aws-eks: EKS Auto Mode - IAM role should not be created when default node pools are disabled

[daniel-rhoades]

Describe the bug

When provisioning an EKS cluster in Auto Mode using the L2 construct within the aws_eks_v2_alpha library, if the default node pools are disabled the corresponding IAM Role for the nodes (nodeRole) should also not be created. Currently, the node role will created regardless and this cause a stack deployment failure as the request is essentially invalid.

For context. Within our environment, we use separate subnet groups for the EKS control plane, workers, and ingress components. The rationale for removing the default node pools is because the corresponding auto-generated NodeClass is defaulting to the control plane subnets. Also, we want to ensure nodes are using a specific KMS CMK for EBS encryption. So we plan to create our own customised versions of the 'system' and 'general' pools accordingly.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

When the default node pools have explicitly been disabled, the supporting IAM role (nodeRole) should not be created.

Current Behavior

With the node pool disabled, the IAM role will still attempt to be created by the L2 construct, this will cause a stack deployment failure with the following message:

When Compute Config nodeRoleArn is not null or empty, nodePool value(s) must be provided

Reproduction Steps

Attempt to provision an EKS cluster using the L2 aws_eks_v2_alpha construct and specify an empty node pool within the compute config:

new eks_v2.Cluster(
   ...
   compute=eks_v2.ComputeConfig(nodePools=[])
)

Possible Solution

Add an additional check before creating the node role as to the status of the default node pools, either here:

aws-cdk/packages/@aws-cdk/aws-eks-v2-alpha/lib/cluster.ts

Line 1188 in 4128ff4

nodeRoleArn: !autoModeEnabled ? undefined : props.compute?.nodeRole?.roleArn ?? this.addNodePoolRole(`${id}nodePoolRole`).roleArn,

Or here:

aws-cdk/packages/@aws-cdk/aws-eks-v2-alpha/lib/cluster.ts

Lines 1609 to 1620 in 4128ff4

	private addNodePoolRole(id: string): iam.Role {
	const role = new iam.Role(this, id, {
	assumedBy: new iam.ServicePrincipal('ec2.amazonaws.com'),
	// to be able to access the AWSLoadBalancerController
	managedPolicies: [
	// see https://docs.aws.amazon.com/eks/latest/userguide/automode-get-started-cli.html#auto-mode-create-roles
	iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSWorkerNodePolicy'),
	iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEC2ContainerRegistryReadOnly'),
	],
	});
	return role;

Additional Information/Context

Workaround

Use a CDK escape hatch to remove the node role reference within the cluster properties:

cluster.node.defaultChild.addDeletionOverride('Properties.ComputeConfig.NodeRoleArn')

This will allow the cluster to be provisioned successfully without any default node groups or the corresponding IAM role.

CDK CLI Version

2.1002.0 (build 09ef5a0)

Framework Version

No response

Node.js Version

v22.14.0

OS

MacOS

Language

Python

Language Version

3.11.11

Other information

No response

[pahud]

Thank you for reporting this issue. This is indeed a valid bug in the AWS CDK EKS v2 alpha construct.

Analysis:
When creating an EKS cluster with Auto Mode and explicitly disabling default node pools (nodePools: []), the construct is incorrectly creating an IAM role even though no node pools exist. This causes deployment failure since EKS requires node pools when a nodeRoleArn is provided.

Current vs Expected Behavior:

graph TB
    A[Create EKS Cluster] --> B{Auto Mode Enabled?}
    B -->|Yes| C{Check nodePools}
    
    C -->|"nodePools: []"| E["Current: Creates Role<br/>Expected: Skip Role"]
    C -->|"nodePools: ['system']"| F["Create Role<br/>as Expected"]
    
    E -->|Current| G["Deployment Fails"]
    E -->|After Fix| H["Deployment Succeeds"]

Loading

Solution Plan:

1. Modify the CfnCluster configuration to only create/assign node role when node pools exist
2. Add validation to prevent role assignment when no pools exist
3. Add test coverage for empty node pools scenario

This fix will ensure that:

• No IAM role is created when node pools are disabled
• Clear validation errors are shown for invalid configurations
• Existing functionality remains unchanged for valid configurations

In the meantime, your workaround using the CDK escape hatch is correct:

cluster.node.defaultChild.addDeletionOverride('Properties.ComputeConfig.NodeRoleArn')

We'll implement this fix in an upcoming PR. Thank you for helping improve AWS CDK!

[pahud]

Here's the proposed implementation plan:

Code Changes

// In cluster.ts

// 1. Modify CfnCluster configuration
const resource = this._clusterResource = new CfnCluster(this, 'Resource', {
  // ...
  computeConfig: {
    enabled: autoModeEnabled,
    // Only create/assign role if we have node pools
    nodeRoleArn: !autoModeEnabled ? undefined : (
      (props.compute?.nodePools && props.compute.nodePools.length > 0)
        ? (props.compute?.nodeRole?.roleArn ?? this.addNodePoolRole(`${id}nodePoolRole`).roleArn)
        : undefined
    ),
    nodePools: !autoModeEnabled ? undefined : props.compute?.nodePools ?? ['system', 'general-purpose'],
  },
  // ...
});

// 2. Add explicit validation
private isValidAutoModeConfig(props: ClusterProps): boolean {
  const autoModeEnabled = props.defaultCapacityType === undefined || 
    props.defaultCapacityType == DefaultCapacityType.AUTOMODE;
    
  if (autoModeEnabled) {
    // Add validation for node role without pools
    if (props.compute?.nodeRole && (!props.compute.nodePools || props.compute.nodePools.length === 0)) {
      throw new Error('Cannot specify nodeRole when nodePools is empty or undefined');
    }

    // Existing validations...
  }
  return autoModeEnabled;
}

Test Coverage

// In test/automode.test.ts

describe('EKS Auto Mode Node Pools', () => {
  test('empty nodePools should not create node role', () => {
    // GIVEN
    const { stack } = testFixture();

    // WHEN
    new eks.Cluster(stack, 'Cluster', {
      version: eks.KubernetesVersion.V1_32,
      defaultCapacityType: eks.DefaultCapacityType.AUTOMODE,
      compute: {
        nodePools: [],  // Empty node pools
      },
    });

    // THEN
    Template.fromStack(stack).hasResourceProperties('AWS::EKS::Cluster', {
      ComputeConfig: {
        Enabled: true,
        NodePools: [],
        NodeRoleArn: ABSENT,  // Verify no role is created
      },
    });
  });

  test('should throw error when nodeRole provided with empty nodePools', () => {
    // GIVEN
    const { stack } = testFixture();
    const role = new iam.Role(stack, 'TestRole', {
      assumedBy: new iam.ServicePrincipal('eks.amazonaws.com'),
    });

    // WHEN / THEN
    expect(() => {
      new eks.Cluster(stack, 'Cluster', {
        version: eks.KubernetesVersion.V1_32,
        defaultCapacityType: eks.DefaultCapacityType.AUTOMODE,
        compute: {
          nodePools: [],        // Empty node pools
          nodeRole: role,       // But role provided
        },
      });
    }).toThrow(/Cannot specify nodeRole when nodePools is empty/);
  });

  test('regular node pools should create role as expected', () => {
    // GIVEN
    const { stack } = testFixture();

    // WHEN
    new eks.Cluster(stack, 'Cluster', {
      version: eks.KubernetesVersion.V1_32,
      defaultCapacityType: eks.DefaultCapacityType.AUTOMODE,
      compute: {
        nodePools: ['system'],
      },
    });

    // THEN
    Template.fromStack(stack).hasResourceProperties('AWS::EKS::Cluster', {
      ComputeConfig: {
        Enabled: true,
        NodePools: ['system'],
        NodeRoleArn: {
          'Fn::GetAtt': [
            Match.stringLikeRegexp('ClusterNodePoolRole.*'),
            'Arn',
          ],
        },
      },
    });
  });
});

This implementation:

1. Ensures no role is created for empty node pools
2. Adds validation to prevent role assignment without pools
3. Maintains existing functionality for valid configurations
4. Provides comprehensive test coverage for all scenarios

PR WIP