From b739db163c8fe5de2f5c9d61eeaf1b7727909d85 Mon Sep 17 00:00:00 2001
From: ian-flores
Date: Tue, 27 Jan 2026 08:10:50 -0800
Subject: [PATCH 1/2] feat(control-room): add EKS access entries support

Add eks_access_entries configuration to control room EKS clusters, mirroring the existing workload cluster pattern. This allows control rooms to use modern EKS Access Entries instead of the legacy aws-auth ConfigMap when eks_access_entries.enabled is set to true.

Closes #79
---
 lib/types/controlroom.go | 20 +++++++++++++------
 python-pulumi/src/ptd/aws_control_room.py | 7 +++++++
 .../aws_control_room_cluster.py | 6 +++++-
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/lib/types/controlroom.go b/lib/types/controlroom.go
index c590f20..dc08b3f 100644
--- a/lib/types/controlroom.go
+++ b/lib/types/controlroom.go
@@ -1,5 +1,12 @@
 package types

+// EKSAccessEntriesConfig holds configuration for EKS Access Entries
+type EKSAccessEntriesConfig struct {
+ Enabled bool `json:"enabled" yaml:"enabled"`
+ AdditionalEntries []map[string]interface{} `json:"additional_entries" yaml:"additional_entries"`
+ IncludeSameAccountPoweruser bool `json:"include_same_account_poweruser" yaml:"include_same_account_poweruser"`
+}
+
 // TrustedUserIpAddress represents an IP address for a trusted user
 type TrustedUserIpAddress struct {
 Ip string `json:"ip" yaml:"ip"`
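Review bot: `AdditionalEntries []map[string]interface{}` in the new `EKSAccessEntriesConfig` carries the entries that decide who gets cluster access, yet the Go side gives them no schema, so a misspelled key inside one entry is accepted at load time and only surfaces, if at all, when the Pulumi layer consumes `additional_access_entries`. A small typed struct with the fields that consumer actually reads would let strict JSON/YAML decoding reject unknown keys up front; if it stays untyped, `any` is the idiomatic spelling of `interface{}`. The three fields also have no doc comments; I would add `// Enabled switches the control room cluster from the aws-auth ConfigMap to EKS Access Entries.` and `// AdditionalEntries is passed through unvalidated as additional_access_entries; keep its shape in sync with the Pulumi consumer.`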
@@ -15,12 +22,13 @@ type TrustedUser struct {
 }

 type AWSControlRoomConfig struct {
- AccountID string `json:"account_id" yaml:"account_id"`
- PowerUserARN string `json:"power_user_arn" yaml:"power_user_arn"`
- Domain string `json:"domain" yaml:"domain"`
- Environment string `json:"environment" yaml:"environment"`
- TrueName string `json:"true_name" yaml:"true_name"`
- DBAllocatedStorage int `json:"db_allocated_storage" yaml:"db_allocated_storage"`
+ AccountID string `json:"account_id" yaml:"account_id"`
+ PowerUserARN string `json:"power_user_arn" yaml:"power_user_arn"`
+ Domain string `json:"domain" yaml:"domain"`
+ Environment string `json:"environment" yaml:"environment"`
+ TrueName string `json:"true_name" yaml:"true_name"`
+ EksAccessEntries *EKSAccessEntriesConfig `json:"eks_access_entries" yaml:"eks_access_entries"`
+ DBAllocatedStorage int `json:"db_allocated_storage" yaml:"db_allocated_storage"`
 DBEngineVersion string `json:"db_engine_version" yaml:"db_engine_version"`
 DBInstanceClass string `json:"db_instance_class" yaml:"db_instance_class"`
 EksK8sVersion *string `json:"eks_k8s_version" yaml:"eks_k8s_version"`
diff --git a/python-pulumi/src/ptd/aws_control_room.py b/python-pulumi/src/ptd/aws_control_room.py
index fbdb34a..1fdb85a 100644
--- a/python-pulumi/src/ptd/aws_control_room.py
+++ b/python-pulumi/src/ptd/aws_control_room.py
@@ -41,6 +41,7 @@ class AWSControlRoomConfig:

 true_name: str
 power_user_arn: str | None = None
+ eks_access_entries: ptd.EKSAccessEntriesConfig = dataclasses.field(default_factory=ptd.EKSAccessEntriesConfig)
 db_allocated_storage: int = 100
 db_engine_version: str = "16.4"
 db_instance_class: str = "db.t3.small"
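Review bot: `EksAccessEntries *EKSAccessEntriesConfig` is nil whenever a config omits `eks_access_entries`, whereas the Python `AWSControlRoomConfig` in the next hunk substitutes a default-constructed `EKSAccessEntriesConfig`, so the two loaders disagree on what "absent" looks like and every Go consumer has to nil-check before reading `Enabled`. Either make it a value field so the zero value (`Enabled` false) lines up with the Python default, assuming `EKSAccessEntriesConfig()` defaults `enabled` to False, or document the contract on the field: `// EksAccessEntries is nil when eks_access_entries is absent; consumers must treat nil as Access Entries disabled (legacy aws-auth).` The remaining lines of the hunk are gofmt realignment of existing fields, and `AWSControlRoomConfig` continues past the hunk.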
@@ -185,6 +186,12 @@ def load(self) -> None:
 for h in trusted_users_raw
 ]

+ # Parse eks_access_entries field
+ if "eks_access_entries" in spec:
+ eks_access_entries_dict = spec.pop("eks_access_entries")
+ if isinstance(eks_access_entries_dict, dict):
+ spec["eks_access_entries"] = ptd.EKSAccessEntriesConfig(**eks_access_entries_dict)
+
 self.cfg = AWSControlRoomConfig(**spec)

 @property
diff --git a/python-pulumi/src/ptd/pulumi_resources/aws_control_room_cluster.py b/python-pulumi/src/ptd/pulumi_resources/aws_control_room_cluster.py
index 8cbcf0e..3c094f3 100644
--- a/python-pulumi/src/ptd/pulumi_resources/aws_control_room_cluster.py
+++ b/python-pulumi/src/ptd/pulumi_resources/aws_control_room_cluster.py
@@ -133,7 +133,11 @@ def _define_eks(self) -> None:
 ami_type="AL2023_x86_64_STANDARD",
 )

- self.eks.with_aws_auth()
+ self.eks.with_aws_auth(
+ use_eks_access_entries=self.control_room.cfg.eks_access_entries.enabled,
+ additional_access_entries=self.control_room.cfg.eks_access_entries.additional_entries,
+ include_poweruser=self.control_room.cfg.eks_access_entries.include_same_account_poweruser,
+ )

 self.eks.with_gp3()

From 74755d33a3f0b6fe7062935b6b57a9d81244c5b5 Mon Sep 17 00:00:00 2001
From: ian-flores
Date: Wed, 28 Jan 2026 09:25:00 -0800
Subject: [PATCH 2/2] fix(lib): fix flaky TestGenerateRandomString test

The randomness check for length=1 strings had ~1.6% collision probability (1/62 charset), causing intermittent CI failures. Only check randomness for lengths >= 4 where collision is negligible.
---
 lib/helpers/helpers_test.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/helpers/helpers_test.go b/lib/helpers/helpers_test.go
index 23c4833..09a3af1 100644
--- a/lib/helpers/helpers_test.go
+++ b/lib/helpers/helpers_test.go
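Review bot: The new parsing in `load()` pops `eks_access_entries` and then silently discards it when the value is not a dict, so a block that is present but malformed (an empty key loading as None, or a list) falls back to the default `EKSAccessEntriesConfig` and the cluster ends up with a different access model than the operator wrote. Fail loudly instead: `if not isinstance(eks_access_entries_dict, dict): raise TypeError(f"eks_access_entries must be a mapping, got {type(eks_access_entries_dict).__name__}")` and then build the config unconditionally. `ptd.EKSAccessEntriesConfig(**...)` already rejects unknown top-level keys with a TypeError, but nothing checks the shape of the individual `additional_entries` items; a one-line comment saying they are passed through unvalidated would help the next reader. `load()` starts before this hunk.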
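Review bot: `include_poweruser=self.control_room.cfg.eks_access_entries.include_same_account_poweruser` is now passed for every control room, including those whose config has no `eks_access_entries` block and therefore receives the dataclass default; unless that default equals the default the bare `with_aws_auth()` call used before this change, existing clusters gain or lose the power-user mapping on the next apply, which is a silent change to who can administer the cluster. Neither default is visible here, so please confirm they match and record it at the call site, e.g. `# EKSAccessEntriesConfig defaults must mirror with_aws_auth()'s defaults so pre-existing control rooms keep their current aws-auth mapping.` It is also worth documenting whether `include_poweruser` has any effect when `use_eks_access_entries` is False. `_define_eks` begins before the hunk.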
@@ -91,9 +91,10 @@ func TestGenerateRandomString(t *testing.T) {
 assert.Equal(t, tt.length, len(result))

 // Generate another string of same length and verify they're different
- // This is a probabilistic test, but the chance of two random strings being
- // identical is extremely low for any reasonable length
- if tt.length > 0 {
+ // Only check randomness for lengths >= 4 where collision probability
+ // is negligible (1/62^4 ≈ 0.00007%). For shorter lengths, the collision
+ // probability is too high for a reliable test (1/62 ≈ 1.6% for length 1).
+ if tt.length >= 4 {
 anotherResult := GenerateRandomString(tt.length)
 assert.NotEqual(t, result, anotherResult, "Generated strings should be random")
 }
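Review bot: The new comment's arithmetic is off by an order of magnitude: 62^4 is 14,776,336, so the collision probability for length 4 is about 6.8e-8, i.e. 0.0000068%, not 0.00007% (the 1.6% figure for length 1 is correct); the line should read `// is negligible (1/62^4 ≈ 0.0000068%). For shorter lengths, the collision`. Skipping lengths 1–3 entirely also drops the only randomness check for the shortest inputs, and a check that is just as stable exists: draw a batch of samples and assert that more than one distinct value appears (32 draws of length 1 all colliding has probability 62^-31). `TestGenerateRandomString` and its table loop start before the hunk, and the 62-character alphabet is taken from the commit message rather than visible code.
```go
if tt.length >= 4 {
	// … unchanged: single-pair NotEqual check …
} else if tt.length > 0 {
	// A single pair collides too often for short strings (1/62 for length 1),
	// but 32 draws all equal has probability 62^-31, so distinctness is safe.
	seen := map[string]struct{}{result: {}}
	for i := 0; i < 32; i++ {
		seen[GenerateRandomString(tt.length)] = struct{}{}
	}
	assert.True(t, len(seen) > 1, "Generated strings should be random")
}
```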