
Add validation checks for config option amazon_web_services.eks_kms_arn to ensure KMS-key ARN available
joneszc committed Oct 2, 2024
1 parent c40930a commit f31f209
Showing 2 changed files with 23 additions and 16 deletions.
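--- a/src/_nebari/provider/cloud/amazon_web_services.py
+++ b/src/_nebari/provider/cloud/amazon_web_services.py
@@ -127,22 +127,22 @@ def kms_key_arns(region: str) -> Dict[str, dict]:
     session = aws_session(region=region)
     client = session.client("kms")
     paginator = client.get_paginator("list_keys")
-    schema = [
+    fields = [
         "Arn",
         "KeyUsage",
-        "KeyState",
-        "Origin",
-        "KeyManager",
         "KeySpec",
-        "EncryptionAlgorithms",
-        "MultiRegion",
+        #"KeyState",
+        #"Origin",
+        #"KeyManager",
+        #"EncryptionAlgorithms",
+        #"MultiRegion",
     ]
     kms_keys = [
         client.describe_key(KeyId=j["KeyId"]).get("KeyMetadata")
         for i in paginator.paginate()
         for j in i["Keys"]
     ]
-    return {i["KeyId"]: {k: i[k] for k in schema} for i in kms_keys if i["Enabled"]}
+    return {i["KeyId"]: {k: i[k] for k in fields} for i in kms_keys if i["Enabled"]}
 
 
 def aws_get_vpc_id(name: str, namespace: str, region: str) -> Optional[str]: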
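Review bot: The five commented-out entries left in the `fields` list read as dead code and give no reason why those attributes were dropped from the projection; either delete them or replace them with a comment stating the reason, and if they stay, PEP 8 wants `# "KeyState"` rather than `#"KeyState"`. Presumably the attributes were removed because not every KMS key type carries them in DescribeKey's KeyMetadata (EncryptionAlgorithms, for instance, is not returned for HMAC or signing keys), in which case `{k: i[k] for k in fields}` would have raised KeyError on such keys; a comment such as `# Project only attributes present in KeyMetadata for every key type; the validator in stages/infrastructure relies on Arn, KeyUsage and KeySpec.` would record that. kms_key_arns starts above the hunk.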
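--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -564,7 +564,7 @@ def _check_input(cls, data: Any) -> Any:
 
         # check if kms key is valid
         available_kms_keys = amazon_web_services.kms_key_arns(data["region"])
-        if "eks_kms_arn" in data:
+        if "eks_kms_arn" in data and data["eks_kms_arn"] is not None:
             key_id = [
                 id for id in available_kms_keys.keys() if id in data["eks_kms_arn"]
             ]
@@ -573,14 +573,21 @@ def _check_input(cls, data: Any) -> Any:
                 and available_kms_keys[key_id[0]]["Arn"] == data["eks_kms_arn"]
             ):
                 key_id = key_id[0]
-                if available_kms_keys[key_id]["KeyUsage"] != "ENCRYPT_DECRYPT":
-                    raise ValueError(
-                        f"Amazon Web Services KMS Key with ID {key_id} does not have KeyUsage configured to encrypt and decrypt data"
-                    )
-                if available_kms_keys[key_id]["KeySpec"] != "SYMMETRIC_DEFAULT":
-                    raise ValueError(
-                        f"Amazon Web Services KMS Key with ID {key_id} is not a Symmetric key"
-                    )
+                # Symmetric KMS keys with Encrypt and decrypt key-usage have the SYMMETRIC_DEFAULT key-spec
+                # EKS cluster encryption requires a Symmetric key that is set to encrypt and decrypt data
+                if available_kms_keys[key_id]["KeySpec"] is not "SYMMETRIC_DEFAULT":
+                    if available_kms_keys[key_id]["KeyUsage"] is "GENERATE_VERIFY_MAC":
+                        raise ValueError(
+                            f"Amazon Web Services KMS Key with ID {key_id} does not have KeyUsage set to 'Encrypt and decrypt' data"
+                        )
+                    elif available_kms_keys[key_id]["KeyUsage"] is not "ENCRYPT_DECRYPT":
+                        raise ValueError(
+                            f"Amazon Web Services KMS Key with ID {key_id} is not of type Symmetric, and KeyUsage not set to 'Encrypt and decrypt' data"
+                        )
+                    else:
+                        raise ValueError(
+                            f"Amazon Web Services KMS Key with ID {key_id} is not of type Symmetric"
+                        )
             else:
                 raise ValueError(
                     f"Amazon Web Services KMS Key with ARN {data['eks_kms_arn']} not one of available/enabled keys={[v['Arn'] for v in available_kms_keys.values()]}"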
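Review bot: The KeySpec and KeyUsage tests in the second hunk use `is` / `is not` against string literals, which compares object identity rather than value; these strings come from the DescribeKey response, so whether a valid SYMMETRIC_DEFAULT / ENCRYPT_DECRYPT key passes depends on string interning, and a non-interned value makes `is not "SYMMETRIC_DEFAULT"` true, falls through to the `elif`, and rejects the key — the replaced `!=` comparisons were correct, and CPython also emits a SyntaxWarning for identity tests against literals. Change them to `if available_kms_keys[key_id]["KeySpec"] != "SYMMETRIC_DEFAULT":`, `if available_kms_keys[key_id]["KeyUsage"] == "GENERATE_VERIFY_MAC":` and `elif available_kms_keys[key_id]["KeyUsage"] != "ENCRYPT_DECRYPT":`. The rendered page drops indentation, so it cannot be confirmed whether the final `else:` that raises "is not of type Symmetric" is nested under the KeySpec check alongside the `if`/`elif` or paired with the outer `if`; only the nested placement is correct, since the outer one would reject every symmetric key. `_check_input` starts and ends outside both hunks.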
