Add migration guide

aemada-aws · aemada-aws · commit a6f46db6f347 · 2026-01-08T00:40:19.000+01:00
diff --git a/packages/@aws-cdk/aws-eks-v2-alpha/README.md b/packages/@aws-cdk/aws-eks-v2-alpha/README.md
@@ -840,6 +840,20 @@ bucket.grantReadWrite(serviceAccount);
 Note that adding service accounts requires running `kubectl` commands against the cluster which requires you to provide `kubectlProviderOptions` in the cluster props to create the `kubectl` provider. See [Kubectl Support](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-eks-v2-alpha-readme.html#kubectl-support)
 
 
+### OpenID Connect (OIDC) Provider
+
+IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce. You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account.
+
+The construct implementation has default values for thumbprints and clientIds props
+that will be compatible with the eks cluster.
+
+```ts
+declare const cluster: eks.Cluster;
+const provider = new eks.OpenIdConnectProviderNative(this, 'OpenIdConnectProvider', {
+  url: cluster.clusterOpenIdConnectIssuerUrl,
+});
+```
+
 #### Migrating from the deprecated eks.OpenIdConnectProvider to eks.OpenIdConnectProviderNative
 
 If your `eks.OpenIdConnectProvider` is created automatically via the `ServiceAccount` construct, follow these steps:
@@ -876,9 +890,9 @@ Resources
 2. Run `cdk deploy` to apply any pending changes. This apply the destroy/orphan changes in the above example.
 
 
-If you are creating the OpenIdConnectProvider manually via `new eks.OpenIdConnectProvider`, follow these steps:
+If you are creating the OpenIdConnectProvider manually via `new eks.OpenIdConnectProvider`, follow these steps to migrate to `eks.OpenIdConnectProviderNative`:
 
-1. Set the `removalPolicy` of the existing `OpenIdConnectProvider` to `RemovalPolicy.RETAIN`.
+1. Set the `removalPolicy` of the existing `eks.OpenIdConnectProvider` to `RETAIN`.
 
 ```ts
 // Step 1: Add retain policy to existing provider
@@ -888,13 +902,13 @@ const existingProvider = new eks.OpenIdConnectProvider(this, 'Provider', {
 });
 ```
 
-1. Deploy with the retain policy to avoid deletion of the underlying resource.
+2. Deploy with the retain policy to avoid deletion of the underlying resource.
 
 ```bash
 cdk deploy
 ```
 
-1. Replace `OpenIdConnectProvider` with `OpenIdConnectProviderNative` in your code.
+3. Replace `OpenIdConnectProvider` with `OpenIdConnectProviderNative` in your code.
 
 ```ts
 // Step 3: Replace with native provider
@@ -903,7 +917,7 @@ const nativeProvider = new eks.OpenIdConnectProviderNative(this, 'Provider', {
 });
 ```
 
-1. Run `cdk diff` and verify the changes are expected. Example of an expected diff:
+4. Run `cdk diff` and verify the changes are expected. Example of an expected diff:
 
 ```bash
 Resources
diff --git a/packages/aws-cdk-lib/aws-eks/README.md b/packages/aws-cdk-lib/aws-eks/README.md
@@ -1459,8 +1459,21 @@ Note that adding service accounts requires running `kubectl` commands against th
 This means you must also pass the `kubectlRoleArn` when importing the cluster.
 See [Using existing Clusters](https://github.com/aws/aws-cdk/tree/main/packages/aws-cdk-lib/aws-eks#using-existing-clusters).
 
+### OpenID Connect (OIDC) Provider
 
-##### Migrating from the deprecated eks.OpenIdConnectProvider to eks.OpenIdConnectProviderNative
+IAM OIDC identity providers are entities in IAM that describe an external identity provider (IdP) service that supports the OpenID Connect (OIDC) standard, such as Google or Salesforce. You use an IAM OIDC identity provider when you want to establish trust between an OIDC-compatible IdP and your AWS account.
+
+The construct implementation has default values for thumbprints and clientIds props
+that will be compatible with the eks cluster.
+
+```ts
+declare const cluster: eks.Cluster;
+const provider = new eks.OpenIdConnectProviderNative(this, 'OpenIdConnectProvider', {
+  url: cluster.clusterOpenIdConnectIssuerUrl,
+});
+```
+
+### Migrating from the deprecated eks.OpenIdConnectProvider to eks.OpenIdConnectProviderNative
 
 If your `eks.OpenIdConnectProvider` is created via the `ServiceAccount` construct, follow these steps:
 
