close
Skip to content

fix(wiz): identify EKS clusters by ARN instead of Wiz-internal hash#36

Open
bakayolo wants to merge 3 commits intomainfrom
fix/configurable-external-id-eks-provider-unique-id
Open

fix(wiz): identify EKS clusters by ARN instead of Wiz-internal hash#36
bakayolo wants to merge 3 commits intomainfrom
fix/configurable-external-id-eks-provider-unique-id

Conversation

@bakayolo
Copy link
Copy Markdown
Collaborator

@bakayolo bakayolo commented Apr 27, 2026
edited
Loading

Problem

EKS clusters in our snapshots are keyed by Wiz's externalId column, which
for EKS is a Wiz-internal hash (e.g. a8f3...e1b2) — not the cluster ARN.
Anything joining on Resource.ID (snapshot JSON, S3 keys, dashboards) gets
opaque values that don't match what AWS or operators see.

The cluster ARN lives in Wiz's providerUniqueId column. To use it we need
the parser's CSV column choice to be configurable per resource — today it's
hard-coded.

Fix

Make every CSV column the parser reads driven by field_mappings, then
point EKS at providerUniqueId. Other resource types keep their existing
behavior because YAML defaults match the previously hard-coded columns.

  • pkg/inventory/wiz/generic.go — single helper resolves any field via
    field_mappings with a Wiz-canonical default.
  • pkg/config/loader.go — fail fast at load time if resource_id,
    version, engine are missing (with lambda/eks/opensearch
    exemptions where the field is implicit).
  • config/resources.yaml — EKS sets resource_id: "providerUniqueId";
    every resource declares its full mapping.
  • Pre-push hook now matches CI's only-new-issues: true behavior so it
    doesn't block contributors on pre-existing lint debt.
  • Tests cover the configurability and the new validator.

Behavior change

EKS findings going forward use ARNs (arn:aws:eks:…:cluster/…). All other
resource types unchanged.

Verified end-to-end against live Wiz data via docker-compose: 155/155 EKS
findings now have ARN-prefixed resource IDs.

Verification

go vet, gofmt, goimports, go test ./..., and
golangci-lint run --new-from-rev=main all clean.

@bakayolo bakayolo force-pushed the fix/configurable-external-id-eks-provider-unique-id branch from 81d34df to db0b544 Compare April 27, 2026 22:00
@bakayolo bakayolo changed the title fix(wiz): make external_id column configurable; use providerUniqueId for EKS fix(wiz): make Resource.ID column configurable; use providerUniqueId for EKS Apr 27, 2026
bakayolo and others added 2 commits April 27, 2026 15:14
@bakayolo @ampcode-com
fix(wiz): drive every CSV column through field_mappings; require reso…
226cc08 
…urce_id, version, engine

The Wiz inventory parser hard-coded the CSV column names for resource_id
(externalId), name, account_id, region, and tags. This made the YAML
field_mappings entries for those keys decorative — they happened to
match the hard-coded constants, but changing them had no effect.

For EKS specifically, this was actively wrong: Wiz's 'externalId' column
is an internal hash, while the cluster ARN lives in 'providerUniqueId'.
Fixing only resource_id while leaving the rest hard-coded would have
left a confusing half-configurable interface.

This commit makes field_mappings the single source of truth for every
CSV column the parser reads:

- generic.go: introduces a generic column(key, defaultCol) helper used
  for resource_id, name, account_id, region, version, engine, and tags.
  Each lookup falls back to the canonical Wiz column when not mapped.
  nativeType (used to filter rows) and graphEntity.properties (used by
  Lambda) remain hard-coded because they are infrastructure, not
  resource fields.

- pkg/config/loader.go: adds validateFieldMappings, which enforces that
  resource_id, version, and engine are present in field_mappings.
  Three resource types are exempt where the underlying CSV does not
  expose a single column for the field:
    - lambda: version (runtime) is extracted from graphEntity.properties
      JSON; engine is implicitly 'aws-lambda'.
    - eks: engine is implicitly 'eks' (no engine column).
    - opensearch: engine is derived from version.

- config/resources.yaml: every resource now declares its full set of
  field_mappings in a consistent order, with explicit comments where
  a field is implicit (eks engine, opensearch engine, lambda
  version+engine). EKS sets resource_id: 'providerUniqueId' so
  Resource.ID is the cluster ARN instead of a Wiz-internal hash.

- Tests:
    - TestParseResourceRow_AllMappingsAreConfigurable: proves the
      parser honors every field_mapping by using non-canonical Wiz
      column names everywhere.
    - TestParseResourceRow_ConfigurableResourceIDColumn: covers the
      EKS providerUniqueId case.
    - TestGetRequiredColumns_ConfigurableResourceIDColumn: verifies
      required-columns derivation reflects the override.
    - TestValidateConfig_FieldMappings: covers the new validator,
      including the lambda/eks/opensearch exemptions.

- Docs: ARCHITECTURE.md, the add-version-guard-resource skill, and
  the example YAMLs are updated to document the new required/optional
  keys, the per-type exemptions, and the EKS providerUniqueId guidance.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd0ae-f269-7191-ae5f-019a787fcaa8
Co-authored-by: Amp <amp@ampcode.com>
@bakayolo @ampcode-com
chore(hooks): align pre-push lint with CI's only-new-issues behavior
06b2382 
CI's golangci-lint-action runs with only-new-issues: true, but the
pre-push hook ran the linter over the entire codebase, surfacing many
pre-existing issues unrelated to the push being made. This made the
hook block contributors on issues that CI itself would not flag.

Switch the hook to --new-from-rev=origin/main so it lints only changes
relative to the integration branch, matching CI behavior. Falls back
to local 'main' when origin/main is not available.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd0ae-f269-7191-ae5f-019a787fcaa8
Co-authored-by: Amp <amp@ampcode.com>
@bakayolo bakayolo force-pushed the fix/configurable-external-id-eks-provider-unique-id branch from db0b544 to 06b2382 Compare April 27, 2026 22:15
@bakayolo bakayolo changed the title fix(wiz): make Resource.ID column configurable; use providerUniqueId for EKS fix(wiz): drive every CSV column through field_mappings; require resource_id, version, engine Apr 27, 2026
@bakayolo bakayolo force-pushed the fix/configurable-external-id-eks-provider-unique-id branch from 17801b8 to 06b2382 Compare April 27, 2026 23:37
@bakayolo @ampcode-com
chore(config): drop redundant commented-out examples in resources.yaml
bb57c7b 
The 'Examples' block at the end re-pasted aurora-postgresql, eks, and
elasticache-redis as comments — but those resources are already defined
live above. Standalone copy-paste templates already live in
skills/add-version-guard-resource/examples/, and the README/USAGE docs
cover the WIZ_REPORT_IDS env var. Replace ~70 lines of duplication
with a single pointer to the skill.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd117-2fc4-71e6-8fd1-72b471f07e15
Co-authored-by: Amp <amp@ampcode.com>
@bakayolo bakayolo changed the title fix(wiz): drive every CSV column through field_mappings; require resource_id, version, engine fix(wiz): identify EKS clusters by ARN instead of Wiz-internal hash Apr 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bakayolo