allow eks_public_access_cidrs to be optionally set in nebari-config.yaml (#2963)

Author: dcmcand

src/_nebari/stages/infrastructure/__init__.py

@@ -170,6 +170,7 @@ class AWSInputVars(schema.Base):
         Literal["private", "public", "public_and_private"]
     ] = "public"
     eks_kms_arn: Optional[str] = None
+    eks_public_access_cidrs: Optional[List[str]] = ["0.0.0.0/0"]
     node_groups: List[AWSNodeGroupInputVars]
     availability_zones: List[str]
     vpc_cidr_block: str
@@ -327,7 +328,7 @@ def _check_input(cls, data: Any) -> Any:
         ):
             raise ValueError(
                 f"\nInvalid `kubernetes-version` provided: {data['kubernetes_version']}.\nPlease select from one of the following supported Kubernetes versions: {available_kubernetes_versions} or omit flag to use latest Kubernetes version available."
-            )
+            )  # noqa
 
         # check if instances are valid
         available_instances = google_cloud.instances(data["region"])
@@ -457,6 +458,7 @@ class AmazonWebServicesProvider(schema.Base):
     eks_endpoint_access: Optional[
         Literal["private", "public", "public_and_private"]
     ] = "public"
+    eks_public_access_cidrs: Optional[List[str]] = ["0.0.0.0/0"]
     eks_kms_arn: Optional[str] = None
     existing_subnet_ids: Optional[List[str]] = None
     existing_security_group_id: Optional[str] = None
@@ -526,7 +528,7 @@ def _check_input(cls, data: Any) -> Any:
                 or available_kms_keys[key_id[0]].Arn != data["eks_kms_arn"]
             ):
                 raise ValueError(
-                    f"Amazon Web Services KMS Key with ARN {data['eks_kms_arn']} not one of available/enabled keys={[v.Arn for v in available_kms_keys.values() if v.KeyManager=='CUSTOMER' and v.KeySpec=='SYMMETRIC_DEFAULT']}"
+                    f"Amazon Web Services KMS Key with ARN {data['eks_kms_arn']} not one of available/enabled keys={ [v.Arn for v in available_kms_keys.values() if v.KeyManager == 'CUSTOMER' and v.KeySpec == 'SYMMETRIC_DEFAULT']}"
                 )
             key_id = key_id[0]
             # Raise error if key is not a customer managed key
@@ -835,6 +837,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
                 name=self.config.escaped_project_name,
                 environment=self.config.namespace,
                 eks_endpoint_access=self.config.amazon_web_services.eks_endpoint_access,
+                eks_public_access_cidrs=self.config.amazon_web_services.eks_public_access_cidrs,
                 eks_kms_arn=self.config.amazon_web_services.eks_kms_arn,
                 existing_subnet_ids=self.config.amazon_web_services.existing_subnet_ids,
                 existing_security_group_id=self.config.amazon_web_services.existing_security_group_id,

src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf

@@ -8,10 +8,13 @@ resource "aws_eks_cluster" "main" {
   vpc_config {
     security_group_ids = var.cluster_security_groups
     subnet_ids         = var.cluster_subnets
+    # ignored because this is set through the eks_endpoint_access variable
     #trivy:ignore:AVD-AWS-0040
     endpoint_public_access  = var.endpoint_public_access
     endpoint_private_access = var.endpoint_private_access
-    public_access_cidrs     = var.public_access_cidrs
+    # ignored because this is set through the eks_public_access_cidrs variable
+    #trivy:ignore:AVD-AWS-0041
+    public_access_cidrs = var.public_access_cidrs
   }
 
   # Only set encryption_config if eks_kms_arn is not null