add docs and update capabilities api

Author: zjaco13

docs/capabilities/ack-capability.md

@@ -0,0 +1,36 @@
+# ACK Capability
+
+The [ACK capability](https://docs.aws.amazon.com/eks/latest/userguide/capabilities.html) enables management of AWS resources using Kubernetes APIs. It continuously reconciles the desired state with the actual state in AWS, correcting any drift. ACK supports cross-account and cross-region resource management.
+
+This is the AWS-managed alternative to the self-managed [AckAddOn](../addons/ack.md). Using both on the same cluster will result in a conflict error.
+
+## Usage
+
+```typescript
+import * as blueprints from '@aws-quickstart/eks-blueprints';
+
+const stack = blueprints.EksBlueprint.builder()
+  .version("auto")
+  .capabilities({
+    ack: new blueprints.capabilities.AckCapability(),
+  })
+  .build(app, 'my-cluster');
+```
+
+## Configuration
+
+| Property | Type | Default | Description |
+|----------|------|---------|-------------|
+| `capabilityName` | `string` | `blueprints-ack-capability` | Name for the capability resource |
+| `roleArn` | `string` | Auto-created | Existing IAM role ARN to use |
+| `policyName` | `string` | - | Custom managed policy name |
+| `policyDocument` | `iam.PolicyDocument` | - | Custom inline policy |
+| `tags` | `CfnTag[]` | - | CloudFormation tags |
+
+The default IAM policy is `AdministratorAccess`. For production, scope this down to only the AWS services you need:
+
+```typescript
+new blueprints.capabilities.AckCapability({
+  policyName: "AmazonRDSFullAccess",
+})
+```

docs/capabilities/argocd-capability.md

@@ -0,0 +1,67 @@
+# ArgoCD Capability
+
+The [ArgoCD capability](https://docs.aws.amazon.com/eks/latest/userguide/capabilities.html) enables GitOps-based continuous deployment, automatically syncing application resources to clusters from Git repositories. It integrates with AWS Identity Center for authentication and authorization.
+
+This is the AWS-managed alternative to the self-managed [ArgoCDAddOn](../addons/argocd.md). Using both on the same cluster will result in a conflict error.
+
+## Usage
+
+```typescript
+import * as blueprints from '@aws-quickstart/eks-blueprints';
+
+const stack = blueprints.EksBlueprint.builder()
+  .version("auto")
+  .capabilities({
+    argocd: new blueprints.capabilities.ArgoCapability({
+      idcInstanceArn: "arn:aws:sso:::instance/ssoins-1234567890abcdef",
+    }),
+  })
+  .build(app, 'my-cluster');
+```
+
+## Configuration
+
+| Property | Type | Default | Description |
+|----------|------|---------|-------------|
+| `idcInstanceArn` | `string` | **Required** | AWS Identity Center instance ARN |
+| `idcManagedApplicationArn` | `string` | - | IDC managed application ARN |
+| `idcRegion` | `string` | - | IDC region |
+| `capabilityName` | `string` | `blueprints-argocd-capability` | Name for the capability resource |
+| `namespace` | `string` | `argocd` | Kubernetes namespace for ArgoCD |
+| `serverUrl` | `string` | - | ArgoCD server URL |
+| `networkAccessVpcEndpoints` | `IVpcEndpoint[]` | - | VPC endpoints for network access |
+| `roleMappings` | `Record<ArgoCDSsoRole, ...>` | - | SSO role-to-identity mappings |
+| `roleArn` | `string` | Auto-created | Existing IAM role ARN |
+| `tags` | `CfnTag[]` | - | CloudFormation tags |
+
+The default IAM policy is `AWSSecretsManagerClientReadOnlyAccess`.
+
+## Role Mappings
+
+Map AWS Identity Center users or groups to ArgoCD RBAC roles. Two approaches:
+
+**Simplified props:**
+```typescript
+new blueprints.capabilities.ArgoCapability({
+  idcInstanceArn: "arn:aws:sso:::instance/ssoins-1234567890abcdef",
+  roleMappings: {
+    adminUsers: ["<sso-user-id>"],
+    viewerGroups: ["<sso-group-id>"],
+    editorUsers: ["<sso-user-id>"],
+  },
+})
+```
+
+**Builder methods:**
+```typescript
+new blueprints.capabilities.ArgoCapability({
+  idcInstanceArn: "arn:aws:sso:::instance/ssoins-1234567890abcdef",
+})
+.addAdmin("<sso-user-id>", blueprints.SsoIdentityType.SSO_USER)
+.addViewer("<sso-group-id>", blueprints.SsoIdentityType.SSO_GROUP)
+.addEditor("<sso-user-id>", blueprints.SsoIdentityType.SSO_USER)
+```
+
+Both approaches can be combined — mappings are merged at deploy time.
+
+Available roles: `ADMIN`, `EDITOR`, `VIEWER`.

docs/capabilities/index.md

@@ -0,0 +1,50 @@
+# EKS Capabilities
+
+[EKS Capabilities](https://docs.aws.amazon.com/eks/latest/userguide/capabilities.html) are fully managed cluster features that eliminate the need to install, maintain, and scale foundational cluster services. Each capability is an AWS resource that runs in EKS and is managed by AWS.
+
+Available capabilities:
+
+- **[ACK](ack-capability.md)** — Manage AWS resources using Kubernetes APIs
+- **[ArgoCD](argocd-capability.md)** — GitOps-based continuous deployment with AWS Identity Center integration
+- **[kro](kro-capability.md)** — Create custom Kubernetes APIs that compose multiple resources into higher-level abstractions
+
+## Capabilities vs Addons
+
+Capabilities are the AWS-managed equivalent of self-managed addons. They differ in that AWS handles installation, upgrades, scaling, and security patching. The blueprints framework automatically detects conflicts — if you add both a capability and its corresponding addon (e.g. `AckCapability` and `AckAddOn`), the build will fail with a conflict error.
+
+## Usage
+
+```typescript
+import * as blueprints from '@aws-quickstart/eks-blueprints';
+
+const stack = blueprints.EksBlueprint.builder()
+  .version("auto")
+  .capabilities({
+    ack: new blueprints.capabilities.AckCapability(),
+    kro: new blueprints.capabilities.KroCapability(),
+  })
+  .build(app, 'my-cluster');
+```
+
+Each capability key (`ack`, `argocd`, `kro`) can only appear once — the type system enforces this at compile time.
+
+## IAM Roles
+
+Each capability requires an IAM role with the `capabilities.eks.amazonaws.com` service principal. By default, the framework creates a role with the capability's default managed policy. You can customize this:
+
+```typescript
+// Use a custom existing role
+new blueprints.capabilities.AckCapability({
+  roleArn: "arn:aws:iam::123456789:role/my-custom-role",
+})
+
+// Use a custom managed policy
+new blueprints.capabilities.AckCapability({
+  policyName: "MyCustomAckPolicy",
+})
+
+// Use an inline policy document
+new blueprints.capabilities.AckCapability({
+  policyDocument: new iam.PolicyDocument({ ... }),
+})
+```

docs/capabilities/kro-capability.md

@@ -0,0 +1,46 @@
+# kro Capability
+
+The [kro capability](https://docs.aws.amazon.com/eks/latest/userguide/capabilities.html) enables creation of custom Kubernetes APIs that compose multiple resources into higher-level abstractions. Platform teams can define reusable patterns for common resource combinations, enabling self-service with appropriate guardrails.
+
+This is the AWS-managed alternative to the self-managed [KroAddOn](../addons/kro.md). kro itself does not require AWS IAM permissions — it orchestrates Kubernetes resources only. AWS resource creation is handled by controllers like ACK.
+
+## Usage
+
+```typescript
+import * as blueprints from '@aws-quickstart/eks-blueprints';
+
+const stack = blueprints.EksBlueprint.builder()
+  .version("auto")
+  .capabilities({
+    kro: new blueprints.capabilities.KroCapability(),
+  })
+  .build(app, 'my-cluster');
+```
+
+## Configuration
+
+| Property | Type | Default | Description |
+|----------|------|---------|-------------|
+| `capabilityName` | `string` | `blueprints-kro-capability` | Name for the capability resource |
+| `roleArn` | `string` | Auto-created | Existing IAM role ARN to use |
+| `policyName` | `string` | - | Custom managed policy name |
+| `policyDocument` | `iam.PolicyDocument` | - | Custom inline policy |
+| `tags` | `CfnTag[]` | - | CloudFormation tags |
+
+No default IAM policy is attached since kro doesn't interact with AWS APIs directly.
+
+## Using with ACK
+
+kro is commonly paired with the ACK capability to create custom APIs that provision AWS resources:
+
+```typescript
+const stack = blueprints.EksBlueprint.builder()
+  .version("auto")
+  .capabilities({
+    ack: new blueprints.capabilities.AckCapability(),
+    kro: new blueprints.capabilities.KroCapability(),
+  })
+  .build(app, 'my-cluster');
+```
+
+See the [kro addon documentation](../addons/kro.md) for ResourceGraphDefinition examples.

examples/capabilities-test.ts

@@ -8,30 +8,15 @@ const app = new cdk.App();
 
 const account = process.env.CDK_DEFAULT_ACCOUNT;
 const region = process.env.CDK_DEFAULT_REGION;
+
+// Must have identity center set up for ArgoCD Capability
 const identityCenterArn = process.env.AWS_IDENTITY_CENTER_ARN;
 const identityCenterUserId = process.env.AWS_IDENTITY_CENTER_USER_ID;
 
-// Example customer issue reproduction:
 const addOns: Array<blueprints.ClusterAddOn> = [
     new blueprints.addons.EksPodIdentityAgentAddOn(),
-    new blueprints.addons.AwsNetworkFlowMonitorAddOn()
 ];
 
-const capabilities: Array<blueprints.ClusterCapability> = [
-    new blueprints.capabilities.AckCapability(),
-    new blueprints.capabilities.ArgoCapability({
-        idcInstanceArn: identityCenterArn!,
-        roleMappings: {
-            "ADMIN": [{
-                identityId: identityCenterUserId!,
-                identityType: blueprints.SsoIdentityType.SSO_USER
-            }],
-
-        }
-    }),
-    new blueprints.capabilities.KroCapability(),
-]
-
 const clusterProvider = new blueprints.GenericClusterProvider({
   authenticationMode: eks.AuthenticationMode.API_AND_CONFIG_MAP,
   managedNodeGroups: [{
@@ -45,7 +30,16 @@ const stack = blueprints.EksBlueprint.builder()
     .account(account)
     .region(region)
     .clusterProvider(clusterProvider)
-    .capabilities(...capabilities)
+    .capabilities({
+        ack: new blueprints.capabilities.AckCapability(),
+        argocd: new blueprints.capabilities.ArgoCapability({
+            idcInstanceArn: identityCenterArn!,
+            roleMappings: {
+                adminUsers: [identityCenterUserId!],
+            }
+        }),
+        kro: new blueprints.capabilities.KroCapability(),
+    })
     .addOns(...addOns)
     .version("auto")
     .build(app, 'capabilities-debug-stack');

lib/addons/ack/index.ts

@@ -6,7 +6,7 @@ import "reflect-metadata";
 import { conflictsWithCapabilities, createNamespace, setPath, supportsX86 } from "../../utils";
 import { HelmAddOn, HelmAddOnProps, HelmAddOnUserProps } from "../helm-addon";
 import { AckServiceName, serviceMappings } from './serviceMappings';
-import { AckCapability } from '../../capabilities';
+import { CapabilityType } from '../../spi';
 
 export * from "./serviceMappings";
 
@@ -71,7 +71,7 @@ export class AckAddOn extends HelmAddOn {
   }
 
 
-  @conflictsWithCapabilities(AckCapability.name)
+  @conflictsWithCapabilities(CapabilityType.ACK)
   deploy(clusterInfo: ClusterInfo): Promise<Construct> {
     const cluster = clusterInfo.cluster;
     const context = clusterInfo.getResourceContext();

lib/addons/argocd/index.ts

@@ -12,7 +12,6 @@ import { HelmAddOn, HelmAddOnUserProps } from '../helm-addon';
 import { ArgoApplication } from './application';
 import { createSecretRef } from './manifest-utils';
 import { GitRepositoryReference } from "../../spi";
-import * as capabilities from "../../capabilities";
 
 
 /**
@@ -120,7 +119,7 @@ export class ArgoCDAddOn implements spi.ClusterAddOn, spi.ClusterPostDeploy {
     /**
      * Implementation of the add-on contract deploy method.
     */
-    @conflictsWithCapabilities(capabilities.ArgoCapability.name)
+    @conflictsWithCapabilities(spi.CapabilityType.ARGOCD)
     async deploy(clusterInfo: spi.ClusterInfo): Promise<Construct> {
         const namespace = createNamespace(this.options.namespace!, clusterInfo.cluster, true);
 

lib/capabilities/ack-capability.ts

@@ -19,7 +19,6 @@ export class AckCapability extends Capability {
 
   /** Default configuration for ACK capabilities */
   static readonly defaultProps: AckCapabilityProps= {
-    useDefaultPolicy: true,
     capabilityName: "blueprints-ack-capability"
   };