New rule(s) request/proposal: enforce drift detecting Terraform resources over those that don't

[tomelliff]

The aws_security_group_rule, aws_route, aws_iam_role_policy_attachment can all lead to drift that Terraform is unable to correct because they don't allow for exclusively managing the containing resource (security group, route table, IAM role respectively).

This is probably not an exhaustive list of resources like this.

This can cause issues where changes can be introduced to these resources and Terraform is unaware of them and unable to correct them. As a general rule, I push colleagues to use the exclusive managing resources but it's a regular thing that comes up during code review. It would be helpful if we could lint on this instead (with the normal opt out via comments where appropriate).

Would you be open to a pull request (or potentially one per resource) that adds a non default enabled rule that forbids the use of eg aws_security_group_rule in favour of aws_security_group rule blocks?

[wata727]

Looks good. I think the suggested rules are useful.
If possible, it might be nice to have rules that can alert you when a conflict actually occurs.

[tomelliff]

The aws_iam_role_policies_exclusive resource maybe supersedes this approach but the idea of a lint rule to cover this and also discourage eg aws_iam_role.inline_policy etc.