disassociate secondary CIDR after subnets are deleted

cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go

@@ -402,6 +402,8 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 			Effect: iamv1.EffectAllow,
 		}, {
 			Action: iamv1.Actions{
+				"ec2:AssociateVpcCidrBlock",
+				"ec2:DisassociateVpcCidrBlock",
 				"eks:ListAddons",
 				"eks:CreateAddon",
 				"eks:DescribeAddonVersions",

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/customsuffix.yaml

@@ -324,6 +324,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/default.yaml

@@ -324,6 +324,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_all_secret_backends.yaml

@@ -337,6 +337,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_bootstrap_user.yaml

@@ -331,6 +331,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_custom_bootstrap_user.yaml

@@ -331,6 +331,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_different_instance_profiles.yaml

@@ -324,6 +324,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_console.yaml

@@ -324,6 +324,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_default_roles.yaml

@@ -324,6 +324,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_eks_kms_prefix.yaml

@@ -324,6 +324,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_extra_statements.yaml

@@ -331,6 +331,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_s3_bucket.yaml

@@ -333,6 +333,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

cmd/clusterawsadm/cloudformation/bootstrap/fixtures/with_ssm_secret_backend.yaml

@@ -324,6 +324,8 @@ Resources:
           - arn:*:eks:*:*:cluster/*
           - arn:*:eks:*:*:nodegroup/*/*/*
         - Action:
+          - ec2:AssociateVpcCidrBlock
+          - ec2:DisassociateVpcCidrBlock
           - eks:ListAddons
           - eks:CreateAddon
           - eks:DescribeAddonVersions

pkg/cloud/services/network/network.go

@@ -91,13 +91,6 @@ func (s *Service) DeleteNetwork() (err error) {
 
 	vpc.DeepCopyInto(s.scope.VPC())
 
-	// Secondary CIDR
-	conditions.MarkFalse(s.scope.InfraCluster(), infrav1.SecondaryCidrsReadyCondition, clusterv1.DeletingReason, clusterv1.ConditionSeverityInfo, "")
-	if err := s.disassociateSecondaryCidr(); err != nil {
-		conditions.MarkFalse(s.scope.InfraCluster(), infrav1.SecondaryCidrsReadyCondition, "DisassociateFailed", clusterv1.ConditionSeverityWarning, err.Error())
-		return err
-	}
-
 	// Routing tables.
 	conditions.MarkFalse(s.scope.InfraCluster(), infrav1.RouteTablesReadyCondition, clusterv1.DeletingReason, clusterv1.ConditionSeverityInfo, "")
 	if err := s.scope.PatchObject(); err != nil {
@@ -151,6 +144,13 @@ func (s *Service) DeleteNetwork() (err error) {
 	}
 	conditions.MarkFalse(s.scope.InfraCluster(), infrav1.SubnetsReadyCondition, clusterv1.DeletedReason, clusterv1.ConditionSeverityInfo, "")
 
+	// Secondary CIDR.
+	conditions.MarkFalse(s.scope.InfraCluster(), infrav1.SecondaryCidrsReadyCondition, clusterv1.DeletingReason, clusterv1.ConditionSeverityInfo, "")
+	if err := s.disassociateSecondaryCidr(); err != nil {
+		conditions.MarkFalse(s.scope.InfraCluster(), infrav1.SecondaryCidrsReadyCondition, "DisassociateFailed", clusterv1.ConditionSeverityWarning, err.Error())
+		return err
+	}
+
 	// VPC.
 	conditions.MarkFalse(s.scope.InfraCluster(), infrav1.VpcReadyCondition, clusterv1.DeletingReason, clusterv1.ConditionSeverityInfo, "")
 	if err := s.scope.PatchObject(); err != nil {

test/e2e/data/eks/cluster-template-eks-control-plane-only-withaddon.yaml

@@ -34,3 +34,4 @@ spec:
   identityRef:
     kind: AWSClusterStaticIdentity
     name: e2e-account
+  secondaryCidrBlock: 100.64.0.0/16