fix(ec2-alpha): add multiple NATGW to the VPC using addNatGateway method (#34094)

Closes #<issue number here>.

### Reason for this change

Cannot add multiple NATGW to current VPC construct as it is using the same construct id which cause conflict.

### Description of changes

- Fix the NATGW construct id to be unique using provided subnet.
- Fix the current domain being set in EIP to be `vpc` instead of `vpcId`.
- Fix the validation for subnet IP ranges as those can be unresolved token values referred in VPC construct using vpc.attr.<ipaddressblock> .

### Describe any new or updated permissions being added

NA

### Description of how you validated changes

- Added unit test and integration test for NATGW.
- Added unit test for EIP

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

BREAKING CHANGE: The logical ID for the NAT Gateway, defined using the `addNatGateways` method, will be changed, resulting in the NAT Gateway being recreated. Additionally, the domain for the Elastic IP (EIP) will be set to `vpc`, which will also trigger its recreation in the account.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: shikha372

Diff for: packages/@aws-cdk/aws-ec2-alpha/lib/route.ts

@@ -1,6 +1,6 @@
 import { CfnEIP, CfnEgressOnlyInternetGateway, CfnInternetGateway, CfnNatGateway, CfnVPCPeeringConnection, CfnRoute, CfnRouteTable, CfnVPCGatewayAttachment, CfnVPNGateway, CfnVPNGatewayRoutePropagation, GatewayVpcEndpoint, IRouteTable, IVpcEndpoint, RouterType } from 'aws-cdk-lib/aws-ec2';
 import { Construct, IDependable } from 'constructs';
-import { Annotations, Duration, IResource, Resource, Tags } from 'aws-cdk-lib/core';
+import { Annotations, Duration, IResource, Resource, Tags, ValidationError } from 'aws-cdk-lib/core';
 import { IVpcV2, VPNGatewayV2Options } from './vpc-v2-base';
 import { NetworkUtils, allRouteTableIds, CidrBlock } from './util';
 import { ISubnetV2 } from './subnet-v2';
@@ -438,7 +438,7 @@ export class NatGateway extends Resource implements IRouteTarget {
 
     if (this.connectivityType === NatConnectivityType.PUBLIC) {
       if (!props.vpc && !props.allocationId) {
-        throw new Error('Either provide vpc or allocationId');
+        throw new ValidationError('Either provide vpc or allocationId', this);
       }
     }
 
@@ -451,7 +451,7 @@ export class NatGateway extends Resource implements IRouteTarget {
     if (this.connectivityType === NatConnectivityType.PUBLIC) {
       if (!props.allocationId) {
         let eip = new CfnEIP(this, 'EIP', {
-          domain: props.vpc?.vpcId,
+          domain: 'vpc',
         });
         aId = eip.attrAllocationId;
       } else {
@@ -504,16 +504,16 @@ export class VPCPeeringConnection extends Resource implements IRouteTarget {
     const isCrossAccount = props.requestorVpc.ownerAccountId !== props.acceptorVpc.ownerAccountId;
 
     if (!isCrossAccount && props.peerRoleArn) {
-      throw new Error('peerRoleArn is not needed for same account peering');
+      throw new ValidationError('peerRoleArn is not needed for same account peering', this);
     }
 
     if (isCrossAccount && !props.peerRoleArn) {
-      throw new Error('Cross account VPC peering requires peerRoleArn');
+      throw new ValidationError('Cross account VPC peering requires peerRoleArn', this);
     }
 
     const overlap = this.validateVpcCidrOverlap(props.requestorVpc, props.acceptorVpc);
     if (overlap) {
-      throw new Error('CIDR block should not overlap with each other for establishing a peering connection');
+      throw new ValidationError('CIDR block should not overlap with each other for establishing a peering connection', this);
     }
     if (props.vpcPeeringConnectionName) {
       Tags.of(this).add(NAME_TAG, props.vpcPeeringConnectionName);
@@ -735,11 +735,11 @@ export class Route extends Resource implements IRouteV2 {
     }
 
     if (this.target.gateway?.routerType === RouterType.EGRESS_ONLY_INTERNET_GATEWAY && isDestinationIpv4) {
-      throw new Error('Egress only internet gateway does not support IPv4 routing');
+      throw new ValidationError('Egress only internet gateway does not support IPv4 routing', this);
     }
 
     if ((props.target.gateway && props.target.endpoint) || (!props.target.gateway && !props.target.endpoint)) {
-      throw new Error('Exactly one of `gateway` or `endpoint` must be specified.');
+      throw new ValidationError('Exactly one of `gateway` or `endpoint` must be specified.', this);
     }
     this.targetRouterType = this.target.gateway ? this.target.gateway.routerType : RouterType.VPC_ENDPOINT;
     // Gateway generates route automatically via its RouteTable, thus we don't need to generate the resource for it

Diff for: packages/@aws-cdk/aws-ec2-alpha/lib/subnet-v2.ts

@@ -1,4 +1,4 @@
-import { Resource, Names, Lazy, Tags } from 'aws-cdk-lib';
+import { Resource, Names, Lazy, Tags, Token, ValidationError, UnscopedValidationError } from 'aws-cdk-lib';
 import { CfnSubnet, CfnSubnetRouteTableAssociation, INetworkAcl, IRouteTable, ISubnet, NetworkAcl, SubnetNetworkAclAssociation, SubnetType } from 'aws-cdk-lib/aws-ec2';
 import { Construct, DependencyGroup, IDependable } from 'constructs';
 import { IVpcV2 } from './vpc-v2-base';
@@ -262,30 +262,32 @@ export class SubnetV2 extends Resource implements ISubnetV2 {
     const ipv6CidrBlock = props.ipv6CidrBlock?.cidr;
 
     if (!checkCidrRanges(props.vpc, props.ipv4CidrBlock.cidr)) {
-      throw new Error('CIDR block should be within the range of VPC');
+      throw new ValidationError('CIDR block should be within the range of VPC', this);
     }
 
     let overlap: boolean = false;
     let overlapIpv6: boolean = false;
 
-    overlap = validateOverlappingCidrRanges(props.vpc, props.ipv4CidrBlock.cidr);
+    if (!Token.isUnresolved(props.ipv4CidrBlock)) {
+      overlap = validateOverlappingCidrRanges(props.vpc, props.ipv4CidrBlock.cidr);
+    }
 
     // check whether VPC supports ipv6
-    if (props.ipv6CidrBlock?.cidr) {
+    if (props.ipv6CidrBlock?.cidr && !Token.isUnresolved(props.ipv6CidrBlock?.cidr)) {
       validateSupportIpv6(props.vpc);
       overlapIpv6 = validateOverlappingCidrRangesipv6(props.vpc, props.ipv6CidrBlock?.cidr);
     }
 
     if (overlap || overlapIpv6) {
-      throw new Error('CIDR block should not overlap with existing subnet blocks');
+      throw new ValidationError('CIDR block should not overlap with existing subnet blocks', this);
     }
 
     if (props.assignIpv6AddressOnCreation && !props.ipv6CidrBlock) {
-      throw new Error('IPv6 CIDR block is required when assigning IPv6 address on creation');
+      throw new ValidationError('IPv6 CIDR block is required when assigning IPv6 address on creation', this);
     }
 
     if (props.mapPublicIpOnLaunch === true && props.subnetType !== SubnetType.PUBLIC) {
-      throw new Error('mapPublicIpOnLaunch can only be set to true for public subnets');
+      throw new ValidationError('mapPublicIpOnLaunch can only be set to true for public subnets', this);
     }
 
     const subnet = new CfnSubnet(this, 'Subnet', {
@@ -445,7 +447,7 @@ function storeSubnetToVpcByType(vpc: IVpcV2, subnet: SubnetV2, type: SubnetType)
   if (findFunctionType) {
     findFunctionType(vpc, subnet);
   } else {
-    throw new Error(`Unsupported subnet type: ${type}`);
+    throw new UnscopedValidationError(`Unsupported subnet type: ${type}`);
   }
 
   /**
@@ -463,7 +465,7 @@ function storeSubnetToVpcByType(vpc: IVpcV2, subnet: SubnetV2, type: SubnetType)
  * Validates whether the provided VPC supports IPv6 addresses.
  *
  * @param vpc The VPC instance to be validated.
- * @throws Error if the VPC does not support IPv6 addresses.
+ * @throws ValidationError if the VPC does not support IPv6 addresses.
  * @returns True if the VPC supports IPv6 addresses, false otherwise.
  * @internal
  */
@@ -473,7 +475,7 @@ function validateSupportIpv6(vpc: IVpcV2) {
   secondaryAddress.ipv6IpamPoolId !== undefined || secondaryAddress.ipv6Pool !== undefined)) {
       return true;
     } else {
-      throw new Error('To use IPv6, the VPC must enable IPv6 support.');
+      throw new UnscopedValidationError('To use IPv6, the VPC must enable IPv6 support.');
     }
   } else {return false;}
 }
@@ -510,7 +512,7 @@ function checkCidrRanges(vpc: IVpcV2, cidrRange: string) {
 
   // If no IPv4 is assigned as secondary address
   if (allCidrs.length === 0) {
-    throw new Error('No secondary IP address attached to VPC');
+    throw new UnscopedValidationError('No secondary IP address attached to VPC');
   }
 
   return allCidrs.some(c => c.containsCidr(subnetCidrBlock));
@@ -560,7 +562,7 @@ function validateOverlappingCidrRanges(vpc: IVpcV2, ipv4CidrBlock: string): bool
  * @param vpc The VPC instance to check against.
  * @param ipv6CidrBlock The IPv6 CIDR block to be validated.
  * @returns True if the IPv6 CIDR block overlaps with existing subnet CIDR blocks, false otherwise.
- * @throws Error if no subnets are found in the VPC.
+ * @throws ValidationError if no subnets are found in the VPC.
  * @internal
  */
 function validateOverlappingCidrRangesipv6(vpc: IVpcV2, ipv6CidrBlock: string): boolean {

Diff for: packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts

@@ -1,4 +1,4 @@
-import { Aws, Resource, Annotations } from 'aws-cdk-lib';
+import { Aws, Resource, Annotations, ValidationError } from 'aws-cdk-lib';
 import { IVpc, ISubnet, SubnetSelection, SelectedSubnets, EnableVpnGatewayOptions, VpnGateway, VpnConnectionType, CfnVPCGatewayAttachment, CfnVPNGatewayRoutePropagation, VpnConnectionOptions, VpnConnection, ClientVpnEndpointOptions, ClientVpnEndpoint, InterfaceVpcEndpointOptions, InterfaceVpcEndpoint, GatewayVpcEndpointOptions, GatewayVpcEndpoint, FlowLogOptions, FlowLog, FlowLogResourceType, SubnetType, SubnetFilter } from 'aws-cdk-lib/aws-ec2';
 import { allRouteTableIds, flatten, subnetGroupNameFromConstructId } from './util';
 import { IDependable, Dependable, IConstruct, DependencyGroup } from 'constructs';
@@ -559,9 +559,9 @@ export abstract class VpcV2Base extends Resource implements IVpcV2 {
    */
   public addNatGateway(options: NatGatewayOptions): NatGateway {
     if (options.connectivityType === NatConnectivityType.PUBLIC && !this._internetGatewayId) {
-      throw new Error('Cannot add a Public NAT Gateway without an Internet Gateway enabled on VPC');
+      throw new ValidationError('Cannot add a Public NAT Gateway without an Internet Gateway enabled on VPC', this);
     }
-    return new NatGateway(this, 'NATGateway', {
+    return new NatGateway(this, `NATGateway-${options.subnet.node.id}`, {
       vpc: this,
       ...options,
     });