From f31f209185841253e37ef33af04abe8a89a21d4a Mon Sep 17 00:00:00 2001
From: joneszc
Date: Wed, 2 Oct 2024 14:20:31 -0400
Subject: [PATCH] Add validation checks for config option amazon_web_services.eks_kms_arn to ensure KMS-key ARN available
---
 .../provider/cloud/amazon_web_services.py | 14 +++++------
 src/_nebari/stages/infrastructure/__init__.py | 25 ++++++++++++-------
 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/src/_nebari/provider/cloud/amazon_web_services.py b/src/_nebari/provider/cloud/amazon_web_services.py
index f057b8ab1..8fb9c0be3 100644
--- a/src/_nebari/provider/cloud/amazon_web_services.py
+++ b/src/_nebari/provider/cloud/amazon_web_services.py
@@ -127,22 +127,22 @@ def kms_key_arns(region: str) -> Dict[str, dict]:
 session = aws_session(region=region)
 client = session.client("kms")
 paginator = client.get_paginator("list_keys")
- schema = [
+ fields = [
 "Arn",
 "KeyUsage",
- "KeyState",
- "Origin",
- "KeyManager",
 "KeySpec",
- "EncryptionAlgorithms",
- "MultiRegion",
+ #"KeyState",
+ #"Origin",
+ #"KeyManager",
+ #"EncryptionAlgorithms",
+ #"MultiRegion",
 ]
 kms_keys = [
 client.describe_key(KeyId=j["KeyId"]).get("KeyMetadata")
 for i in paginator.paginate()
 for j in i["Keys"]
 ]
- return {i["KeyId"]: {k: i[k] for k in schema} for i in kms_keys if i["Enabled"]}
+ return {i["KeyId"]: {k: i[k] for k in fields} for i in kms_keys if i["Enabled"]}
 def aws_get_vpc_id(name: str, namespace: str, region: str) -> Optional[str]:
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index d2287c7dc..4403ae302 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
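Review bot: The five entries dropped from the field list are left behind as commented-out code (`#"KeyState"` … `#"MultiRegion"`), which the next reader has to work out is dead rather than temporarily disabled; either delete them or replace them with one explanatory comment such as `# Only the metadata the eks_kms_arn validator consumes; describe_key returns more.` The rename from schema to fields is fine. Worth noting before merging: with `KeyManager` and `Origin` gone, callers can no longer tell AWS-managed keys from customer-managed ones, so if the validator ever needs that distinction the field has to be reinstated here. The function's `def` line sits above the hunk, so its docstring (if any) is not visible.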
@@ -564,7 +564,7 @@ def _check_input(cls, data: Any) -> Any:
 # check if kms key is valid
 available_kms_keys = amazon_web_services.kms_key_arns(data["region"])
- if "eks_kms_arn" in data:
+ if "eks_kms_arn" in data and data["eks_kms_arn"] is not None:
 key_id = [
 id for id in available_kms_keys.keys() if id in data["eks_kms_arn"]
 ]
@@ -573,14 +573,21 @@ def _check_input(cls, data: Any) -> Any:
 and available_kms_keys[key_id[0]]["Arn"] == data["eks_kms_arn"]
 ):
 key_id = key_id[0]
- if available_kms_keys[key_id]["KeyUsage"] != "ENCRYPT_DECRYPT":
- raise ValueError(
- f"Amazon Web Services KMS Key with ID {key_id} does not have KeyUsage configured to encrypt and decrypt data"
- )
- if available_kms_keys[key_id]["KeySpec"] != "SYMMETRIC_DEFAULT":
- raise ValueError(
- f"Amazon Web Services KMS Key with ID {key_id} is not a Symmetric key"
- )
+ # Symmetric KMS keys with Encrypt and decrypt key-usage have the SYMMETRIC_DEFAULT key-spec
+ # EKS cluster encryption requires a Symmetric key that is set to encrypt and decrypt data
+ if available_kms_keys[key_id]["KeySpec"] is not "SYMMETRIC_DEFAULT":
+ if available_kms_keys[key_id]["KeyUsage"] is "GENERATE_VERIFY_MAC":
+ raise ValueError(
+ f"Amazon Web Services KMS Key with ID {key_id} does not have KeyUsage set to 'Encrypt and decrypt' data"
+ )
+ elif available_kms_keys[key_id]["KeyUsage"] is not "ENCRYPT_DECRYPT":
+ raise ValueError(
+ f"Amazon Web Services KMS Key with ID {key_id} is not of type Symmetric, and KeyUsage not set to 'Encrypt and decrypt' data"
+ )
+ else:
+ raise ValueError(
+ f"Amazon Web Services KMS Key with ID {key_id} is not of type Symmetric"
+ )
 else:
 raise ValueError(
 f"Amazon Web Services KMS Key with ARN {data['eks_kms_arn']} not one of available/enabled keys={[v['Arn'] for v in available_kms_keys.values()]}"
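Review bot: The new guard `if "eks_kms_arn" in data and data["eks_kms_arn"] is not None:` is the two-step spelling of `if data.get("eks_kms_arn") is not None:`, and the context line just above it still calls `amazon_web_services.kms_key_arns(data["region"])` unconditionally, so every validation run lists and describes every KMS key in the region even when the option is unset; moving that lookup inside the guard would avoid the extra API calls and the KMS permissions they require (that call is unchanged context, so it may be deliberate — worth confirming). The comprehension's loop variable `id` also shadows the builtin; `kid` or `candidate` reads better. _check_input begins above this hunk and continues below it.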
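Review bot: The three comparisons on the new `if`/`if`/`elif` lines use `is` and `is not` against string literals, which test object identity rather than equality; the values come from the boto3 describe_key response and are not the same objects as the literals, so `["KeySpec"] is not "SYMMETRIC_DEFAULT"` is almost certainly true even for a correct symmetric key and a valid ARN ends up rejected with the "not of type Symmetric" message (CPython also emits a SyntaxWarning for `is` with a literal). Replace them with equality operators: `if available_kms_keys[key_id]["KeySpec"] != "SYMMETRIC_DEFAULT":`, `if available_kms_keys[key_id]["KeyUsage"] == "GENERATE_VERIFY_MAC":`, `elif available_kms_keys[key_id]["KeyUsage"] != "ENCRYPT_DECRYPT":`. With that fix the branch order still reads correctly: a SYMMETRIC_DEFAULT key is accepted without inspecting KeyUsage, which is what the new comment asserts about such keys. _check_input starts and ends outside the hunk.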