feat(eks): throw ValidationErrors instead of untyped errors (#34428)

mrgrain · web-flow · commit 2e7c55b9a56b · 2025-05-12T20:34:09.000Z
### Issue Relates to #32569 ### Reason for this change untyped Errors are not recommended ### Description of changes `ValidationError`s everywhere ### Describe any new or updated permissions being added None ### Description of how you validated changes Existing tests. Exemptions granted as this is a refactor of existing code. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/.eslintrc.js b/packages/aws-cdk-lib/.eslintrc.js
@@ -19,7 +19,6 @@ baseConfig.rules['@cdklabs/no-throw-default-error'] = ['error'];
 const noThrowDefaultErrorNotYetSupported = [
   'aws-ecs-patterns',
   'aws-ecs',
-  'aws-eks',
   'aws-elasticsearch',
   'aws-events-targets',
   'aws-globalaccelerator',
diff --git a/packages/aws-cdk-lib/aws-eks/lib/aws-auth.ts b/packages/aws-cdk-lib/aws-eks/lib/aws-auth.ts
@@ -3,7 +3,7 @@ import { AwsAuthMapping } from './aws-auth-mapping';
 import { Cluster, AuthenticationMode } from './cluster';
 import { KubernetesManifest } from './k8s-manifest';
 import * as iam from '../../aws-iam';
-import { Lazy, Stack } from '../../core';
+import { Lazy, Stack, ValidationError } from '../../core';
 
 /**
  * Configuration props for the AwsAuth construct.
@@ -45,7 +45,7 @@ export class AwsAuth extends Construct {
     const supportConfigMap = props.cluster.authenticationMode !== AuthenticationMode.API ? true : false;
 
     if (!supportConfigMap) {
-      throw new Error('ConfigMap not supported in the AuthenticationMode');
+      throw new ValidationError('ConfigMap not supported in the AuthenticationMode', this);
     }
 
     this.stack = Stack.of(this);
@@ -123,7 +123,7 @@ export class AwsAuth extends Construct {
       // a dependency on the cluster, allowing those resources to be in a different stack,
       // will create a circular dependency. granted, it won't always be the case,
       // but we opted for the more cautious and restrictive approach for now.
-      throw new Error(`${construct.node.path} should be defined in the scope of the ${thisStack.stackName} stack to prevent circular dependencies`);
+      throw new ValidationError(`${construct.node.path} should be defined in the scope of the ${thisStack.stackName} stack to prevent circular dependencies`, this);
     }
   }
 
diff --git a/packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts b/packages/aws-cdk-lib/aws-eks/lib/cluster-resource.ts
@@ -6,7 +6,7 @@ import * as ec2 from '../../aws-ec2';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
 import * as lambda from '../../aws-lambda';
-import { ArnComponents, CustomResource, Token, Stack, Lazy } from '../../core';
+import { ArnComponents, CustomResource, Token, Stack, Lazy, ValidationError } from '../../core';
 
 export interface ClusterResourceProps {
   readonly resourcesVpcConfig: CfnCluster.ResourcesVpcConfigProperty;
@@ -56,7 +56,7 @@ export class ClusterResource extends Construct {
     super(scope, id);
 
     if (!props.roleArn) {
-      throw new Error('"roleArn" is required');
+      throw new ValidationError('"roleArn" is required', this);
     }
 
     const provider = ClusterResourceProvider.getOrCreate(this, {
diff --git a/packages/aws-cdk-lib/aws-eks/lib/cluster.ts b/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
@@ -26,7 +26,7 @@ import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
 import * as lambda from '../../aws-lambda';
 import * as ssm from '../../aws-ssm';
-import { Annotations, CfnOutput, CfnResource, IResource, Resource, Stack, Tags, Token, Duration, Size } from '../../core';
+import { Annotations, CfnOutput, CfnResource, IResource, Resource, Stack, Tags, Token, Duration, Size, ValidationError, UnscopedValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 
 // defaults are based on https://eksctl.io
@@ -782,7 +782,7 @@ export class EndpointAccess {
      */
     public readonly _config: EndpointAccessConfig) {
     if (!_config.publicAccess && _config.publicCidrs && _config.publicCidrs.length > 0) {
-      throw new Error('CIDR blocks can only be configured when public access is enabled');
+      throw new UnscopedValidationError('CIDR blocks can only be configured when public access is enabled');
     }
   }
 
@@ -796,7 +796,7 @@ export class EndpointAccess {
     if (!this._config.privateAccess) {
       // when private access is disabled, we can't restric public
       // access since it will render the kubectl provider unusable.
-      throw new Error('Cannot restric public access to endpoint when private access is disabled. Use PUBLIC_AND_PRIVATE.onlyFrom() instead.');
+      throw new UnscopedValidationError('Cannot restric public access to endpoint when private access is disabled. Use PUBLIC_AND_PRIVATE.onlyFrom() instead.');
     }
     return new EndpointAccess({
       ...this._config,
@@ -1156,7 +1156,7 @@ abstract class ClusterBase extends Resource implements ICluster {
 
     // see https://github.com/awslabs/cdk8s/blob/master/packages/cdk8s/src/chart.ts#L84
     if (typeof cdk8sChart.toJson !== 'function') {
-      throw new Error(`Invalid cdk8s chart. Must contain a 'toJson' method, but found ${typeof cdk8sChart.toJson}`);
+      throw new ValidationError(`Invalid cdk8s chart. Must contain a 'toJson' method, but found ${typeof cdk8sChart.toJson}`, this);
     }
 
     const manifest = new KubernetesManifest(this, id, {
@@ -1238,7 +1238,7 @@ abstract class ClusterBase extends Resource implements ICluster {
 
     const bootstrapEnabled = options.bootstrapEnabled ?? true;
     if (options.bootstrapOptions && !bootstrapEnabled) {
-      throw new Error('Cannot specify "bootstrapOptions" if "bootstrapEnabled" is false');
+      throw new ValidationError('Cannot specify "bootstrapOptions" if "bootstrapEnabled" is false', this);
     }
 
     if (bootstrapEnabled) {
@@ -1626,7 +1626,7 @@ export class Cluster extends ClusterBase {
 
     const selectedSubnetIdsPerGroup = this.vpcSubnets.map(s => this.vpc.selectSubnets(s).subnetIds);
     if (selectedSubnetIdsPerGroup.some(Token.isUnresolved) && selectedSubnetIdsPerGroup.length > 1) {
-      throw new Error('eks.Cluster: cannot select multiple subnet groups from a VPC imported from list tokens with unknown length. Select only one subnet group, pass a length to Fn.split, or switch to Vpc.fromLookup.');
+      throw new ValidationError('eks.Cluster: cannot select multiple subnet groups from a VPC imported from list tokens with unknown length. Select only one subnet group, pass a length to Fn.split, or switch to Vpc.fromLookup.', this);
     }
 
     // Get subnetIds for all selected subnets
@@ -1665,29 +1665,29 @@ export class Cluster extends ClusterBase {
     if (!hasPendingLookup) {
       if (privateSubnets.length === 0 && publicAccessDisabled) {
         // no private subnets and no public access at all, no good.
-        throw new Error('Vpc must contain private subnets when public endpoint access is disabled');
+        throw new ValidationError('Vpc must contain private subnets when public endpoint access is disabled', this);
       }
 
       if (privateSubnets.length === 0 && publicAccessRestricted) {
       // no private subnets and public access is restricted, no good.
-        throw new Error('Vpc must contain private subnets when public endpoint access is restricted');
+        throw new ValidationError('Vpc must contain private subnets when public endpoint access is restricted', this);
       }
     }
 
     const placeClusterHandlerInVpc = props.placeClusterHandlerInVpc ?? false;
 
     if (!hasPendingLookup) {
       if (placeClusterHandlerInVpc && privateSubnets.length === 0) {
-        throw new Error('Cannot place cluster handler in the VPC since no private subnets could be selected');
+        throw new ValidationError('Cannot place cluster handler in the VPC since no private subnets could be selected', this);
       }
     }
 
     if (props.clusterHandlerSecurityGroup && !placeClusterHandlerInVpc) {
-      throw new Error('Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true');
+      throw new ValidationError('Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true', this);
     }
 
     if (props.serviceIpv4Cidr && props.ipFamily == IpFamily.IP_V6) {
-      throw new Error('Cannot specify serviceIpv4Cidr with ipFamily equal to IpFamily.IP_V6');
+      throw new ValidationError('Cannot specify serviceIpv4Cidr with ipFamily equal to IpFamily.IP_V6', this);
     }
 
     this.validateRemoteNetworkConfig(props);
@@ -1745,7 +1745,7 @@ export class Cluster extends ClusterBase {
 
       // validate VPC properties according to: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
       if (this.vpc instanceof ec2.Vpc && !(this.vpc.dnsHostnamesEnabled && this.vpc.dnsSupportEnabled)) {
-        throw new Error('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.');
+        throw new ValidationError('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.', this);
       }
 
       this.kubectlPrivateSubnets = privateSubnets;
@@ -1934,7 +1934,7 @@ export class Cluster extends ClusterBase {
   @MethodMetadata()
   public addAutoScalingGroupCapacity(id: string, options: AutoScalingGroupCapacityOptions): autoscaling.AutoScalingGroup {
     if (options.machineImageType === MachineImageType.BOTTLEROCKET && options.bootstrapOptions !== undefined) {
-      throw new Error('bootstrapOptions is not supported for Bottlerocket');
+      throw new ValidationError('bootstrapOptions is not supported for Bottlerocket', this);
     }
     const asg = new autoscaling.AutoScalingGroup(this, id, {
       ...options,
@@ -2143,7 +2143,7 @@ export class Cluster extends ClusterBase {
     // wanted to avoid resource tear down, we decided for now that we will only
     // support a single EKS cluster per CFN stack.
     if (this.stack.node.tryFindChild(uid)) {
-      throw new Error('Only a single EKS cluster can be defined within a CloudFormation stack');
+      throw new ValidationError('Only a single EKS cluster can be defined within a CloudFormation stack', this);
     }
 
     return new KubectlProvider(this.stack, uid, { cluster: this });
@@ -2264,7 +2264,7 @@ export class Cluster extends ClusterBase {
       if (cidrs.length > 1) {
         cidrs.forEach((cidr1, j) => {
           if (cidrs.slice(j + 1).some(cidr2 => validateCidrPairOverlap(cidr1, cidr2))) {
-            throw new Error(`CIDR ${cidr1} should not overlap with another CIDR in remote node network #${index + 1}`);
+            throw new ValidationError(`CIDR ${cidr1} should not overlap with another CIDR in remote node network #${index + 1}`, this);
           }
         });
       }
@@ -2275,7 +2275,7 @@ export class Cluster extends ClusterBase {
       props.remoteNodeNetworks!.slice(i + 1).forEach((network2, j) => {
         const [overlap, remoteNodeCidr1, remoteNodeCidr2] = validateCidrBlocksOverlap(network1.cidrs, network2.cidrs);
         if (overlap) {
-          throw new Error(`CIDR block ${remoteNodeCidr1} in remote node network #${i + 1} should not overlap with CIDR block ${remoteNodeCidr2} in remote node network #${i + j + 2}`);
+          throw new ValidationError(`CIDR block ${remoteNodeCidr1} in remote node network #${i + 1} should not overlap with CIDR block ${remoteNodeCidr2} in remote node network #${i + j + 2}`, this);
         }
       });
     });
@@ -2287,7 +2287,7 @@ export class Cluster extends ClusterBase {
         if (cidrs.length > 1) {
           cidrs.forEach((cidr1, j) => {
             if (cidrs.slice(j + 1).some(cidr2 => validateCidrPairOverlap(cidr1, cidr2))) {
-              throw new Error(`CIDR ${cidr1} should not overlap with another CIDR in remote pod network #${index + 1}`);
+              throw new ValidationError(`CIDR ${cidr1} should not overlap with another CIDR in remote pod network #${index + 1}`, this);
             }
           });
         }
@@ -2298,7 +2298,7 @@ export class Cluster extends ClusterBase {
         props.remotePodNetworks!.slice(i + 1).forEach((network2, j) => {
           const [overlap, remotePodCidr1, remotePodCidr2] = validateCidrBlocksOverlap(network1.cidrs, network2.cidrs);
           if (overlap) {
-            throw new Error(`CIDR block ${remotePodCidr1} in remote pod network #${i + 1} should not overlap with CIDR block ${remotePodCidr2} in remote pod network #${i + j + 2}`);
+            throw new ValidationError(`CIDR block ${remotePodCidr1} in remote pod network #${i + 1} should not overlap with CIDR block ${remotePodCidr2} in remote pod network #${i + j + 2}`, this);
           }
         });
       });
@@ -2308,7 +2308,7 @@ export class Cluster extends ClusterBase {
         for (const podNetwork of props.remotePodNetworks) {
           const [overlap, remoteNodeCidr, remotePodCidr] = validateCidrBlocksOverlap(nodeNetwork.cidrs, podNetwork.cidrs);
           if (overlap) {
-            throw new Error(`Remote node network CIDR block ${remoteNodeCidr} should not overlap with remote pod network CIDR block ${remotePodCidr}`);
+            throw new ValidationError(`Remote node network CIDR block ${remoteNodeCidr} should not overlap with remote pod network CIDR block ${remotePodCidr}`, this);
           }
         }
       }
@@ -2563,55 +2563,55 @@ class ImportedCluster extends ClusterBase {
 
   public get vpc() {
     if (!this.props.vpc) {
-      throw new Error('"vpc" is not defined for this imported cluster');
+      throw new ValidationError('"vpc" is not defined for this imported cluster', this);
     }
     return this.props.vpc;
   }
 
   public get clusterSecurityGroup(): ec2.ISecurityGroup {
     if (!this._clusterSecurityGroup) {
-      throw new Error('"clusterSecurityGroup" is not defined for this imported cluster');
+      throw new ValidationError('"clusterSecurityGroup" is not defined for this imported cluster', this);
     }
     return this._clusterSecurityGroup;
   }
 
   public get clusterSecurityGroupId(): string {
     if (!this.props.clusterSecurityGroupId) {
-      throw new Error('"clusterSecurityGroupId" is not defined for this imported cluster');
+      throw new ValidationError('"clusterSecurityGroupId" is not defined for this imported cluster', this);
     }
     return this.props.clusterSecurityGroupId;
   }
 
   public get clusterEndpoint(): string {
     if (!this.props.clusterEndpoint) {
-      throw new Error('"clusterEndpoint" is not defined for this imported cluster');
+      throw new ValidationError('"clusterEndpoint" is not defined for this imported cluster', this);
     }
     return this.props.clusterEndpoint;
   }
 
   public get clusterCertificateAuthorityData(): string {
     if (!this.props.clusterCertificateAuthorityData) {
-      throw new Error('"clusterCertificateAuthorityData" is not defined for this imported cluster');
+      throw new ValidationError('"clusterCertificateAuthorityData" is not defined for this imported cluster', this);
     }
     return this.props.clusterCertificateAuthorityData;
   }
 
   public get clusterEncryptionConfigKeyArn(): string {
     if (!this.props.clusterEncryptionConfigKeyArn) {
-      throw new Error('"clusterEncryptionConfigKeyArn" is not defined for this imported cluster');
+      throw new ValidationError('"clusterEncryptionConfigKeyArn" is not defined for this imported cluster', this);
     }
     return this.props.clusterEncryptionConfigKeyArn;
   }
 
   public get openIdConnectProvider(): iam.IOpenIdConnectProvider {
     if (!this.props.openIdConnectProvider) {
-      throw new Error('"openIdConnectProvider" is not defined for this imported cluster');
+      throw new ValidationError('"openIdConnectProvider" is not defined for this imported cluster', this);
     }
     return this.props.openIdConnectProvider;
   }
 
   public get awsAuth(): AwsAuth {
-    throw new Error('"awsAuth" is not supported on imported clusters');
+    throw new ValidationError('"awsAuth" is not supported on imported clusters', this);
   }
 }
 
diff --git a/packages/aws-cdk-lib/aws-eks/lib/fargate-profile.ts b/packages/aws-cdk-lib/aws-eks/lib/fargate-profile.ts
@@ -4,7 +4,7 @@ import { FARGATE_PROFILE_RESOURCE_TYPE } from './cluster-resource-handler/consts
 import { ClusterResourceProvider } from './cluster-resource-provider';
 import * as ec2 from '../../aws-ec2';
 import * as iam from '../../aws-iam';
-import { Annotations, CustomResource, ITaggable, Lazy, TagManager, TagType } from '../../core';
+import { Annotations, CustomResource, ITaggable, Lazy, TagManager, TagType, ValidationError } from '../../core';
 
 /**
  * Options for defining EKS Fargate Profiles.
@@ -164,11 +164,11 @@ export class FargateProfile extends Construct implements ITaggable {
     }
 
     if (props.selectors.length < 1) {
-      throw new Error('Fargate profile requires at least one selector');
+      throw new ValidationError('Fargate profile requires at least one selector', this);
     }
 
     if (props.selectors.length > 5) {
-      throw new Error('Fargate profile supports up to five selectors');
+      throw new ValidationError('Fargate profile supports up to five selectors', this);
     }
 
     this.tags = new TagManager(TagType.MAP, 'AWS::EKS::FargateProfile');
diff --git a/packages/aws-cdk-lib/aws-eks/lib/helm-chart.ts b/packages/aws-cdk-lib/aws-eks/lib/helm-chart.ts
@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { ICluster } from './cluster';
 import { KubectlProvider } from './kubectl-provider';
 import { Asset } from '../../aws-s3-assets';
-import { CustomResource, Duration, Names, Stack } from '../../core';
+import { CustomResource, Duration, Names, Stack, ValidationError } from '../../core';
 
 /**
  * Helm Chart options.
@@ -137,16 +137,16 @@ export class HelmChart extends Construct {
 
     const timeout = props.timeout?.toSeconds();
     if (timeout && timeout > 900) {
-      throw new Error('Helm chart timeout cannot be higher than 15 minutes.');
+      throw new ValidationError('Helm chart timeout cannot be higher than 15 minutes.', this);
     }
 
     if (!this.chart && !this.chartAsset) {
-      throw new Error("Either 'chart' or 'chartAsset' must be specified to install a helm chart");
+      throw new ValidationError("Either 'chart' or 'chartAsset' must be specified to install a helm chart", this);
     }
 
     if (this.chartAsset && (this.repository || this.version)) {
-      throw new Error(
-        "Neither 'repository' nor 'version' can be used when configuring 'chartAsset'",
+      throw new ValidationError(
+        "Neither 'repository' nor 'version' can be used when configuring 'chartAsset'", this,
       );
     }
 
diff --git a/packages/aws-cdk-lib/aws-eks/lib/kubectl-provider.ts b/packages/aws-cdk-lib/aws-eks/lib/kubectl-provider.ts
@@ -1,7 +1,7 @@
 import { Construct, IConstruct } from 'constructs';
 import { ICluster, Cluster } from './cluster';
 import * as iam from '../../aws-iam';
-import { Duration, Stack, NestedStack, Names, CfnCondition, Fn, Aws } from '../../core';
+import { Duration, Stack, NestedStack, Names, CfnCondition, Fn, Aws, ValidationError } from '../../core';
 import { KubectlFunction } from '../../custom-resource-handlers/dist/aws-eks/kubectl-provider.generated';
 import * as cr from '../../custom-resources';
 import { AwsCliLayer } from '../../lambda-layer-awscli';
@@ -121,11 +121,11 @@ export class KubectlProvider extends NestedStack implements IKubectlProvider {
     const cluster = props.cluster;
 
     if (!cluster.kubectlRole) {
-      throw new Error('"kubectlRole" is not defined, cannot issue kubectl commands against this cluster');
+      throw new ValidationError('"kubectlRole" is not defined, cannot issue kubectl commands against this cluster', this);
     }
 
     if (cluster.kubectlPrivateSubnets && !cluster.kubectlSecurityGroup) {
-      throw new Error('"kubectlSecurityGroup" is required if "kubectlSubnets" is specified');
+      throw new ValidationError('"kubectlSecurityGroup" is required if "kubectlSubnets" is specified', this);
     }
 
     const memorySize = cluster.kubectlMemory ? cluster.kubectlMemory.toMebibytes() : 1024;
diff --git a/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts b/packages/aws-cdk-lib/aws-eks/lib/managed-nodegroup.ts

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ import * as iam from '../../aws-iam';`
`26`	`26`	`import * as kms from '../../aws-kms';`
`27`	`27`	`import * as lambda from '../../aws-lambda';`
`28`	`28`	`import * as ssm from '../../aws-ssm';`
`29`		`-import { Annotations, CfnOutput, CfnResource, IResource, Resource, Stack, Tags, Token, Duration, Size } from '../../core';`
	`29`	`+import { Annotations, CfnOutput, CfnResource, IResource, Resource, Stack, Tags, Token, Duration, Size, ValidationError, UnscopedValidationError } from '../../core';`
`30`	`30`	`import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';`
`31`	`31`
`32`	`32`	`// defaults are based on https://eksctl.io`
`@@ -782,7 +782,7 @@ export class EndpointAccess {`
`782`	`782`	`*/`
`783`	`783`	`public readonly _config: EndpointAccessConfig) {`
`784`	`784`	`if (!_config.publicAccess && _config.publicCidrs && _config.publicCidrs.length > 0) {`
`785`		`- throw new Error('CIDR blocks can only be configured when public access is enabled');`
	`785`	`+ throw new UnscopedValidationError('CIDR blocks can only be configured when public access is enabled');`
`786`	`786`	`}`
`787`	`787`	`}`
`788`	`788`
`@@ -796,7 +796,7 @@ export class EndpointAccess {`
`796`	`796`	`if (!this._config.privateAccess) {`
`797`	`797`	`// when private access is disabled, we can't restric public`
`798`	`798`	`// access since it will render the kubectl provider unusable.`
`799`		`- throw new Error('Cannot restric public access to endpoint when private access is disabled. Use PUBLIC_AND_PRIVATE.onlyFrom() instead.');`
	`799`	`+ throw new UnscopedValidationError('Cannot restric public access to endpoint when private access is disabled. Use PUBLIC_AND_PRIVATE.onlyFrom() instead.');`
`800`	`800`	`}`
`801`	`801`	`return new EndpointAccess({`
`802`	`802`	`...this._config,`
`@@ -1156,7 +1156,7 @@ abstract class ClusterBase extends Resource implements ICluster {`
`1156`	`1156`
`1157`	`1157`	`// see https://github.com/awslabs/cdk8s/blob/master/packages/cdk8s/src/chart.ts#L84`
`1158`	`1158`	`if (typeof cdk8sChart.toJson !== 'function') {`
`1159`		- throw new Error(`Invalid cdk8s chart. Must contain a 'toJson' method, but found ${typeof cdk8sChart.toJson}`);
	`1159`	+ throw new ValidationError(`Invalid cdk8s chart. Must contain a 'toJson' method, but found ${typeof cdk8sChart.toJson}`, this);
`1160`	`1160`	`}`
`1161`	`1161`
`1162`	`1162`	`const manifest = new KubernetesManifest(this, id, {`
`@@ -1238,7 +1238,7 @@ abstract class ClusterBase extends Resource implements ICluster {`
`1238`	`1238`
`1239`	`1239`	`const bootstrapEnabled = options.bootstrapEnabled ?? true;`
`1240`	`1240`	`if (options.bootstrapOptions && !bootstrapEnabled) {`
`1241`		`- throw new Error('Cannot specify "bootstrapOptions" if "bootstrapEnabled" is false');`
	`1241`	`+ throw new ValidationError('Cannot specify "bootstrapOptions" if "bootstrapEnabled" is false', this);`
`1242`	`1242`	`}`
`1243`	`1243`
`1244`	`1244`	`if (bootstrapEnabled) {`
`@@ -1626,7 +1626,7 @@ export class Cluster extends ClusterBase {`
`1626`	`1626`
`1627`	`1627`	`const selectedSubnetIdsPerGroup = this.vpcSubnets.map(s => this.vpc.selectSubnets(s).subnetIds);`
`1628`	`1628`	`if (selectedSubnetIdsPerGroup.some(Token.isUnresolved) && selectedSubnetIdsPerGroup.length > 1) {`
`1629`		`- throw new Error('eks.Cluster: cannot select multiple subnet groups from a VPC imported from list tokens with unknown length. Select only one subnet group, pass a length to Fn.split, or switch to Vpc.fromLookup.');`
	`1629`	`+ throw new ValidationError('eks.Cluster: cannot select multiple subnet groups from a VPC imported from list tokens with unknown length. Select only one subnet group, pass a length to Fn.split, or switch to Vpc.fromLookup.', this);`
`1630`	`1630`	`}`
`1631`	`1631`
`1632`	`1632`	`// Get subnetIds for all selected subnets`
`@@ -1665,29 +1665,29 @@ export class Cluster extends ClusterBase {`
`1665`	`1665`	`if (!hasPendingLookup) {`
`1666`	`1666`	`if (privateSubnets.length === 0 && publicAccessDisabled) {`
`1667`	`1667`	`// no private subnets and no public access at all, no good.`
`1668`		`- throw new Error('Vpc must contain private subnets when public endpoint access is disabled');`
	`1668`	`+ throw new ValidationError('Vpc must contain private subnets when public endpoint access is disabled', this);`
`1669`	`1669`	`}`
`1670`	`1670`
`1671`	`1671`	`if (privateSubnets.length === 0 && publicAccessRestricted) {`
`1672`	`1672`	`// no private subnets and public access is restricted, no good.`
`1673`		`- throw new Error('Vpc must contain private subnets when public endpoint access is restricted');`
	`1673`	`+ throw new ValidationError('Vpc must contain private subnets when public endpoint access is restricted', this);`
`1674`	`1674`	`}`
`1675`	`1675`	`}`
`1676`	`1676`
`1677`	`1677`	`const placeClusterHandlerInVpc = props.placeClusterHandlerInVpc ?? false;`
`1678`	`1678`
`1679`	`1679`	`if (!hasPendingLookup) {`
`1680`	`1680`	`if (placeClusterHandlerInVpc && privateSubnets.length === 0) {`
`1681`		`- throw new Error('Cannot place cluster handler in the VPC since no private subnets could be selected');`
	`1681`	`+ throw new ValidationError('Cannot place cluster handler in the VPC since no private subnets could be selected', this);`
`1682`	`1682`	`}`
`1683`	`1683`	`}`
`1684`	`1684`
`1685`	`1685`	`if (props.clusterHandlerSecurityGroup && !placeClusterHandlerInVpc) {`
`1686`		`- throw new Error('Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true');`
	`1686`	`+ throw new ValidationError('Cannot specify clusterHandlerSecurityGroup without placeClusterHandlerInVpc set to true', this);`
`1687`	`1687`	`}`
`1688`	`1688`
`1689`	`1689`	`if (props.serviceIpv4Cidr && props.ipFamily == IpFamily.IP_V6) {`
`1690`		`- throw new Error('Cannot specify serviceIpv4Cidr with ipFamily equal to IpFamily.IP_V6');`
	`1690`	`+ throw new ValidationError('Cannot specify serviceIpv4Cidr with ipFamily equal to IpFamily.IP_V6', this);`
`1691`	`1691`	`}`
`1692`	`1692`
`1693`	`1693`	`this.validateRemoteNetworkConfig(props);`
`@@ -1745,7 +1745,7 @@ export class Cluster extends ClusterBase {`
`1745`	`1745`
`1746`	`1746`	`// validate VPC properties according to: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html`
`1747`	`1747`	`if (this.vpc instanceof ec2.Vpc && !(this.vpc.dnsHostnamesEnabled && this.vpc.dnsSupportEnabled)) {`
`1748`		- throw new Error('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.');
	`1748`	+ throw new ValidationError('Private endpoint access requires the VPC to have DNS support and DNS hostnames enabled. Use `enableDnsHostnames: true` and `enableDnsSupport: true` when creating the VPC.', this);
`1749`	`1749`	`}`
`1750`	`1750`
`1751`	`1751`	`this.kubectlPrivateSubnets = privateSubnets;`
`@@ -1934,7 +1934,7 @@ export class Cluster extends ClusterBase {`
`1934`	`1934`	`@MethodMetadata()`
`1935`	`1935`	`public addAutoScalingGroupCapacity(id: string, options: AutoScalingGroupCapacityOptions): autoscaling.AutoScalingGroup {`
`1936`	`1936`	`if (options.machineImageType === MachineImageType.BOTTLEROCKET && options.bootstrapOptions !== undefined) {`
`1937`		`- throw new Error('bootstrapOptions is not supported for Bottlerocket');`
	`1937`	`+ throw new ValidationError('bootstrapOptions is not supported for Bottlerocket', this);`
`1938`	`1938`	`}`
`1939`	`1939`	`const asg = new autoscaling.AutoScalingGroup(this, id, {`
`1940`	`1940`	`...options,`
`@@ -2143,7 +2143,7 @@ export class Cluster extends ClusterBase {`
`2143`	`2143`	`// wanted to avoid resource tear down, we decided for now that we will only`
`2144`	`2144`	`// support a single EKS cluster per CFN stack.`
`2145`	`2145`	`if (this.stack.node.tryFindChild(uid)) {`
`2146`		`- throw new Error('Only a single EKS cluster can be defined within a CloudFormation stack');`
	`2146`	`+ throw new ValidationError('Only a single EKS cluster can be defined within a CloudFormation stack', this);`
`2147`	`2147`	`}`
`2148`	`2148`
`2149`	`2149`	`return new KubectlProvider(this.stack, uid, { cluster: this });`
`@@ -2264,7 +2264,7 @@ export class Cluster extends ClusterBase {`
`2264`	`2264`	`if (cidrs.length > 1) {`
`2265`	`2265`	`cidrs.forEach((cidr1, j) => {`
`2266`	`2266`	`if (cidrs.slice(j + 1).some(cidr2 => validateCidrPairOverlap(cidr1, cidr2))) {`
`2267`		- throw new Error(`CIDR ${cidr1} should not overlap with another CIDR in remote node network #${index + 1}`);
	`2267`	+ throw new ValidationError(`CIDR ${cidr1} should not overlap with another CIDR in remote node network #${index + 1}`, this);
`2268`	`2268`	`}`
`2269`	`2269`	`});`
`2270`	`2270`	`}`
`@@ -2275,7 +2275,7 @@ export class Cluster extends ClusterBase {`
`2275`	`2275`	`props.remoteNodeNetworks!.slice(i + 1).forEach((network2, j) => {`
`2276`	`2276`	`const [overlap, remoteNodeCidr1, remoteNodeCidr2] = validateCidrBlocksOverlap(network1.cidrs, network2.cidrs);`
`2277`	`2277`	`if (overlap) {`
`2278`		- throw new Error(`CIDR block ${remoteNodeCidr1} in remote node network #${i + 1} should not overlap with CIDR block ${remoteNodeCidr2} in remote node network #${i + j + 2}`);
	`2278`	+ throw new ValidationError(`CIDR block ${remoteNodeCidr1} in remote node network #${i + 1} should not overlap with CIDR block ${remoteNodeCidr2} in remote node network #${i + j + 2}`, this);
`2279`	`2279`	`}`
`2280`	`2280`	`});`
`2281`	`2281`	`});`
`@@ -2287,7 +2287,7 @@ export class Cluster extends ClusterBase {`
`2287`	`2287`	`if (cidrs.length > 1) {`
`2288`	`2288`	`cidrs.forEach((cidr1, j) => {`
`2289`	`2289`	`if (cidrs.slice(j + 1).some(cidr2 => validateCidrPairOverlap(cidr1, cidr2))) {`
`2290`		- throw new Error(`CIDR ${cidr1} should not overlap with another CIDR in remote pod network #${index + 1}`);
	`2290`	+ throw new ValidationError(`CIDR ${cidr1} should not overlap with another CIDR in remote pod network #${index + 1}`, this);
`2291`	`2291`	`}`
`2292`	`2292`	`});`
`2293`	`2293`	`}`
`@@ -2298,7 +2298,7 @@ export class Cluster extends ClusterBase {`
`2298`	`2298`	`props.remotePodNetworks!.slice(i + 1).forEach((network2, j) => {`
`2299`	`2299`	`const [overlap, remotePodCidr1, remotePodCidr2] = validateCidrBlocksOverlap(network1.cidrs, network2.cidrs);`
`2300`	`2300`	`if (overlap) {`
`2301`		- throw new Error(`CIDR block ${remotePodCidr1} in remote pod network #${i + 1} should not overlap with CIDR block ${remotePodCidr2} in remote pod network #${i + j + 2}`);
	`2301`	+ throw new ValidationError(`CIDR block ${remotePodCidr1} in remote pod network #${i + 1} should not overlap with CIDR block ${remotePodCidr2} in remote pod network #${i + j + 2}`, this);
`2302`	`2302`	`}`
`2303`	`2303`	`});`
`2304`	`2304`	`});`
`@@ -2308,7 +2308,7 @@ export class Cluster extends ClusterBase {`
`2308`	`2308`	`for (const podNetwork of props.remotePodNetworks) {`
`2309`	`2309`	`const [overlap, remoteNodeCidr, remotePodCidr] = validateCidrBlocksOverlap(nodeNetwork.cidrs, podNetwork.cidrs);`
`2310`	`2310`	`if (overlap) {`
`2311`		- throw new Error(`Remote node network CIDR block ${remoteNodeCidr} should not overlap with remote pod network CIDR block ${remotePodCidr}`);
	`2311`	+ throw new ValidationError(`Remote node network CIDR block ${remoteNodeCidr} should not overlap with remote pod network CIDR block ${remotePodCidr}`, this);
`2312`	`2312`	`}`
`2313`	`2313`	`}`
`2314`	`2314`	`}`
`@@ -2563,55 +2563,55 @@ class ImportedCluster extends ClusterBase {`
`2563`	`2563`
`2564`	`2564`	`public get vpc() {`
`2565`	`2565`	`if (!this.props.vpc) {`
`2566`		`- throw new Error('"vpc" is not defined for this imported cluster');`
	`2566`	`+ throw new ValidationError('"vpc" is not defined for this imported cluster', this);`
`2567`	`2567`	`}`
`2568`	`2568`	`return this.props.vpc;`
`2569`	`2569`	`}`
`2570`	`2570`
`2571`	`2571`	`public get clusterSecurityGroup(): ec2.ISecurityGroup {`
`2572`	`2572`	`if (!this._clusterSecurityGroup) {`
`2573`		`- throw new Error('"clusterSecurityGroup" is not defined for this imported cluster');`
	`2573`	`+ throw new ValidationError('"clusterSecurityGroup" is not defined for this imported cluster', this);`
`2574`	`2574`	`}`
`2575`	`2575`	`return this._clusterSecurityGroup;`
`2576`	`2576`	`}`
`2577`	`2577`
`2578`	`2578`	`public get clusterSecurityGroupId(): string {`
`2579`	`2579`	`if (!this.props.clusterSecurityGroupId) {`
`2580`		`- throw new Error('"clusterSecurityGroupId" is not defined for this imported cluster');`
	`2580`	`+ throw new ValidationError('"clusterSecurityGroupId" is not defined for this imported cluster', this);`
`2581`	`2581`	`}`
`2582`	`2582`	`return this.props.clusterSecurityGroupId;`
`2583`	`2583`	`}`
`2584`	`2584`
`2585`	`2585`	`public get clusterEndpoint(): string {`
`2586`	`2586`	`if (!this.props.clusterEndpoint) {`
`2587`		`- throw new Error('"clusterEndpoint" is not defined for this imported cluster');`
	`2587`	`+ throw new ValidationError('"clusterEndpoint" is not defined for this imported cluster', this);`
`2588`	`2588`	`}`
`2589`	`2589`	`return this.props.clusterEndpoint;`
`2590`	`2590`	`}`
`2591`	`2591`
`2592`	`2592`	`public get clusterCertificateAuthorityData(): string {`
`2593`	`2593`	`if (!this.props.clusterCertificateAuthorityData) {`
`2594`		`- throw new Error('"clusterCertificateAuthorityData" is not defined for this imported cluster');`
	`2594`	`+ throw new ValidationError('"clusterCertificateAuthorityData" is not defined for this imported cluster', this);`
`2595`	`2595`	`}`
`2596`	`2596`	`return this.props.clusterCertificateAuthorityData;`
`2597`	`2597`	`}`
`2598`	`2598`
`2599`	`2599`	`public get clusterEncryptionConfigKeyArn(): string {`
`2600`	`2600`	`if (!this.props.clusterEncryptionConfigKeyArn) {`
`2601`		`- throw new Error('"clusterEncryptionConfigKeyArn" is not defined for this imported cluster');`
	`2601`	`+ throw new ValidationError('"clusterEncryptionConfigKeyArn" is not defined for this imported cluster', this);`
`2602`	`2602`	`}`
`2603`	`2603`	`return this.props.clusterEncryptionConfigKeyArn;`
`2604`	`2604`	`}`
`2605`	`2605`
`2606`	`2606`	`public get openIdConnectProvider(): iam.IOpenIdConnectProvider {`
`2607`	`2607`	`if (!this.props.openIdConnectProvider) {`
`2608`		`- throw new Error('"openIdConnectProvider" is not defined for this imported cluster');`
	`2608`	`+ throw new ValidationError('"openIdConnectProvider" is not defined for this imported cluster', this);`
`2609`	`2609`	`}`
`2610`	`2610`	`return this.props.openIdConnectProvider;`
`2611`	`2611`	`}`
`2612`	`2612`
`2613`	`2613`	`public get awsAuth(): AwsAuth {`
`2614`		`- throw new Error('"awsAuth" is not supported on imported clusters');`
	`2614`	`+ throw new ValidationError('"awsAuth" is not supported on imported clusters', this);`
`2615`	`2615`	`}`
`2616`	`2616`	`}`
`2617`	`2617`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ import { FARGATE_PROFILE_RESOURCE_TYPE } from './cluster-resource-handler/consts`
`4`	`4`	`import { ClusterResourceProvider } from './cluster-resource-provider';`
`5`	`5`	`import * as ec2 from '../../aws-ec2';`
`6`	`6`	`import * as iam from '../../aws-iam';`
`7`		`-import { Annotations, CustomResource, ITaggable, Lazy, TagManager, TagType } from '../../core';`
	`7`	`+import { Annotations, CustomResource, ITaggable, Lazy, TagManager, TagType, ValidationError } from '../../core';`
`8`	`8`
`9`	`9`	`/**`
`10`	`10`	`* Options for defining EKS Fargate Profiles.`
`@@ -164,11 +164,11 @@ export class FargateProfile extends Construct implements ITaggable {`
`164`	`164`	`}`
`165`	`165`
`166`	`166`	`if (props.selectors.length < 1) {`
`167`		`- throw new Error('Fargate profile requires at least one selector');`
	`167`	`+ throw new ValidationError('Fargate profile requires at least one selector', this);`
`168`	`168`	`}`
`169`	`169`
`170`	`170`	`if (props.selectors.length > 5) {`
`171`		`- throw new Error('Fargate profile supports up to five selectors');`
	`171`	`+ throw new ValidationError('Fargate profile supports up to five selectors', this);`
`172`	`172`	`}`
`173`	`173`
`174`	`174`	`this.tags = new TagManager(TagType.MAP, 'AWS::EKS::FargateProfile');`