cnspec throws errors with shell/scan if TF plan contains replace_paths as array #689

Closed
crcsmnky opened this issue Aug 9, 2023 · 2 comments

crcsmnky commented Aug 9, 2023

Describe the bug
If a Terraform plan contains changes with

  "replace_paths": [["triggers"]]

cnspec scan terraform plan throws the following error on all checks:

Checks:
! Error:        Default service accounts cannot have roles on folders assigned
  Message:      json: cannot unmarshal array into Go value of type map[string]interface {}

To Reproduce
Steps to reproduce the behavior:

  1. Download cnspec 8.22.1
  2. cnspec shell terraform plan [temp-plan.json]
  3. cnspec> terraform.plan.resourceChanges
  4. Error:
     Query encountered errors:
     json: cannot unmarshal array into Go value of type map[string]interface {}
     terraform.plan.resourceChanges: no data available

Expected behavior
cnspec should not throw any errors because this is a valid format based on HashiCorp's TF plan specifications: https://developer.hashicorp.com/terraform/internals/json-format#change-representation

Screenshots or CLI Output
cnspec shell terraform plan:

> cnspec shell terraform plan temp-plan.json
→ loaded configuration from /Users/parikhs/.config/mondoo/mondoo.yml using source default
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=1
  ___ _ __  ___ _ __   ___  ___ 
 / __| '_ \/ __| '_ \ / _ \/ __|
| (__| | | \__ \ |_) |  __/ (__ 
 \___|_| |_|___/ .__/ \___|\___|
   mondoo™     |_|              
cnspec> terraform.plan.resourceChanges
Query encountered errors:
json: cannot unmarshal array into Go value of type map[string]interface {}
terraform.plan.resourceChanges: no data available
cnspec> exit

Similar errors are seen when using cnspec scan terraform plan

Desktop (please complete the following information):

  • OS: macOS
  • OS Version: 13.5

Additional context
temp-plan.json:

{
  "format_version": "1.5",
  "terraform_version": "1.5.0",
  "resource_changes": [
    {
      "address": "",
      "module_address": "",
      "mode": "managed",
      "type": "google_service_account_iam_member",
      "name": "cloud_deploy_service_account",
      "provider_name": "registry.terraform.io/hashicorp/google",
      "change": {
        "actions": ["delete", "create"],
        "before": {
          "condition": [],
          "etag": "BwYCXPmcVSE=",
          "id": "",
          "member": "",
          "role": "",
          "service_account_id": ""
        },
        "after": {
          "condition": [],
          "member": "",
          "role": "",
          "service_account_id": ""
        },
        "after_unknown": { "condition": [], "etag": true, "id": true },
        "before_sensitive": { "condition": [] },
        "after_sensitive": { "condition": [] },
        "replace_paths": [["member"]]
      },
      "action_reason": "replace_because_cannot_update"
    }
  ]
}
chris-rock added the bug label Aug 10, 2023
czunker self-assigned this Aug 15, 2023
czunker added a commit to mondoohq/cnquery that referenced this issue Aug 15, 2023

czunker commented Aug 15, 2023

Thanks @crcsmnky for reporting this issue.

When the linked cnquery fix is integrated into cnspec, it will look like this:

cnspec> terraform.plan.resourceChanges
terraform.plan.resourceChanges: [
  0: terraform.plan.resourceChange type="google_service_account_iam_member" name="cloud_deploy_service_account"
]
cnspec> terraform.plan.resourceChanges[0].change.replacePaths
terraform.plan.resourceChanges[0].change.replacePaths: [
  0: [
    0: "member"
  ]
]

chris-rock pushed a commit to mondoohq/cnquery that referenced this issue Aug 15, 2023
@chris-rock
Member

We released https://github.com/mondoohq/cnquery/releases/tag/v8.23.1 and https://github.com/mondoohq/cnspec/releases/tag/v8.23.1 which include the fix for this issue.
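
The error text in this report is what Go's encoding/json returns when a JSON array is decoded into a map. The following is an added example, not cnquery's code and not part of the thread: `decodeAsMap` and `decodePaths` are hypothetical helpers, and the input is constructed from the `replace_paths` value in the report. It shows the failing decode next to one that accepts the array-of-paths shape, including numeric index steps.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed input: the "change" object from the report, trimmed to two keys.
const sampleChange = `{"actions":["delete","create"],"replace_paths":[["member"]]}`

// decodeAsMap is a hypothetical decoder that assumes replace_paths is a JSON object.
func decodeAsMap(raw []byte) (map[string]interface{}, error) {
	var m map[string]interface{}
	err := json.Unmarshal(raw, &m)
	return m, err
}

// decodePaths treats replace_paths as an array of paths, each path being an
// array of steps: attribute names (strings) or indexes (JSON numbers).
func decodePaths(raw []byte) ([][]interface{}, error) {
	if len(raw) == 0 {
		return nil, nil // key absent: no path forces replacement
	}
	var paths [][]interface{}
	if err := json.Unmarshal(raw, &paths); err != nil {
		return nil, err
	}
	for i, p := range paths {
		for j, step := range p {
			switch step.(type) {
			case string, float64: // encoding/json decodes numbers as float64
			default:
				return nil, fmt.Errorf("replace_paths[%d][%d]: unexpected step %T", i, j, step)
			}
		}
	}
	return paths, nil
}

func main() {
	var c map[string]json.RawMessage
	if err := json.Unmarshal([]byte(sampleChange), &c); err != nil {
		panic(err)
	}
	_, mapErr := decodeAsMap(c["replace_paths"])
	paths, err := decodePaths(c["replace_paths"])
	fmt.Println("as map:  ", mapErr)
	fmt.Println("as paths:", paths, err)
}
```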
