fix(lambda): add token resolution validation to capacity providers (#36275)

### Issue # (if applicable)
N/a

### Reason for this change
Current validation of fields for recent capacity provider additions in `aws-lambda` does not take into account unresolved tokens.

### Description of changes
Added `Token.isUnresolved()` checks before all new validations. This ensures that validation only occurs when concrete values are provided, while still allowing tokens to pass through for CloudFormation resolution.

### Describe any new or updated permissions being added
N/a

### Description of how you validated changes
Changes should be only internal, validated that unit and integration tests continued to work.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: reedham-aws

packages/aws-cdk-lib/aws-lambda/lib/capacity-provider.ts

@@ -5,7 +5,7 @@ import { CfnCapacityProvider, CfnFunction } from './lambda.generated';
 import * as ec2 from '../../aws-ec2';
 import * as iam from '../../aws-iam';
 import * as kms from '../../aws-kms';
-import { Annotations, Arn, ArnFormat, IResource, Resource, Stack, ValidationError } from '../../core';
+import { Annotations, Arn, ArnFormat, IResource, Resource, Stack, Token, ValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 
@@ -444,15 +444,15 @@ export class CapacityProvider extends CapacityProviderBase {
   private validateCapacityProviderProps(props: CapacityProviderProps) {
     const validationErrorCPName = props.capacityProviderName || 'your capacity provider';
 
-    if (props.maxVCpuCount !== undefined && (props.maxVCpuCount < 12 || props.maxVCpuCount > 15000)) {
+    if (props.maxVCpuCount !== undefined && !Token.isUnresolved(props.maxVCpuCount) && (props.maxVCpuCount < 12 || props.maxVCpuCount > 15000)) {
       throw new ValidationError(`maxVCpuCount must be between 12 and 15000, but ${validationErrorCPName} has ${props.maxVCpuCount}.`, this);
     }
 
-    if (props.subnets && (props.subnets.length < 1 || props.subnets.length > 16)) {
+    if (!Token.isUnresolved(props.subnets) && (props.subnets.length < 1 || props.subnets.length > 16)) {
       throw new ValidationError(`subnets must contain between 1 and 16 items but ${validationErrorCPName} has ${props.subnets.length} items.`, this);
     }
 
-    if (props.securityGroups.length < 1 || props.securityGroups.length > 5) {
+    if (!Token.isUnresolved(props.securityGroups) && (props.securityGroups.length < 1 || props.securityGroups.length > 5)) {
       throw new ValidationError(`securityGroups must contain between 1 and 5 items but ${validationErrorCPName} has ${props.securityGroups.length} items.`, this);
     }
 
@@ -470,6 +470,9 @@ export class CapacityProvider extends CapacityProviderBase {
   }
 
   private validateCapacityProviderName(name: string) {
+    if (Token.isUnresolved(name)) {
+      return;
+    }
     if (!/^([a-zA-Z0-9-_]+|arn:aws[a-zA-Z-]*:lambda:capacity-provider:[a-zA-Z0-9-_]+)$/.test(name)) {
       throw new ValidationError(`capacityProviderName must be an arn or have only alphanumeric characters, but did not: ${name}`, this);
     }
@@ -479,12 +482,12 @@ export class CapacityProvider extends CapacityProviderBase {
   }
 
   private validateScalingPolicies(scalingOptions: ScalingOptions, validationErrorCPName: string) {
-    if (scalingOptions?.scalingPolicies) {
-      if (scalingOptions?.scalingPolicies.length < 1) {
+    if (scalingOptions?.scalingPolicies && !Token.isUnresolved(scalingOptions.scalingPolicies)) {
+      if (scalingOptions.scalingPolicies.length < 1) {
         throw new ValidationError(`scalingOptions must have at least one policy when scalingMode is 'Manual', but ${validationErrorCPName} has ${scalingOptions.scalingPolicies.length} items.`, this);
       }
 
-      if (scalingOptions?.scalingPolicies.length > 10) {
+      if (scalingOptions.scalingPolicies.length > 10) {
         throw new ValidationError(`scalingOptions can have at most ten policies when scalingMode is 'Manual', but ${validationErrorCPName} has ${scalingOptions.scalingPolicies.length} items.`, this);
       }
     }
@@ -537,15 +540,18 @@ export class CapacityProvider extends CapacityProviderBase {
   }
 
   private validateFunctionScalingConfig(minExecutionEnvironments?: number, maxExecutionEnvironments?: number) {
-    if (minExecutionEnvironments !== undefined && (minExecutionEnvironments < 0 || minExecutionEnvironments > 15000)) {
+    const minDefined = minExecutionEnvironments !== undefined && !Token.isUnresolved(minExecutionEnvironments);
+    const maxDefined = maxExecutionEnvironments !== undefined && !Token.isUnresolved(maxExecutionEnvironments);
+
+    if (minDefined && (minExecutionEnvironments < 0 || minExecutionEnvironments > 15000)) {
       throw new ValidationError(`minExecutionEnvironments must be between 0 and 15000, but was ${minExecutionEnvironments}.`, this);
     }
 
-    if (maxExecutionEnvironments !== undefined && (maxExecutionEnvironments < 0 || maxExecutionEnvironments > 15000)) {
+    if (maxDefined && (maxExecutionEnvironments < 0 || maxExecutionEnvironments > 15000)) {
       throw new ValidationError(`maxExecutionEnvironments must be between 0 and 15000, but was ${maxExecutionEnvironments}.`, this);
     }
 
-    if (minExecutionEnvironments !== undefined && maxExecutionEnvironments !== undefined && minExecutionEnvironments > maxExecutionEnvironments) {
+    if (minDefined && maxDefined && minExecutionEnvironments > maxExecutionEnvironments) {
       throw new ValidationError('minExecutionEnvironments must be less than or equal to maxExecutionEnvironments.', this);
     }
   }

packages/aws-cdk-lib/aws-lambda/lib/lambda-version.ts

@@ -355,13 +355,16 @@ export class Version extends QualifiedFunctionBase implements IVersion {
       return undefined;
     }
 
-    if (minExecutionEnvironments && minExecutionEnvironments < 0) {
+    const minDefined = minExecutionEnvironments !== undefined && !Token.isUnresolved(minExecutionEnvironments);
+    const maxDefined = maxExecutionEnvironments !== undefined && !Token.isUnresolved(maxExecutionEnvironments);
+
+    if (minDefined && minExecutionEnvironments < 0) {
       throw new ValidationError('minExecutionEnvironments must be a non-negative integer.', this);
     }
-    if (maxExecutionEnvironments && maxExecutionEnvironments < 0) {
+    if (maxDefined && maxExecutionEnvironments < 0) {
       throw new ValidationError('maxExecutionEnvironments must be a non-negative integer.', this);
     }
-    if (minExecutionEnvironments && maxExecutionEnvironments && minExecutionEnvironments > maxExecutionEnvironments) {
+    if (minDefined && maxDefined && minExecutionEnvironments > maxExecutionEnvironments) {
       throw new ValidationError('minExecutionEnvironments must be less than or equal to maxExecutionEnvironments', this);
     }
 

packages/aws-cdk-lib/aws-lambda/test/capacity-provider.test.ts

@@ -387,6 +387,34 @@ describe('capacity provider', () => {
         });
       }).toThrow();
     });
+
+    test('accepts tokens for all validated fields', () => {
+      // GIVEN
+      const tokenName = cdk.Fn.ref('CapacityProviderNameParam');
+      const tokenMaxVCpu = cdk.Fn.ref('MaxVCpuParam');
+      const tokenSubnets = cdk.Fn.split(',', cdk.Fn.ref('SubnetIdsParam'));
+      const tokenSecurityGroups = cdk.Fn.split(',', cdk.Fn.ref('SecurityGroupIdsParam'));
+
+      // WHEN - should not throw
+      new lambda.CapacityProvider(stack, 'MyCapacityProvider', {
+        capacityProviderName: tokenName,
+        maxVCpuCount: cdk.Token.asNumber(tokenMaxVCpu),
+        subnets: tokenSubnets.map((id, i) => ec2.Subnet.fromSubnetId(stack, `TokenSubnet${i}`, id)),
+        securityGroups: tokenSecurityGroups.map((id, i) => ec2.SecurityGroup.fromSecurityGroupId(stack, `TokenSG${i}`, id)),
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Lambda::CapacityProvider', {
+        CapacityProviderName: { Ref: 'CapacityProviderNameParam' },
+        VpcConfig: {
+          SubnetIds: { 'Fn::Split': [',', { Ref: 'SubnetIdsParam' }] },
+          SecurityGroupIds: { 'Fn::Split': [',', { Ref: 'SecurityGroupIdsParam' }] },
+        },
+        CapacityProviderScalingConfig: {
+          MaxVCpuCount: { Ref: 'MaxVCpuParam' },
+        },
+      });
+    });
   });
 
   describe('static methods', () => {

packages/aws-cdk-lib/aws-lambda/test/lambda-version.test.ts

@@ -376,5 +376,31 @@ describe('lambda version', () => {
         });
       }).toThrow(/minExecutionEnvironments must be less than or equal to maxExecutionEnvironments/);
     });
+
+    test('accepts tokens for execution environment scaling config', () => {
+      const stack = new cdk.Stack();
+      const fn = new lambda.Function(stack, 'Fn', {
+        code: new lambda.InlineCode('foo'),
+        handler: 'index.handler',
+        runtime: lambda.Runtime.NODEJS_LATEST,
+      });
+      const tokenMin = cdk.Token.asNumber(cdk.Fn.ref('MinEnvParam'));
+      const tokenMax = cdk.Token.asNumber(cdk.Fn.ref('MaxEnvParam'));
+
+      // WHEN - should not throw
+      new lambda.Version(stack, 'Version', {
+        lambda: fn,
+        minExecutionEnvironments: tokenMin,
+        maxExecutionEnvironments: tokenMax,
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Version', {
+        FunctionScalingConfig: {
+          MinExecutionEnvironments: { Ref: 'MinEnvParam' },
+          MaxExecutionEnvironments: { Ref: 'MaxEnvParam' },
+        },
+      });
+    });
   });
 });