feat(eks): add deletionProtection property to Cluster construct

[matoom-nomu]

Issue # (if applicable)

Closes #36460

Reason for this change

AWS EKS supports deletion protection to prevent accidental cluster deletion, as documented in the CloudFormation reference.

Description of changes

• Add deletionProtection optional property to ClusterProps interface
• Update README with usage example

Describe any new or updated permissions being added

None

Description of how you validated changes

Added unit/integ tests.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results	100 ran	99 passed		1 failed

Test	Result
Security Guardian Results
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-deletion-protection.js.snapshot/aws-cdk-eks-cluster-deletion-protection.template.json
iam-no-world-accessible-trust-policy.guard	❌ failure

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	100 ran	97 passed		3 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-deletion-protection.js.snapshot/aws-cdk-eks-cluster-deletion-protection.template.json
codepipeline-cross-account-role-trust-scope.guard	❌ failure
guardhooks-no-root-principals-except-kms-secrets.guard	❌ failure
iam-role-no-broad-principals.guard	❌ failure

• View Security Guardian Results with resolved templates

[badmintoncryer]

Thank you for your contribution!! I've added some comments.

[badmintoncryer]

You can describe test conditions more simply.

Suggested change

	test.each([
	[true, true],
	[false, false],
	])('deletionProtection(%s) should work', (input, expected) => {
	// GIVEN
	const { stack } = testFixture();
	// WHEN
	new eks.Cluster(stack, 'Cluster', {
	version: CLUSTER_VERSION,
	deletionProtection: input,
	kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
	});
	// THEN
	Template.fromStack(stack).hasResourceProperties('Custom::AWSCDK-EKS-Cluster', {
	Config: {
	deletionProtection: expected,
	},
	});
	});
	test.each([
	true, false
	])('deletionProtection(%s) should work', (deletionProtection) => {
	// GIVEN
	const { stack } = testFixture();
	// WHEN
	new eks.Cluster(stack, 'Cluster', {
	version: CLUSTER_VERSION,
	deletionProtection,
	kubectlLayer: new KubectlV31Layer(stack, 'KubectlLayer'),
	});
	// THEN
	Template.fromStack(stack).hasResourceProperties('Custom::AWSCDK-EKS-Cluster', {
	Config: {
	deletionProtection,
	},
	});
	});

[matoom-nomu]

I've simplified the test descriptions as you suggested.

[badmintoncryer]

Is it better to use Match.absent()?

[matoom-nomu]

You're absolutely right, updated it to use Match.absent().

[badmintoncryer]

Because false is the default setting, it may be better to remove this line.

Suggested change

diffAssets: false,

[matoom-nomu]

The integ-test file I referenced was using diffAssets: false,
but as you mentioned it's the default setting, so I removed it.
I'll be more careful about checking default values next time.

[badmintoncryer]

Have you forgotten to push the modification?

[badmintoncryer]

Is this condition needed? I think rollback: true is default setting for cdk deploy.

[matoom-nomu]

same as above

[badmintoncryer]

This line is not needed.

Suggested change

app.synth();

[badmintoncryer]

Could you please describe the default value or behavior that happens if this property is not supplied?

Suggested change

	* @default - none
	// default value
	* @default false
	// default behaviour
	* @default - deletion protection is disabled

[matoom-nomu]

I fixed comment to use
@default - deletion protection is disabled instead of @default - none

[badmintoncryer]

Could you please add @see section?

Suggested change

	*
	*
	* @see https://docs.aws.amazon.com/eks/latest/userguide/deletion-protection.html
	*

[matoom-nomu]

I added it.

[badmintoncryer]

Could you please add the link to the documentation?

https://docs.aws.amazon.com/eks/latest/userguide/deletion-protection.html

[matoom-nomu]

I added it.

[badmintoncryer]

Could you please resolve build error?

aws-cdk-lib: /codebuild/output/src3139386751/src/actions-runner/_work/aws-cdk/aws-cdk/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
aws-cdk-lib:   740:5  error  Trailing spaces not allowed  no-trailing-spaces
aws-cdk-lib:   742:5  error  Trailing spaces not allowed  no-trailing-spaces
aws-cdk-lib: /codebuild/output/src3139386751/src/actions-runner/_work/aws-cdk/aws-cdk/packages/aws-cdk-lib/aws-eks/test/cluster.test.ts
aws-cdk-lib:   3968:16  error  Missing trailing comma  @stylistic/comma-dangle

[matoom-nomu]

@badmintoncryer

Could you please resolve build error?

aws-cdk-lib: /codebuild/output/src3139386751/src/actions-runner/_work/aws-cdk/aws-cdk/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
aws-cdk-lib:   740:5  error  Trailing spaces not allowed  no-trailing-spaces
aws-cdk-lib:   742:5  error  Trailing spaces not allowed  no-trailing-spaces
aws-cdk-lib: /codebuild/output/src3139386751/src/actions-runner/_work/aws-cdk/aws-cdk/packages/aws-cdk-lib/aws-eks/test/cluster.test.ts
aws-cdk-lib:   3968:16  error  Missing trailing comma  @stylistic/comma-dangle

Sorry for being late, I resoleved those linting errors.
Should i resolve security gurdian checks as well ?

[badmintoncryer]

@matoom-nomu Thanks!

Should i resolve security gurdian checks as well ?

It may be not essential. Security guardian CI is introduced experimentally and I think it has no effect to review process.

Could you please address this comment? I'll approve this PR after that.

#36474 (comment)

Have a happy new year!!

[badmintoncryer]

Thanks!

[matoom-nomu]

@matoom-nomu Thanks!
Could you please address this comment? I'll approve this PR after that.

#36474 (comment)

Have a happy new year!!

Thanks for the review, have a happy new year too!

And it seems there is a build error due to the year change....

@aws-cdk/mixins-preview: - [license/notice-file] NOTICE does NOT begin with AWS Cloud Development Kit (AWS CDK),Copyright 2018-2026 Amazon.com, Inc. or its affiliates. All Rights Reserved.,'

aws-cdk/packages/@aws-cdk/mixins-preview/NOTICE

Line 2 in 2845d47

Copyright 2018-2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Shall i make the Issue ticket about this ?

[badmintoncryer]

@matoom-nomu This is annual problem. How about submit PR like this?

#32705