Description
```hcl
url = "https://s3-us-west-2.amazonaws.com/aviatrix-download/iam_assume_role_policy.txt"
```
In the snippet of code above, it references a file hosted on S3. This presents a security and versioning problem. It would be more stable and more secure to use the Template provider described here in the Terraform documentation:
https://www.terraform.io/docs/providers/template/index.html
The security vulnerability is that it would allow anyone with the ability to change the content hosted at that URL to escalate the privileges held by the IAM roles created in this Terraform module. This could be part of a set of vulnerabilities taken advantage of in order to breach a customer via this vendor-provided module.
Secondly, it circumvents the customer's ability to have thoroughly reviewed and approved this Terraform code for use in their production environments. This could lead to instability in their environment, ranging from troublesome Terraform deployments to potential downtime.
If the information held at that URL was intended to be fluid, that was the intended function of this module, and it was documented as such for the customer, then that would be acceptable. For instance, an authoritative list of IP addresses for whitelisting. However, this is making the assignment of IAM permissions flexible.
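To make the concern concrete, here is an added example (not the module's own code) showing the remotely fetched pattern next to the template-provider alternative the issue recommends. It assumes the snippet above comes from an `http` data source feeding an `aws_iam_role`, and the resource names, the variable, and the template file name are hypothetical.

```hcl
# Before (assumed shape of the pattern in the issue): the trust policy is
# downloaded at plan/apply time from a URL the customer does not control,
# so whoever can edit that object controls what the role trusts.
data "http" "assume_role_policy_remote" {
  url = "https://s3-us-west-2.amazonaws.com/aviatrix-download/iam_assume_role_policy.txt"
}

resource "aws_iam_role" "remote_policy_role" {
  name               = "example-remote-policy-role" # placeholder
  assume_role_policy = data.http.assume_role_policy_remote.body
}

# After: the trust policy ships inside the module as a versioned template
# file, so it is reviewed and pinned together with the rest of the module.
# Hypothetical contents of iam_assume_role_policy.json.tpl:
#   {
#     "Version": "2012-10-17",
#     "Statement": [{
#       "Effect": "Allow",
#       "Action": "sts:AssumeRole",
#       "Principal": { "AWS": "arn:aws:iam::${trusted_account_id}:root" }
#     }]
#   }
variable "trusted_account_id" {
  description = "Account allowed to assume the role (hypothetical input)."
  type        = string
}

data "template_file" "assume_role_policy_local" {
  template = file("${path.module}/iam_assume_role_policy.json.tpl")
  vars = {
    trusted_account_id = var.trusted_account_id
  }
}

resource "aws_iam_role" "local_policy_role" {
  name               = "example-local-policy-role" # placeholder
  assume_role_policy = data.template_file.assume_role_policy_local.rendered
}
```

With the file-based version, any change to the trust policy shows up as a diff in the module source and in `terraform plan`, which is what a customer's review process can actually gate on.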