feat(eks): add OidcProviderNative using L1 and deprecate OpenIdConnectProvider custom resource

[aemada-aws]

Issue # (if applicable)

Reason for this change

EKS V2 use a custom resource for OpenIdConnectProvider. There is already an L1 for OpenIdConnectProvider, which should be used instead of the custom resource. The L1 construct is needed for migrating from v1 to v2 as custom resources are not importable and recreating the OIDC provider results in a conflict.

Description of changes

• Deprecate OpenIdConnectProvider in eks-v2-alpha
• Add migration instructions
• Add OidcProviderNative
• Add integ tests
• Add unit tests
• Add feature flag to use OidcProviderNative inside EKS cluster construct.
• Add removal policy support for OpenIdConnectProvider so users can use it in order to migrate.
• Add token support for OidcProviderNative in aws-iam to prevent trying to validate token values. This was breaking when using it with EKS and should have been there anyway from the beginning.

BREAKING CHANGE: The openIdConnectProviderArn and openIdConnectProviderIssuer properties have been added as required members of the IOidcProvider interface.

This was the least disruptive change required to allow existing EKS constructs to support the OidcProviderNative construct.

This change is non-breaking for consumers of the interface, but breaking for implementors. If you implement iam.IOidcProvider, you must now add these two properties, typically as aliases to the existing oidcProviderArn and oidcProviderIssuer properties.

Describe any new or updated permissions being added

None

Description of how you validated changes

Integ tests deployed

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	240 ran	240 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	240 ran	240 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[kumsmrit]

This thumbprints property is not exposed in the interface IOpenIdConnectProvider which would lead to interface inconsistency.

[aemada-aws]

I switched from duplicating the props in the interface to match the EKS interface to instead adding oidcProviderNative as a different attribute that matches the new interface while leaving the old one.

I don't think molding the new interface to fit the old one is a good idea as it will create confusion as to why we have duplicate props with different namings and a maintenance burden when moving to cdk v3 as the duplicate props are not deprecated and it doesn't make sense to add something now that is instantly deprecated just to fit the interface.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

✅ The pull request has been merged at 622be9b

This pull request spent 8 hours 30 minutes 4 seconds in the queue, including 7 hours 32 minutes 26 seconds running CI.
The checks were run in-place.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(eks): add OidcProviderNative using L1 and deprecate OpenIdConnectProvider custom resource #36589
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(eks): add OidcProviderNative using L1 and deprecate OpenIdConnectProvider custom resource #36589
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[aws-cdk-automation]

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.