add test for variables in a Terraform here doc

linter/terraform_test.go

@@ -111,3 +111,20 @@ func TestTerraformPolicies(t *testing.T) {
 		t.Errorf("TestTerraformPolicies returned %d violations, expecting 1", len(report.Violations))
 	}
 }
+
+func TestTerraformPoliciesWithVariables(t *testing.T) {
+	options := Options{
+		Tags:    []string{},
+		RuleIDs: []string{},
+	}
+	filenames := []string{"./testdata/resources/policy_with_variables.tf"}
+	linter := FileLinter{Filenames: filenames, ValueSource: TestingValueSource{}, Loader: TerraformResourceLoader{}}
+	ruleSet := loadRulesForTest("./testdata/rules/policy_variable.yml", t)
+	report, err := linter.Validate(ruleSet, options)
+	if err != nil {
+		t.Error("Expecting TestTerraformPoliciesWithVariables to not return an error:" + err.Error())
+	}
+	if len(report.Violations) != 0 {
+		t.Errorf("TestTerraformPoliciesWithVariables returned %d violations, expecting 0", len(report.Violations))
+	}
+}

linter/testdata/resources/policy_with_variables.tf

@@ -0,0 +1,20 @@
+variable "statement_effect" {
+  default = "Allow"
+}
+
+resource "aws_iam_role" "role_with_variable" {
+    name = "non_compliant"
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+     {
+        "Action": "*",
+        "Principal": { "Service": "ec2.amazonaws.com" },
+        "Effect": "${var.statement_effect}",
+        "Resources": "*"
+     }
+  ]
+}
+EOF
+}

linter/testdata/rules/policy_variable.yml

@@ -0,0 +1,14 @@
+version: 1
+description: Rules for Terraform here documents with variables
+type: Terraform
+files:
+  - "*.tf"
+rules:
+
+  - id: TEST_VARIABLE
+    message: Testing
+    resource: aws_iam_role
+    assertions:
+      - key: "assume_role_policy.Statement[].Effect | [0]"
+        op: eq
+        value: Allow