CDPCAM-71 Add Private Subnets validation with 'Auto-assign public IPs' disabled (#22)

* Add private subnets auto-assign IP settings validation

Signed-off-by: Anurag Patro <anurag.patro@cloudera.com>

Author: anuragpatro

cdpctl/validation/infra/issue_templates.yml

@@ -165,3 +165,7 @@ docs_link: https://docs.cloudera.com/cdp/latest/requirements-aws/topics/mc-aws-r
 id: AWS_VPC_NOT_FOUND_IN_ACCOUNT
 summary: "VPC ID {0} set in infra:aws:vpc:existing:vpc_id was not found in the AWS account."
 docs_link: https://docs.cloudera.com/cdp/latest/requirements-aws/topics/mc-aws-req-vpc.html
+---
+id: AWS_SUBNETS_WITH_PUBLIC_IPS_ENABLED
+summary: "These {0} Subnets must have 'Auto-assign Public IPs' disabled for a fully-private network configuration."
+render_type: list

cdpctl/validation/infra/issues.py

@@ -121,3 +121,5 @@
 AWS_DNS_SUPPORT_NOT_ENABLED_FOR_VPC = "AWS_DNS_SUPPORT_NOT_ENABLED_FOR_VPC"
 
 AWS_VPC_NOT_FOUND_IN_ACCOUNT = "AWS_VPC_NOT_FOUND_IN_ACCOUNT"
+
+AWS_SUBNETS_WITH_PUBLIC_IPS_ENABLED = "AWS_SUBNETS_WITH_PUBLIC_IPS_ENABLED"

cdpctl/validation/infra/validate_aws_subnets.py

@@ -59,6 +59,7 @@
     AWS_SUBNETS_MISSING_K8S_LB_TAG,
     AWS_SUBNETS_NOT_PART_OF_VPC,
     AWS_SUBNETS_OR_VPC_WITHOUT_INTERNET_GATEWAY,
+    AWS_SUBNETS_WITH_PUBLIC_IPS_ENABLED,
     AWS_SUBNETS_WITHOUT_INTERNET_GATEWAY,
     AWS_SUBNETS_WITHOUT_VALID_RANGE,
 )
@@ -414,6 +415,27 @@ def aws_private_subnets_tags_validation() -> None:
         fail(AWS_REQUIRED_DATA_MISSING, e.args[0])
 
 
+@pytest.mark.aws
+@pytest.mark.infra
+@pytest.mark.dependency(depends=["aws_private_subnets_validation"])
+def aws_private_subnets_auto_assign_ip_validation() -> None:
+    """Private subnets have auto-assign public IPs disabled."""  # noqa: D401,E501
+    try:
+        subnets_w_public_ips_enabled = []
+        for subnet in subnets_data["private_subnets"]:
+            if subnet["MapPublicIpOnLaunch"]:
+                subnets_w_public_ips_enabled.append(subnet["SubnetId"])
+
+        if len(subnets_w_public_ips_enabled) > 0:
+            warn(
+                AWS_SUBNETS_WITH_PUBLIC_IPS_ENABLED,
+                subjects=["Private"],
+                resources=subnets_w_public_ips_enabled,
+            )
+    except KeyError as e:
+        fail(AWS_REQUIRED_DATA_MISSING, e.args[0])
+
+
 @pytest.mark.aws
 @pytest.mark.infra
 @pytest.mark.dependency(

tests/validation/infra/test_validate_aws_subnets.py

@@ -49,6 +49,7 @@
 
 from cdpctl.validation.aws_utils import get_client
 from cdpctl.validation.infra.validate_aws_subnets import (
+    aws_private_subnets_auto_assign_ip_validation,
     aws_private_subnets_availablity_zone_validation,
     aws_private_subnets_range_validation,
     aws_private_subnets_route_validation,
@@ -107,6 +108,7 @@
         {
             "AvailabilityZone": "us-west-2b",
             "CidrBlock": "20.0.237.0/14",
+            "MapPublicIpOnLaunch": False,
             "SubnetId": "subnet-prvtest1-cdp",
             "VpcId": "vpc-testcdp12345",
             "Tags": [
@@ -117,6 +119,7 @@
         {
             "AvailabilityZone": "us-west-2c",
             "CidrBlock": "20.1.238.0/19",
+            "MapPublicIpOnLaunch": False,
             "SubnetId": "subnet-prvtest2-cdp",
             "VpcId": "vpc-testcdp12345",
             "Tags": [
@@ -127,6 +130,7 @@
         {
             "AvailabilityZone": "us-west-2a",
             "CidrBlock": "20.2.236.0/18",
+            "MapPublicIpOnLaunch": False,
             "SubnetId": "subnet-prvtest3-cdp",
             "VpcId": "vpc-testcdp12345",
             "Tags": [
@@ -899,7 +903,7 @@ def test_aws_private_subnets_tags_validation_success(ec2_client: EC2Client) -> N
         func()
 
 
-def test_aws_private_subnets_tags_validation_failure(ec2_client: EC2Client) -> None:
+def test_aws_private_subnets_tags_validation_warning(ec2_client: EC2Client) -> None:
     """Unit test private subnets tags failure."""
     config = get_config(
         private_subnet_ids_val=private_subnet_ids, private_suffix_val="fail"
@@ -941,6 +945,63 @@ def test_aws_private_subnets_tags_validation_failure(ec2_client: EC2Client) -> N
         func()
 
 
+def test_aws_private_subnets_auto_assign_ip_validation_success(
+    ec2_client: EC2Client,
+) -> None:
+    """Unit test private subnets auto assign ip settings success."""
+    config = get_config(
+        private_subnet_ids_val=private_subnet_ids, private_suffix_val="cdp"
+    )
+    stubber = Stubber(ec2_client)
+    stubber.add_response(
+        "describe_subnets",
+        sample_private_subnets_response,
+        expected_params={"SubnetIds": private_subnet_ids},
+    )
+    with stubber:
+        func = expect_validation_success(aws_private_subnets_validation)
+        func(config, ec2_client)
+    with stubber:
+        func = expect_validation_success(aws_private_subnets_auto_assign_ip_validation)
+        func()
+
+
+def test_aws_private_subnets_auto_assign_ip_validation_warning(
+    ec2_client: EC2Client,
+) -> None:
+    """Unit test private subnets auto assign ip settings failure."""
+    config = get_config(
+        private_subnet_ids_val=private_subnet_ids, private_suffix_val="fail"
+    )
+    stubber = Stubber(ec2_client)
+    stubber.add_response(
+        "describe_subnets",
+        {
+            "Subnets": [
+                {
+                    "MapPublicIpOnLaunch": False,
+                    "SubnetId": "subnet-prvtest1-cdp",
+                },
+                {
+                    "MapPublicIpOnLaunch": False,
+                    "SubnetId": "subnet-prvtest2-cdp",
+                },
+                {
+                    "MapPublicIpOnLaunch": True,
+                    "SubnetId": "subnet-prvtest3-cdp",
+                },
+            ],
+        },
+        expected_params={"SubnetIds": private_subnet_ids},
+    )
+    with stubber:
+        func = expect_validation_success(aws_private_subnets_validation)
+        func(config, ec2_client)
+    with stubber:
+        func = expect_validation_warning(aws_private_subnets_auto_assign_ip_validation)
+        func()
+
+
 def test_aws_vpc_validation_success(ec2_client: EC2Client) -> None:
     """Unit test vpc success."""
     config = {