Add back eks defaultAddonsToRemove property (#5716)

Adding back the patch for `defaultAddonsToRemove` by popular demand.

fixes #5715
re #4755

Author: corymhall

examples/eks-remove-addons/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: eks-remove-addons
+runtime: nodejs
+description: A simple example of using the defaultAddonsToRemove flag

examples/eks-remove-addons/README.md

@@ -0,0 +1,3 @@
+# examples/eks-remove-addons
+
+An example for how you can use the `bootstrapSelfManagedAddons` flag to disable add-ons.

examples/eks-remove-addons/index.ts

@@ -0,0 +1,105 @@
+// Copyright 2016-2018, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as aws from "@pulumi/aws";
+
+const clusterRole = new aws.iam.Role('test-cluster-role', {
+    assumeRolePolicy: {
+        Version: '2012-10-17',
+        Statement: [{
+            Principal: {
+                Service: 'eks.amazonaws.com',
+            },
+            Effect: 'Allow',
+            Action: 'sts:AssumeRole',
+        }]
+    }
+});
+
+new aws.iam.RolePolicyAttachment('attachment', {
+    policyArn: aws.iam.ManagedPolicy.AmazonEKSClusterPolicy,
+    role: clusterRole.name,
+});
+
+const vpc = new aws.ec2.Vpc('test-vpc', {
+    cidrBlock: '10.192.0.0/16'
+});
+
+const azs = aws.getAvailabilityZonesOutput({
+    state: 'available',
+    allAvailabilityZones: false,
+    filters: [
+        {
+            name: 'opt-in-status',
+            values: ['opt-in-not-required'],
+        },
+    ],
+});
+
+const subnet1 = new aws.ec2.Subnet('test-subnet1', {
+    vpcId: vpc.id,
+    cidrBlock: '10.192.20.0/24',
+    availabilityZone: azs.apply(az => az.names[0]),
+    mapPublicIpOnLaunch: false,
+});
+
+const subnet2 = new aws.ec2.Subnet('test-subnet2', {
+    vpcId: vpc.id,
+    availabilityZone: azs.apply(az => az.names[1]),
+    cidrBlock: '10.192.21.0/24',
+    mapPublicIpOnLaunch: false,
+});
+
+const cluster = new aws.eks.Cluster('test-cluster', {
+    roleArn: clusterRole.arn,
+    vpcConfig: {
+        subnetIds: [subnet1.id, subnet2.id],
+    },
+    bootstrapSelfManagedAddons: false,
+});
+
+// TODO: example needs node group
+// const corednsVersion = aws.eks.getAddonVersionOutput({
+//   addonName: "coredns",
+//   kubernetesVersion: cluster.version,
+//   mostRecent: true,
+// });
+//
+// new aws.eks.Addon("coredns", {
+//   clusterName: cluster.name,
+//   addonName: "coredns",
+//   addonVersion: corednsVersion.version,
+//   resolveConflictsOnUpdate: "PRESERVE",
+//   configurationValues: JSON.stringify({
+//     replicaCount: 4,
+//     resources: {
+//       limits: {
+//         cpu: "100m",
+//         memory: "150Mi",
+//       },
+//       requests: {
+//         cpu: "100m",
+//         memory: "150Mi",
+//       },
+//     },
+//   }),
+// });
+
+const cluster2 = new aws.eks.Cluster('test-cluster2', {
+    roleArn: clusterRole.arn,
+    vpcConfig: {
+        subnetIds: [subnet1.id, subnet2.id],
+    },
+    defaultAddonsToRemove: ['vpc-cni', 'kube-proxy'],
+});

examples/eks-remove-addons/package.json

@@ -0,0 +1,15 @@
+{
+    "name": "bucket",
+    "version": "0.0.1",
+    "license": "Apache-2.0",
+    "scripts": {
+        "build": "tsc"
+    },
+    "dependencies": {
+        "@pulumi/aws": "^7.0.0",
+        "@pulumi/pulumi": "^3.0.0"
+    },
+    "devDependencies": {
+        "@types/node": "^8.0.0"
+    }
+}

examples/eks-remove-addons/tsconfig.json

@@ -0,0 +1,18 @@
+{
+    "compilerOptions": {
+        "strict": true,
+        "outDir": "bin",
+        "target": "es2020",
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "sourceMap": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true
+    },
+    "files": [
+        "index.ts"
+    ]
+}

examples/examples_nodejs_test.go

@@ -1346,6 +1346,7 @@ func TestUpstreamWarningsPropagated(t *testing.T) {
 }
 
 func TestAccProviderRoleChaining(t *testing.T) {
+	skipIfShort(t)
 	region := getEnvRegion(t)
 	test := integration.ProgramTestOptions{
 		Dir: filepath.Join(getCwd(t), "provider-role-chaining"),
@@ -1361,6 +1362,22 @@ func TestAccProviderRoleChaining(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
+func TestAccConfigureClusterAddons(t *testing.T) {
+	skipIfShort(t)
+	region := getEnvRegion(t)
+	test := integration.ProgramTestOptions{
+		Dir: filepath.Join(getCwd(t), "eks-remove-addons"),
+		Dependencies: []string{
+			"@pulumi/aws",
+		},
+		Config: map[string]string{
+			"aws:region": region,
+		},
+	}
+	skipRefresh(&test)
+	integration.ProgramTest(t, &test)
+}
+
 // also test the release verification test so it will also fail in CI
 func TestReleaseVerification(t *testing.T) {
 	region := getEnvRegion(t)

patches/0026-aws_eks_cluster-implement-default_addons_to_remove.patch

@@ -0,0 +1,184 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: corymhall <[email protected]>
+Date: Fri, 1 Aug 2025 14:29:38 -0400
+Subject: [PATCH] aws_eks_cluster: implement default_addons_to_remove
+
+add back this feature and set it to deprecated. Users should instead
+set `bootstrapSelfManagedAddons: false` and selectively add the addons
+they want with the `aws.eks.Addon` resource.
+
+diff --git a/internal/service/eks/cluster.go b/internal/service/eks/cluster.go
+index 8a7d28be91..a62c86208f 100644
+--- a/internal/service/eks/cluster.go
++++ b/internal/service/eks/cluster.go
+@@ -168,6 +168,14 @@ func resourceCluster() *schema.Resource {
+ 				Type:     schema.TypeString,
+ 				Computed: true,
+ 			},
++			"default_addons_to_remove": {
++				Type:       schema.TypeList,
++				Deprecated: "Configure bootstrap_self_managed_addons instead. This attribute will be removed in the next major version of the provider",
++				Optional:   true,
++				Elem: &schema.Schema{
++					Type: schema.TypeString,
++				},
++			},
+ 			"enabled_cluster_log_types": {
+ 				Type:     schema.TypeSet,
+ 				Optional: true,
+@@ -600,6 +608,10 @@ func resourceClusterCreate(ctx context.Context, d *schema.ResourceData, meta any
+ 		return sdkdiag.AppendErrorf(diags, "waiting for EKS Cluster (%s) create: %s", d.Id(), err)
+ 	}
+ 
++	if err := removeAddons(d, conn); err != nil {
++		return sdkdiag.AppendErrorf(diags, "removing addons (%s): %s", d.Id(), err)
++	}
++
+ 	return append(diags, resourceClusterRead(ctx, d, meta)...)
+ }
+ 
+diff --git a/internal/service/eks/cluster_addon_removal.go b/internal/service/eks/cluster_addon_removal.go
+new file mode 100644
+index 0000000000..bd53bad5c1
+--- /dev/null
++++ b/internal/service/eks/cluster_addon_removal.go
+@@ -0,0 +1,139 @@
++package eks
++
++import (
++	"context"
++	"fmt"
++	"log"
++	"sync"
++	"time"
++
++	"github.com/aws/aws-sdk-go-v2/aws"
++	"github.com/aws/aws-sdk-go-v2/service/eks"
++	"github.com/aws/aws-sdk-go-v2/service/eks/types"
++
++	"github.com/hashicorp/go-multierror"
++	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/id"
++	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/retry"
++	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
++	"github.com/hashicorp/terraform-provider-aws/internal/errs"
++
++	"github.com/hashicorp/terraform-provider-aws/internal/flex"
++	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
++)
++
++const (
++	addonCreatedTimeout = 20 * time.Minute
++	addonUpdatedTimeout = 20 * time.Minute
++	addonDeletedTimeout = 40 * time.Minute
++)
++
++func removeAddons(d *schema.ResourceData, conn *eks.Client) error {
++	if v, ok := d.GetOk("default_addons_to_remove"); ok && len(v.([]interface{})) > 0 {
++		ctx := context.Background()
++		var wg sync.WaitGroup
++		var removalErrors *multierror.Error
++
++		for _, addon := range flex.ExpandStringList(v.([]interface{})) {
++			if addon == nil {
++				return fmt.Errorf("addonName cannot be dereferenced")
++			}
++			addonName := *addon
++			wg.Add(1)
++
++			go func() {
++				defer wg.Done()
++				removalErrors = multierror.Append(removalErrors, removeAddon(d, conn, addonName, ctx))
++			}()
++		}
++		wg.Wait()
++		return removalErrors.ErrorOrNil()
++	}
++	return nil
++}
++
++func removeAddon(d *schema.ResourceData, conn *eks.Client, addonName string, ctx context.Context) error {
++	log.Printf("[DEBUG] Creating EKS Add-On: %s", addonName)
++	createAddonInput := &eks.CreateAddonInput{
++		AddonName:          aws.String(addonName),
++		ClientRequestToken: aws.String(id.UniqueId()),
++		ClusterName:        aws.String(d.Id()),
++		ResolveConflicts:   types.ResolveConflictsOverwrite,
++	}
++
++	err := retry.RetryContext(ctx, propagationTimeout, func() *retry.RetryError {
++		_, err := conn.CreateAddon(ctx, createAddonInput)
++
++		if errs.IsAErrorMessageContains[*types.InvalidParameterException](err, "CREATE_FAILED") {
++			return retry.RetryableError(err)
++		}
++
++		if errs.IsAErrorMessageContains[*types.InvalidParameterException](err, "does not exist") {
++			return retry.RetryableError(err)
++		}
++
++		if err != nil {
++			return retry.NonRetryableError(err)
++		}
++
++		return nil
++	})
++
++	if tfresource.TimedOut(err) {
++		_, err = conn.CreateAddon(ctx, createAddonInput)
++	}
++
++	if err != nil {
++		return fmt.Errorf("error creating EKS Add-On (%s): %w", addonName, err)
++	}
++
++	_, err = waitAddonCreatedAllowDegraded(ctx, conn, d.Id(), addonName)
++
++	if err != nil {
++		return fmt.Errorf("unexpected EKS Add-On (%s) state returned during creation: %w", addonName, err)
++	}
++	log.Printf("[DEBUG] Created EKS Add-On: %s", addonName)
++
++	deleteAddonInput := &eks.DeleteAddonInput{
++		AddonName:   aws.String(addonName),
++		ClusterName: aws.String(d.Id()),
++	}
++
++	log.Printf("[DEBUG] Deleting EKS Add-On: %s", addonName)
++	_, err = conn.DeleteAddon(ctx, deleteAddonInput)
++
++	if err != nil {
++		return fmt.Errorf("error deleting EKS Add-On (%s): %w", addonName, err)
++	}
++
++	_, err = waitAddonDeleted(ctx, conn, d.Id(), addonName, addonDeletedTimeout)
++
++	if err != nil {
++		return fmt.Errorf("error waiting for EKS Add-On (%s) to delete: %w", addonName, err)
++	}
++	log.Printf("[DEBUG] Deleted EKS Add-On: %s", addonName)
++	return nil
++}
++
++func waitAddonCreatedAllowDegraded(ctx context.Context, conn *eks.Client, clusterName, addonName string) (*types.Addon, error) {
++	// We do not care about the addons actually being created successfully here. We only want them to be adopted by
++	// Terraform to be able to fully remove them afterwards again.
++
++	stateConf := retry.StateChangeConf{
++		Pending: []string{string(types.AddonStatusCreating)},
++		Target:  []string{string(types.AddonStatusActive), string(types.AddonStatusDegraded)},
++		Refresh: statusAddon(ctx, conn, clusterName, addonName),
++		Timeout: addonCreatedTimeout,
++	}
++
++	outputRaw, err := stateConf.WaitForStateContext(ctx)
++
++	if output, ok := outputRaw.(*types.Addon); ok {
++		if status, health := output.Status, output.Health; status == types.AddonStatusCreateFailed && health != nil {
++			tfresource.SetLastError(err, addonIssuesError(health.Issues))
++		}
++
++		return output, err
++	}
++
++	return nil, err
++}

provider/cmd/pulumi-resource-aws/bridge-metadata.json

@@ -12776,6 +12776,9 @@
                             }
                         }
                     },
+                    "default_addons_to_remove": {
+                        "maxItemsOne": false
+                    },
                     "enabled_cluster_log_types": {
                         "maxItemsOne": false
                     },