fix(eks-v2-alpha): prevent IAM role creation when node pools are empty

[pahud]

When node pools are disabled (by setting an empty array in nodePools), the IAM role will not be created, preventing deployment failures with the error 'When Compute Config nodeRoleArn is not null or empty, nodePool value(s) must be provided.

Issue # (if applicable)

Fixes #33771

Reason for this change

When using EKS Auto Mode with empty node pools (by setting nodePools: []), the IAM role was still being created by the L2 construct, causing stack deployment failures. The AWS service returns an error stating that when nodeRoleArn is provided, node pool values must also be provided.

Description of changes

Modified the computeConfig section in the CfnCluster resource to check if nodePools is empty before assigning nodeRoleArn. If nodePools is empty, nodeRoleArn will be set to undefined to prevent the unnecessary creation of the IAM role.

The change ensures that when users explicitly disable node pools by providing an empty array, the IAM role won't be created, allowing the cluster to be provisioned successfully.

Added a test case to verify that when node pools are empty:

1. The nodeRoleArn is not included in the CloudFormation template
2. No IAM role resource is created for node pools

Describe any new or updated permissions being added

No new or updated IAM permissions are being added. This change actually prevents the creation of an IAM role when it's not needed.

Description of how you validated changes

Added a new test case in automode.test.ts that verifies:

• The nodeRoleArn property is not included in the CloudFormation template when node pools are empty
• No IAM role resource is created for node pools when they are disabled

The test passes, confirming that our fix works as expected.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ A exemption request has been requested. Please wait for a maintainer's review.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.38%. Comparing base (3d948c4) to head (e69a9bd).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33780   +/-   ##
=======================================
  Coverage   82.38%   82.38%           
=======================================
  Files         120      120           
  Lines        6937     6937           
  Branches     1170     1170           
=======================================
  Hits         5715     5715           
  Misses       1119     1119           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.38% <ø> (ø)

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: e69a9bd
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[pahud]

Exemption Request for snapshots update

[shikha372]

Thanks @pahud for contributing this PR, i verified that this can be disabled through nodePool as an empty array from the doc https://docs.aws.amazon.com/eks/latest/userguide/create-node-pool.html#_cluster_without_built_in_node_pools, but can we add an integration test for this use case where we pass empty nodePool with EKS automode??

[pahud]

Hi @shikha372

I was able to deploy this using npx cdk -a test/integ.eks-auto.js deploy eks-auto-mode-stack2

import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { KubectlV32Layer } from '@aws-cdk/lambda-layer-kubectl-v32';
import * as eks from '../lib';
import { Construct } from 'constructs';
import * as integ from '@aws-cdk/integ-tests-alpha';

export class EksAutoModeCluster extends Stack {
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);

    const vpc = ec2.Vpc.fromLookup(this, 'Vpc', { isDefault: true });
    const mastersRole = new iam.Role(this, 'Role', {
      assumedBy: new iam.AccountRootPrincipal(),
    });

    new eks.Cluster(this, 'hello-eks2', {
      vpc,
      mastersRole,
      version: eks.KubernetesVersion.V1_32,
      kubectlProviderOptions: {
        kubectlLayer: new KubectlV32Layer(this, 'kubectl'),
      },
      defaultCapacityType: eks.DefaultCapacityType.AUTOMODE,
      compute: {
        nodePools: [],
      },
    });
  }
}

const app = new App();

const env = {
  account: process.env.CDK_DEFAULT_ACCOUNT,
  region: process.env.CDK_DEFAULT_REGION,
};

const stack = new EksAutoModeCluster(app, 'eks-auto-mode-stack2', { env });

new integ.IntegTest(app, 'aws-cdk-eks-cluster-integ', {
  testCases: [stack],
});

Do we still want to add a new integ test just for this as adding a new integ test for eks cluster would create additional time when we re-run all integ tests for EKS but I am pretty sure it deploys.