fix(eks-v2-alpha): ensure kubectl provider access entry is depended upon by downstream resources

[Abogical]

Note: Copied from #34898 with updated snapshots, credit to @msessa.

Closes #34897

Reason for this change

The AccessEntry for kubectl provider should be included as a dependency of the kubectl ready barrier.

Description of changes

Add the kubectl AccessEntry to the explicit dependencies for the ready barrier resource

Description of how you validated changes

• Updated unit test
• Updated integration tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	384 ran	384 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	384 ran	376 passed		8 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-al2023-nodegroup.js.snapshot/aws-cdk-eks-cluster-al2023-nodegroup-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-auto.js.snapshot/eks-auto-mode-empty-nodepools-stack.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-auto.js.snapshot/eks-auto-mode-stack.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-cluster-imported.js.snapshot/aws-cdk-eks-import-cluster-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-cluster-private-endpoint.js.snapshot/aws-cdk-eks-cluster-private-endpoint-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-cluster.js.snapshot/aws-cdk-eks-cluster.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-helm-asset.js.snapshot/aws-cdk-eks-helm-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk/aws-eks-v2-alpha/test/integ.eks-windows-ng.js.snapshot/aws-cdk-eks-cluster-windows-ng-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure

• View Security Guardian Results with resolved templates

[Abogical]

Snapshots successfully deployed locally.

[kumvprat]

Couple of high level comments :

• Can we look into why the linter says snapshot updates are required, even though the snapshots have literally changed ? (add the exemption requested label with some clarification around why we are not changing the integ tests itself but only the snapshots)
• Can we look into security guardian failures ? It looks like errors like these are the reason : Check was not compliant as property [Condition] is missing. Value traversed to [Path=/Resources/AdminRole38563C57/Properties/AssumeRolePolicyDocument/Statement/0[L:8,C:12] Value={"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"}}]. If this indeed an exception we can suppress this rule for eks v2 tests and if not we need to investigate as to the reason behind security guardian alerts.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[Abogical]

• Added linter exemption to add integration test. The linter checks if a change is made to the integ test script itself, not the snapshots.
• Security guardian errors relevant to EKS v2 alpha seem to be false positives. The root role is added as a dependency, not as a resource that will be assumed.

[kumvprat]

#36734 (comment)

Added linter exemption to add integration test. The linter checks if a change is made to the integ test script itself, not the snapshots.

Agreed, can we have a comment explaining why we are witnessing snapshot changes even though we didn't change any integration tests ? (a one-liner like : changed/added a critical dependency in core eks setup which leads to all integration test use case snapshot changes)

Security guardian errors relevant to EKS v2 alpha seem to be false positives. The root role is added as a dependency, not as a resource that will be assumed.

Can you expand on this a bit ? Looks like the errors below are allowing :root access to assume an AdminRole. So in effect we are assuming a role is it not ?

Check was not compliant as property [Condition] is missing. Value traversed to [Path=/Resources/AdminRole38563C57/Properties/AssumeRolePolicyDocument/Statement/0[L:8,C:12] Value={"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:root"}}].

[Abogical]

• Snapshot changes are expected as CFN schemas now note the dependency of the kubectl provider.
• It seems these errors are coming from integ tests previously like this: https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-eks-v2-alpha/test/integ.eks-helm-asset.ts#L20, whether or not this should be fixed is outside of the scope the PR.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

✅ The pull request has been merged at 19947cb

This pull request spent 5 hours 13 minutes 18 seconds in the queue, including 31 minutes 30 seconds running CI.
The checks were run in-place.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • fix(eks-v2-alpha): ensure kubectl provider access entry is depended upon by downstream resources #36734
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • fix(eks-v2-alpha): ensure kubectl provider access entry is depended upon by downstream resources #36734
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.