prasun

Reputation: 7343

Invalid k8s resource and provider for encryption upon creating EKS Cluster

I am using CloudFormation to create AWS EKS to enable secrets encryption

AWSTemplateFormatVersion: '2010-09-09'
Description: 'Amazon EKS Cluster Control Plane'

Resources:

  eksCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: MY-EKS-CLUSTER
      Version: "1.20"
      RoleArn: !ImportValue EKS-Cluster-RoleArn
      EncryptionConfig: 
        - Provider:
            KeyArn: VALID_EXISTING_ARN_IN_AWS_REGION_SAME_AS_CLOUDFORMATION
          Resources: 
          - Secrets
      ResourcesVpcConfig: 
        SecurityGroupIds: 
          - !ImportValue EKS-Cluster-ControlPlaneSecurityGroupId
        SubnetIds: 
          - !ImportValue EKS-Cluster-PublicSubnetId
          - !ImportValue EKS-Cluster-PublicSubnetId2
          - !ImportValue EKS-Cluster-PrivateSubnet01
          - !ImportValue EKS-Cluster-PrivateSubnet02

But, I keep getting an error

Invalid k8s resource and provider for encryption. (Service: AmazonEKS; Status Code: 400; Error Code: InvalidParameterException; Request ID: cda5299d-82ee-4062-a2f6-5e320f8da145; Proxy: null)

even though the KMS key exists and the ARN is valid.

If I create the cluster without secrets encryption enabled, it does let me change the KMS encryption configuration for the cluster using the AWS CLI with the command below, and it works.

aws eks associate-encryption-config \
  --cluster-name MY-EKS-CLUSTER \
  --encryption-config '[{"resources":["secrets"],"provider":{"keyArn":"SAME_ARN_AS_CF_TEMPLATE"}}]' \
  --region ${AWS::Region}

What is wrong with my CloudFormation template?

Upvotes: 4

Views: 693

Answers (1)

berenbums

Reputation: 1354

According to the docs, the only supported value is secrets, and apparently it has to be in lowercase. This fixed the CloudFormation deployment for me:

  Resources: 
  - secrets

Upvotes: 2
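A pre-deployment check for the casing problem described in the answer above, as an added example that is not part of the original question or answer. It assumes the template has already been parsed into a dict; the function name, the JSON form of the template and the placeholder key ARNs are constructed for illustration, and a YAML template using short-form tags such as !ImportValue would need a loader that understands those tags.

```python
import json

REQUIRED_VALUE = "secrets"  # per the answer: the only supported value, in lowercase

# Constructed sample: JSON equivalent of the question's cluster plus a corrected copy.
# The KeyArn strings are placeholders, not real ARNs.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "eksCluster": {"Type": "AWS::EKS::Cluster", "Properties": {"EncryptionConfig": [
    {"Provider": {"KeyArn": "PLACEHOLDER_KEY_ARN"}, "Resources": ["Secrets"]}]}},
  "eksClusterFixed": {"Type": "AWS::EKS::Cluster", "Properties": {"EncryptionConfig": [
    {"Provider": {"KeyArn": "PLACEHOLDER_KEY_ARN"}, "Resources": ["secrets"]}]}}
}}
""")


def check_eks_encryption(template):
    """Return one finding string per problem in AWS::EKS::Cluster resources."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EKS::Cluster":
            continue
        configs = res.get("Properties", {}).get("EncryptionConfig") or []
        if not configs:
            findings.append(f"{name}: no EncryptionConfig, secrets encryption is not enabled")
        for i, cfg in enumerate(configs):
            if not cfg.get("Provider", {}).get("KeyArn"):
                findings.append(f"{name}: EncryptionConfig[{i}] has no Provider.KeyArn")
            for value in cfg.get("Resources", []):
                if value != REQUIRED_VALUE:  # exact, case-sensitive comparison
                    findings.append(
                        f"{name}: EncryptionConfig[{i}].Resources has {value!r}, "
                        f"expected {REQUIRED_VALUE!r}")
    return findings


if __name__ == "__main__":
    for finding in check_eks_encryption(SAMPLE_TEMPLATE):
        print(finding)
```

Running the check in CI before deployment catches the casing error early, so the cluster is not created without secrets encryption as a workaround for the failed stack.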
