terraform aws_iam_policy check fails when using a data source #281

Open
mbainter opened this issue Oct 17, 2023 · 0 comments

Comments

@mbainter

Describe the bug
cnspec's policy fails to account for using a data source for policy like this:

data "aws_iam_policy_document" "some_policy" {
  statement {
    actions = [ ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "some_policy" {
  name  = "SomePolicy"
  ...

  policy = data.aws_iam_policy_document.some_policy.json
}

To Reproduce
Steps to reproduce the behavior:

  1. Write up some terraform with an iam policy resource and a data resource for the policy as described above.
  2. Run cnspec scan terraform against it.

Expected behavior
Most likely, it should have an additional exception for when the value is a simple string, because in addition to data sources it's not uncommon to use file() or templatefile() functions here.

There should probably be another check here that looks for:
terraform.datasources.where(nameLabel == "aws_iam_policy_document") and runs similar checks. Perhaps file() could do something similar, but templatefile probably isn't something you can work with outside of a plan.

Desktop (please complete the following information):

  • OS: Linux
  • OS Version: PopOS

Additional context

The check defined here has this query:

terraform.resources.where( nameLabel  == "aws_iam_policy" && arguments["policy"] != null  ) {
  arguments["policy"].where( _["Statement"] != null) {
    _["Statement"] {
      # Resource is either not * or DENY is used (where wildcard is great)
      _["Resource"] != "*" || _["Effect"].upcase == "DENY"
    }
  }
}

This assumes that the policy will be inline - but if you're using a datasource it'll look like this instead:

arguments {
  ...
  policy: "data.aws_iam_policy_document.some_policy.json"
}

This results in an error like this:

! Error: Ensure IAM policy do not use wildcards and instead apply the principle of least privilege
Message: 1 error occurred:
* 1 error occurred:
* cannot find function '[]' for type 'stringslice'
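As an added example (not cnspec's code and not MQL), the following Python sketches the resolution the issue asks for: apply the page's wildcard rule to inline policies, follow a data.aws_iam_policy_document.<name>.json reference to the matching data source's statements, and skip opaque expressions such as file() or templatefile() instead of erroring. The Terraform structure is a constructed, simplified dictionary, not real cnspec output.

```python
import re

# Constructed sample of a parsed Terraform config (not real cnspec output):
# an inline-JSON policy, a data-source reference, and a file() expression.
TERRAFORM = {
    "resources": [
        {"nameLabel": "aws_iam_policy", "name": "inline",
         "arguments": {"policy": {"Statement": [
             {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}}},
        {"nameLabel": "aws_iam_policy", "name": "some_policy",
         "arguments": {"policy": "data.aws_iam_policy_document.some_policy.json"}},
        {"nameLabel": "aws_iam_policy", "name": "from_file",
         "arguments": {"policy": 'file("${path.module}/policy.json")'}},
    ],
    "datasources": [
        {"nameLabel": "aws_iam_policy_document", "name": "some_policy",
         "statement": [{"actions": ["s3:*"], "resources": ["*"]}]},
    ],
}

DATA_REF = re.compile(r"^data\.aws_iam_policy_document\.([A-Za-z0-9_-]+)\.json$")

def statement_ok(resource, effect):
    # Mirrors the page's rule: Resource must not be "*" unless the effect is DENY.
    resources = resource if isinstance(resource, list) else [resource]
    return "*" not in resources or effect.upper() == "DENY"

def check_policy(resource, datasources):
    """Return (verdict, reason) for one aws_iam_policy resource;
    verdict is 'pass', 'fail' or 'skip' (never an evaluation error)."""
    policy = resource["arguments"].get("policy")
    if isinstance(policy, dict):  # inline JSON, already decoded into a map
        bad = [s for s in policy.get("Statement", [])
               if not statement_ok(s.get("Resource", []), s.get("Effect", "Allow"))]
        return ("fail" if bad else "pass", "inline")
    if isinstance(policy, str):
        m = DATA_REF.match(policy)
        if m:  # resolve the data source and apply the same rule to its statements
            ds = next((d for d in datasources
                       if d["nameLabel"] == "aws_iam_policy_document"
                       and d["name"] == m.group(1)), None)
            if ds is None:
                return ("skip", "unresolved data source")
            bad = [s for s in ds.get("statement", [])
                   if not statement_ok(s.get("resources", []), s.get("effect", "Allow"))]
            return ("fail" if bad else "pass", "data source")
        return ("skip", "opaque expression")  # file()/templatefile(): needs a plan
    return ("skip", "no policy")

def run(tf=TERRAFORM):
    return {r["name"]: check_policy(r, tf["datasources"])
            for r in tf["resources"] if r["nameLabel"] == "aws_iam_policy"}
```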
