feat(kms): throw ValidationErrors instead of untyped errors (#34431)

mrgrain · web-flow · commit 10756c148634 · 2025-05-12T21:07:22.000Z
### Issue Relates to #32569 ### Reason for this change untyped Errors are not recommended ### Description of changes `ValidationError`s everywhere ### Describe any new or updated permissions being added None ### Description of how you validated changes Existing tests. Exemptions granted as this is a refactor of existing code. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/.eslintrc.js b/packages/aws-cdk-lib/.eslintrc.js
@@ -24,7 +24,6 @@ const noThrowDefaultErrorNotYetSupported = [
   'aws-globalaccelerator',
   'aws-globalaccelerator-endpoints',
   'aws-iam',
-  'aws-kms',
   'aws-lambda-destinations',
   'aws-lambda-event-sources',
   'aws-lambda-nodejs',
diff --git a/packages/aws-cdk-lib/aws-kms/lib/alias.ts b/packages/aws-cdk-lib/aws-kms/lib/alias.ts
@@ -2,7 +2,7 @@ import { Construct } from 'constructs';
 import { IKey } from './key';
 import { CfnAlias } from './kms.generated';
 import * as iam from '../../aws-iam';
-import { FeatureFlags, RemovalPolicy, Resource, Stack, Token, Tokenization } from '../../core';
+import { FeatureFlags, RemovalPolicy, Resource, Stack, Token, Tokenization, ValidationError } from '../../core';
 import { addConstructMetadata } from '../../core/lib/metadata-resource';
 import { KMS_ALIAS_NAME_REF } from '../../cx-api';
 
@@ -192,8 +192,8 @@ export class Alias extends AliasBase {
       public readonly keyArn = Stack.of(this).formatArn({ service: 'kms', resource: aliasName });
       public readonly keyId = aliasName;
       public readonly aliasName = aliasName;
-      public get aliasTargetKey(): IKey { throw new Error('Cannot access aliasTargetKey on an Alias imported by Alias.fromAliasName().'); }
-      public addAlias(_alias: string): Alias { throw new Error('Cannot call addAlias on an Alias imported by Alias.fromAliasName().'); }
+      public get aliasTargetKey(): IKey { throw new ValidationError('Cannot access aliasTargetKey on an Alias imported by Alias.fromAliasName().', this); }
+      public addAlias(_alias: string): Alias { throw new ValidationError('Cannot call addAlias on an Alias imported by Alias.fromAliasName().', this); }
       public addToResourcePolicy(_statement: iam.PolicyStatement, _allowNoOp?: boolean): iam.AddToResourcePolicyResult {
         return { statementAdded: false };
       }
@@ -223,15 +223,15 @@ export class Alias extends AliasBase {
       }
 
       if (aliasName === REQUIRED_ALIAS_PREFIX) {
-        throw new Error(`Alias must include a value after "${REQUIRED_ALIAS_PREFIX}": ${aliasName}`);
+        throw new ValidationError(`Alias must include a value after "${REQUIRED_ALIAS_PREFIX}": ${aliasName}`, scope);
       }
 
       if (aliasName.toLocaleLowerCase().startsWith(DISALLOWED_PREFIX)) {
-        throw new Error(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`);
+        throw new ValidationError(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`, scope);
       }
 
       if (!aliasName.match(/^[a-zA-Z0-9:/_-]{1,256}$/)) {
-        throw new Error('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-');
+        throw new ValidationError('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-', scope);
       }
     } else if (Tokenization.reverseString(aliasName).firstValue && Tokenization.reverseString(aliasName).firstToken === undefined) {
       const valueInToken = Tokenization.reverseString(aliasName).firstValue;
@@ -241,11 +241,11 @@ export class Alias extends AliasBase {
       }
 
       if (valueInToken.toLocaleLowerCase().startsWith(DISALLOWED_PREFIX)) {
-        throw new Error(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`);
+        throw new ValidationError(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`, scope);
       }
 
       if (!valueInToken.match(/^[a-zA-Z0-9:/_-]{1,256}$/)) {
-        throw new Error('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-');
+        throw new ValidationError('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-', scope);
       }
     }
 
diff --git a/packages/aws-cdk-lib/aws-kms/lib/key.ts b/packages/aws-cdk-lib/aws-kms/lib/key.ts
@@ -18,6 +18,7 @@ import {
   ResourceProps,
   Stack,
   Token,
+  ValidationError,
 } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import * as cxapi from '../../cx-api';
@@ -163,7 +164,7 @@ abstract class KeyBase extends Resource implements IKey {
 
     if (!this.policy) {
       if (allowNoOp) { return { statementAdded: false }; }
-      throw new Error(`Unable to add statement to IAM resource policy for KMS key: ${JSON.stringify(stack.resolve(this.keyArn))}`);
+      throw new ValidationError(`Unable to add statement to IAM resource policy for KMS key: ${JSON.stringify(stack.resolve(this.keyArn))}`, this);
     }
 
     this.policy.addStatements(statement);
@@ -630,7 +631,7 @@ export class Key extends KeyBase {
 
     const keyResourceName = Stack.of(scope).splitArn(keyArn, ArnFormat.SLASH_RESOURCE_NAME).resourceName;
     if (!keyResourceName) {
-      throw new Error(`KMS key ARN must be in the format 'arn:<partition>:kms:<region>:<account>:key/<keyId>', got: '${keyArn}'`);
+      throw new ValidationError(`KMS key ARN must be in the format 'arn:<partition>:kms:<region>:<account>:key/<keyId>', got: '${keyArn}'`, scope);
     }
 
     return new Import(keyResourceName, {
@@ -671,9 +672,9 @@ export class Key extends KeyBase {
       // throw an exception suggesting to use the other importing methods instead.
       // We might make this parsing logic smarter later,
       // but let's start by erroring out.
-      throw new Error('Could not parse the PolicyDocument of the passed AWS::KMS::Key resource because it contains CloudFormation functions. ' +
+      throw new ValidationError('Could not parse the PolicyDocument of the passed AWS::KMS::Key resource because it contains CloudFormation functions. ' +
         'This makes it impossible to create a mutable IKey from that Policy. ' +
-        'You have to use fromKeyArn instead, passing it the ARN attribute property of the low-level CfnKey');
+        'You have to use fromKeyArn instead, passing it the ARN attribute property of the low-level CfnKey', cfnKey);
     }
 
     // change the key policy of the L1, so that all changes done in the L2 are reflected in the resulting template
@@ -730,7 +731,7 @@ export class Key extends KeyBase {
       }
     }
     if (Token.isUnresolved(options.aliasName)) {
-      throw new Error('All arguments to Key.fromLookup() must be concrete (no Tokens)');
+      throw new ValidationError('All arguments to Key.fromLookup() must be concrete (no Tokens)', scope);
     }
 
     const attributes: cxapi.KeyContextResponse = ContextProvider.getValue(scope, {
@@ -814,25 +815,25 @@ export class Key extends KeyBase {
     const keySpec = props.keySpec ?? KeySpec.SYMMETRIC_DEFAULT;
     const keyUsage = props.keyUsage ?? KeyUsage.ENCRYPT_DECRYPT;
     if (denyLists[keyUsage].includes(keySpec)) {
-      throw new Error(`key spec '${keySpec}' is not valid with usage '${keyUsage}'`);
+      throw new ValidationError(`key spec '${keySpec}' is not valid with usage '${keyUsage}'`, this);
     }
 
     if (keySpec.startsWith('HMAC') && props.enableKeyRotation) {
-      throw new Error('key rotation cannot be enabled on HMAC keys');
+      throw new ValidationError('key rotation cannot be enabled on HMAC keys', this);
     }
 
     if (keySpec !== KeySpec.SYMMETRIC_DEFAULT && props.enableKeyRotation) {
-      throw new Error('key rotation cannot be enabled on asymmetric keys');
+      throw new ValidationError('key rotation cannot be enabled on asymmetric keys', this);
     }
 
     this.enableKeyRotation = props.enableKeyRotation;
 
     if (props.rotationPeriod) {
       if (props.enableKeyRotation === false) {
-        throw new Error('\'rotationPeriod\' cannot be specified when \'enableKeyRotation\' is disabled');
+        throw new ValidationError('\'rotationPeriod\' cannot be specified when \'enableKeyRotation\' is disabled', this);
       }
       if (props.rotationPeriod.toDays() < 90 || props.rotationPeriod.toDays() > 2560) {
-        throw new Error(`'rotationPeriod' value must between 90 and 2650 days. Received: ${props.rotationPeriod.toDays()}`);
+        throw new ValidationError(`'rotationPeriod' value must between 90 and 2650 days. Received: ${props.rotationPeriod.toDays()}`, this);
       }
       // If rotationPeriod is specified, enableKeyRotation is set to true by default
       if (props.enableKeyRotation === undefined) {
@@ -845,7 +846,7 @@ export class Key extends KeyBase {
     this.policy = props.policy ?? new iam.PolicyDocument();
     if (defaultKeyPoliciesFeatureEnabled) {
       if (props.trustAccountIdentities === false) {
-        throw new Error('`trustAccountIdentities` cannot be false if the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set');
+        throw new ValidationError('`trustAccountIdentities` cannot be false if the @aws-cdk/aws-kms:defaultKeyPolicies feature flag is set', this);
       }
 
       this.trustAccountIdentities = true;
@@ -866,7 +867,7 @@ export class Key extends KeyBase {
     if (props.pendingWindow) {
       pendingWindowInDays = props.pendingWindow.toDays();
       if (pendingWindowInDays < 7 || pendingWindowInDays > 30) {
-        throw new Error(`'pendingWindow' value must between 7 and 30 days. Received: ${pendingWindowInDays}`);
+        throw new ValidationError(`'pendingWindow' value must between 7 and 30 days. Received: ${pendingWindowInDays}`, this);
       }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ import { Construct } from 'constructs';`
`2`	`2`	`import { IKey } from './key';`
`3`	`3`	`import { CfnAlias } from './kms.generated';`
`4`	`4`	`import * as iam from '../../aws-iam';`
`5`		`-import { FeatureFlags, RemovalPolicy, Resource, Stack, Token, Tokenization } from '../../core';`
	`5`	`+import { FeatureFlags, RemovalPolicy, Resource, Stack, Token, Tokenization, ValidationError } from '../../core';`
`6`	`6`	`import { addConstructMetadata } from '../../core/lib/metadata-resource';`
`7`	`7`	`import { KMS_ALIAS_NAME_REF } from '../../cx-api';`
`8`	`8`
`@@ -192,8 +192,8 @@ export class Alias extends AliasBase {`
`192`	`192`	`public readonly keyArn = Stack.of(this).formatArn({ service: 'kms', resource: aliasName });`
`193`	`193`	`public readonly keyId = aliasName;`
`194`	`194`	`public readonly aliasName = aliasName;`
`195`		`- public get aliasTargetKey(): IKey { throw new Error('Cannot access aliasTargetKey on an Alias imported by Alias.fromAliasName().'); }`
`196`		`- public addAlias(_alias: string): Alias { throw new Error('Cannot call addAlias on an Alias imported by Alias.fromAliasName().'); }`
	`195`	`+ public get aliasTargetKey(): IKey { throw new ValidationError('Cannot access aliasTargetKey on an Alias imported by Alias.fromAliasName().', this); }`
	`196`	`+ public addAlias(_alias: string): Alias { throw new ValidationError('Cannot call addAlias on an Alias imported by Alias.fromAliasName().', this); }`
`197`	`197`	`public addToResourcePolicy(_statement: iam.PolicyStatement, _allowNoOp?: boolean): iam.AddToResourcePolicyResult {`
`198`	`198`	`return { statementAdded: false };`
`199`	`199`	`}`
`@@ -223,15 +223,15 @@ export class Alias extends AliasBase {`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`if (aliasName === REQUIRED_ALIAS_PREFIX) {`
`226`		- throw new Error(`Alias must include a value after "${REQUIRED_ALIAS_PREFIX}": ${aliasName}`);
	`226`	+ throw new ValidationError(`Alias must include a value after "${REQUIRED_ALIAS_PREFIX}": ${aliasName}`, scope);
`227`	`227`	`}`
`228`	`228`
`229`	`229`	`if (aliasName.toLocaleLowerCase().startsWith(DISALLOWED_PREFIX)) {`
`230`		- throw new Error(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`);
	`230`	+ throw new ValidationError(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`, scope);
`231`	`231`	`}`
`232`	`232`
`233`	`233`	`if (!aliasName.match(/^[a-zA-Z0-9:/_-]{1,256}$/)) {`
`234`		`- throw new Error('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-');`
	`234`	`+ throw new ValidationError('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-', scope);`
`235`	`235`	`}`
`236`	`236`	`} else if (Tokenization.reverseString(aliasName).firstValue && Tokenization.reverseString(aliasName).firstToken === undefined) {`
`237`	`237`	`const valueInToken = Tokenization.reverseString(aliasName).firstValue;`
`@@ -241,11 +241,11 @@ export class Alias extends AliasBase {`
`241`	`241`	`}`
`242`	`242`
`243`	`243`	`if (valueInToken.toLocaleLowerCase().startsWith(DISALLOWED_PREFIX)) {`
`244`		- throw new Error(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`);
	`244`	+ throw new ValidationError(`Alias cannot start with ${DISALLOWED_PREFIX}: ${aliasName}`, scope);
`245`	`245`	`}`
`246`	`246`
`247`	`247`	`if (!valueInToken.match(/^[a-zA-Z0-9:/_-]{1,256}$/)) {`
`248`		`- throw new Error('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-');`
	`248`	`+ throw new ValidationError('Alias name must be between 1 and 256 characters in a-zA-Z0-9:/_-', scope);`
`249`	`249`	`}`
`250`	`250`	`}`
`251`	`251`