From 501438d85285a2ff1a29be8577951d6091a56677 Mon Sep 17 00:00:00 2001
From: joneszc
Date: Fri, 9 Aug 2024 13:41:18 -0400
Subject: [PATCH 1/5] Add option in nebari-config (amazon_web_services.eks_endpoint_access) to specify EKS cluster endpoint access
---
 src/_nebari/stages/infrastructure/__init__.py | 12 ++++++++++++
 .../stages/infrastructure/template/aws/main.tf | 3 ++-
 .../template/aws/modules/kubernetes/main.tf | 1 +
 .../template/aws/modules/kubernetes/variables.tf | 5 +++++
 .../stages/infrastructure/template/aws/variables.tf | 6 ++++++
 5 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 1a16238b1b..86566ee4e1 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -133,6 +133,7 @@ class AWSInputVars(schema.Base):
 existing_subnet_ids: Optional[List[str]] = None
 region: str
 kubernetes_version: str
+ eks_endpoint_access: str = 'public'
 node_groups: List[AWSNodeGroupInputVars]
 availability_zones: List[str]
 vpc_cidr_block: str
@@ -451,6 +452,7 @@ class AmazonWebServicesProvider(schema.Base):
 kubernetes_version: str
 availability_zones: Optional[List[str]]
 node_groups: Dict[str, AWSNodeGroup] = DEFAULT_AWS_NODE_GROUPS
+ eks_endpoint_access: str = 'public'
 existing_subnet_ids: Optional[List[str]] = None
 existing_security_group_id: Optional[str] = None
 vpc_cidr_block: str = "10.10.0.0/16"
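Review bot: The new `eks_endpoint_access` field added to `AWSInputVars` and `AmazonWebServicesProvider` has no comment naming the accepted values or saying what the `'public'` default means, and the validator that enforces the values lives in a different part of the file, so a reader of the schema has nothing to go on. Suggest a comment above the `AmazonWebServicesProvider` line such as `# EKS API server endpoint exposure: "public" (default; internet-facing, restricted only by eks_public_access_cidrs), "private" (VPC-internal only) or "public_and_private"`. Since `'public'` keeps the API server reachable from outside the VPC, it is worth stating that the default is the permissive option rather than the locked-down one. Both class bodies start outside the hunk.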
@@ -506,6 +508,15 @@ def _check_input(cls, data: Any) -> Any:
 raise ValueError(
 f"Amazon Web Services instance {node_group.instance} not one of available instance types={available_instances}"
 )
+
+ # check if eks cluster endpoint access config is valid
+ available_endpoint_options = ['private', 'public', 'public_and_private']
+ if data["eks_endpoint_access"] is None:
+ data["eks_endpoint_access"] = 'public'
+ elif data["eks_endpoint_access"] not in available_endpoint_options:
+ raise ValueError(
+ f"\nInvalid `eks-endpoint-access` provided: {data['eks_endpoint_access']}.\nPlease select from one of the following supported EKS cluster endpoint access options: {available_endpoint_options}"
+ )
 return data
@@ -789,6 +800,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
 return AWSInputVars(
 name=self.config.escaped_project_name,
 environment=self.config.namespace,
+ eks_endpoint_access=self.config.amazon_web_services.eks_endpoint_access,
 existing_subnet_ids=self.config.amazon_web_services.existing_subnet_ids,
 existing_security_group_id=self.config.amazon_web_services.existing_security_group_id,
 region=self.config.amazon_web_services.region,
diff --git a/src/_nebari/stages/infrastructure/template/aws/main.tf b/src/_nebari/stages/infrastructure/template/aws/main.tf
index 2c78018f0b..5643625fe9 100644
--- a/src/_nebari/stages/infrastructure/template/aws/main.tf
+++ b/src/_nebari/stages/infrastructure/template/aws/main.tf
@@ -92,7 +92,8 @@ module "kubernetes" {
 node_groups = var.node_groups
- endpoint_private_access = var.eks_endpoint_private_access
+ endpoint_public_access = var.eks_endpoint_access == "private" ? false : true
+ endpoint_private_access = var.eks_endpoint_access == "public" ? false : true
 public_access_cidrs = var.eks_public_access_cidrs
 permissions_boundary = var.permissions_boundary
 }
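Review bot: The two ternaries on the new `endpoint_public_access` and `endpoint_private_access` lines in `main.tf` map any value other than the exact strings `"private"` and `"public"` — a capitalised `"Public"`, a stray space, or a null — to public *and* private access, so a malformed setting fails toward the most exposed configuration; the Python-side check in `_check_input` is the only thing standing in the way, and it does not protect anyone who applies the Terraform with their own tfvars. A `contains(["private", "public", "public_and_private"], var.eks_endpoint_access)` guard (a `validation` block on the variable, or a precondition here) would turn that into a plan-time error. Independently, the expressions read more plainly as `endpoint_public_access  = var.eks_endpoint_access != "private"` and `endpoint_private_access = var.eks_endpoint_access != "public"`. Worth a comment that the `"public"` default preserves the previous behaviour of a public-only endpoint bounded solely by `eks_public_access_cidrs`. The `module "kubernetes"` block starts outside the hunk.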
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
index 521096cae0..1fb488fc48 100644
--- a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
+++ b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
@@ -9,6 +9,7 @@ resource "aws_eks_cluster" "main" {
 security_group_ids = var.cluster_security_groups
 subnet_ids = var.cluster_subnets
+ endpoint_public_access = var.endpoint_public_access
 endpoint_private_access = var.endpoint_private_access
 public_access_cidrs = var.public_access_cidrs
 }
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf
index e22c640929..87f5e7c95a 100644
--- a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/variables.tf
@@ -60,6 +60,11 @@ variable "node_group_instance_type" {
 default = "m5.large"
 }
+variable "endpoint_public_access" {
+ type = bool
+ default = true
+}
+
 variable "endpoint_private_access" {
 type = bool
 default = false
diff --git a/src/_nebari/stages/infrastructure/template/aws/variables.tf b/src/_nebari/stages/infrastructure/template/aws/variables.tf
index 2e80c64c3c..6b8fd23430 100644
--- a/src/_nebari/stages/infrastructure/template/aws/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/aws/variables.tf
@@ -56,6 +56,12 @@ variable "kubeconfig_filename" {
 type = string
 }
+variable "eks_endpoint_access" {
+ description = "EKS cluster api server endpoint access setting"
+ type = string
+ default = "public"
+}
+
 variable "eks_endpoint_private_access" {
 type = bool
 default = false
From 215f3c10951dcad6fe4d5d1f48125feedba449cc Mon Sep 17 00:00:00 2001
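Review bot: The new `variable "eks_endpoint_access"` in `aws/variables.tf` has a description but no `validation` block, so Terraform accepts any string, and the calling module's string comparisons turn an unrecognised value into both endpoints enabled rather than an error. A validation block pins the contract at the boundary that external callers actually hit, and the description should list the three values. The old `eks_endpoint_private_access` variable stays declared in the context lines below while this patch removes its only visible reference in `aws/main.tf`; if nothing else reads it, an operator who had set it will now be silently ignored, so either delete it or mention the replacement in its description.

```terraform
variable "eks_endpoint_access" {
  description = "EKS API server endpoint exposure: private, public (default; bounded by eks_public_access_cidrs) or public_and_private"
  type        = string
  default     = "public"

  validation {
    condition     = contains(["private", "public", "public_and_private"], var.eks_endpoint_access)
    error_message = "eks_endpoint_access must be one of: private, public, public_and_private."
  }
}
```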
From: joneszc
Date: Fri, 9 Aug 2024 14:13:38 -0400
Subject: [PATCH 2/5] Add option in nebari-config (amazon_web_services.eks_endpoint_access) to specify EKS cluster endpoint access
---
 src/_nebari/stages/infrastructure/__init__.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 86566ee4e1..aafc2780a6 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -511,12 +511,15 @@ def _check_input(cls, data: Any) -> Any:
 # check if eks cluster endpoint access config is valid
 available_endpoint_options = ['private', 'public', 'public_and_private']
- if data["eks_endpoint_access"] is None:
+ if "eks_endpoint_access" not in data:
 data["eks_endpoint_access"] = 'public'
- elif data["eks_endpoint_access"] not in available_endpoint_options:
- raise ValueError(
- f"\nInvalid `eks-endpoint-access` provided: {data['eks_endpoint_access']}.\nPlease select from one of the following supported EKS cluster endpoint access options: {available_endpoint_options}"
- )
+ else:
+ if data["eks_endpoint_access"] is None:
+ data["eks_endpoint_access"] = 'public'
+ elif data["eks_endpoint_access"] not in available_endpoint_options:
+ raise ValueError(
+ f"\nInvalid `eks-endpoint-access` provided: {data['eks_endpoint_access']}.\nPlease select from one of the following supported EKS cluster endpoint access options: {available_endpoint_options}"
+ )
 return data
From 7f0874a6bac1b89c51d46bb41f56fbeffb7ce42e Mon Sep 17 00:00:00 2001
From: joneszc
Date: Fri, 23 Aug 2024 16:06:17 -0400
Subject: [PATCH 3/5] reformat __init__.py single quotes
---
 src/_nebari/stages/infrastructure/__init__.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 712a04b0d7..3bd14416bc 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -146,7 +146,7 @@ class AWSInputVars(schema.Base):
 existing_subnet_ids: Optional[List[str]] = None
 region: str
 kubernetes_version: str
- eks_endpoint_access: str = 'public'
+ eks_endpoint_access: str = "public"
 node_groups: List[AWSNodeGroupInputVars]
 availability_zones: List[str]
 vpc_cidr_block: str
@@ -466,7 +466,7 @@ class AmazonWebServicesProvider(schema.Base):
 kubernetes_version: str
 availability_zones: Optional[List[str]]
 node_groups: Dict[str, AWSNodeGroup] = DEFAULT_AWS_NODE_GROUPS
- eks_endpoint_access: str = 'public'
+ eks_endpoint_access: str = "public"
 existing_subnet_ids: Optional[List[str]] = None
 existing_security_group_id: Optional[str] = None
 vpc_cidr_block: str = "10.10.0.0/16"
@@ -524,12 +524,12 @@ def _check_input(cls, data: Any) -> Any:
 )
 # check if eks cluster endpoint access config is valid
- available_endpoint_options = ['private', 'public', 'public_and_private']
+ available_endpoint_options = ["private", "public", "public_and_private"]
 if "eks_endpoint_access" not in data:
- data["eks_endpoint_access"] = 'public'
+ data["eks_endpoint_access"] = "public"
 else:
 if data["eks_endpoint_access"] is None:
- data["eks_endpoint_access"] = 'public'
+ data["eks_endpoint_access"] = "public"
 elif data["eks_endpoint_access"] not in available_endpoint_options:
 raise ValueError(
 f"\nInvalid `eks-endpoint-access` provided: {data['eks_endpoint_access']}.\nPlease select from one of the following supported EKS cluster endpoint access options: {available_endpoint_options}"
From 521711f9eaade6cd13527b4fd674fc490ad22e0d Mon Sep 17 00:00:00 2001
From: joneszc
Date: Wed, 4 Sep 2024 10:14:49 -0400
Subject: [PATCH 4/5] Edit validation for amazon_web_services.eks_endpoint_access var option to specify EKS cluster endpoint access
---
 src/_nebari/stages/infrastructure/__init__.py | 18 +++--------------
 .../template/aws/modules/kubernetes/main.tf | 2 +-
 2 files changed, 4 insertions(+), 16 deletions(-)
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 3bd14416bc..677de34989 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -6,7 +6,7 @@
 import re
 import sys
 import tempfile
-from typing import Annotated, Any, Dict, List, Optional, Tuple, Type, Union
+from typing import Annotated, Any, Dict, List, Literal, Optional, Tuple, Type, Union
 from pydantic import Field, field_validator, model_validator
@@ -146,7 +146,7 @@ class AWSInputVars(schema.Base):
 existing_subnet_ids: Optional[List[str]] = None
 region: str
 kubernetes_version: str
- eks_endpoint_access: str = "public"
+ eks_endpoint_access: Optional[Literal["private", "public", "public_and_private"]] = "public"
 node_groups: List[AWSNodeGroupInputVars]
 availability_zones: List[str]
 vpc_cidr_block: str
@@ -466,7 +466,7 @@ class AmazonWebServicesProvider(schema.Base):
 kubernetes_version: str
 availability_zones: Optional[List[str]]
 node_groups: Dict[str, AWSNodeGroup] = DEFAULT_AWS_NODE_GROUPS
- eks_endpoint_access: str = "public"
+ eks_endpoint_access: Optional[Literal["private", "public", "public_and_private"]] = "public"
 existing_subnet_ids: Optional[List[str]] = None
 existing_security_group_id: Optional[str] = None
 vpc_cidr_block: str = "10.10.0.0/16"
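Review bot: Wrapping the field as `Optional[Literal[...]]` on both the `AWSInputVars` and `AmazonWebServicesProvider` lines lets an explicit `null` in nebari-config validate as `None`, while the same patch deletes the `_check_input` branch that previously coerced `None` back to `"public"`, so `None` now passes through `input_vars` unchanged. If it reaches the `eks_endpoint_access` Terraform variable as a null, neither `== "private"` nor `== "public"` in `aws/main.tf` matches and both endpoint flags come out true — presumably not what an operator writing `null` intended. Unless a null mode is deliberate, drop the `Optional` and declare `eks_endpoint_access: Literal["private", "public", "public_and_private"] = "public"` on both lines, which also keeps the rejection message pydantic emits precise. Both class bodies start outside the hunk.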
@@ -522,18 +522,6 @@ def _check_input(cls, data: Any) -> Any:
 raise ValueError(
 f"Amazon Web Services instance {node_group.instance} not one of available instance types={available_instances}"
 )
-
- # check if eks cluster endpoint access config is valid
- available_endpoint_options = ["private", "public", "public_and_private"]
- if "eks_endpoint_access" not in data:
- data["eks_endpoint_access"] = "public"
- else:
- if data["eks_endpoint_access"] is None:
- data["eks_endpoint_access"] = "public"
- elif data["eks_endpoint_access"] not in available_endpoint_options:
- raise ValueError(
- f"\nInvalid `eks-endpoint-access` provided: {data['eks_endpoint_access']}.\nPlease select from one of the following supported EKS cluster endpoint access options: {available_endpoint_options}"
- )
 return data
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
index 1fb488fc48..6ca547ab32 100644
--- a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
+++ b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf
@@ -8,7 +8,7 @@ resource "aws_eks_cluster" "main" {
 vpc_config {
 security_group_ids = var.cluster_security_groups
 subnet_ids = var.cluster_subnets
-
+ #trivy:ignore:AVD-AWS-0040
 endpoint_public_access = var.endpoint_public_access
 endpoint_private_access = var.endpoint_private_access
 public_access_cidrs = var.public_access_cidrs
From dbe30ab35f009b5a6a65ad9fc004b983a239a870 Mon Sep 17 00:00:00 2001
From: joneszc
Date: Wed, 4 Sep 2024 13:11:16 -0400
Subject: [PATCH 5/5] Edit validation for amazon_web_services.eks_endpoint_access var option to specify EKS cluster endpoint access
---
 src/_nebari/stages/infrastructure/__init__.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 677de34989..0820940f20 100644
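Review bot: The added `#trivy:ignore:AVD-AWS-0040` in `modules/kubernetes/main.tf` silences the public-API-endpoint finding for every deployment, including the default `public` mode that the rule exists to flag, and it carries no justification or expiry, so this exposure will not surface in scans again. The finding is a true positive whenever `endpoint_public_access` is true; if the team accepts that because exposure is now operator-controlled, say so next to the suppression, e.g. `#trivy:ignore:AVD-AWS-0040 public endpoint is an explicit operator choice via eks_endpoint_access and is limited by public_access_cidrs`, and if the trivy version in CI supports an `:exp:YYYY-MM-DD` suffix, use it so the decision gets revisited. Otherwise leave the finding visible and rely on `public_access_cidrs` defaulting to something narrower than `0.0.0.0/0`, which this hunk does not show. The `resource "aws_eks_cluster"` block continues outside the hunk.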
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -146,7 +146,9 @@ class AWSInputVars(schema.Base):
 existing_subnet_ids: Optional[List[str]] = None
 region: str
 kubernetes_version: str
- eks_endpoint_access: Optional[Literal["private", "public", "public_and_private"]] = "public"
+ eks_endpoint_access: Optional[
+ Literal["private", "public", "public_and_private"]
+ ] = "public"
 node_groups: List[AWSNodeGroupInputVars]
 availability_zones: List[str]
 vpc_cidr_block: str
@@ -466,7 +468,9 @@ class AmazonWebServicesProvider(schema.Base):
 kubernetes_version: str
 availability_zones: Optional[List[str]]
 node_groups: Dict[str, AWSNodeGroup] = DEFAULT_AWS_NODE_GROUPS
- eks_endpoint_access: Optional[Literal["private", "public", "public_and_private"]] = "public"
+ eks_endpoint_access: Optional[
+ Literal["private", "public", "public_and_private"]
+ ] = "public"
 existing_subnet_ids: Optional[List[str]] = None
 existing_security_group_id: Optional[str] = None
 vpc_cidr_block: str = "10.10.0.0/16"