[aws-eks] After upgrading to CDK 1.22 existing EKS Resource Fail to Upgrade

[rahouskiids]

The Question

After upgrading from CDK 1.19 to version 1.22 we are having problems with K8 resources. There were no changes to the stack code. The only change is upgrading the CDK version. The stack diff shows the following changes -

[~] Custom::AWSCDK-EKS-Cluster il10-build-cluster/Resource/Resource il10buildclusterDE0F0D4A 
 ├─ [+] AssumeRoleArn
 │   └─ {"Fn::GetAtt":["il10buildclusterCreationRole4ABBD58E","Arn"]}
 ├─ [~] Config
 │   └─ [~] .roleArn:
 │       └─ [~] .Fn::GetAtt:
 │           └─ @@ -1,4 +1,4 @@
 │              [ ] [
 │              [-]   "il10buildclusterClusterRole523A084A",
 │              [+]   "il10buildclusterRole11FAFA34",
 │              [ ]   "Arn"
 │              [ ] ]
 ├─ [~] ServiceToken
 │   └─ [~] .Fn::GetAtt:
 │       └─ @@ -1,4 +1,4 @@
 │          [ ] [
 │          [-]   "il10buildclusterResourceHandler67426064",
 │          [-]   "Arn"
 │          [+]   "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454",
 │          [+]   "Outputs.scmvpcv2awscdkawseksClusterResourceProviderframeworkonEvent2EAB98F8Arn"
 │          [ ] ]

The formation fails after with the following error -

 15/46 | 12:31:45 PM | UPDATE_FAILED        | Custom::AWSCDK-EKS-Cluster                  | il10-build-cluster/Resource/Resource/Default (il10buildclusterDE0F0D4A) Modifying service token is not allowed.
	new CustomResource (/tmp/jsii-kernel-QAslnr/node_modules/@aws-cdk/aws-cloudformation/lib/custom-resource.js:56:25)
	\_ new ClusterResource (/tmp/jsii-kernel-QAslnr/node_modules/@aws-cdk/aws-eks/lib/cluster-resource.js:69:26)
	\_ new Cluster (/tmp/jsii-kernel-QAslnr/node_modules/@aws-cdk/aws-eks/lib/cluster.js:73:24)
	\_ /mnt/d/devscm-stack/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7762:49
	\_ Kernel._wrapSandboxCode (/mnt/d/devscm-stack/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8222:20)
	\_ Kernel._create (/mnt/d/devscm-stack/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7762:26)
	\_ Kernel.create (/mnt/d/devscm-stack/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7509:21)
	\_ KernelHost.processRequest (/mnt/d/devscm-stack/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7296:28)
	\_ KernelHost.run (/mnt/d/devscm-stack/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7236:14)
	\_ Immediate._onImmediate (/mnt/d/devscm-stack/.env/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7239:37)

Looking for a solution or even any work around. Thanks!

Environment

• CDK CLI Version: 1.22.0 (build 309ac1b)
• Module Version:
• OS: Ubuntu
• Language: Python

[eladb]

I believe this is because your ECS cluster was created with CDK < 1.20.0. Unfortunately since EKS is an experimental module, we weren't able to offer a migration path to >= 1.20.0 that doesn't require recreating the cluster. See #5544 for instructions on how to migrate manually.