Fix reusing instanceRoleARN for nodegroups authorized with access entry

eksctl-io · Apr 9, 2024 · f4890b9 · f4890b9
1 parent d53aa6c
commit f4890b9
Show file tree

Hide file tree

Showing 27 changed files with 596 additions and 447 deletions.
diff --git a/go.mod b/go.mod
@@ -14,19 +14,19 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.26.1
 	github.com/aws/aws-sdk-go-v2/config v1.27.11
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.11
-	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.4
-	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.48.0
-	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.39.1
-	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.0
+	github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.5
+	github.com/aws/aws-sdk-go-v2/service/cloudformation v1.49.0
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.39.2
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.1
 	github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.36.3
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.156.0
-	github.com/aws/aws-sdk-go-v2/service/eks v1.41.2
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.24.3
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.4
-	github.com/aws/aws-sdk-go-v2/service/iam v1.31.3
+	github.com/aws/aws-sdk-go-v2/service/eks v1.42.1
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.24.4
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.5
+	github.com/aws/aws-sdk-go-v2/service/iam v1.31.4
 	github.com/aws/aws-sdk-go-v2/service/kms v1.27.5
-	github.com/aws/aws-sdk-go-v2/service/outposts v1.37.3
-	github.com/aws/aws-sdk-go-v2/service/ssm v1.49.4
+	github.com/aws/aws-sdk-go-v2/service/outposts v1.37.4
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.49.5
 	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6
 	github.com/aws/smithy-go v1.20.2
 	github.com/benjamintf1/unmarshalledmatchers v1.0.0
@@ -124,7 +124,7 @@ require (
 	github.com/ashanbrown/forbidigo v1.6.0 // indirect
 	github.com/ashanbrown/makezero v1.1.1 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect

diff --git a/go.sum b/go.sum
@@ -718,8 +718,8 @@ github.com/aws/aws-sdk-go v1.51.16/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3Tj
 github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
 github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA=
 github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 h1:gTK2uhtAPtFcdRRJilZPx8uJLL2J85xK11nKtWL0wfU=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1/go.mod h1:sxpLb+nZk7tIfCWChfd+h4QwHNUR57d8hA1cleTkjJo=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
 github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA=
 github.com/aws/aws-sdk-go-v2/config v1.27.11/go.mod h1:SMsV78RIOYdve1vf36z8LmnszlRWkwMQtomCAI0/mIE=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.11 h1:YuIB1dJNf1Re822rriUOTxopaHHvIq0l/pX3fwO+Tzs=
@@ -734,38 +734,38 @@ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3C
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.4 h1:f4pkN5PVSqlGxD2gZvboz6SRaeoykgknflMPBVuhcGs=
-github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.4/go.mod h1:NZBgGUf6LD2KS6Ns5xTK+cR1LK5hZwNkeOt8nDKXzMA=
-github.com/aws/aws-sdk-go-v2/service/cloudformation v1.48.0 h1:uMlYsoHdd2Gr9sDGq2ieUR5jVu7F5AqPYz6UBJmdRhY=
-github.com/aws/aws-sdk-go-v2/service/cloudformation v1.48.0/go.mod h1:G2qcp9xrwch6TH9AlzWoYbV9QScyZhLCoMCQ1+BD404=
-github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.39.1 h1:3gmWxPT3URe8Yswfm0uiyqURRat8P7Gxv9SFSN0KOxY=
-github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.39.1/go.mod h1:d6xG6uOYwvPcLfgAqYVYJziH1kO2xwaNlReUk2jJeyQ=
-github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.0 h1:Tpy3mOh9ladwf9bhlAr38OTnZk/Uh9UuN4UNg3MFB/U=
-github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.0/go.mod h1:bIFyamdY1PRTmifPT7uHCq4+af0SooBn9hmK9UW/hmg=
+github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.5 h1:vhdJymxlWS2qftzLiuCjSswjXBRLGfzo/BEE9LDveBA=
+github.com/aws/aws-sdk-go-v2/service/autoscaling v1.40.5/go.mod h1:ZErgk/bPaaZIpj+lUWGlwI1A0UFhSIscgnCPzTLnb2s=
+github.com/aws/aws-sdk-go-v2/service/cloudformation v1.49.0 h1:XSUAzNAV7kCSWhV8duijMz+FrOdMqbLiRXXWBs6BA9A=
+github.com/aws/aws-sdk-go-v2/service/cloudformation v1.49.0/go.mod h1:/v2KYdCW4BaHKayenaWEXOOdxItIwEA3oU0XzuQY3F0=
+github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.39.2 h1:svl3DNKWpcLOlz+bFzmOxGp8gcbvSZ6m2t44Zzaet9U=
+github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.39.2/go.mod h1:gAJs+mKIoK4JTQD1KMZtHgyBRZ8S6Oy5+qjJzoDAvbE=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.1 h1:suWu59CRsDNhw2YXPpa6drYEetIUUIMUhkzHmucbCf8=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.35.1/go.mod h1:tZiRxrv5yBRgZ9Z4OOOxwscAZRFk5DgYhEcjX1QpvgI=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.36.3 h1:JNWpkjImTP2e308bv7ihfwgOawf640BY/pyZWrBb9rw=
 github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.36.3/go.mod h1:TiLZ2/+WAEyG2PnuAYj/un46UJ7qBf5BWWTAKgaHP8I=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.156.0 h1:TFK9GeUINErClL2+A+GLYhjiChVdaXCgIUiCsS/UQrE=
 github.com/aws/aws-sdk-go-v2/service/ec2 v1.156.0/go.mod h1:xejKuuRDjz6z5OqyeLsz01MlOqqW7CqpAB4PabNvpu8=
-github.com/aws/aws-sdk-go-v2/service/eks v1.41.2 h1:0X5g5H8YyW9QVtlp6j+ZGHl/h0ZS58jiLRXabyiB5uw=
-github.com/aws/aws-sdk-go-v2/service/eks v1.41.2/go.mod h1:T2MBMUUCoSEvHuKPplubyQJbWNghbHhx3ToJpLoipDs=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.24.3 h1:pjgSJEvgJzv+e0frrqspeYdHz2JSW1KAGMXRe1FuQ1M=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.24.3/go.mod h1:dhRVzB/bmggoMEBhYXKZrTE+jqN34O4+webZSjGi12c=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.4 h1:Lq2q/AWzFv5jHVoGJ2Hz1PkxwHYNdGzAB3lbw2g7IEU=
-github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.4/go.mod h1:SNhjWOsnsHSveL4fDQL0sDiAIMVnKrvJTp9Z/MNspx0=
-github.com/aws/aws-sdk-go-v2/service/iam v1.31.3 h1:cJn9Snros9WmDA7/qCCN7jSkowcu1CqnwhFpv4ipHEE=
-github.com/aws/aws-sdk-go-v2/service/iam v1.31.3/go.mod h1:+nAQlxsBxPFf6GrL93lvCuv5PxSTX3GO0RYrURyzl/Q=
+github.com/aws/aws-sdk-go-v2/service/eks v1.42.1 h1:q7MWjPP0uCmUvuGDFCvkbqRkqfH+Bq6di9RTd64S0YM=
+github.com/aws/aws-sdk-go-v2/service/eks v1.42.1/go.mod h1:UhKBrO0Ezz8iIg02a6u4irGKBKh0gTz3fF8LNdD2vDI=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.24.4 h1:V5YvSMQwZklktzYeOOhYdptx7rP650XP3RnxwNu1UEQ=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.24.4/go.mod h1:aYygRYqRxmLGrxRxAisgNarwo4x8bcJG14rh4r57VqE=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.5 h1:/x2u/TOx+n17U+gz98TOw1HKJom0EOqrhL4SjrHr0cQ=
+github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.30.5/go.mod h1:e1McVqsud0JOERidvppLEHnuCdh/X6MRyL5L0LseAUk=
+github.com/aws/aws-sdk-go-v2/service/iam v1.31.4 h1:eVm30ZIDv//r6Aogat9I88b5YX1xASSLcEDqHYRPVl0=
+github.com/aws/aws-sdk-go-v2/service/iam v1.31.4/go.mod h1:aXWImQV0uTW35LM0A/T4wEg6R1/ReXUu4SM6/lUHYK0=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk=
 github.com/aws/aws-sdk-go-v2/service/kms v1.27.5 h1:7lKTr8zJ2nVaVgyII+7hUayTi7xWedMuANiNVXiD2S8=
 github.com/aws/aws-sdk-go-v2/service/kms v1.27.5/go.mod h1:D9FVDkZjkZnnFHymJ3fPVz0zOUlNSd0xcIIVmmrAac8=
-github.com/aws/aws-sdk-go-v2/service/outposts v1.37.3 h1:FJVXeS+dVDBMr7g0vNl7Z5mekQu+JdwbWZmDX1O+C/s=
-github.com/aws/aws-sdk-go-v2/service/outposts v1.37.3/go.mod h1:eL+8XoNJVASkW/kDpjNVpcJMSfxUVotaoouYLekSQzU=
+github.com/aws/aws-sdk-go-v2/service/outposts v1.37.4 h1:nItBrTJbK72LWI3jWtpLC22yLjPrzVL998pp+yRAnQk=
+github.com/aws/aws-sdk-go-v2/service/outposts v1.37.4/go.mod h1:6fqELmjNXUPBviJYhN4QzmMQRtuPAREMRKlhzfBD8j0=
 github.com/aws/aws-sdk-go-v2/service/pricing v1.17.0 h1:RQOMvPwte2H4ZqsiZmrla1crhBWDFnW8bZynkec5cGU=
 github.com/aws/aws-sdk-go-v2/service/pricing v1.17.0/go.mod h1:LJyh9figH3ZpSiVjR5umzbl6V3EpQdZR4Se1ayoUtfI=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.49.4 h1:2f1Gkbe9O15DntphmbdEInn6MGIZ3x2bbv8b0p/4awQ=
-github.com/aws/aws-sdk-go-v2/service/ssm v1.49.4/go.mod h1:BlIdE/k0lwn8xyn8piK02oYjqKsxulo6yPV3BuIWuMI=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.49.5 h1:KBwyHzP2QG8J//hoGuPyHWZ5tgL1BzaoMURUkecpI4g=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.49.5/go.mod h1:Ebk/HZmGhxWKDVxM4+pwbxGjm3RQOQLMjAEosI3ss9Q=
 github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 h1:vN8hEbpRnL7+Hopy9dzmRle1xmDc7o8tmY0klsr175w=
 github.com/aws/aws-sdk-go-v2/service/sso v1.20.5/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 h1:Jux+gDDyi1Lruk+KHF91tK2KCuY61kzoCpvtvJJBtOE=

diff --git a/pkg/actions/nodegroup/create.go b/pkg/actions/nodegroup/create.go
@@ -254,7 +254,13 @@ func (m *Manager) nodeCreationTasks(ctx context.Context, isOwnedCluster, skipEgr
 		Parallel: true,
 	}
 	disableAccessEntryCreation := !m.accessEntry.IsEnabled() || updateAuthConfigMap != nil
-	nodeGroupTasks := m.stackManager.NewUnmanagedNodeGroupTask(ctx, cfg.NodeGroups, !awsNodeUsesIRSA, skipEgressRules, disableAccessEntryCreation, vpcImporter)
+	unmanagedNodeGroupTaskCreator := m.unmanagedNodeGroupTask.NewCreator(m.cfg, m.ctl.AWSProvider, m.stackManager)
+	nodeGroupTasks := unmanagedNodeGroupTaskCreator.Create(ctx, manager.CreateNodeGroupOptions{
+		ForceAddCNIPolicy:          !awsNodeUsesIRSA,
+		SkipEgressRules:            skipEgressRules,
+		DisableAccessEntryCreation: disableAccessEntryCreation,
+		VPCImporter:                vpcImporter,
+	})
 	if nodeGroupTasks.Len() > 0 {
 		allNodeGroupTasks.Append(nodeGroupTasks)
 	}

diff --git a/pkg/actions/nodegroup/create_test.go b/pkg/actions/nodegroup/create_test.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/weaveworks/eksctl/pkg/actions/nodegroup/fakes"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
 	cftypes "github.com/aws/aws-sdk-go-v2/service/cloudformation/types"
@@ -21,7 +23,6 @@ import (
 	core "k8s.io/client-go/testing"
 
 	"github.com/weaveworks/eksctl/pkg/actions/nodegroup"
-	ngfakes "github.com/weaveworks/eksctl/pkg/actions/nodegroup/fakes"
 	api "github.com/weaveworks/eksctl/pkg/apis/eksctl.io/v1alpha5"
 	"github.com/weaveworks/eksctl/pkg/authconfigmap"
 	"github.com/weaveworks/eksctl/pkg/cfn/manager"
@@ -58,22 +59,12 @@ type mockCalls struct {
 type expectedCalls struct {
 	kubeProvider         *eksfakes.FakeKubeProvider
 	nodeGroupFilter      *utilfakes.FakeNodegroupFilter
-	nodeGroupTaskCreator *ngfakes.FakeNodeGroupTaskCreator
 	clientset            *fake.Clientset
-}
-
-//counterfeiter:generate -o fakes/fake_nodegroup_task_creator.go . nodeGroupTaskCreator
-type nodeGroupTaskCreator interface {
-	NewUnmanagedNodeGroupTask(context.Context, []*api.NodeGroup, bool, bool, bool, vpc.Importer) *tasks.TaskTree
+	nodeGroupTaskCreator *fakes.FakeUnmanagedNodeGroupTaskCreator
 }
 
 type stackManagerDelegate struct {
 	manager.StackManager
-	ngTaskCreator nodeGroupTaskCreator
-}
-
-func (s *stackManagerDelegate) NewUnmanagedNodeGroupTask(ctx context.Context, nodeGroups []*api.NodeGroup, forceAddCNIPolicy, skipEgressRules, disableAccessEntryCreation bool, vpcImporter vpc.Importer) *tasks.TaskTree {
-	return s.ngTaskCreator.NewUnmanagedNodeGroupTask(ctx, nodeGroups, forceAddCNIPolicy, skipEgressRules, disableAccessEntryCreation, vpcImporter)
 }
 
 func (s *stackManagerDelegate) NewManagedNodeGroupTask(context.Context, []*api.ManagedNodeGroup, bool, vpc.Importer) *tasks.TaskTree {
@@ -106,20 +97,18 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 	}
 
 	clientset := fake.NewSimpleClientset()
-	m := nodegroup.New(cfg, ctl, clientset, nil)
+	var fakeTask fakes.FakeUnmanagedNodeGroupTask
+	var fakeCreator fakes.FakeUnmanagedNodeGroupTaskCreator
+	fakeCreator.CreateReturns(&tasks.TaskTree{})
+	fakeTask.NewCreatorReturns(&fakeCreator)
+
+	m := nodegroup.New(cfg, ctl, clientset, nil, &fakeTask)
 
 	k := &eksfakes.FakeKubeProvider{}
 	m.MockKubeProvider(k)
 
-	var ngTaskCreator ngfakes.FakeNodeGroupTaskCreator
-	ngTaskCreator.NewUnmanagedNodeGroupTaskStub = func(_ context.Context, _ []*api.NodeGroup, _, _, _ bool, _ vpc.Importer) *tasks.TaskTree {
-		return &tasks.TaskTree{
-			Tasks: []tasks.Task{noopTask},
-		}
-	}
 	stackManager := &stackManagerDelegate{
-		ngTaskCreator: &ngTaskCreator,
-		StackManager:  m.GetStackManager(),
+		StackManager: m.GetStackManager(),
 	}
 	m.SetStackManager(stackManager)
 
@@ -154,8 +143,8 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 		t.expectedCalls(expectedCalls{
 			kubeProvider:         k,
 			nodeGroupFilter:      &ngFilter,
-			nodeGroupTaskCreator: &ngTaskCreator,
 			clientset:            clientset,
+			nodeGroupTaskCreator: &fakeCreator,
 		})
 	}
 },
@@ -534,7 +523,7 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 		expectedErr: errors.New("--update-auth-configmap is not supported when authenticationMode is set to API"),
 	}),
 
-	Entry("creates nodegroup using access entries when authenticationMode is API_AND_CONFIG_MAP and updateAuthConfigMap is not supplied", ngEntry{
+	FEntry("creates nodegroup using access entries when authenticationMode is API_AND_CONFIG_MAP and updateAuthConfigMap is not supplied", ngEntry{
 		mockCalls: func(m mockCalls) {
 			mockProviderWithConfig(m.mockProvider, defaultOutput, nil, nil, &ekstypes.AccessConfigResponse{
 				AuthenticationMode: ekstypes.AuthenticationModeApiAndConfigMap,
@@ -544,9 +533,9 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 		expectedCalls: func(e expectedCalls) {
 			Expect(e.kubeProvider.NewRawClientCallCount()).To(Equal(1))
 			Expect(e.nodeGroupFilter.SetOnlyLocalCallCount()).To(Equal(1))
-			Expect(e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskCallCount()).To(Equal(1))
-			_, _, _, _, disableAccessEntryCreation, _ := e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskArgsForCall(0)
-			Expect(disableAccessEntryCreation).To(BeFalse())
+			Expect(e.nodeGroupTaskCreator.CreateCallCount()).To(Equal(1))
+			_, options := e.nodeGroupTaskCreator.CreateArgsForCall(0)
+			Expect(options.DisableAccessEntryCreation).To(BeFalse())
 			Expect(getIAMIdentities(e.clientset)).To(HaveLen(0))
 		},
 	}),
@@ -593,9 +582,9 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 		expectedCalls: func(e expectedCalls) {
 			Expect(e.kubeProvider.NewRawClientCallCount()).To(Equal(1))
 			Expect(e.nodeGroupFilter.SetOnlyLocalCallCount()).To(Equal(1))
-			Expect(e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskCallCount()).To(Equal(1))
-			_, _, _, _, disableAccessEntryCreation, _ := e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskArgsForCall(0)
-			Expect(disableAccessEntryCreation).To(BeTrue())
+			Expect(e.nodeGroupTaskCreator.CreateCallCount()).To(Equal(1))
+			_, options := e.nodeGroupTaskCreator.CreateArgsForCall(0)
+			Expect(options.DisableAccessEntryCreation).To(BeTrue())
 			Expect(getIAMIdentities(e.clientset)).To(HaveLen(0))
 		},
 	}),
@@ -614,9 +603,9 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 		expectedCalls: func(e expectedCalls) {
 			Expect(e.kubeProvider.NewRawClientCallCount()).To(Equal(1))
 			Expect(e.nodeGroupFilter.SetOnlyLocalCallCount()).To(Equal(1))
-			Expect(e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskCallCount()).To(Equal(1))
-			_, _, _, _, disableAccessEntryCreation, _ := e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskArgsForCall(0)
-			Expect(disableAccessEntryCreation).To(BeTrue())
+			Expect(e.nodeGroupTaskCreator.CreateCallCount()).To(Equal(1))
+			_, options := e.nodeGroupTaskCreator.CreateArgsForCall(0)
+			Expect(options.DisableAccessEntryCreation).To(BeTrue())
 			Expect(getIAMIdentities(e.clientset)).To(HaveLen(0))
 		},
 	}),
@@ -668,19 +657,39 @@ var _ = DescribeTable("Create", func(t ngEntry) {
 	}),
 )
 
-var noopTask = &tasks.GenericTask{
-	Doer: func() error {
-		return nil
-	},
-}
-
 func newClusterConfig() *api.ClusterConfig {
+	ng := &api.NodeGroup{
+		NodeGroupBase: &api.NodeGroupBase{
+			Name:             "my-ng",
+			AMIFamily:        api.NodeImageFamilyAmazonLinux2,
+			AMI:              "ami-123",
+			SSH:              &api.NodeGroupSSH{Allow: api.Disabled()},
+			InstanceSelector: &api.InstanceSelector{},
+			ScalingConfig:    &api.ScalingConfig{},
+			IAM: &api.NodeGroupIAM{
+				InstanceRoleARN: "arn:aws:iam::1234567890:role/my-ng",
+			},
+		},
+	}
+	mng := &api.ManagedNodeGroup{
+		NodeGroupBase: &api.NodeGroupBase{
+			Name:             "my-ng",
+			AMIFamily:        api.NodeImageFamilyAmazonLinux2,
+			SSH:              &api.NodeGroupSSH{Allow: api.Disabled()},
+			InstanceSelector: &api.InstanceSelector{},
+			ScalingConfig:    &api.ScalingConfig{},
+		},
+	}
+	meta := &api.ClusterMeta{
+		Name:    "my-cluster",
+		Version: api.DefaultVersion,
+	}
+	api.SetNodeGroupDefaults(ng, meta, false)
+	api.SetManagedNodeGroupDefaults(mng, meta, false)
+
 	return &api.ClusterConfig{
 		TypeMeta: api.ClusterConfigTypeMeta(),
-		Metadata: &api.ClusterMeta{
-			Name:    "my-cluster",
-			Version: api.DefaultVersion,
-		},
+		Metadata: meta,
 		Status: &api.ClusterStatus{
 			Endpoint:                 "https://localhost/",
 			CertificateAuthorityData: []byte("dGVzdAo="),
@@ -690,30 +699,10 @@ func newClusterConfig() *api.ClusterConfig {
 		CloudWatch: &api.ClusterCloudWatch{
 			ClusterLogging: &api.ClusterCloudWatchLogging{},
 		},
-		AccessConfig:   &api.AccessConfig{},
-		PrivateCluster: &api.PrivateCluster{},
-		NodeGroups: []*api.NodeGroup{{
-			NodeGroupBase: &api.NodeGroupBase{
-				Name:             "my-ng",
-				AMIFamily:        api.NodeImageFamilyAmazonLinux2,
-				AMI:              "ami-123",
-				SSH:              &api.NodeGroupSSH{Allow: api.Disabled()},
-				InstanceSelector: &api.InstanceSelector{},
-				ScalingConfig:    &api.ScalingConfig{},
-				IAM: &api.NodeGroupIAM{
-					InstanceRoleARN: "arn:aws:iam::1234567890:role/my-ng",
-				},
-			}},
-		},
-		ManagedNodeGroups: []*api.ManagedNodeGroup{{
-			NodeGroupBase: &api.NodeGroupBase{
-				Name:             "my-ng",
-				AMIFamily:        api.NodeImageFamilyAmazonLinux2,
-				SSH:              &api.NodeGroupSSH{Allow: api.Disabled()},
-				InstanceSelector: &api.InstanceSelector{},
-				ScalingConfig:    &api.ScalingConfig{},
-			}},
-		},
+		AccessConfig:      &api.AccessConfig{},
+		PrivateCluster:    &api.PrivateCluster{},
+		NodeGroups:        []*api.NodeGroup{ng},
+		ManagedNodeGroups: []*api.ManagedNodeGroup{mng},
 	}
 }
 
@@ -747,9 +736,9 @@ func getIAMIdentities(clientset kubernetes.Interface) []iam.Identity {
 func expectedCallsForAWSAuth(e expectedCalls) {
 	Expect(e.kubeProvider.NewRawClientCallCount()).To(Equal(1))
 	Expect(e.nodeGroupFilter.SetOnlyLocalCallCount()).To(Equal(1))
-	Expect(e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskCallCount()).To(Equal(1))
-	_, _, _, _, disableAccessEntryCreation, _ := e.nodeGroupTaskCreator.NewUnmanagedNodeGroupTaskArgsForCall(0)
-	Expect(disableAccessEntryCreation).To(BeTrue())
+	Expect(e.nodeGroupTaskCreator.CreateCallCount()).To(Equal(1))
+	_, options := e.nodeGroupTaskCreator.CreateArgsForCall(0)
+	Expect(options.DisableAccessEntryCreation).To(BeTrue())
 	identities := getIAMIdentities(e.clientset)
 	Expect(identities).To(HaveLen(1))
 	for _, id := range identities {