feat(ec2): throw ValidationErrors instead of untyped Errors (#34127)

### Issue # (if applicable)

Relates to #32569

### Reason for this change
Untyped Errors are not recommended.


### Description of changes
Change Error to ValidationError / UnscopedValidationError


### Describe any new or updated permissions being added
None



### Description of how you validated changes
Existing tests. Exemptions granted as this is a refactor of existing code.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: tttol

packages/aws-cdk-lib/.eslintrc.js

@@ -50,6 +50,7 @@ const enableNoThrowDefaultErrorIn = [
   'aws-config',
   'aws-docdb',
   'aws-dynamodb',
+  'aws-ec2',
   'aws-ecr',
   'aws-ecr-assets',
   'aws-efs',

packages/aws-cdk-lib/aws-ec2/lib/bastion-host.ts

@@ -10,7 +10,7 @@ import { ISecurityGroup } from './security-group';
 import { BlockDevice } from './volume';
 import { IVpc, SubnetSelection } from './vpc';
 import { IPrincipal, IRole, PolicyStatement } from '../../aws-iam';
-import { CfnOutput, FeatureFlags, Resource, Stack } from '../../core';
+import { CfnOutput, FeatureFlags, Resource, Stack, UnscopedValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { BASTION_HOST_USE_AMAZON_LINUX_2023_BY_DEFAULT } from '../../cx-api';
 
@@ -246,7 +246,7 @@ export class BastionHostLinux extends Resource implements IInstance {
       return AmazonLinuxCpuType.X86_64;
     }
 
-    throw new Error(`Unsupported instance architecture '${architecture}'`);
+    throw new UnscopedValidationError(`Unsupported instance architecture '${architecture}'`);
   }
 
   /**

packages/aws-cdk-lib/aws-ec2/lib/cfn-init-elements.ts

@@ -3,7 +3,7 @@ import { InitBindOptions, InitElementConfig, InitElementType, InitPlatform } fro
 import * as iam from '../../aws-iam';
 import * as s3 from '../../aws-s3';
 import * as s3_assets from '../../aws-s3-assets';
-import { Duration } from '../../core';
+import { Duration, UnscopedValidationError, ValidationError } from '../../core';
 import { md5hash } from '../../core/lib/helpers-internal';
 
 /**
@@ -220,7 +220,7 @@ export class InitCommand extends InitElement {
    */
   public static argvCommand(argv: string[], options: InitCommandOptions = {}): InitCommand {
     if (argv.length === 0) {
-      throw new Error('Cannot define argvCommand with an empty arguments');
+      throw new UnscopedValidationError('Cannot define argvCommand with an empty arguments');
     }
     return new InitCommand(argv, options);
   }
@@ -236,7 +236,7 @@ export class InitCommand extends InitElement {
     const commandKey = this.options.key || `${options.index}`.padStart(3, '0'); // 001, 005, etc.
 
     if (options.platform !== InitPlatform.WINDOWS && this.options.waitAfterCompletion !== undefined) {
-      throw new Error(`Command '${this.command}': 'waitAfterCompletion' is only valid for Windows systems.`);
+      throw new ValidationError(`Command '${this.command}': 'waitAfterCompletion' is only valid for Windows systems.`, options.scope);
     }
 
     for (const handle of this.options.serviceRestartHandles ?? []) {
@@ -325,7 +325,7 @@ export abstract class InitFile extends InitElement {
    */
   public static fromString(fileName: string, content: string, options: InitFileOptions = {}): InitFile {
     if (!content) {
-      throw new Error(`InitFile ${fileName}: cannot create empty file. Please supply at least one character of content.`);
+      throw new UnscopedValidationError(`InitFile ${fileName}: cannot create empty file. Please supply at least one character of content.`);
     }
     return new class extends InitFile {
       protected _doBind(bindOptions: InitBindOptions) {
@@ -345,7 +345,7 @@ export abstract class InitFile extends InitElement {
   public static symlink(fileName: string, target: string, options: InitFileOptions = {}): InitFile {
     const { mode, ...otherOptions } = options;
     if (mode && mode.slice(0, 3) !== '120') {
-      throw new Error('File mode for symlinks must begin with 120XXX');
+      throw new UnscopedValidationError('File mode for symlinks must begin with 120XXX');
     }
     return InitFile.fromString(fileName, target, { mode: (mode || '120644'), ...otherOptions });
   }
@@ -489,7 +489,7 @@ export abstract class InitFile extends InitElement {
   protected _standardConfig(fileOptions: InitFileOptions, platform: InitPlatform, contentVars: Record<string, any>): Record<string, any> {
     if (platform === InitPlatform.WINDOWS) {
       if (fileOptions.group || fileOptions.owner || fileOptions.mode) {
-        throw new Error('Owner, group, and mode options not supported for Windows.');
+        throw new UnscopedValidationError('Owner, group, and mode options not supported for Windows.');
       }
       return {
         [this.fileName]: { ...contentVars },
@@ -529,7 +529,7 @@ export class InitGroup extends InitElement {
   /** @internal */
   public _bind(options: InitBindOptions): InitElementConfig {
     if (options.platform === InitPlatform.WINDOWS) {
-      throw new Error('Init groups are not supported on Windows');
+      throw new UnscopedValidationError('Init groups are not supported on Windows');
     }
 
     return {
@@ -593,7 +593,7 @@ export class InitUser extends InitElement {
   /** @internal */
   public _bind(options: InitBindOptions): InitElementConfig {
     if (options.platform === InitPlatform.WINDOWS) {
-      throw new Error('Init users are not supported on Windows');
+      throw new UnscopedValidationError('Init users are not supported on Windows');
     }
 
     return {
@@ -712,14 +712,14 @@ export class InitPackage extends InitElement {
   public _bind(options: InitBindOptions): InitElementConfig {
     if ((this.type === 'msi') !== (options.platform === InitPlatform.WINDOWS)) {
       if (this.type === 'msi') {
-        throw new Error('MSI installers are only supported on Windows systems.');
+        throw new UnscopedValidationError('MSI installers are only supported on Windows systems.');
       } else {
-        throw new Error('Windows only supports the MSI package type');
+        throw new UnscopedValidationError('Windows only supports the MSI package type');
       }
     }
 
     if (!this.packageName && !['rpm', 'msi'].includes(this.type)) {
-      throw new Error('Package name must be specified for all package types besides RPM and MSI.');
+      throw new UnscopedValidationError('Package name must be specified for all package types besides RPM and MSI.');
     }
 
     const packageName = this.packageName || `${options.index}`.padStart(3, '0');
@@ -826,11 +826,11 @@ export class InitService extends InitElement {
    */
   public static systemdConfigFile(serviceName: string, options: SystemdConfigFileOptions): InitFile {
     if (!options.command.startsWith('/')) {
-      throw new Error(`SystemD executables must use an absolute path, got '${options.command}'`);
+      throw new UnscopedValidationError(`SystemD executables must use an absolute path, got '${options.command}'`);
     }
 
     if (options.environmentFiles?.some(file => !file.startsWith('/'))) {
-      throw new Error('SystemD environment files must use absolute paths');
+      throw new UnscopedValidationError('SystemD environment files must use absolute paths');
     }
 
     const lines = [

packages/aws-cdk-lib/aws-ec2/lib/cfn-init.ts

@@ -5,7 +5,7 @@ import { OperatingSystemType } from './machine-image';
 import { InitBindOptions, InitElementConfig, InitElementType, InitPlatform } from './private/cfn-init-internal';
 import { UserData } from './user-data';
 import * as iam from '../../aws-iam';
-import { Aws, CfnResource } from '../../core';
+import { Aws, CfnResource, UnscopedValidationError, ValidationError } from '../../core';
 
 /**
  * A CloudFormation-init configuration
@@ -50,7 +50,7 @@ export class CloudFormationInit {
    */
   public addConfig(configName: string, config: InitConfig) {
     if (this._configs[configName]) {
-      throw new Error(`CloudFormationInit already contains a config named '${configName}'`);
+      throw new UnscopedValidationError(`CloudFormationInit already contains a config named '${configName}'`);
     }
     this._configs[configName] = config;
   }
@@ -62,12 +62,12 @@ export class CloudFormationInit {
    */
   public addConfigSet(configSetName: string, configNames: string[] = []) {
     if (this._configSets[configSetName]) {
-      throw new Error(`CloudFormationInit already contains a configSet named '${configSetName}'`);
+      throw new UnscopedValidationError(`CloudFormationInit already contains a configSet named '${configSetName}'`);
     }
 
     const unk = configNames.filter(c => !this._configs[c]);
     if (unk.length > 0) {
-      throw new Error(`Unknown configs referenced in definition of '${configSetName}': ${unk}`);
+      throw new UnscopedValidationError(`Unknown configs referenced in definition of '${configSetName}': ${unk}`);
     }
 
     this._configSets[configSetName] = [...configNames];
@@ -91,13 +91,13 @@ export class CloudFormationInit {
    */
   public attach(attachedResource: CfnResource, attachOptions: AttachInitOptions) {
     if (attachOptions.platform === OperatingSystemType.UNKNOWN) {
-      throw new Error('Cannot attach CloudFormationInit to an unknown OS type');
+      throw new ValidationError('Cannot attach CloudFormationInit to an unknown OS type', attachedResource);
     }
 
     const CFN_INIT_METADATA_KEY = 'AWS::CloudFormation::Init';
 
     if (attachedResource.getMetadata(CFN_INIT_METADATA_KEY) !== undefined) {
-      throw new Error(`Cannot bind CfnInit: resource '${attachedResource.node.path}' already has '${CFN_INIT_METADATA_KEY}' attached`);
+      throw new ValidationError(`Cannot bind CfnInit: resource '${attachedResource.node.path}' already has '${CFN_INIT_METADATA_KEY}' attached`, attachedResource);
     }
 
     // Note: This will not reflect mutations made after attaching.
@@ -270,7 +270,7 @@ export class InitConfig {
         return InitPlatform.WINDOWS;
       }
       default: {
-        throw new Error('Cannot attach CloudFormationInit to an unknown OS type');
+        throw new UnscopedValidationError('Cannot attach CloudFormationInit to an unknown OS type');
       }
     }
   }
@@ -308,7 +308,7 @@ function deepMerge(target?: Record<string, any>, src?: Record<string, any>) {
 
     if (Array.isArray(value)) {
       if (target[key] && !Array.isArray(target[key])) {
-        throw new Error(`Trying to merge array [${value}] into a non-array '${target[key]}'`);
+        throw new UnscopedValidationError(`Trying to merge array [${value}] into a non-array '${target[key]}'`);
       }
       if (key === 'command') { // don't deduplicate command arguments
         target[key] = new Array(

packages/aws-cdk-lib/aws-ec2/lib/cidr-splits.ts

@@ -1,3 +1,5 @@
+import { UnscopedValidationError } from '../../core';
+
 /**
  * Return the splits necessary to allocate the given sequence of cidrs in the given order
  *
@@ -43,7 +45,7 @@ export function calculateCidrSplits(rootNetmask: number, netmasks: number[]): Ci
   }
 
   if (offset > Math.pow(2, 32 - rootNetmask)) {
-    throw new Error(`IP space of size /${rootNetmask} not big enough to allocate subnets of sizes ${netmasks.map(x => `/${x}`)}`);
+    throw new UnscopedValidationError(`IP space of size /${rootNetmask} not big enough to allocate subnets of sizes ${netmasks.map(x => `/${x}`)}`);
   }
 
   return ret;

packages/aws-cdk-lib/aws-ec2/lib/client-vpn-authorization-rule.ts

@@ -1,7 +1,7 @@
 import { Construct } from 'constructs';
 import { IClientVpnEndpoint } from './client-vpn-endpoint-types';
 import { CfnClientVpnAuthorizationRule } from './ec2.generated';
-import { Resource } from '../../core';
+import { Resource, ValidationError } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 
 /**
@@ -54,14 +54,16 @@ export interface ClientVpnAuthorizationRuleProps extends ClientVpnAuthorizationR
 export class ClientVpnAuthorizationRule extends Resource {
   constructor(scope: Construct, id: string, props: ClientVpnAuthorizationRuleProps) {
     if (!props.clientVpnEndoint && !props.clientVpnEndpoint) {
-      throw new Error(
+      throw new ValidationError(
         'ClientVpnAuthorizationRule: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified',
+        scope,
       );
     }
     if (props.clientVpnEndoint && props.clientVpnEndpoint) {
-      throw new Error(
+      throw new ValidationError(
         'ClientVpnAuthorizationRule: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified' +
           ', but not both',
+        scope,
       );
     }
     const clientVpnEndpoint = props.clientVpnEndoint || props.clientVpnEndpoint;

packages/aws-cdk-lib/aws-ec2/lib/client-vpn-endpoint.ts

@@ -9,7 +9,7 @@ import { ISecurityGroup, SecurityGroup } from './security-group';
 import { IVpc, SubnetSelection } from './vpc';
 import { ISamlProvider } from '../../aws-iam';
 import * as logs from '../../aws-logs';
-import { CfnOutput, Resource, Token } from '../../core';
+import { CfnOutput, Resource, Token, UnscopedValidationError, ValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 
 /**
@@ -300,28 +300,28 @@ export class ClientVpnEndpoint extends Resource implements IClientVpnEndpoint {
       const clientCidr = new CidrBlock(props.cidr);
       const vpcCidr = new CidrBlock(props.vpc.vpcCidrBlock);
       if (vpcCidr.containsCidr(clientCidr)) {
-        throw new Error('The client CIDR cannot overlap with the local CIDR of the VPC');
+        throw new ValidationError('The client CIDR cannot overlap with the local CIDR of the VPC', this);
       }
     }
 
     if (props.dnsServers && props.dnsServers.length > 2) {
-      throw new Error('A client VPN endpoint can have up to two DNS servers');
+      throw new ValidationError('A client VPN endpoint can have up to two DNS servers', this);
     }
 
     if (props.logging == false && (props.logGroup || props.logStream)) {
-      throw new Error('Cannot specify `logGroup` or `logStream` when logging is disabled');
+      throw new ValidationError('Cannot specify `logGroup` or `logStream` when logging is disabled', this);
     }
 
     if (props.clientConnectionHandler
       && !Token.isUnresolved(props.clientConnectionHandler.functionName)
       && !props.clientConnectionHandler.functionName.startsWith('AWSClientVPN-')) {
-      throw new Error('The name of the Lambda function must begin with the `AWSClientVPN-` prefix');
+      throw new ValidationError('The name of the Lambda function must begin with the `AWSClientVPN-` prefix', this);
     }
 
     if (props.clientLoginBanner
       && !Token.isUnresolved(props.clientLoginBanner)
       && props.clientLoginBanner.length > 1400) {
-      throw new Error(`The maximum length for the client login banner is 1400, got ${props.clientLoginBanner.length}`);
+      throw new ValidationError(`The maximum length for the client login banner is 1400, got ${props.clientLoginBanner.length}`, this);
     }
 
     const logging = props.logging ?? true;
@@ -379,7 +379,7 @@ export class ClientVpnEndpoint extends Resource implements IClientVpnEndpoint {
     const subnetIds = props.vpc.selectSubnets(props.vpcSubnets).subnetIds;
 
     if (Token.isUnresolved(subnetIds)) {
-      throw new Error('Cannot associate subnets when VPC are imported from parameters or exports containing lists of subnet IDs.');
+      throw new ValidationError('Cannot associate subnets when VPC are imported from parameters or exports containing lists of subnet IDs.', this);
     }
 
     for (const [idx, subnetId] of Object.entries(subnetIds)) {
@@ -439,7 +439,7 @@ function renderAuthenticationOptions(
   }
 
   if (authenticationOptions.length === 0) {
-    throw new Error('A client VPN endpoint must use at least one authentication option');
+    throw new UnscopedValidationError('A client VPN endpoint must use at least one authentication option');
   }
   return authenticationOptions;
 }

packages/aws-cdk-lib/aws-ec2/lib/client-vpn-route.ts

@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { IClientVpnEndpoint } from './client-vpn-endpoint-types';
 import { CfnClientVpnRoute } from './ec2.generated';
 import { ISubnet } from './vpc';
-import { Resource } from '../../core';
+import { Resource, ValidationError } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 
 /**
@@ -83,14 +83,15 @@ export interface ClientVpnRouteProps extends ClientVpnRouteOptions {
 export class ClientVpnRoute extends Resource {
   constructor(scope: Construct, id: string, props: ClientVpnRouteProps) {
     if (!props.clientVpnEndoint && !props.clientVpnEndpoint) {
-      throw new Error(
-        'ClientVpnRoute: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified',
+      throw new ValidationError(
+        'ClientVpnRoute: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified', scope,
       );
     }
     if (props.clientVpnEndoint && props.clientVpnEndpoint) {
-      throw new Error(
+      throw new ValidationError(
         'ClientVpnRoute: either clientVpnEndpoint or clientVpnEndoint (deprecated) must be specified' +
           ', but not both',
+        scope,
       );
     }
     const clientVpnEndpoint = props.clientVpnEndoint || props.clientVpnEndpoint;

packages/aws-cdk-lib/aws-ec2/lib/connections.ts

@@ -1,6 +1,7 @@
 import { IPeer, Peer } from './peer';
 import { Port } from './port';
 import { ISecurityGroup } from './security-group';
+import { UnscopedValidationError } from '../../core';
 
 /**
  * The goal of this module is to make possible to write statements like this:
@@ -201,7 +202,7 @@ export class Connections implements IConnectable {
    */
   public allowDefaultPortFrom(other: IConnectable, description?: string) {
     if (!this.defaultPort) {
-      throw new Error('Cannot call allowDefaultPortFrom(): this resource has no default port');
+      throw new UnscopedValidationError('Cannot call allowDefaultPortFrom(): this resource has no default port');
     }
     this.allowFrom(other, this.defaultPort, description);
   }
@@ -211,7 +212,7 @@ export class Connections implements IConnectable {
    */
   public allowDefaultPortInternally(description?: string) {
     if (!this.defaultPort) {
-      throw new Error('Cannot call allowDefaultPortInternally(): this resource has no default port');
+      throw new UnscopedValidationError('Cannot call allowDefaultPortInternally(): this resource has no default port');
     }
     this.allowInternally(this.defaultPort, description);
   }
@@ -221,7 +222,7 @@ export class Connections implements IConnectable {
    */
   public allowDefaultPortFromAnyIpv4(description?: string) {
     if (!this.defaultPort) {
-      throw new Error('Cannot call allowDefaultPortFromAnyIpv4(): this resource has no default port');
+      throw new UnscopedValidationError('Cannot call allowDefaultPortFromAnyIpv4(): this resource has no default port');
     }
     this.allowFromAnyIpv4(this.defaultPort, description);
   }
@@ -231,7 +232,7 @@ export class Connections implements IConnectable {
    */
   public allowToDefaultPort(other: IConnectable, description?: string) {
     if (other.connections.defaultPort === undefined) {
-      throw new Error('Cannot call allowToDefaultPort(): other resource has no default port');
+      throw new UnscopedValidationError('Cannot call allowToDefaultPort(): other resource has no default port');
     }
 
     this.allowTo(other, other.connections.defaultPort, description);
@@ -244,7 +245,7 @@ export class Connections implements IConnectable {
    */
   public allowDefaultPortTo(other: IConnectable, description?: string) {
     if (!this.defaultPort) {
-      throw new Error('Cannot call allowDefaultPortTo(): this resource has no default port');
+      throw new UnscopedValidationError('Cannot call allowDefaultPortTo(): this resource has no default port');
     }
     this.allowTo(other, this.defaultPort, description);
   }