aws-eks: can't update EndpointAccess.PUBLIC_AND_PRIVATE.only_from with multiple CIDRs #33176

Closed
1 task
wvidana opened this issue Jan 27, 2025 · 2 comments
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


wvidana commented Jan 27, 2025

Describe the bug

When having a cluster with EndpointAccess.PUBLIC_AND_PRIVATE, using the method only_from with multiple CIDRs makes the deployment fail (and puts the stack into the UPDATE_ROLLBACK_FAILED state).

The exact error is:

MyCluster |  1/92 | 5:04:43 PM | UPDATE_FAILED        | Custom::AWSCDK-EKS-Cluster            | MyCluster-MyEnv/Resource/Resource/Default (MyClusterMyEnvAE1A0674) Received response status [FAILED] from custom resource. Message returned: The following CIDRs are invalid in publicAccessCidrs: [1.2.3.4/32,5.6.7.8/32,12.34.56.78/32,21.43.65.87/32,54.12.34.56/32,54.21.43.65/32]

Logs: /aws/lambda/MyCluster-awscdkawseksCl-OnEventHandler42BEBAE0-lTfEIlcUc8As

    at de_InvalidParameterExceptionRes (/var/runtime/node_modules/@aws-sdk/client-eks/dist-cjs/index.js:2594:21)
    at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-eks/dist-cjs/index.js:2492:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/core/dist-cjs/index.js:165:18
    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22
    at async tB.onUpdate (/var/task/index.js:63:13143) (RequestId: ffbca063-012d-4883-8431-da3cccf08068)

I believe the problem is that CDK enforces the CIDR input to be a string, which doesn't even accept a comma-separated list. The cluster does accept multiple CIDR blocks when updating manually/via the CLI, but using the only_from method from CDK only allows a single CIDR block. More importantly, the code itself overrides that property in the underlying stack, so once you put it into CDK code, you can't have multiple blocks.

    public onlyFrom(...cidr: string[]) {
      if (!this._config.privateAccess) {
        // when private access is disabled, we can't restrict public
        // access since it will render the kubectl provider unusable.
        throw new Error('Cannot restric public access to endpoint when private access is disabled. Use PUBLIC_AND_PRIVATE.onlyFrom() instead.');
      }
      return new EndpointAccess({
        ...this._config,
        // override CIDR
        publicCidrs: cidr,
      });
    }
  }

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The method should accept multiple CIDR blocks (through an array/list or a comma-separated list)

Current Behavior

CDK errors out doing CIDR validation over a comma-separated list

Reproduction Steps

Create an EKS cluster with EndpointAccess.PUBLIC_AND_PRIVATE. Try to have more than one CIDR block as the allowed restricted list of public endpoints. This can be done through the AWS console, the AWS CLI, a library like boto3, or the CFN resource. But the method provided by CDK makes it impossible to have multiple CIDR blocks for this property.

Possible Solution

Allow having a list of strings as the input argument for EndpointAccess.PUBLIC_AND_PRIVATE.only_from, or add some code to handle a comma-separated list

Additional Information/Context

No response

CDK CLI Version

2.173.2

Framework Version

No response

Node.js Version

22.11

OS

alpine:3.21

Language

Python

Language Version

Python (3.12.8)

Other information

No response

@wvidana wvidana added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 27, 2025
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Jan 27, 2025

wvidana commented Jan 27, 2025

nvm, no need for a list of strings, the method accepts multiple arguments in Python

@wvidana wvidana closed this as completed Jan 27, 2025
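The resolution above is that the Python binding is variadic: the blocks go in as separate arguments (only_from("1.2.3.4/32", "5.6.7.8/32")), not as one comma-joined string, which is what the EKS API rejected in the error quoted in the report. The check below is an added example, not code from this issue or from aws-cdk; it normalises the arguments before they reach only_from so that the comma-joined mistake, a malformed block, or a block with host bits set is caught at synth time instead of at deploy time, where the failure leaves the stack in UPDATE_ROLLBACK_FAILED. The function names `public_access_cidrs` and `is_unrestricted` are this example's own, aws-cdk-lib is not imported, and the CDK call is shown only in a comment.

```python
import ipaddress
from typing import Iterable


class CidrArgumentError(ValueError):
    """Raised when the CIDR arguments would be rejected by the EKS API."""


def public_access_cidrs(*cidrs: str) -> list[str]:
    """Normalise the CIDR arguments meant for EndpointAccess...only_from(*cidrs).

    Each argument must be exactly one CIDR block. A single argument that
    contains commas is the mistake from the issue (blocks joined into one
    string where separate arguments were needed), so it is rejected with a
    message that shows the intended call instead of being forwarded to the
    API, where it fails only at deploy time.
    """
    if not cidrs:
        raise CidrArgumentError("at least one CIDR block is required")
    out: list[str] = []
    for raw in cidrs:
        if "," in raw:
            parts = [p.strip() for p in raw.split(",") if p.strip()]
            raise CidrArgumentError(
                f"{raw!r} is a comma-joined string; pass the blocks as separate "
                f"arguments: only_from({', '.join(repr(p) for p in parts)})"
            )
        try:
            # strict=True rejects blocks with host bits set (e.g. 10.1.2.3/24);
            # this example's own conservative policy, so that only network
            # addresses are ever sent to the API.
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            raise CidrArgumentError(f"{raw!r} is not a valid CIDR block: {exc}") from exc
        out.append(str(net))
    return out


def is_unrestricted(cidrs: Iterable[str]) -> bool:
    """True if any block admits every address (0.0.0.0/0 or ::/0).

    EKS defaults publicAccessCidrs to 0.0.0.0/0; a restricted list that still
    contains it restricts nothing, which is worth flagging before deploy.
    """
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


if __name__ == "__main__":
    # Constructed sample blocks (the same shape as the ones in the report).
    allowed = public_access_cidrs("1.2.3.4/32", "5.6.7.8/32", "12.34.56.78/32")
    print("allowed:", allowed, "unrestricted:", is_unrestricted(allowed))
    # In the stack (aws_cdk.aws_eks, not imported here) the list is splatted:
    #   endpoint_access=eks.EndpointAccess.PUBLIC_AND_PRIVATE.only_from(*allowed)
    try:
        public_access_cidrs("1.2.3.4/32,5.6.7.8/32")
    except CidrArgumentError as exc:
        print("rejected:", exc)
```

Run the check in the stack's constructor or in a unit test over the CIDRs you intend to pass; it costs nothing at synth time and turns a rollback failure into an immediate, readable error.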

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 27, 2025