fix(terraform): Ignored --external-modules-download-path flag

checkov/common/runners/runner_registry.py

@@ -43,7 +43,7 @@
 from checkov.common.typing import _ExitCodeThresholds, _BaseRunner, _ScaExitCodeThresholds, LibraryGraph
 from checkov.common.util import data_structures_utils
 from checkov.common.util.banner import default_tool as tool_name
-from checkov.common.util.consts import S3_UPLOAD_DETAILS_MESSAGE
+from checkov.common.util.consts import DEFAULT_EXTERNAL_MODULES_DIR, S3_UPLOAD_DETAILS_MESSAGE
 from checkov.common.util.data_structures_utils import pickle_deepcopy
 from checkov.common.util.json_utils import CustomJSONEncoder
 from checkov.common.util.secrets_omitter import SecretsOmitter
@@ -276,6 +276,7 @@ def _handle_report(self, scan_report: Report, repo_root_for_plan_enrichment: lis
             enriched_resources = RunnerRegistry.get_enriched_resources(
                 repo_roots=repo_root_for_plan_enrichment,
                 download_external_modules=self.runner_filter.download_external_modules,
+                external_modules_download_path=self.runner_filter.external_modules_download_path,
             )
             scan_report = Report("terraform_plan").enrich_plan_report(scan_report, enriched_resources)
             scan_report = Report("terraform_plan").handle_skipped_checks(scan_report, enriched_resources)
@@ -729,7 +730,7 @@ def enrich_report_with_guidelines(scan_report: Report) -> None:
 
     @staticmethod
     def get_enriched_resources(
-        repo_roots: list[str | Path], download_external_modules: bool
+        repo_roots: list[str | Path], download_external_modules: bool, external_modules_download_path: str = DEFAULT_EXTERNAL_MODULES_DIR
     ) -> dict[str, dict[str, Any]]:
         from checkov.terraform.modules.module_objects import TFDefinitionKey
 
@@ -741,6 +742,7 @@ def get_enriched_resources(
                 directory=repo_root,  # assume plan file is in the repo-root
                 out_parsing_errors=parsing_errors,
                 download_external_modules=download_external_modules,
+                external_modules_download_path=external_modules_download_path,
             )
             repo_definitions[repo_root] = {'tf_definitions': tf_definitions, 'parsing_errors': parsing_errors}
 

tests/common/runner_registry/test_runner_registry_plan_enrichment.py

@@ -10,6 +10,7 @@
 from checkov.terraform.module_loading.content import ModuleContent
 from checkov.terraform.module_loading.registry import module_loader_registry
 from checkov.terraform.plan_runner import Runner as tf_plan_runner
+from checkov.terraform.tf_parser import TFParser
 
 
 class TestRunnerRegistryEnrichment(unittest.TestCase):
@@ -166,6 +167,7 @@ def test_enrichment_of_plan_report_with_external_modules(mocker: MockerFixture):
         checks=allowed_checks,
         framework=["terraform_plan"],
         download_external_modules=True,
+        external_modules_download_path="example/path",
     )
     runner_registry = RunnerRegistry(banner, runner_filter, tf_plan_runner())
 
@@ -180,6 +182,7 @@ def _load_tf_modules(*args, **kwargs):
             )
         }
 
+    parse_directory_spy = mocker.spy(TFParser, "parse_directory")
     mocker.patch("checkov.terraform.tf_parser.load_tf_modules", side_effect=_load_tf_modules)
 
     # when
@@ -199,6 +202,10 @@ def _load_tf_modules(*args, **kwargs):
     assert {c.check_id for c in report.passed_checks} == {"CKV_AWS_66"}
     assert {c.check_id for c in report.skipped_checks} == {"CKV_AWS_158"}
 
+    parse_directory_spy.assert_called()
+    call_args = parse_directory_spy.call_args
+    assert call_args.kwargs["external_modules_download_path"] == "example/path"
+
 
 if __name__ == "__main__":
     unittest.main()