fix(misconf): preserve original paths of remote submodules from .terraform (#9294)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>

Author: nikpivkin

pkg/iac/scanners/terraform/parser/load_module.go

@@ -2,7 +2,6 @@ package parser
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"io/fs"
 	"path"
@@ -78,9 +77,19 @@ func (e *evaluator) loadModule(ctx context.Context, b *terraform.Block) (*Module
 		return nil, fmt.Errorf("could not read module source attribute at %s", metadata.Range().String())
 	}
 
-	if def, err := e.loadModuleFromTerraformCache(ctx, b, source); err == nil {
-		e.logger.Debug("Using module from Terraform cache .terraform/modules", log.String("source", source))
-		return def, nil
+	if e.moduleMetadata != nil {
+		// if we have module metadata we can parse all the modules as they'll be cached locally!
+		def, err := e.loadModuleFromTerraformCache(ctx, b, source)
+		if err == nil {
+			e.logger.Debug("Using module from Terraform cache .terraform/modules",
+				log.String("source", source))
+			return def, nil
+		}
+
+		e.logger.Debug("Failed to load module from .terraform cache",
+			log.String("module_source", source),
+			log.Err(err),
+		)
 	}
 
 	// we don't have the module installed via 'terraform init' so we need to grab it...
@@ -89,38 +98,31 @@ func (e *evaluator) loadModule(ctx context.Context, b *terraform.Block) (*Module
 
 func (e *evaluator) loadModuleFromTerraformCache(ctx context.Context, b *terraform.Block, source string) (*ModuleDefinition, error) {
 	var modulePath string
-	if e.moduleMetadata != nil {
-		// if we have module metadata we can parse all the modules as they'll be cached locally!
-		moduleKey := b.ModuleKey()
-		for _, module := range e.moduleMetadata.Modules {
-			if module.Key == moduleKey {
-				modulePath = path.Clean(path.Join(e.projectRootPath, module.Dir))
-				break
-			}
+	moduleKey := b.ModuleKey()
+	for _, module := range e.moduleMetadata.Modules {
+		if module.Key == moduleKey {
+			modulePath = path.Clean(path.Join(e.projectRootPath, module.Dir))
+			break
 		}
 	}
 	if modulePath == "" {
-		return nil, errors.New("failed to load module from .terraform/modules")
+		return nil, fmt.Errorf("resolve module with key %q from .terraform/modules", moduleKey)
 	}
+
 	if strings.HasPrefix(source, ".") {
 		source = ""
 	}
 
-	if prefix, relativeDir, ok := strings.Cut(source, "//"); ok && !strings.HasSuffix(prefix, ":") && strings.Count(prefix, "/") == 2 {
-		if !strings.HasSuffix(modulePath, relativeDir) {
-			modulePath = fmt.Sprintf("%s/%s", modulePath, relativeDir)
-		}
-	}
-
 	e.logger.Debug("Module resolved using modules.json",
 		log.String("block", b.FullName()),
 		log.String("source", source),
 		log.String("modulePath", modulePath),
 	)
 	moduleParser := e.parentParser.newModuleParser(e.filesystem, source, modulePath, b.Label(), b)
 	if err := moduleParser.ParseFS(ctx, modulePath); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("parse module filesystem: %w", err)
 	}
+
 	return &ModuleDefinition{
 		Name:       b.Label(),
 		Path:       modulePath,

pkg/iac/scanners/terraform/parser/parser.go

@@ -169,7 +169,7 @@ func (p *Parser) ParseFS(ctx context.Context, dir string) error {
 	p.logger.Debug("Parsing FS", log.FilePath(slashed))
 	fileInfos, err := fs.ReadDir(p.moduleFS, slashed)
 	if err != nil {
-		return err
+		return fmt.Errorf("read dir: %w", err)
 	}
 
 	var paths []string

pkg/iac/scanners/terraform/parser/parser_test.go

@@ -2812,3 +2812,45 @@ func TestProvidedWorkingDirectory(t *testing.T) {
 	attr := foo.GetAttribute("cwd")
 	require.Equal(t, fakeCwd, attr.Value().AsString())
 }
+
+func Test_ResolveRemoteSubmoduleFromTerraformCache(t *testing.T) {
+	fsys := fstest.MapFS{
+		"main.tf": &fstest.MapFile{Data: []byte(`module "aws_bucket" {
+  source = "github.com/foo/bar.git//aws/modules/bucket?ref=v0.0.1"
+}
+
+locals {
+  test = module.aws_bucket.out
+}
+`)},
+		".terraform/modules/modules.json": &fstest.MapFile{Data: []byte(`{
+    "Modules": [
+        { "Key": "", "Source": "", "Dir": "." },
+        {
+            "Key": "aws_bucket",
+            "Source": "git::https://github.com/foo/bar.git//aws/modules/bucket?ref=v0.0.1",
+            "Dir": ".terraform/modules/aws_bucket/aws/modules/bucket"
+        }
+    ]
+}`)},
+		".terraform/modules/aws_bucket/aws/modules/bucket/main.tf": &fstest.MapFile{Data: []byte(`output "out" {
+  value = "some_value"
+}`)},
+	}
+
+	parser := New(fsys, "",
+		OptionWithSkipCachedModules(true),
+		OptionWithDownloads(false),
+		OptionStopOnHCLError(true),
+	)
+	err := parser.ParseFS(t.Context(), ".")
+	require.NoError(t, err)
+
+	modules, err := parser.EvaluateAll(t.Context())
+	require.NoError(t, err)
+
+	require.Len(t, modules, 2)
+	bucket := modules[0].GetBlocks().OfType("locals")[0]
+	attr := bucket.GetAttribute("test")
+	require.Equal(t, "some_value", attr.Value().AsString())
+}