feat(eks): add removal policy support for EKS cluster construct

[aemada-aws]

Issue # (if applicable)

Closes #25544

Reason for this change

Added the removalPolicy prop to the EKS cluster. This will apply the removal policy to all resources created by the cluster including node groups, roles, vpc and security groups. This also includes the custom resource that created the construct. Currently this is possible with RemovalPolicies.of(cluster).apply but this is not a user friendly API, this PR just abstracts that with a removalPolicy prop which is the expected behavior when using L2s.

Description of changes

Added removalPolicy property to the ClusterProps interface in the EKS library that allows users to specify a removal policy for all CloudFormation resources created by the EKS cluster construct.

• Added readonly removalPolicy?: RemovalPolicy to ClusterProps interface
• Added integration test integ.eks-cluster-retain.ts to verify removal policy functionality with RemovalPolicy.DESTROY. If it deploys with destroy, it will also deploy with retain. The reason we don't write a specific retain integ test is that it will orphan resources in the account for anyone who deploys the integ test.

The removal policy affects the EKS cluster itself, associated IAM roles, node groups, security groups, VPC resources, and any other CloudFormation resources managed by this construct.

Describe any new or updated permissions being added

No new IAM permissions are required for this change.

Description of how you validated changes

• Added integration test integ.eks-cluster-retain.ts that creates an EKS cluster with RemovalPolicy.RETAIN
• The test verifies that all resources can be deployed successfully with the removal policy applied, and the snapshot validates we added the policy to all resources.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[kumsmrit]

Shouldn't the default value be RETAIN here?

[aemada-aws]

The default is delete in CFN, i can update that.

[kumsmrit]

removal policy applied to all CloudFormation resources created by this construct

Is this intended? When removalPolicy is set to DESTROY, it could affect shared resources like VPC, security groups, etc. that might be getting used elsewhere?

[aemada-aws]

It should not affect the VPC passed by the user (if any), only if the construct created its own default vpc. I will add a unit test to verify that. RemovalPolicies.of(this).apply affects resources created under the construct, not the ones passed to it.

[kumsmrit]

RemovalPolicies.of(this).apply affects resources created under the construct

But can these resources created by the construct be shared or referenced by other resources outside this construct?
For example, if this construct creates security groups or IAM roles that are later referenced by other services, applying DESTROY removal policy on such resources could cause issues.

[aemada-aws]

It is not expected that customers reuse the default resources created the construct on another service, instead they should have provided a role to the construct. Anyway the default is delete, and this is a known default by CFN. If they pass RETAIN, and the role/vpc are retained then it is also expected because the cluster cannot function without them. If a resource is referenced somewhere else in the stack, you cannot even delete it because that will fail the deployment and in CDK the typechecking/synth would also fail.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aemada-aws]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/integration-test-deployment.yml without workflows permission

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.