From 4549cdf25de31021e000a5fc1a2b88ba6b7b0cac Mon Sep 17 00:00:00 2001
From: Colin Francis <131073567+colifran@users.noreply.github.com>
Date: Fri, 17 May 2024 10:33:00 -0700
Subject: [PATCH] chore(eks): improve documentation for updating a cluster (#30259)
### Reason for this change
In our EKS documentation, we note that you need to add a temporary policy to the cluster admin role for successful replacement when renaming a cluster. The temporary policy we recommend adding to the cluster admin role is:
```ts
cluster.adminRole.addToPolicy(new iam.PolicyStatement({ actions: [ 'eks:DeleteCluster', ], resources: [ Stack.of(this).formatArn({ service: 'eks', resource: 'cluster', resourceName: 'foo' }), ] }))
```
Changing the cluster name is an update that requires replacement. This will cause the old cluster to be automatically deleted by CloudFormation upon success. Since this policy doesn't have the `eks:DescribeCluster` action, the delete will fail: image
### Description of changes
Added `eks:DescribeCluster` to the actions of the recommended temporary policy.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/aws-cdk-lib/aws-eks/README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-eks/README.md b/packages/aws-cdk-lib/aws-eks/README.md
index 4e03e066dab05..72c39be8ddd91 100644
--- a/packages/aws-cdk-lib/aws-eks/README.md
+++ b/packages/aws-cdk-lib/aws-eks/README.md
@@ -400,7 +400,10 @@ const cluster = new eks.Cluster(this, 'cluster-to-rename', {
 // allow the cluster admin role to delete the cluster 'foo'
 cluster.adminRole.addToPolicy(new iam.PolicyStatement({
- actions: ['eks:DeleteCluster'],
+ actions: [
+ 'eks:DeleteCluster',
+ 'eks:DescribeCluster',
+ ],
 resources: [
 Stack.of(this).formatArn({ service: 'eks', resource: 'cluster', resourceName: 'foo' }),
 ]