fix(ec2): interface endpoints do not work with Vpc.fromLookup() (#18554)

The validation was too eager, causing a validation error before
the actual lookup happened.

Add a property to `SelectedSubnets` to make it clear in consuming
code that validation shouldn't happen yet.

Fixes #17600.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts

@@ -574,7 +574,7 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn
     const subnets = subnetSelection.subnets;
 
     // Sanity check the subnet count
-    if (subnetSelection.subnets.length == 0) {
+    if (!subnetSelection.isPendingLookup && subnetSelection.subnets.length == 0) {
       throw new Error('Cannot create a VPC Endpoint with no subnets');
     }
 

packages/@aws-cdk/aws-ec2/lib/vpc.ts

@@ -351,6 +351,17 @@ export interface SelectedSubnets {
    * Whether any of the given subnets are from the VPC's public subnets.
    */
   readonly hasPublic: boolean;
+
+  /**
+   * The subnet selection is not actually real yet
+   *
+   * If this value is true, don't validate anything about the subnets. The count
+   * or identities are not known yet, and the validation will most likely fail
+   * which will prevent a successful lookup.
+   *
+   * @default false
+   */
+  readonly isPendingLookup?: boolean;
 }
 
 /**
@@ -430,6 +441,7 @@ abstract class VpcBase extends Resource implements IVpc {
       internetConnectivityEstablished: tap(new CompositeDependable(), d => subnets.forEach(s => d.add(s.internetConnectivityEstablished))),
       subnets,
       hasPublic: subnets.some(s => pubs.has(s)),
+      isPendingLookup: this.incompleteSubnetDefinition,
     };
   }
 

packages/@aws-cdk/aws-ec2/test/vpc-endpoint.test.ts

@@ -3,7 +3,7 @@ import { AnyPrincipal, PolicyStatement } from '@aws-cdk/aws-iam';
 import * as cxschema from '@aws-cdk/cloud-assembly-schema';
 import { ContextProvider, Fn, Stack } from '@aws-cdk/core';
 // eslint-disable-next-line max-len
-import { GatewayVpcEndpoint, GatewayVpcEndpointAwsService, InterfaceVpcEndpoint, InterfaceVpcEndpointAwsService, InterfaceVpcEndpointService, SecurityGroup, SubnetType, Vpc } from '../lib';
+import { GatewayVpcEndpoint, GatewayVpcEndpointAwsService, InterfaceVpcEndpoint, InterfaceVpcEndpointAwsService, InterfaceVpcEndpointService, SecurityGroup, SubnetFilter, SubnetType, Vpc } from '../lib';
 
 describe('vpc endpoint', () => {
   describe('gateway endpoint', () => {
@@ -268,6 +268,25 @@ describe('vpc endpoint', () => {
 
     });
 
+    describe('add interface endpoint to looked-up VPC', () => {
+      test('initial run', () => {
+        // GIVEN
+        const stack = new Stack(undefined, undefined, { env: { account: '1234', region: 'us-east-1' } });
+        const vpc = Vpc.fromLookup(stack, 'Vpc', {
+          vpcId: 'doesnt-matter',
+        });
+
+        // THEN: doesn't throw
+        vpc.addInterfaceEndpoint('SecretsManagerEndpoint', {
+          service: InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
+          subnets: {
+            subnetFilters: [SubnetFilter.byIds(['1234'])],
+          },
+        });
+      });
+    });
+
+
     test('import/export', () => {
       // GIVEN
       const stack2 = new Stack();