum: []string{
+			"GENEVE",
 			"HTTP",
 			"HTTPS",
 			"TCP",
+			"TCP_UDP",
 			"TLS",
 			"UDP",
-			"TCP_UDP",
-			"GENEVE",
 		},
 	}
 }

diff --git a/rules/models/aws_alb_target_group_invalid_protocol.go b/rules/models/aws_alb_target_group_invalid_protocol.go
@@ -25,13 +25,13 @@ func NewAwsALBTargetGroupInvalidProtocolRule() *AwsALBTargetGroupInvalidProtocol
 		resourceType:  "aws_alb_target_group",
 		attributeName: "protocol",
 		enum: []string{
+			"GENEVE",
 			"HTTP",
 			"HTTPS",
 			"TCP",
+			"TCP_UDP",
 			"TLS",
 			"UDP",
-			"TCP_UDP",
-			"GENEVE",
 		},
 	}
 }

diff --git a/rules/models/aws_alb_target_group_invalid_target_type.go b/rules/models/aws_alb_target_group_invalid_target_type.go
@@ -25,10 +25,10 @@ func NewAwsALBTargetGroupInvalidTargetTypeRule() *AwsALBTargetGroupInvalidTarget
 		resourceType:  "aws_alb_target_group",
 		attributeName: "target_type",
 		enum: []string{
+			"alb",
 			"instance",
 			"ip",
 			"lambda",
-			"alb",
 		},
 	}
 }

diff --git a/rules/models/aws_ami_invalid_architecture.go b/rules/models/aws_ami_invalid_architecture.go
@@ -25,11 +25,11 @@ func NewAwsAMIInvalidArchitectureRule() *AwsAMIInvalidArchitectureRule {
 		resourceType:  "aws_ami",
 		attributeName: "architecture",
 		enum: []string{
+			"arm64",
+			"arm64_mac",
 			"i386",
 			"x86_64",
-			"arm64",
 			"x86_64_mac",
-			"arm64_mac",
 		},
 	}
 }

diff --git a/rules/models/aws_amplify_app_invalid_platform.go b/rules/models/aws_amplify_app_invalid_platform.go
@@ -26,8 +26,8 @@ func NewAwsAmplifyAppInvalidPlatformRule() *AwsAmplifyAppInvalidPlatformRule {
 		attributeName: "platform",
 		enum: []string{
 			"WEB",
-			"WEB_DYNAMIC",
 			"WEB_COMPUTE",
+			"WEB_DYNAMIC",
 		},
 	}
 }

diff --git a/rules/models/aws_amplify_branch_invalid_stage.go b/rules/models/aws_amplify_branch_invalid_stage.go
@@ -25,10 +25,10 @@ func NewAwsAmplifyBranchInvalidStageRule() *AwsAmplifyBranchInvalidStageRule {
 		resourceType:  "aws_amplify_branch",
 		attributeName: "stage",
 		enum: []string{
-			"PRODUCTION",
 			"BETA",
 			"DEVELOPMENT",
 			"EXPERIMENTAL",
+			"PRODUCTION",
 			"PULL_REQUEST",
 		},
 	}

diff --git a/rules/models/aws_api_gateway_authorizer_invalid_type.go b/rules/models/aws_api_gateway_authorizer_invalid_type.go
@@ -25,9 +25,9 @@ func NewAwsAPIGatewayAuthorizerInvalidTypeRule() *AwsAPIGatewayAuthorizerInvalid
 		resourceType:  "aws_api_gateway_authorizer",
 		attributeName: "type",
 		enum: []string{
-			"TOKEN",
-			"REQUEST",
 			"COGNITO_USER_POOLS",
+			"REQUEST",
+			"TOKEN",
 		},
 	}
 }

diff --git a/rules/models/aws_api_gateway_gateway_response_invalid_response_type.go b/rules/models/aws_api_gateway_gateway_response_invalid_response_type.go
@@ -25,26 +25,26 @@ func NewAwsAPIGatewayGatewayResponseInvalidResponseTypeRule() *AwsAPIGatewayGate
 		resourceType:  "aws_api_gateway_gateway_response",
 		attributeName: "response_type",
 		enum: []string{
-			"DEFAULT_4XX",
-			"DEFAULT_5XX",
-			"RESOURCE_NOT_FOUND",
-			"UNAUTHORIZED",
-			"INVALID_API_KEY",
 			"ACCESS_DENIED",
-			"AUTHORIZER_FAILURE",
+			"API_CONFIGURATION_ERROR",
 			"AUTHORIZER_CONFIGURATION_ERROR",
-			"INVALID_SIGNATURE",
+			"AUTHORIZER_FAILURE",
+			"BAD_REQUEST_BODY",
+			"BAD_REQUEST_PARAMETERS",
+			"DEFAULT_4XX",
+			"DEFAULT_5XX",
 			"EXPIRED_TOKEN",
-			"MISSING_AUTHENTICATION_TOKEN",
 			"INTEGRATION_FAILURE",
 			"INTEGRATION_TIMEOUT",
-			"API_CONFIGURATION_ERROR",
-			"UNSUPPORTED_MEDIA_TYPE",
-			"BAD_REQUEST_PARAMETERS",
-			"BAD_REQUEST_BODY",
+			"INVALID_API_KEY",
+			"INVALID_SIGNATURE",
+			"MISSING_AUTHENTICATION_TOKEN",
+			"QUOTA_EXCEEDED",
 			"REQUEST_TOO_LARGE",
+			"RESOURCE_NOT_FOUND",
 			"THROTTLED",
-			"QUOTA_EXCEEDED",
+			"UNAUTHORIZED",
+			"UNSUPPORTED_MEDIA_TYPE",
 			"WAF_FILTERED",
 		},
 	}

diff --git a/rules/models/aws_api_gateway_integration_invalid_type.go b/rules/models/aws_api_gateway_integration_invalid_type.go
@@ -25,11 +25,11 @@ func NewAwsAPIGatewayIntegrationInvalidTypeRule() *AwsAPIGatewayIntegrationInval
 		resourceType:  "aws_api_gateway_integration",
 		attributeName: "type",
 		enum: []string{
-			"HTTP",
 			"AWS",
-			"MOCK",
-			"HTTP_PROXY",
 			"AWS_PROXY",
+			"HTTP",
+			"HTTP_PROXY",
+			"MOCK",
 		},
 	}
 }

diff --git a/rules/models/aws_api_gateway_rest_api_invalid_api_key_source.go b/rules/models/aws_api_gateway_rest_api_invalid_api_key_source.go
@@ -25,8 +25,8 @@ func NewAwsAPIGatewayRestAPIInvalidAPIKeySourceRule() *AwsAPIGatewayRestAPIInval
 		resourceType:  "aws_api_gateway_rest_api",
 		attributeName: "api_key_source",
 		enum: []string{
-			"HEADER",
 			"AUTHORIZER",
+			"HEADER",
 		},
 	}
 }

diff --git a/rules/models/aws_api_gateway_stage_invalid_cache_cluster_size.go b/rules/models/aws_api_gateway_stage_invalid_cache_cluster_size.go
@@ -26,13 +26,13 @@ func NewAwsAPIGatewayStageInvalidCacheClusterSizeRule() *AwsAPIGatewayStageInval
 		attributeName: "cache_cluster_size",
 		enum: []string{
 			"0.5",
-			"1.6",
-			"6.1",
+			"118",
 			"13.5",
+			"1.6",
+			"237",
 			"28.4",
 			"58.2",
-			"118",
-			"237",
+			"6.1",
 		},
 	}
 }

diff --git a/rules/models/aws_apigatewayv2_api_invalid_protocol_type.go b/rules/models/aws_apigatewayv2_api_invalid_protocol_type.go
@@ -25,8 +25,8 @@ func NewAwsApigatewayv2APIInvalidProtocolTypeRule() *AwsApigatewayv2APIInvalidPr
 		resourceType:  "aws_apigatewayv2_api",
 		attributeName: "protocol_type",
 		enum: []string{
-			"WEBSOCKET",
 			"HTTP",
+			"WEBSOCKET",
 		},
 	}
 }

diff --git a/rules/models/aws_apigatewayv2_authorizer_invalid_authorizer_type.go b/rules/models/aws_apigatewayv2_authorizer_invalid_authorizer_type.go
@@ -25,8 +25,8 @@ func NewAwsApigatewayv2AuthorizerInvalidAuthorizerTypeRule() *AwsApigatewayv2Aut
 		resourceType:  "aws_apigatewayv2_authorizer",
 		attributeName: "authorizer_type",
 		enum: []string{
-			"REQUEST",
 			"JWT",
+			"REQUEST",
 		},
 	}
 }

diff --git a/rules/models/aws_apigatewayv2_integration_invalid_integration_type.go b/rules/models/aws_apigatewayv2_integration_invalid_integration_type.go
@@ -26,10 +26,10 @@ func NewAwsApigatewayv2IntegrationInvalidIntegrationTypeRule() *AwsApigatewayv2I
 		attributeName: "integration_type",
 		enum: []string{
 			"AWS",
+			"AWS_PROXY",
 			"HTTP",
-			"MOCK",
 			"HTTP_PROXY",
-			"AWS_PROXY",
+			"MOCK",
 		},
 	}
 }

diff --git a/rules/models/aws_apigatewayv2_integration_invalid_passthrough_behavior.go b/rules/models/aws_apigatewayv2_integration_invalid_passthrough_behavior.go
@@ -25,8 +25,8 @@ func NewAwsApigatewayv2IntegrationInvalidPassthroughBehaviorRule() *AwsApigatewa
 		resourceType:  "aws_apigatewayv2_integration",
 		attributeName: "passthrough_behavior",
 		enum: []string{
-			"WHEN_NO_MATCH",
 			"NEVER",
+			"WHEN_NO_MATCH",
 			"WHEN_NO_TEMPLATES",
 		},
 	}

diff --git a/rules/models/aws_apigatewayv2_route_invalid_authorization_type.go b/rules/models/aws_apigatewayv2_route_invalid_authorization_type.go
@@ -25,10 +25,10 @@ func NewAwsApigatewayv2RouteInvalidAuthorizationTypeRule() *AwsApigatewayv2Route
 		resourceType:  "aws_apigatewayv2_route",
 		attributeName: "authorization_type",
 		enum: []string{
-			"NONE",
 			"AWS_IAM",
 			"CUSTOM",
 			"JWT",
+			"NONE",
 		},
 	}
 }

diff --git a/rules/models/aws_appautoscaling_policy_invalid_policy_type.go b/rules/models/aws_appautoscaling_policy_invalid_policy_type.go
@@ -25,9 +25,9 @@ func NewAwsAppautoscalingPolicyInvalidPolicyTypeRule() *AwsAppautoscalingPolicyI
 		resourceType:  "aws_appautoscaling_policy",
 		attributeName: "policy_type",
 		enum: []string{
+			"PredictiveScaling",
 			"StepScaling",
 			"TargetTrackingScaling",
-			"PredictiveScaling",
 		},
 	}
 }

diff --git a/rules/models/aws_appautoscaling_policy_invalid_scalable_dimension.go b/rules/models/aws_appautoscaling_policy_invalid_scalable_dimension.go
@@ -25,29 +25,29 @@ func NewAwsAppautoscalingPolicyInvalidScalableDimensionRule() *AwsAppautoscaling
 		resourceType:  "aws_appautoscaling_policy",
 		attributeName: "scalable_dimension",
 		enum: []string{
-			"ecs:service:DesiredCount",
-			"ec2:spot-fleet-request:TargetCapacity",
-			"elasticmapreduce:instancegroup:InstanceCount",
 			"appstream:fleet:DesiredCapacity",
-			"dynamodb:table:ReadCapacityUnits",
-			"dynamodb:table:WriteCapacityUnits",
-			"dynamodb:index:ReadCapacityUnits",
-			"dynamodb:index:WriteCapacityUnits",
-			"rds:cluster:ReadReplicaCount",
-			"sagemaker:variant:DesiredInstanceCount",
-			"custom-resource:ResourceType:Property",
-			"comprehend:document-classifier-endpoint:DesiredInferenceUnits",
-			"comprehend:entity-recognizer-endpoint:DesiredInferenceUnits",
-			"lambda:function:ProvisionedConcurrency",
 			"cassandra:table:ReadCapacityUnits",
 			"cassandra:table:WriteCapacityUnits",
-			"kafka:broker-storage:VolumeSize",
+			"comprehend:document-classifier-endpoint:DesiredInferenceUnits",
+			"comprehend:entity-recognizer-endpoint:DesiredInferenceUnits",
+			"custom-resource:ResourceType:Property",
+			"dynamodb:index:ReadCapacityUnits",
+			"dynamodb:index:WriteCapacityUnits",
+			"dynamodb:table:ReadCapacityUnits",
+			"dynamodb:table:WriteCapacityUnits",
+			"ec2:spot-fleet-request:TargetCapacity",
+			"ecs:service:DesiredCount",
+			"elasticmapreduce:instancegroup:InstanceCount",
 			"elasticache:cache-cluster:Nodes",
 			"elasticache:replication-group:NodeGroups",
 			"elasticache:replication-group:Replicas",
+			"kafka:broker-storage:VolumeSize",
+			"lambda:function:ProvisionedConcurrency",
 			"neptune:cluster:ReadReplicaCount",
-			"sagemaker:variant:DesiredProvisionedConcurrency",
+			"rds:cluster:ReadReplicaCount",
 			"sagemaker:inference-component:DesiredCopyCount",
+			"sagemaker:variant:DesiredInstanceCount",
+			"sagemaker:variant:DesiredProvisionedConcurrency",
 			"workspaces:workspacespool:DesiredUserSessions",
 		},
 	}
-Original file line number
+Diff line change
@@ Expand Up @@
     		attributeName: "cache_cluster_size",
     		enum: []string{
     			"0.5",
-    			"1.6",
-    			"6.1",
+    			"118",
     			"13.5",
+    			"1.6",
+    			"237",
     			"28.4",
     			"58.2",
-    			"118",
-    			"237",
+    			"6.1",
     		},
     	}
     }
@@ Expand Down @@