feat: warn on heredocs for specific resources like aws_iam_role

[nitrocode]

Using the resource aws_iam_role, I can create a role using

resource "aws_iam_role" "task_role" {
  name               = "ecs-${var.project}"
  path               = "/"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
  ...
  ]
}
EOF
}

or I can create one using the data source aws_iam_policy_document. I'd prefer using the data source because it's a lot cleaner and less error prone than using JSON.

Rule definition

rule "aws_resource_no_eof" {
  enabled = true
  include = [
    "aws_iam_role_policy",
    "aws_iam_role"
  ]
}

[bendrucker]

I like it, these are called "heredocs"

https://www.terraform.io/docs/configuration/expressions.html#literal-expressions

I think users are better off if TFLint tracks the AWS resources that accept policy documents, and then perhaps you could specify additional ones for newly released AWS resources that aren't tracked here. There are plenty of resources outside of the core IAM ones that accept policies, e.g. S3 bucket policies, KMS keys, and VPC endpoints.

It might work to enforce this logic on any attribute that is policy or *_policy, which holds for the earlier examples.