fix(eks): fargateCluster compatibility with AuthenticationMode.API

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.fargate-cluster.ts

@@ -1,30 +1,53 @@
 /// !cdk-integ pragma:disable-update-workflow
-import { App, Stack } from 'aws-cdk-lib';
-import * as integ from '@aws-cdk/integ-tests-alpha';
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+// import * as integ from '@aws-cdk/integ-tests-alpha';
 import { getClusterVersionConfig } from './integ-tests-kubernetes-version';
 import * as eks from 'aws-cdk-lib/aws-eks';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from 'aws-cdk-lib/cx-api';
 
+interface EksFargateClusterStackProps extends StackProps {
+  authMode?: eks.AuthenticationMode;
+  vpc?: ec2.IVpc;
+}
 class EksFargateClusterStack extends Stack {
-
-  constructor(scope: App, id: string) {
-    super(scope, id);
+  public readonly vpc: ec2.IVpc;
+  constructor(scope: App, id: string, props?: EksFargateClusterStackProps) {
+    super(scope, id, props);
 
     this.node.setContext(EC2_RESTRICT_DEFAULT_SECURITY_GROUP, false);
+    this.vpc = props?.vpc ?? this.createDummyVpc();
     new eks.FargateCluster(this, 'FargateCluster', {
       ...getClusterVersionConfig(this),
       prune: false,
+      authenticationMode: props?.authMode,
+      vpc: this.vpc,
     });
   }
+  private createDummyVpc(): ec2.IVpc {
+    return new ec2.Vpc(this, 'DummyVpc', { maxAzs: 2, natGateways: 1, restrictDefaultSecurityGroup: false });
+  }
 }
 
 const app = new App();
 
-const stack = new EksFargateClusterStack(app, 'aws-cdk-eks-fargate-cluster-test');
-new integ.IntegTest(app, 'aws-cdk-eks-fargate-cluster', {
-  testCases: [stack],
-  // Test includes assets that are updated weekly. If not disabled, the upgrade PR will fail.
-  diffAssets: false,
+// create fargate cluster with undefined auth mode
+const stack1 = new EksFargateClusterStack(app, 'aws-cdk-eks-fargate-cluster-test', {
+  authMode: eks.AuthenticationMode.API,
 });
 
-app.synth();
+Array.isArray(stack1);
+
+// // create the 2nd fargate cluster in the same vpc, but with api auth mode
+// const stack2 = new EksFargateClusterStack(app, 'aws-cdk-eks-fargate-cluster-test2', {
+//   authMode: eks.AuthenticationMode.API,
+//   vpc: stack1.vpc,
+// });
+
+// new integ.IntegTest(app, 'aws-cdk-eks-fargate-cluster', {
+//   testCases: [stack1, stack2],
+//   // Test includes assets that are updated weekly. If not disabled, the upgrade PR will fail.
+//   diffAssets: false,
+// });
+
+// app.synth();

packages/aws-cdk-lib/aws-eks/lib/fargate-profile.ts

@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { Cluster } from './cluster';
+import { Cluster, AuthenticationMode } from './cluster';
 import { FARGATE_PROFILE_RESOURCE_TYPE } from './cluster-resource-handler/consts';
 import { ClusterResourceProvider } from './cluster-resource-provider';
 import * as ec2 from '../../aws-ec2';
@@ -201,15 +201,18 @@ export class FargateProfile extends Construct implements ITaggable {
       resource.node.addDependency(previousProfile);
     }
 
-    // map the fargate pod execution role to the relevant groups in rbac
-    // see https://github.com/aws/aws-cdk/issues/7981
-    props.cluster.awsAuth.addRoleMapping(this.podExecutionRole, {
-      username: 'system:node:{{SessionName}}',
-      groups: [
-        'system:bootstrappers',
-        'system:nodes',
-        'system:node-proxier',
-      ],
-    });
+    const supportConfigMap = props.cluster.authenticationMode !== AuthenticationMode.API ? true : false;
+    if (supportConfigMap) {
+      // map the fargate pod execution role to the relevant groups in rbac
+      // see https://github.com/aws/aws-cdk/issues/7981
+      props.cluster.awsAuth.addRoleMapping(this.podExecutionRole, {
+        username: 'system:node:{{SessionName}}',
+        groups: [
+          'system:bootstrappers',
+          'system:nodes',
+          'system:node-proxier',
+        ],
+      });
+    }
   }
 }