[Wiz Sensor] Fix typo in variable name (#6765)

ZainRizvi · web-flow · commit 5cc5536898a6 · 2025-06-13T15:59:39.000-05:00
Realized the variable name had accidentally left in the plural form
instead of singular.

This is a safe change to make right now since this variable doesn't
actually have a value passed in to it yet
diff --git a/terraform-aws-github-runner/main.tf b/terraform-aws-github-runner/main.tf
@@ -211,8 +211,8 @@ module "runners_instances" {
 
   runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns
 
-  wiz_secrets_arn         = var.wiz_secrets_arn
-  wiz_secrets_kms_key_arn = var.wiz_secrets_kms_key_arn
+  wiz_secret_arn         = var.wiz_secret_arn
+  wiz_secret_kms_key_arn = var.wiz_secret_kms_key_arn
 
   ghes_url = var.ghes_url
 }
diff --git a/terraform-aws-github-runner/modules/runners-instances/launch-template.tf b/terraform-aws-github-runner/modules/runners-instances/launch-template.tf
@@ -122,7 +122,7 @@ resource "aws_launch_template" "linux_runner" {
     nvidia_driver_install           = false
     ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner_linux[0].name : ""
     ghes_url                        = var.ghes_url
-    wiz_secrets_arn                 = var.wiz_secrets_arn
+    wiz_secret_arn                  = var.wiz_secret_arn
     install_config_runner           = local.install_config_runner_linux
   }))
 
@@ -179,7 +179,7 @@ resource "aws_launch_template" "linux_runner_nvidia" {
     nvidia_driver_install           = true
     ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner_linux[0].name : ""
     ghes_url                        = var.ghes_url
-    wiz_secrets_arn                 = var.wiz_secrets_arn
+    wiz_secret_arn                  = var.wiz_secret_arn
     install_config_runner           = local.install_config_runner_linux
   }))
 
@@ -236,7 +236,7 @@ resource "aws_launch_template" "linux_arm64_runner" {
     nvidia_driver_install           = false
     ssm_key_cloudwatch_agent_config = var.enable_cloudwatch_agent ? aws_ssm_parameter.cloudwatch_agent_config_runner_linux_arm64[0].name : ""
     ghes_url                        = var.ghes_url
-    wiz_secrets_arn                 = var.wiz_secrets_arn
+    wiz_secret_arn                  = var.wiz_secret_arn
     install_config_runner           = local.install_config_runner_linux_arm64
   }))
 
diff --git a/terraform-aws-github-runner/modules/runners-instances/policies-runner.tf b/terraform-aws-github-runner/modules/runners-instances/policies-runner.tf
@@ -54,18 +54,18 @@ resource "aws_iam_role_policy" "create_tags" {
   policy = file("${path.module}/policies/instance-ec2-create-tags-policy.json")
 }
 
-# This policy is conditionally created only when wiz_secrets_arn is provided.
+# This policy is conditionally created only when wiz_secret_arn is provided.
 # This ensures we don't create empty policies when no secret access is needed,
 # making the security configuration more explicit and reducing IAM clutter.
 resource "aws_iam_role_policy" "secrets_access" {
-  count  = var.wiz_secrets_arn != null ? 1 : 0
+  count  = var.wiz_secret_arn != null ? 1 : 0
   name   = "runner-secrets-access"
   role   = aws_iam_role.runner.name
 
   lifecycle {
     precondition {
-      condition     = var.wiz_secrets_arn == null || var.wiz_secrets_kms_key_arn != null
-      error_message = "wiz_secrets_kms_key_arn must be provided when wiz_secrets_arn is specified. The secret requires explicit KMS key permissions for decryption."
+      condition     = var.wiz_secret_arn == null || var.wiz_secret_kms_key_arn != null
+      error_message = "wiz_secret_kms_key_arn must be provided when wiz_secret_arn is specified. The secret requires explicit KMS key permissions for decryption."
     }
   }
 
@@ -76,9 +76,9 @@ resource "aws_iam_role_policy" "secrets_access" {
       # (e.g., "MySecret" becomes "MySecret-a1b2c3")
       # We use "-??????" to match the format exactly, which is more secure than "*"
       # This handles cases where users provide bare secret names or already-complete ARNs
-      secrets_arn = endswith(var.wiz_secrets_arn, "*") || can(regex("-[a-zA-Z0-9]{6}$", var.wiz_secrets_arn)) ? var.wiz_secrets_arn : "${var.wiz_secrets_arn}-??????"
+      secrets_arn = endswith(var.wiz_secret_arn, "*") || can(regex("-[a-zA-Z0-9]{6}$", var.wiz_secret_arn)) ? var.wiz_secret_arn : "${var.wiz_secret_arn}-??????"
       # KMS key ARN for decrypting the secret - must be provided when secret is specified
-      kms_key_arn = var.wiz_secrets_kms_key_arn
+      kms_key_arn = var.wiz_secret_kms_key_arn
       aws_region = var.aws_region
     }
   )
diff --git a/terraform-aws-github-runner/modules/runners-instances/templates/user-data.sh b/terraform-aws-github-runner/modules/runners-instances/templates/user-data.sh
@@ -104,7 +104,7 @@ ${install_config_runner}
 retry sudo dnf groupinstall -y 'Development Tools'
 retry sudo dnf install -y "kernel-devel-uname-r == $(uname -r)" || true
 
-%{ if wiz_secrets_arn != null ~}
+%{ if wiz_secret_arn != null ~}
 # Install Wiz Sensor - a runtime security agent
 echo "Fetching Wiz secrets from AWS Secrets Manager"
 
@@ -125,12 +125,12 @@ echo "Fetching Wiz secrets from AWS Secrets Manager"
         fi
     }
 
-    SECRET_REGION=$(get_region_from_arn "${wiz_secrets_arn}")
+    SECRET_REGION=$(get_region_from_arn "${wiz_secret_arn}")
     if [ -z "$SECRET_REGION" ]; then
         echo "Warning: Region is required in the Secrets Manager ARN. Skipping Wiz installation."
         metric_report "linux_userdata.wiz_failure_arn_invalid" 1
     else
-        WIZ_SECRET_RAW=$(retry aws secretsmanager get-secret-value --secret-id "${wiz_secrets_arn}" --region "$SECRET_REGION" --query 'SecretString' --output text)
+        WIZ_SECRET_RAW=$(retry aws secretsmanager get-secret-value --secret-id "${wiz_secret_arn}" --region "$SECRET_REGION" --query 'SecretString' --output text)
         if [ $? -eq 0 ] && [ ! -z "$WIZ_SECRET_RAW" ]; then
           echo "Successfully retrieved Wiz secrets"
           echo "Extracting Wiz runtime sensor credentials"
@@ -151,7 +151,7 @@ echo "Fetching Wiz secrets from AWS Secrets Manager"
             metric_report "linux_userdata.wiz_failure_credentials_missing" 1
           fi
         else
-          echo "Warning: Failed to retrieve Wiz secrets from ${wiz_secrets_arn}"
+          echo "Warning: Failed to retrieve Wiz secrets from ${wiz_secret_arn}"
           metric_report "linux_userdata.wiz_failure_secrets_error" 1
         fi
     fi
diff --git a/terraform-aws-github-runner/modules/runners-instances/variables.tf b/terraform-aws-github-runner/modules/runners-instances/variables.tf
@@ -196,14 +196,14 @@ variable "key_name" {
   default     = null
 }
 
-variable "wiz_secrets_arn" {
+variable "wiz_secret_arn" {
   description = "ARN of AWS Secrets Manager secret that the runner role should have access to"
   type        = string
   sensitive   = true
 }
 
-variable "wiz_secrets_kms_key_arn" {
-  description = "ARN of KMS key used to encrypt the secret specified in wiz_secrets_arn. Must be provided if wiz_secrets_arn is specified."
+variable "wiz_secret_kms_key_arn" {
+  description = "ARN of KMS key used to encrypt the secret specified in wiz_secret_arn. Must be provided if wiz_secret_arn is specified."
   type        = string
   sensitive   = true
 }
diff --git a/terraform-aws-github-runner/variables.tf b/terraform-aws-github-runner/variables.tf
@@ -374,15 +374,15 @@ variable "retry_scale_up_chron_hud_query_url" {
   default     = ""
 }
 
-variable "wiz_secrets_arn" {
+variable "wiz_secret_arn" {
   description = "ARN of AWS Secrets Manager secret that the runner role should have access to"
   type        = string
   default     = null
   sensitive   = true
 }
 
-variable "wiz_secrets_kms_key_arn" {
-  description = "ARN of KMS key used to encrypt the secret specified in wiz_secrets_arn. Must be provided if wiz_secrets_arn is specified."
+variable "wiz_secret_kms_key_arn" {
+  description = "ARN of KMS key used to encrypt the secret specified in wiz_secret_arn. Must be provided if wiz_secret_arn is specified."
   type        = string
   default     = null
   sensitive   = true

Original file line number	Diff line number	Diff line change
`@@ -211,8 +211,8 @@ module "runners_instances" {`
`211`	`211`
`212`	`212`	`runner_iam_role_managed_policy_arns = var.runner_iam_role_managed_policy_arns`
`213`	`213`
`214`		`- wiz_secrets_arn = var.wiz_secrets_arn`
`215`		`- wiz_secrets_kms_key_arn = var.wiz_secrets_kms_key_arn`
	`214`	`+ wiz_secret_arn = var.wiz_secret_arn`
	`215`	`+ wiz_secret_kms_key_arn = var.wiz_secret_kms_key_arn`
`216`	`216`
`217`	`217`	`ghes_url = var.ghes_url`
`218`	`218`	`}`
Original file line number	Diff line number	Diff line change
`@@ -196,14 +196,14 @@ variable "key_name" {`
`196`	`196`	`default = null`
`197`	`197`	`}`
`198`	`198`
`199`		`-variable "wiz_secrets_arn" {`
	`199`	`+variable "wiz_secret_arn" {`
`200`	`200`	`description = "ARN of AWS Secrets Manager secret that the runner role should have access to"`
`201`	`201`	`type = string`
`202`	`202`	`sensitive = true`
`203`	`203`	`}`
`204`	`204`
`205`		`-variable "wiz_secrets_kms_key_arn" {`
`206`		`- description = "ARN of KMS key used to encrypt the secret specified in wiz_secrets_arn. Must be provided if wiz_secrets_arn is specified."`
	`205`	`+variable "wiz_secret_kms_key_arn" {`
	`206`	`+ description = "ARN of KMS key used to encrypt the secret specified in wiz_secret_arn. Must be provided if wiz_secret_arn is specified."`
`207`	`207`	`type = string`
`208`	`208`	`sensitive = true`
`209`	`209`	`}`