From 6ef8cff1787083cc21922b28c7041f9546c829f0 Mon Sep 17 00:00:00 2001
From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com>
Date: Fri, 10 Jan 2025 00:42:58 +0100
Subject: [PATCH] add authorized ip range variable for azure (#2880)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 src/_nebari/stages/infrastructure/__init__.py | 3 +++
 src/_nebari/stages/infrastructure/template/azure/main.tf | 1 +
 .../template/azure/modules/kubernetes/main.tf | 3 +++
 .../template/azure/modules/kubernetes/variables.tf | 6 ++++++
 .../stages/infrastructure/template/azure/variables.tf | 6 ++++++
 5 files changed, 19 insertions(+)

diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
index 067161f6a4..0c5a60a06c 100644
--- a/src/_nebari/stages/infrastructure/__init__.py
+++ b/src/_nebari/stages/infrastructure/__init__.py
@@ -95,6 +95,7 @@ class AzureInputVars(schema.Base):
 name: str
 environment: str
 region: str
+ authorized_ip_ranges: List[str] = ["0.0.0.0/0"]
 kubeconfig_filename: str = get_kubeconfig_filename()
 kubernetes_version: str
 node_groups: Dict[str, AzureNodeGroupInputVars]
@@ -362,6 +363,7 @@ class AzureProvider(schema.Base):
 region: str
 kubernetes_version: Optional[str] = None
 storage_account_postfix: str
+ authorized_ip_ranges: Optional[List[str]] = ["0.0.0.0/0"]
 resource_group_name: Optional[str] = None
 node_groups: Dict[str, AzureNodeGroup] = DEFAULT_AZURE_NODE_GROUPS
 storage_account_postfix: str
@@ -799,6 +801,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
 environment=self.config.namespace,
 region=self.config.azure.region,
 kubernetes_version=self.config.azure.kubernetes_version,
+ authorized_ip_ranges=self.config.azure.authorized_ip_ranges,
 node_groups={
 name: AzureNodeGroupInputVars(
 instance=node_group.instance,
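Review bot: The two new fields disagree on nullability — `AzureProvider.authorized_ip_ranges` in the second hunk is `Optional[List[str]]` while `AzureInputVars.authorized_ip_ranges` in the first hunk is a plain `List[str]`, so a config that sets the key to `null` is accepted by the provider model and then rejected when `input_vars` builds `AzureInputVars` in the third hunk, presumably as a validation error rather than a clear configuration message. Either drop `Optional` on `AzureProvider` or fold `None` back to the default where it is passed through, e.g. `authorized_ip_ranges=self.config.azure.authorized_ip_ranges or ["0.0.0.0/0"],`. Nothing checks that the entries are CIDR strings before they reach Terraform; a validator on `AzureProvider` that parses each entry with `ipaddress.ip_network(entry, strict=False)` would reject a typo at config-load time instead of at apply time. The `0.0.0.0/0` default keeps the API server reachable from anywhere, which matches the behaviour before this change, so the field deserves a comment saying so and that operators are expected to narrow it, e.g. `# CIDRs allowed to reach the AKS API server; 0.0.0.0/0 preserves the previous open default`. All three hunks sit inside bodies that start and end outside the hunk.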
diff --git a/src/_nebari/stages/infrastructure/template/azure/main.tf b/src/_nebari/stages/infrastructure/template/azure/main.tf
index 594a6a4aa2..960b755f8c 100644
--- a/src/_nebari/stages/infrastructure/template/azure/main.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/main.tf
@@ -28,6 +28,7 @@ module "kubernetes" {
 kubernetes_version = var.kubernetes_version
 tags = var.tags
 max_pods = var.max_pods
+ authorized_ip_ranges = var.authorized_ip_ranges
 network_profile = var.network_profile
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
index 66b46e13eb..f97f1f6383 100644
--- a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/main.tf
@@ -4,6 +4,9 @@ resource "azurerm_kubernetes_cluster" "main" {
 location = var.location
 resource_group_name = var.resource_group_name
 tags = var.tags
+ api_server_access_profile {
+ authorized_ip_ranges = var.authorized_ip_ranges
+ }
 # To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.
 oidc_issuer_enabled = var.workload_identity_enabled
diff --git a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
index 355b284ba0..95d2045420 100644
--- a/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/modules/kubernetes/variables.tf
@@ -77,6 +77,12 @@ variable "workload_identity_enabled" {
 default = false
 }
+variable "authorized_ip_ranges" {
+ description = "The ip range allowed to access the Kubernetes API server, defaults to 0.0.0.0/0"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
 variable "azure_policy_enabled" {
 description = "Enable Azure Policy"
 type = bool
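Review bot: The `api_server_access_profile` block in `modules/kubernetes/main.tf` is now emitted unconditionally, so every cluster carries an explicit authorized-range list, and once an operator narrows it from the `0.0.0.0/0` default the machine running the deploy (and, presumably, the later Nebari stages that use the generated kubeconfig) must be inside that list or it loses API-server access; that consequence is stated nowhere in the module. A comment above the block would save the next operator a lockout, e.g. `# Restricting the API server to these CIDRs also restricts the deployer and CI; include their egress addresses.` Whether the provider accepts an empty list here as a way to turn the restriction off is not visible in this hunk and is worth confirming before documenting it as an option. The resource block continues outside the hunk.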
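Review bot: `variable "authorized_ip_ranges"` in `modules/kubernetes/variables.tf` accepts any list of strings, so a malformed entry is only rejected at apply time by the Azure API; the identical declaration in `template/azure/variables.tf` (the next hunk of this patch) has the same gap. A `validation` block that checks each entry parses as a CIDR fails at plan time with a message that names the variable. The description also says "ip range" for a list and does not say that the default leaves the API server open to all sources; `description = "CIDR ranges allowed to reach the Kubernetes API server; the default 0.0.0.0/0 allows all sources"` would be clearer. The rewritten declaration below applies to both files.
```hcl
variable "authorized_ip_ranges" {
  description = "CIDR ranges allowed to reach the Kubernetes API server; the default 0.0.0.0/0 allows all sources"
  # … unchanged: type and default …

  validation {
    condition     = alltrue([for r in var.authorized_ip_ranges : can(cidrhost(r, 0))])
    error_message = "Every entry in authorized_ip_ranges must be a CIDR range (for example 203.0.113.0/24)."
  }
}
```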
diff --git a/src/_nebari/stages/infrastructure/template/azure/variables.tf b/src/_nebari/stages/infrastructure/template/azure/variables.tf
index 657435c7da..ac36f42fd6 100644
--- a/src/_nebari/stages/infrastructure/template/azure/variables.tf
+++ b/src/_nebari/stages/infrastructure/template/azure/variables.tf
@@ -83,6 +83,12 @@ variable "workload_identity_enabled" {
 default = false
 }
+variable "authorized_ip_ranges" {
+ description = "The ip range allowed to access the Kubernetes API server, defaults to 0.0.0.0/0"
+ type = list(string)
+ default = ["0.0.0.0/0"]
+}
+
 variable "azure_policy_enabled" {
 description = "Enable Azure Policy"
 type = bool