fix: handle query params in module sources with subdirectories (#296)

The `terraform_module_pinned_source` rule was incorrectly reporting
false positives when module sources included subdirectories with query
parameters (e.g., `github.com/org/repo.git/directory?ref=v1.2.3`).

The issue occurred because `go-getter` URL-encodes query parameters when
they appear after a subdirectory path with a single slash. The fix
extracts query parameters from the original source before calling
`getter.Detect()`, then merges them with any parameters found in the
detected URL.

Adds test cases for GitHub and git:// protocol sources with
subdirectories to prevent regressions.

Author: bendrucker

rules/terraform_module_pinned_source.go

@@ -87,6 +87,15 @@ func (r *TerraformModulePinnedSourceRule) Check(rr tflint.Runner) error {
 }
 
 func (r *TerraformModulePinnedSourceRule) checkModule(runner tflint.Runner, module *terraform.ModuleCall, config terraformModulePinnedSourceRuleConfig) error {
+	// Extract query parameters from the original source before calling getter.Detect()
+	// because go-getter may URL-encode them when there's a subdirectory path
+	originalQuery := url.Values{}
+	if idx := strings.Index(module.Source, "?"); idx != -1 {
+		if parsedQuery, err := url.ParseQuery(module.Source[idx+1:]); err == nil {
+			originalQuery = parsedQuery
+		}
+	}
+
 	source, err := getter.Detect(module.Source, filepath.Dir(module.DefRange.Filename), []getter.Detector{
 		// https://github.com/hashicorp/terraform/blob/51b0aee36cc2145f45f5b04051a01eb6eb7be8bf/internal/getmodules/getter.go#L30-L52
 		new(getter.GitHubDetector),
@@ -130,7 +139,13 @@ func (r *TerraformModulePinnedSourceRule) checkModule(runner tflint.Runner, modu
 		)
 	}
 
+	// Merge query parameters from both the detected URL and the original source
 	query := u.Query()
+	for key, values := range originalQuery {
+		if len(query[key]) == 0 {
+			query[key] = values
+		}
+	}
 
 	if ref := query.Get("ref"); ref != "" {
 		return r.checkRevision(runner, module, config, "ref", ref)

rules/terraform_module_pinned_source_test.go

@@ -63,6 +63,32 @@ module "default_git" {
 			Content: `
 module "pinned_git" {
   source = "git://hashicorp.com/consul.git?ref=pinned"
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "git module with subdirectory is not pinned",
+			Content: `
+module "unpinned" {
+  source = "git://hashicorp.com/consul.git/subdirectory"
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewTerraformModulePinnedSourceRule(),
+					Message: "Module source \"git://hashicorp.com/consul.git/subdirectory\" is not pinned",
+					Range: hcl.Range{
+						Filename: "module.tf",
+						Start:    hcl.Pos{Line: 3, Column: 12},
+						End:      hcl.Pos{Line: 3, Column: 57},
+					},
+				},
+			},
+		},
+		{
+			Name: "git module with subdirectory reference is pinned",
+			Content: `
+module "pinned_git" {
+  source = "git://hashicorp.com/consul.git/subdirectory?ref=v1.2.3"
 }`,
 			Expected: helper.Issues{},
 		},
@@ -192,6 +218,76 @@ module "default_git" {
 			Content: `
 module "pinned_git" {
   source = "github.com/hashicorp/consul.git?ref=pinned"
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "github module with subdirectory is not pinned",
+			Content: `
+module "unpinned" {
+  source = "github.com/hashicorp/consul.git/subdirectory"
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewTerraformModulePinnedSourceRule(),
+					Message: "Module source \"github.com/hashicorp/consul.git/subdirectory\" is not pinned",
+					Range: hcl.Range{
+						Filename: "module.tf",
+						Start:    hcl.Pos{Line: 3, Column: 12},
+						End:      hcl.Pos{Line: 3, Column: 58},
+					},
+				},
+			},
+		},
+		{
+			Name: "github module with subdirectory reference is pinned",
+			Content: `
+module "pinned_git" {
+  source = "github.com/hashicorp/consul.git/subdirectory?ref=v1.2.3"
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "github module with subdirectory reference is default",
+			Content: `
+module "default_git" {
+  source = "github.com/hashicorp/consul.git/subdirectory?ref=master"
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewTerraformModulePinnedSourceRule(),
+					Message: "Module source \"github.com/hashicorp/consul.git/subdirectory?ref=master\" uses a default branch as ref (master)",
+					Range: hcl.Range{
+						Filename: "module.tf",
+						Start:    hcl.Pos{Line: 3, Column: 12},
+						End:      hcl.Pos{Line: 3, Column: 69},
+					},
+				},
+			},
+		},
+		{
+			Name: "github module with multiple subdirectories is not pinned",
+			Content: `
+module "unpinned" {
+  source = "github.com/hashicorp/consul.git/directory/subdirectory"
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewTerraformModulePinnedSourceRule(),
+					Message: "Module source \"github.com/hashicorp/consul.git/directory/subdirectory\" is not pinned",
+					Range: hcl.Range{
+						Filename: "module.tf",
+						Start:    hcl.Pos{Line: 3, Column: 12},
+						End:      hcl.Pos{Line: 3, Column: 68},
+					},
+				},
+			},
+		},
+		{
+			Name: "github module with multiple subdirectories reference is pinned",
+			Content: `
+module "pinned_git" {
+  source = "github.com/hashicorp/consul.git/directory/subdirectory?ref=v1.2.3"
 }`,
 			Expected: helper.Issues{},
 		},