feat: add Fargate profile support for beta endpoint

Author: HusainZafar

pkg/cfn/builder/beta.go

@@ -251,3 +251,17 @@ func addBetaAccessEntry(stackName string, accessEntryType string) *gfn.CustomRes
 	customResource.Properties["Type"] = gfnt.NewString(accessEntryType)
 	return customResource
 }
+
+func createBetaFargateAssumeRolePolicy(sourceArnCondition cft.MapOfInterfaces) interface{} {
+	statements := []cft.MapOfInterfaces{
+		{
+			"Effect": "Allow",
+			"Principal": cft.MapOfInterfaces{
+				"Service": "eks-fargate-pods.aws.internal",
+			},
+			"Action":    "sts:AssumeRole",
+			"Condition": sourceArnCondition,
+		},
+	}
+	return cft.MakePolicyDocument(statements...)
+}

pkg/cfn/builder/fargate.go

@@ -84,11 +84,19 @@ func addResourcesForFargate(rs *resourceSet, cfg *api.ClusterConfig) error {
 		return fmt.Errorf("restricting access based on SourceArn: %w", err)
 	}
 
-	role := &gfniam.Role{
-		AssumeRolePolicyDocument: cft.MakeAssumeRolePolicyDocumentForServicesWithConditions(
+	var assumeRolePolicyDocument interface{}
+	if cfg.IsCustomEksEndpoint() {
+		// Use beta assume role policy for beta stacks with Fargate-specific service principals
+		assumeRolePolicyDocument = createBetaFargateAssumeRolePolicy(sourceArnCondition)
+	} else {
+		assumeRolePolicyDocument = cft.MakeAssumeRolePolicyDocumentForServicesWithConditions(
 			sourceArnCondition,
 			MakeServiceRef("EKSFargatePods"), // Ensure that EKS can schedule pods onto Fargate.
-		),
+		)
+	}
+
+	role := &gfniam.Role{
+		AssumeRolePolicyDocument: assumeRolePolicyDocument,
 		ManagedPolicyArns: gfnt.NewSlice(makePolicyARNs(
 			iamPolicyAmazonEKSFargatePodExecutionRolePolicy,
 		)...),