basic submodule support in plan files

Author: Emyrk

attr.go

@@ -62,6 +62,19 @@ func (a *expectedAttribute) required() *expectedAttribute {
 	return a
 }
 
+func (a *expectedAttribute) tryString() string {
+	attr := a.p.block.GetAttribute(a.Key)
+	if attr.IsNil() {
+		return ""
+	}
+
+	if attr.Type() != cty.String {
+		return ""
+	}
+
+	return attr.Value().AsString()
+}
+
 func (a *expectedAttribute) string() string {
 	attr := a.p.block.GetAttribute(a.Key)
 	if attr.IsNil() {

go.mod

@@ -108,4 +108,4 @@ require (
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 )
 
-replace github.com/aquasecurity/trivy => github.com/Emyrk/trivy v0.0.0-20250211144405-6377059f7705
+replace github.com/aquasecurity/trivy => github.com/Emyrk/trivy v0.0.0-20250214143920-a49c737d9481

go.sum

@@ -625,8 +625,8 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Emyrk/trivy v0.0.0-20250211144405-6377059f7705 h1:+xVBMqeiopGTM+MbCydHG2K1IJm/Vf0LJYuIm8Rky18=
-github.com/Emyrk/trivy v0.0.0-20250211144405-6377059f7705/go.mod h1:h/k++UOEKWxKbATF5462j0OpzrnYwkqHI0HAcLB5uuY=
+github.com/Emyrk/trivy v0.0.0-20250214143920-a49c737d9481 h1:7M01eVPCnJfQN2pUJ/CqUYf809i9VicrI+17ypeu+ps=
+github.com/Emyrk/trivy v0.0.0-20250214143920-a49c737d9481/go.mod h1:h/k++UOEKWxKbATF5462j0OpzrnYwkqHI0HAcLB5uuY=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 h1:3c8yed4lgqTt+oTQ+JNMDo+F4xprBf+O/il4ZC0nRLw=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0/go.mod h1:obipzmGjfSjam60XLwGfqUkJsfiheAl+TUjG+4yzyPM=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 h1:UQ0AhxogsIRZDkElkblfnwjc3IaltCm2HUMvezQaL7s=

parameter.go

@@ -81,7 +81,7 @@ func paramOption(block *terraform.Block) (*types.RichParameterOption, hcl.Diagno
 		Name:        p.attr("name").required().string(),
 		Description: p.attr("description").string(),
 		// Does it need to be a string?
-		Value: p.attr("value").required().string(),
+		Value: p.attr("value").required().tryString(),
 		Icon:  p.attr("icon").string(),
 	}
 	if p.diags.HasErrors() {

plan.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"log"
 	"reflect"
+	"slices"
 	"strings"
 
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/terraformplan/tfjson/parser"
@@ -31,67 +31,53 @@ func PlanJSONHook(dfs fs.FS, input Input) (func(ctx *tfcontext.Context, blocks t
 		return nil, fmt.Errorf("unable to parse plan JSON: %w", err)
 	}
 
-	//plan.PriorState
-
 	var _ = plan
 	return func(ctx *tfcontext.Context, blocks terraform.Blocks, inputVars map[string]cty.Value) {
+		// Do not recurse to child blocks.
+		// TODO: Only load into the single parent context for the module.
 		for _, block := range blocks {
-			if block.InModule() {
-
-				x := block.ModuleKey()
-				y := block.ModuleBlock().FullName()
-				var _, _ = x, y
-				fmt.Println(block.ModuleKey())
+			planMod := priorPlanModule(plan, block)
+			if planMod == nil {
 				continue
 			}
-
-			err = loadResourcesToContext(block.Context().Parent(), plan.PriorState.Values.RootModule.Resources)
+			err = loadResourcesToContext(block.Context().Parent(), planMod.Resources)
 			if err != nil {
+				// TODO: Somehow handle this error
 				panic(fmt.Sprintf("unable to load resources to context: %v", err))
 			}
 		}
-
-		// 'data' blocks are loaded into prior state
-		//plan.PriorState.Values.RootModule.Resources
-		for _, resource := range plan.PriorState.Values.RootModule.Resources {
-			// TODO: Do index references exist here too?
-			// TODO: Handle submodule nested resources
-
-			parts := strings.Split(resource.Address, ".")
-			if len(parts) < 2 {
-				continue
-			}
-
-			if parts[0] != "data" || strings.Contains(parts[1], "coder") {
-				continue
-			}
-
-			val, err := toCtyValue(resource.AttributeValues)
-			if err != nil {
-				// TODO: Remove log
-				log.Printf("unable to determine value of resource %q: %v", resource.Address, err)
-				continue
-			}
-
-			ctx.Set(val, parts...)
-		}
-
 	}, nil
 }
 
-func planResources(plan *tfjson.Plan, block *terraform.Block) error {
+func priorPlanModule(plan *tfjson.Plan, block *terraform.Block) *tfjson.StateModule {
 	if !block.InModule() {
-		return loadResourcesToContext(block.Context().Parent(), plan.PriorState.Values.RootModule.Resources)
+		return plan.PriorState.Values.RootModule
 	}
 
-	var path []string
+	var modPath []string
 	mod := block.ModuleBlock()
-
 	for {
-		path = append([]string{mod.FullName()}, path...)
-		break
+		modPath = append([]string{mod.LocalName()}, modPath...)
+		mod = mod.ModuleBlock()
+		if mod == nil {
+			break
+		}
 	}
-	return nil
+
+	current := plan.PriorState.Values.RootModule
+	for i := range modPath {
+		idx := slices.IndexFunc(current.ChildModules, func(m *tfjson.StateModule) bool {
+			return m.Address == strings.Join(modPath[:i+1], ".")
+		})
+		if idx == -1 {
+			// Maybe throw a diag here?
+			return nil
+		}
+
+		current = current.ChildModules[idx]
+	}
+
+	return current
 }
 
 func loadResourcesToContext(ctx *tfcontext.Context, resources []*tfjson.StateResource) error {

preview_test.go

@@ -179,7 +179,17 @@ func Test_Extract(t *testing.T) {
 			expTags: map[string]string{},
 			input: preview.Input{
 				ParameterValues: map[string]types.ParameterValue{},
-				PlanJSONPath:    "before.json",
+				PlanJSONPath:    "out.json",
+			},
+			expUnknowns: []string{},
+			params:      map[string]func(t *testing.T, parameter types.Parameter){},
+		},
+		{
+			name:    "test",
+			dir:     "test",
+			expTags: map[string]string{},
+			input: preview.Input{
+				ParameterValues: map[string]types.ParameterValue{},
 			},
 			expUnknowns: []string{},
 			params:      map[string]func(t *testing.T, parameter types.Parameter){},
@@ -203,6 +213,9 @@ func Test_Extract(t *testing.T) {
 				require.True(t, diags.HasErrors())
 				return
 			}
+			if diags.HasErrors() {
+				t.Logf("diags: %s", diags)
+			}
 			require.False(t, diags.HasErrors())
 
 			// Assert tags

testdata/manymodules/main.tf

@@ -19,8 +19,38 @@ locals {
 }
 
 data "coder_parameter" "mainquestion" {
-  name        = "Two Question"
+  name        = "Main Question"
   description = "From module 2"
   type        = "string"
   default     = local.foo
+
+  option {
+    name  = "Default"
+    value = local.foo
+  }
+
+  option {
+    name  = "Primary"
+    value = module.one.export
+  }
+
+  option {
+    name  = "Second"
+    value = module.two.export
+  }
+
+  option {
+    name  = "Terraform"
+    value = module.one.terraform
+  }
+
+  option {
+    name  = "Consul"
+    value = module.two.consul
+  }
+
+  option {
+    name  = "Packer"
+    value = module.one.export-a
+  }
 }

testdata/manymodules/one/one.tf

@@ -15,4 +15,44 @@ data "coder_parameter" "onequestion" {
   description = "From module 1"
   type        = "string"
   default     = local.foo
+
+  option {
+      name  = "Default"
+      value = local.foo
+  }
+
+  option {
+    name  = "Primary Sub A"
+    value = module.onea.export
+  }
+
+  option {
+    name  = "Terraform"
+    value = jsondecode(data.http.terraform.response_body).current_version
+  }
+}
+
+module "onea" {
+  source = "./onea"
+}
+
+output "export" {
+  value = local.foo
+}
+
+output "export-a" {
+  value = module.onea.export
+}
+
+output "terraform" {
+  value = jsondecode(data.http.terraform.response_body).current_version
+}
+
+data "http" "terraform" {
+  url = "https://checkpoint-api.hashicorp.com/v1/check/terraform"
+
+  # Optional request headers
+  request_headers = {
+    Accept = "application/json"
+  }
 }

testdata/manymodules/one/onea/onea.tf

@@ -25,6 +25,11 @@ data "coder_parameter" "one-a-question" {
     name  = "Terraform"
     value = jsondecode(data.http.packer.response_body).current_version
   }
+
+  option {
+    name  = "NullResource"
+    value = data.null_data_source.values.outputs["foo"]
+  }
 }
 
 output "export" {
@@ -41,5 +46,12 @@ data "http" "packer" {
   # Optional request headers
   request_headers = {
     Accept = "application/json"
+    Arbitrary = data.null_data_source.values.outputs["foo"]
+  }
+}
+
+data "null_data_source" "values" {
+  inputs = {
+    foo = "bar"
   }
 }