fix(eks): Cluster.FromClusterAttributes ignores KubectlLambdaRole (#20373)

This PR will fix #20008.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: cm-iwata

packages/@aws-cdk/aws-eks/lib/cluster.ts

@@ -2054,6 +2054,7 @@ class ImportedCluster extends ClusterBase {
     this.clusterName = props.clusterName;
     this.clusterArn = this.stack.formatArn(clusterArnComponents(props.clusterName));
     this.kubectlRole = props.kubectlRoleArn ? iam.Role.fromRoleArn(this, 'KubectlRole', props.kubectlRoleArn) : undefined;
+    this.kubectlLambdaRole = props.kubectlLambdaRole;
     this.kubectlSecurityGroup = props.kubectlSecurityGroupId ? ec2.SecurityGroup.fromSecurityGroupId(this, 'KubectlSecurityGroup', props.kubectlSecurityGroupId) : undefined;
     this.kubectlEnvironment = props.kubectlEnvironment;
     this.kubectlPrivateSubnets = props.kubectlPrivateSubnetIds ? props.kubectlPrivateSubnetIds.map((subnetid, index) => ec2.Subnet.fromSubnetId(this, `KubectlSubnet${index}`, subnetid)) : undefined;

packages/@aws-cdk/aws-eks/test/cluster.test.ts

@@ -11,6 +11,7 @@ import * as cdk8s from 'cdk8s';
 import * as constructs from 'constructs';
 import * as YAML from 'yaml';
 import * as eks from '../lib';
+import { HelmChart } from '../lib';
 import { KubectlProvider } from '../lib/kubectl-provider';
 import { BottleRocketImage } from '../lib/private/bottlerocket';
 import { testFixture, testFixtureNoVpc } from './util';
@@ -2422,43 +2423,77 @@ describe('cluster', () => {
 
   });
 
-  test('kubectl provider passes iam role environment to kube ctl lambda', () => {
+  describe('kubectl provider passes iam role environment to kube ctl lambda', ()=>{
+    test('new cluster', () => {
 
-    const { stack } = testFixture();
+      const { stack } = testFixture();
 
-    const kubectlRole = new iam.Role(stack, 'KubectlIamRole', {
-      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
-    });
+      const kubectlRole = new iam.Role(stack, 'KubectlIamRole', {
+        assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+      });
 
-    // using _ syntax to silence warning about _cluster not being used, when it is
-    const cluster = new eks.Cluster(stack, 'Cluster1', {
-      version: CLUSTER_VERSION,
-      prune: false,
-      endpointAccess: eks.EndpointAccess.PRIVATE,
-      kubectlLambdaRole: kubectlRole,
-    });
+      // using _ syntax to silence warning about _cluster not being used, when it is
+      const cluster = new eks.Cluster(stack, 'Cluster1', {
+        version: CLUSTER_VERSION,
+        prune: false,
+        endpointAccess: eks.EndpointAccess.PRIVATE,
+        kubectlLambdaRole: kubectlRole,
+      });
 
-    cluster.addManifest('resource', {
-      kind: 'ConfigMap',
-      apiVersion: 'v1',
-      data: {
-        hello: 'world',
-      },
-      metadata: {
-        name: 'config-map',
-      },
-    });
+      cluster.addManifest('resource', {
+        kind: 'ConfigMap',
+        apiVersion: 'v1',
+        data: {
+          hello: 'world',
+        },
+        metadata: {
+          name: 'config-map',
+        },
+      });
+
+      // the kubectl provider is inside a nested stack.
+      const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack;
+      Template.fromStack(nested).hasResourceProperties('AWS::Lambda::Function', {
+        Role: {
+          Ref: 'referencetoStackKubectlIamRole02F8947EArn',
+        },
+      });
 
-    // the kubectl provider is inside a nested stack.
-    const nested = stack.node.tryFindChild('@aws-cdk/aws-eks.KubectlProvider') as cdk.NestedStack;
-    Template.fromStack(nested).hasResourceProperties('AWS::Lambda::Function', {
-      Role: {
-        Ref: 'referencetoStackKubectlIamRole02F8947EArn',
-      },
     });
+    test('imported cluster', ()=> {
 
-  });
+      const clusterName = 'my-cluster';
+      const stack = new cdk.Stack();
+      const kubectlLambdaRole = new iam.Role(stack, 'KubectlLambdaRole', {
+        assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+      });
+      const cluster = eks.Cluster.fromClusterAttributes(stack, 'Imported', {
+        clusterName,
+        kubectlRoleArn: 'arn:aws:iam::1111111:role/iam-role-that-has-masters-access',
+        kubectlLambdaRole: kubectlLambdaRole,
+      });
+
+      const chart = 'hello-world';
+      cluster.addHelmChart('test-chart', {
+        chart,
+      });
 
+      const nested = stack.node.tryFindChild('Imported-KubectlProvider') as cdk.NestedStack;
+      Template.fromStack(nested).hasResourceProperties('AWS::Lambda::Function', {
+        Role: {
+          Ref: 'referencetoKubectlLambdaRole7D084D94Arn',
+        },
+      });
+      Template.fromStack(stack).hasResourceProperties(HelmChart.RESOURCE_TYPE, {
+        ClusterName: clusterName,
+        RoleArn: 'arn:aws:iam::1111111:role/iam-role-that-has-masters-access',
+        Release: 'importedcharttestchartf3acd6e5',
+        Chart: chart,
+        Namespace: 'default',
+        CreateNamespace: true,
+      });
+    });
+  });
   describe('endpoint access', () => {
 
     test('public restricted', () => {