fix(eks-v2-alpha): prevent IAM role creation when node pools are empty (#33894)

When node pools are disabled (by setting an empty array in nodePools), the IAM role will not be created, preventing deployment failures with the error 'When Compute Config nodeRoleArn is not null or empty, nodePool value(s) must be provided.

### Issue # (if applicable)

Fixes #33771

### Reason for this change

When using EKS Auto Mode with empty node pools (by setting `nodePools: []`), the IAM role was still being created by the L2 construct, causing stack deployment failures. The AWS service returns an error stating that when `nodeRoleArn` is provided, node pool values must also be provided.

### Description of changes

Modified the `computeConfig` section in the `CfnCluster` resource to check if `nodePools` is empty before assigning `nodeRoleArn`. If `nodePools` is empty, `nodeRoleArn` will be set to `undefined` to prevent the unnecessary creation of the IAM role.

The change ensures that when users explicitly disable node pools by providing an empty array, the IAM role won't be created, allowing the cluster to be provisioned successfully.

Added a test case to verify that when node pools are empty:
1. The nodeRoleArn is not included in the CloudFormation template
2. No IAM role resource is created for node pools

### Describe any new or updated permissions being added

No new or updated IAM permissions are being added. This change actually prevents the creation of an IAM role when it's not needed.

### Description of how you validated changes

Added a new test case in `automode.test.ts` that verifies:
- The `nodeRoleArn` property is not included in the CloudFormation template when node pools are empty
- No IAM role resource is created for node pools when they are disabled

The test passes, confirming that our fix works as expected.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: pahud

packages/@aws-cdk/aws-eks-v2-alpha/README.md

@@ -148,6 +148,22 @@ const cluster = new eks.Cluster(this, 'EksAutoCluster', {
 
 For more information, see [Create a Node Pool for EKS Auto Mode](https://docs.aws.amazon.com/eks/latest/userguide/create-node-pool.html).
 
+### Disabling Default Node Pools
+
+You can disable the default node pools entirely by setting an empty array for `nodePools`. This is useful when you want to use Auto Mode features but manage your compute resources separately:
+
+```ts
+const cluster = new eks.Cluster(this, 'EksAutoCluster', {
+  version: eks.KubernetesVersion.V1_32,
+  defaultCapacityType: eks.DefaultCapacityType.AUTOMODE,
+  compute: {
+    nodePools: [], // Disable default node pools
+  },
+});
+```
+
+When node pools are disabled this way, no IAM role will be created for the node pools, preventing deployment failures that would otherwise occur when a role is created without any node pools.
+
 ### Node Groups as the default capacity type
 
 If you prefer to manage your own node groups instead of using Auto Mode, you can use the traditional node group approach by specifying `defaultCapacityType` as `NODEGROUP`:

packages/@aws-cdk/aws-eks-v2-alpha/lib/cluster.ts

@@ -1184,8 +1184,11 @@ export class Cluster extends ClusterBase {
         enabled: autoModeEnabled,
         // If the computeConfig enabled flag is set to false when creating a cluster with Auto Mode,
         // the request must not include values for the nodeRoleArn or nodePools fields.
+        // Also, if nodePools is empty, nodeRoleArn should not be included to prevent deployment failures
         nodePools: !autoModeEnabled ? undefined : props.compute?.nodePools ?? ['system', 'general-purpose'],
-        nodeRoleArn: !autoModeEnabled ? undefined : props.compute?.nodeRole?.roleArn ?? this.addNodePoolRole(`${id}nodePoolRole`).roleArn,
+        nodeRoleArn: !autoModeEnabled || (props.compute?.nodePools && props.compute.nodePools.length === 0) ?
+          undefined :
+          props.compute?.nodeRole?.roleArn ?? this.addNodePoolRole(`${id}nodePoolRole`).roleArn,
       },
       storageConfig: {
         blockStorage: {

packages/@aws-cdk/aws-eks-v2-alpha/test/automode.test.ts

@@ -235,6 +235,43 @@ describe('eks auto mode', () => {
         },
       });
     });
+
+    test('does not include nodeRoleArn when nodePools is empty', () => {
+      const { stack } = testFixtureNoVpc();
+
+      new eks.Cluster(stack, 'Cluster', {
+        version: CLUSTER_VERSION,
+        defaultCapacityType: eks.DefaultCapacityType.AUTOMODE,
+        compute: {
+          nodePools: [],
+        },
+      });
+
+      // Verify that nodeRoleArn is not included in the CloudFormation template
+      Template.fromStack(stack).hasResourceProperties('AWS::EKS::Cluster', {
+        ComputeConfig: {
+          Enabled: true,
+          NodePools: [],
+        },
+      });
+
+      // Verify that nodeRoleArn is not present in the ComputeConfig
+      const template = Template.fromStack(stack);
+      const cluster = template.findResources('AWS::EKS::Cluster');
+      const clusterLogicalId = Object.keys(cluster)[0];
+      const computeConfig = cluster[clusterLogicalId].Properties.ComputeConfig;
+
+      expect(computeConfig).not.toHaveProperty('NodeRoleArn');
+
+      // Verify that no IAM role resource is created for node pools
+      // The role would typically have a logical ID like 'ClusterClusternodePoolRole...'
+      const iamRoles = template.findResources('AWS::IAM::Role');
+      const nodePoolRoleKeys = Object.keys(iamRoles).filter(key =>
+        key.includes('nodePoolRole'),
+      );
+
+      expect(nodePoolRoleKeys.length).toBe(0);
+    });
   });
 
   describe('network configuration', () => {