allow eks_public_access_cidrs to be optionally set in nebari-config.y…
…aml (#2963)
dcmcand authored Mar 4, 2025
2 parents d92b1c1 + 7296c03 commit 22b37ad
Showing 2 changed files with 9 additions and 3 deletions.
7 changes: 5 additions & 2 deletions src/_nebari/stages/infrastructure/__init__.py
Expand Up @@ -170,6 +170,7 @@ class AWSInputVars(schema.Base):
Literal["private", "public", "public_and_private"]
] = "public"
eks_kms_arn: Optional[str] = None
eks_public_access_cidrs: Optional[List[str]] = ["0.0.0.0/0"]
node_groups: List[AWSNodeGroupInputVars]
availability_zones: List[str]
vpc_cidr_block: str
Expand Down Expand Up @@ -327,7 +328,7 @@ def _check_input(cls, data: Any) -> Any:
):
raise ValueError(
f"\nInvalid `kubernetes-version` provided: {data['kubernetes_version']}.\nPlease select from one of the following supported Kubernetes versions: {available_kubernetes_versions} or omit flag to use latest Kubernetes version available."
)
) # noqa

# check if instances are valid
available_instances = google_cloud.instances(data["region"])
Expand Down Expand Up @@ -457,6 +458,7 @@ class AmazonWebServicesProvider(schema.Base):
eks_endpoint_access: Optional[
Literal["private", "public", "public_and_private"]
] = "public"
eks_public_access_cidrs: Optional[List[str]] = ["0.0.0.0/0"]
eks_kms_arn: Optional[str] = None
existing_subnet_ids: Optional[List[str]] = None
existing_security_group_id: Optional[str] = None
Expand Down Expand Up @@ -526,7 +528,7 @@ def _check_input(cls, data: Any) -> Any:
or available_kms_keys[key_id[0]].Arn != data["eks_kms_arn"]
):
raise ValueError(
f"Amazon Web Services KMS Key with ARN {data['eks_kms_arn']} not one of available/enabled keys={[v.Arn for v in available_kms_keys.values() if v.KeyManager=='CUSTOMER' and v.KeySpec=='SYMMETRIC_DEFAULT']}"
f"Amazon Web Services KMS Key with ARN {data['eks_kms_arn']} not one of available/enabled keys={ [v.Arn for v in available_kms_keys.values() if v.KeyManager == 'CUSTOMER' and v.KeySpec == 'SYMMETRIC_DEFAULT']}"
)
key_id = key_id[0]
# Raise error if key is not a customer managed key
Expand Down Expand Up @@ -835,6 +837,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
name=self.config.escaped_project_name,
environment=self.config.namespace,
eks_endpoint_access=self.config.amazon_web_services.eks_endpoint_access,
eks_public_access_cidrs=self.config.amazon_web_services.eks_public_access_cidrs,
eks_kms_arn=self.config.amazon_web_services.eks_kms_arn,
existing_subnet_ids=self.config.amazon_web_services.existing_subnet_ids,
existing_security_group_id=self.config.amazon_web_services.existing_security_group_id,
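Review bot: The new `eks_public_access_cidrs` field on `AmazonWebServicesProvider` is handed straight through to Terraform without any validation, although the `_check_input` validator visible in this section already checks `eks_kms_arn` against the available KMS keys. A malformed entry would only surface as a Terraform error much later; a cheap check in the same validator is `for cidr in data.get("eks_public_access_cidrs") or []: ipaddress.ip_network(cidr)`, which raises ValueError for anything that is not a valid network (requires `import ipaddress` at the top of the file). The default `["0.0.0.0/0"]` keeps the public EKS API endpoint reachable from any IPv4 address, which is also what applies when the attribute is left unset, so the field deserves a comment such as `# CIDRs allowed to reach the public EKS API endpoint; the default admits all IPv4 — narrow it for production deployments`. If schema.Base is a pydantic model the list default is copied per instance; otherwise it is a shared mutable default and a `default_factory` would be the safer form. `_check_input` and `input_vars` both begin and end outside their hunks.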
Expand Up @@ -8,10 +8,13 @@ resource "aws_eks_cluster" "main" {
vpc_config {
security_group_ids = var.cluster_security_groups
subnet_ids = var.cluster_subnets
# ignored because this is set through the eks_endpoint_access variable
#trivy:ignore:AVD-AWS-0040
endpoint_public_access = var.endpoint_public_access
endpoint_private_access = var.endpoint_private_access
public_access_cidrs = var.public_access_cidrs
# ignored because this is set through the eks_public_access_cidrs variable
#trivy:ignore:AVD-AWS-0041
public_access_cidrs = var.public_access_cidrs
}

# Only set encryption_config if eks_kms_arn is not null
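Review bot: The `#trivy:ignore:AVD-AWS-0041` annotation in front of `public_access_cidrs` silences the scanner for every value of `var.public_access_cidrs`, including the `0.0.0.0/0` default supplied from the Python schema, so an open-to-all endpoint is now hidden from the scan rather than addressed. The justification comment should say this explicitly so a reader does not take the suppression as a resolved finding, e.g. `# ignored because the CIDR list is operator-controlled via eks_public_access_cidrs; note the default is still 0.0.0.0/0`. The attribute is presumably only effective when `endpoint_public_access` is true; a one-line comment stating that relationship next to the two lines would help. The `aws_eks_cluster` resource body continues outside the hunk.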
