feat(s3): throw ValidationError instead of untyped errors (#33031)

mrgrain · web-flow · commit 61e876bd3ed6 · 2025-01-21T16:46:47.000Z
### Issue `aws-s3` for #32569 ### Description of changes Added an `UnscopedValidationError` for situations where now scope is available. This is to be used sparsely as it's less useful for users. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Existing tests. Exemptions granted as this is basically a refactor of existing code. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/.eslintrc.js b/packages/aws-cdk-lib/.eslintrc.js
@@ -13,4 +13,13 @@ baseConfig.rules['import/no-extraneous-dependencies'] = [
   }
 ];
 
+
+// no-throw-default-error
+const modules = ['aws-s3'];
+baseConfig.overrides.push({
+  files: modules.map(m => `./${m}/lib/**`),
+  rules: { "@cdklabs/no-throw-default-error": ['error'] },
+});
+
+
 module.exports = baseConfig;
diff --git a/packages/aws-cdk-lib/aws-s3/lib/bucket.ts b/packages/aws-cdk-lib/aws-s3/lib/bucket.ts
@@ -26,6 +26,7 @@ import {
   Tokenization,
   Annotations,
 } from '../../core';
+import { UnscopedValidationError, ValidationError } from '../../core/lib/errors';
 import { CfnReference } from '../../core/lib/private/cfn-reference';
 import { AutoDeleteObjectsProvider } from '../../custom-resource-handlers/dist/aws-s3/auto-delete-objects-provider.generated';
 import * as cxapi from '../../cx-api';
@@ -869,7 +870,7 @@ export abstract class BucketBase extends Resource implements IBucket {
    */
   public grantPublicAccess(keyPrefix = '*', ...allowedActions: string[]) {
     if (this.disallowPublicAccess) {
-      throw new Error("Cannot grant public access when 'blockPublicPolicy' is enabled");
+      throw new ValidationError("Cannot grant public access when 'blockPublicPolicy' is enabled", this);
     }
 
     allowedActions = allowedActions.length > 0 ? allowedActions : ['s3:GetObject'];
@@ -982,7 +983,7 @@ export abstract class BucketBase extends Resource implements IBucket {
     })).statementAdded);
     if (accessControlTransition) {
       if (!account) {
-        throw new Error('account must be specified to override ownership access control transition');
+        throw new ValidationError('account must be specified to override ownership access control transition', this);
       }
       results.push(this.addToResourcePolicy(new iam.PolicyStatement({
         actions: ['s3:ObjectOwnerOverrideToBucketOwner'],
@@ -1987,7 +1988,7 @@ export class Bucket extends BucketBase {
 
     const bucketName = parseBucketName(scope, attrs);
     if (!bucketName) {
-      throw new Error('Bucket name is required');
+      throw new ValidationError('Bucket name is required', scope);
     }
     Bucket.validateBucketName(bucketName, true);
 
@@ -2151,7 +2152,7 @@ export class Bucket extends BucketBase {
     }
 
     if (errors.length > 0) {
-      throw new Error(`Invalid S3 bucket name (value: ${bucketName})${EOL}${errors.join(EOL)}`);
+      throw new UnscopedValidationError(`Invalid S3 bucket name (value: ${bucketName})${EOL}${errors.join(EOL)}`);
     }
   }
 
@@ -2247,7 +2248,7 @@ export class Bucket extends BucketBase {
       this.enforceSSLStatement();
       this.minimumTLSVersionStatement(props.minimumTLSVersion);
     } else if (props.minimumTLSVersion) {
-      throw new Error('\'enforceSSL\' must be enabled for \'minimumTLSVersion\' to be applied');
+      throw new ValidationError('\'enforceSSL\' must be enabled for \'minimumTLSVersion\' to be applied', this);
     }
 
     if (props.serverAccessLogsBucket instanceof Bucket) {
@@ -2281,15 +2282,15 @@ export class Bucket extends BucketBase {
 
     if (props.publicReadAccess) {
       if (props.blockPublicAccess === undefined) {
-        throw new Error('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAccess\' property.');
+        throw new ValidationError('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAccess\' property.', this);
       }
 
       this.grantPublicAccess();
     }
 
     if (props.autoDeleteObjects) {
       if (props.removalPolicy !== RemovalPolicy.DESTROY) {
-        throw new Error('Cannot use \'autoDeleteObjects\' property on a bucket without setting removal policy to \'DESTROY\'.');
+        throw new ValidationError('Cannot use \'autoDeleteObjects\' property on a bucket without setting removal policy to \'DESTROY\'.', this);
       }
 
       this.enableAutoDeleteObjects();
@@ -2409,12 +2410,12 @@ export class Bucket extends BucketBase {
 
     // if encryption key is set, encryption must be set to KMS or DSSE.
     if (encryptionType !== BucketEncryption.DSSE && encryptionType !== BucketEncryption.KMS && props.encryptionKey) {
-      throw new Error(`encryptionKey is specified, so 'encryption' must be set to KMS or DSSE (value: ${encryptionType})`);
+      throw new ValidationError(`encryptionKey is specified, so 'encryption' must be set to KMS or DSSE (value: ${encryptionType})`, this);
     }
 
     // if bucketKeyEnabled is set, encryption can not be BucketEncryption.UNENCRYPTED
     if (props.bucketKeyEnabled && encryptionType === BucketEncryption.UNENCRYPTED) {
-      throw new Error(`bucketKeyEnabled is specified, so 'encryption' must be set to KMS, DSSE or S3 (value: ${encryptionType})`);
+      throw new ValidationError(`bucketKeyEnabled is specified, so 'encryption' must be set to KMS, DSSE or S3 (value: ${encryptionType})`, this);
     }
 
     if (encryptionType === BucketEncryption.UNENCRYPTED) {
@@ -2497,7 +2498,7 @@ export class Bucket extends BucketBase {
       return { bucketEncryption };
     }
 
-    throw new Error(`Unexpected 'encryptionType': ${encryptionType}`);
+    throw new ValidationError(`Unexpected 'encryptionType': ${encryptionType}`, this);
   }
 
   /**
@@ -2521,7 +2522,7 @@ export class Bucket extends BucketBase {
       if ((rule.expiredObjectDeleteMarker)
       && (rule.expiration || rule.expirationDate || self.parseTagFilters(rule.tagFilters))) {
         // ExpiredObjectDeleteMarker cannot be specified with ExpirationInDays, ExpirationDate, or TagFilters.
-        throw new Error('ExpiredObjectDeleteMarker cannot be specified with expiration, ExpirationDate, or TagFilters.');
+        throw new ValidationError('ExpiredObjectDeleteMarker cannot be specified with expiration, ExpirationDate, or TagFilters.', self);
       }
 
       if (
@@ -2534,7 +2535,7 @@ export class Bucket extends BucketBase {
         rule.noncurrentVersionTransitions === undefined &&
         rule.transitions === undefined
       ) {
-        throw new Error('All rules for `lifecycleRules` must have at least one of the following properties: `abortIncompleteMultipartUploadAfter`, `expiration`, `expirationDate`, `expiredObjectDeleteMarker`, `noncurrentVersionExpiration`, `noncurrentVersionsToRetain`, `noncurrentVersionTransitions`, or `transitions`');
+        throw new ValidationError('All rules for `lifecycleRules` must have at least one of the following properties: `abortIncompleteMultipartUploadAfter`, `expiration`, `expirationDate`, `expiredObjectDeleteMarker`, `noncurrentVersionExpiration`, `noncurrentVersionsToRetain`, `noncurrentVersionTransitions`, or `transitions`', self);
       }
 
       const x: CfnBucket.RuleProperty = {
@@ -2580,7 +2581,7 @@ export class Bucket extends BucketBase {
       props.encryption &&
       [BucketEncryption.KMS_MANAGED, BucketEncryption.DSSE_MANAGED].includes(props.encryption)
     ) {
-      throw new Error('Default bucket encryption with KMS managed or DSSE managed key is not supported for Server Access Logging target buckets');
+      throw new ValidationError('Default bucket encryption with KMS managed or DSSE managed key is not supported for Server Access Logging target buckets', this);
     }
 
     // When there is an encryption key exists for the server access logs bucket, grant permission to the S3 logging SP.
@@ -2657,7 +2658,7 @@ export class Bucket extends BucketBase {
     }
 
     if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {
-      throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`);
+      throw new ValidationError (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`, this);
     }
 
     return {
@@ -2703,7 +2704,7 @@ export class Bucket extends BucketBase {
       return undefined;
     }
     if (objectLockEnabled === false && objectLockDefaultRetention) {
-      throw new Error('Object Lock must be enabled to configure default retention settings');
+      throw new ValidationError('Object Lock must be enabled to configure default retention settings', this);
     }
 
     return {
@@ -2723,16 +2724,16 @@ export class Bucket extends BucketBase {
     }
 
     if (props.websiteErrorDocument && !props.websiteIndexDocument) {
-      throw new Error('"websiteIndexDocument" is required if "websiteErrorDocument" is set');
+      throw new ValidationError('"websiteIndexDocument" is required if "websiteErrorDocument" is set', this);
     }
 
     if (props.websiteRedirect && (props.websiteErrorDocument || props.websiteIndexDocument || props.websiteRoutingRules)) {
-      throw new Error('"websiteIndexDocument", "websiteErrorDocument" and, "websiteRoutingRules" cannot be set if "websiteRedirect" is used');
+      throw new ValidationError('"websiteIndexDocument", "websiteErrorDocument" and, "websiteRoutingRules" cannot be set if "websiteRedirect" is used', this);
     }
 
     const routingRules = props.websiteRoutingRules ? props.websiteRoutingRules.map<CfnBucket.RoutingRuleProperty>((rule) => {
       if (rule.condition && rule.condition.httpErrorCodeReturnedEquals == null && rule.condition.keyPrefixEquals == null) {
-        throw new Error('The condition property cannot be an empty object');
+        throw new ValidationError('The condition property cannot be an empty object', this);
       }
 
       return {
@@ -2762,17 +2763,17 @@ export class Bucket extends BucketBase {
     }
 
     if (!props.versioned) {
-      throw new Error('Replication rules require versioning to be enabled on the bucket');
+      throw new ValidationError('Replication rules require versioning to be enabled on the bucket', this);
     }
     if (props.replicationRules.length > 1 && props.replicationRules.some(rule => rule.priority === undefined)) {
-      throw new Error('\'priority\' must be specified for all replication rules when there are multiple rules');
+      throw new ValidationError('\'priority\' must be specified for all replication rules when there are multiple rules', this);
     }
     props.replicationRules.forEach(rule => {
       if (rule.replicationTimeControl && !rule.metrics) {
-        throw new Error('\'replicationTimeControlMetrics\' must be enabled when \'replicationTimeControl\' is enabled.');
+        throw new ValidationError('\'replicationTimeControlMetrics\' must be enabled when \'replicationTimeControl\' is enabled.', this);
       }
       if (rule.deleteMarkerReplication && rule.filter?.tags) {
-        throw new Error('tag filter cannot be specified when \'deleteMarkerReplication\' is enabled.');
+        throw new ValidationError('tag filter cannot be specified when \'deleteMarkerReplication\' is enabled.', this);
       }
     });
 
@@ -2846,7 +2847,7 @@ export class Bucket extends BucketBase {
         if (isCrossAccount) {
           Annotations.of(this).addInfo('For Cross-account S3 replication, ensure to set up permissions on source bucket using method addReplicationPolicy() ');
         } else if (rule.accessControlTransition) {
-          throw new Error('accessControlTranslation is only supported for cross-account replication');
+          throw new ValidationError('accessControlTranslation is only supported for cross-account replication', this);
         }
 
         return {
@@ -2921,7 +2922,7 @@ export class Bucket extends BucketBase {
         conditions: conditions,
       }));
     } else if (this.accessControl && this.accessControl !== BucketAccessControl.LOG_DELIVERY_WRITE) {
-      throw new Error("Cannot enable log delivery to this bucket because the bucket's ACL has been set and can't be changed");
+      throw new ValidationError("Cannot enable log delivery to this bucket because the bucket's ACL has been set and can't be changed", this);
     } else {
       this.accessControl = BucketAccessControl.LOG_DELIVERY_WRITE;
     }
@@ -2937,7 +2938,7 @@ export class Bucket extends BucketBase {
       const format = inventory.format ?? InventoryFormat.CSV;
       const frequency = inventory.frequency ?? InventoryFrequency.WEEKLY;
       if (inventory.inventoryId !== undefined && (inventory.inventoryId.length > 64 || inventoryIdValidationRegex.test(inventory.inventoryId))) {
-        throw new Error(`inventoryId should not exceed 64 characters and should not contain special characters except . and -, got ${inventory.inventoryId}`);
+        throw new ValidationError(`inventoryId should not exceed 64 characters and should not contain special characters except . and -, got ${inventory.inventoryId}`, this);
       }
       const id = inventory.inventoryId ?? `${this.node.id}Inventory${index}`.replace(inventoryIdValidationRegex, '').slice(-64);
 
@@ -3523,10 +3524,10 @@ export class ObjectLockRetention {
   private constructor(mode: ObjectLockMode, duration: Duration) {
     // https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-retention-limits
     if (duration.toDays() > 365 * 100) {
-      throw new Error('Object Lock retention duration must be less than 100 years');
+      throw new UnscopedValidationError('Object Lock retention duration must be less than 100 years');
     }
     if (duration.toDays() < 1) {
-      throw new Error('Object Lock retention duration must be at least 1 day');
+      throw new UnscopedValidationError('Object Lock retention duration must be at least 1 day');
     }
 
     this.mode = mode;
diff --git a/packages/aws-cdk-lib/aws-s3/lib/notifications-resource/notifications-resource.ts b/packages/aws-cdk-lib/aws-s3/lib/notifications-resource/notifications-resource.ts
@@ -2,6 +2,7 @@ import { Construct, IConstruct } from 'constructs';
 import { NotificationsResourceHandler } from './notifications-resource-handler';
 import * as iam from '../../../aws-iam';
 import * as cdk from '../../../core';
+import { ValidationError } from '../../../core/lib/errors';
 import * as cxapi from '../../../cx-api';
 import { Bucket, IBucket, EventType, NotificationKeyFilter } from '../bucket';
 import { BucketNotificationDestinationType, IBucketNotificationDestination } from '../destination';
@@ -71,7 +72,7 @@ export class BucketNotifications extends Construct {
     const targetProps = target.bind(this, this.bucket);
     const commonConfig: CommonConfiguration = {
       Events: [event],
-      Filter: renderFilters(filters),
+      Filter: renderFilters(filters, this),
     };
 
     // if the target specifies any dependencies, add them to the custom resource.
@@ -96,7 +97,7 @@ export class BucketNotifications extends Construct {
         break;
 
       default:
-        throw new Error('Unsupported notification target type:' + BucketNotificationDestinationType[targetProps.type]);
+        throw new ValidationError('Unsupported notification target type:' + BucketNotificationDestinationType[targetProps.type], this);
     }
   }
 
@@ -171,7 +172,7 @@ export class BucketNotifications extends Construct {
   }
 }
 
-function renderFilters(filters?: NotificationKeyFilter[]): Filter | undefined {
+function renderFilters(filters: NotificationKeyFilter[], scope: BucketNotifications): Filter | undefined {
   if (!filters || filters.length === 0) {
     return undefined;
   }
@@ -182,20 +183,20 @@ function renderFilters(filters?: NotificationKeyFilter[]): Filter | undefined {
 
   for (const rule of filters) {
     if (!rule.suffix && !rule.prefix) {
-      throw new Error('NotificationKeyFilter must specify `prefix` and/or `suffix`');
+      throw new ValidationError('NotificationKeyFilter must specify `prefix` and/or `suffix`', scope);
     }
 
     if (rule.suffix) {
       if (hasSuffix) {
-        throw new Error('Cannot specify more than one suffix rule in a filter.');
+        throw new ValidationError('Cannot specify more than one suffix rule in a filter.', scope);
       }
       renderedRules.push({ Name: 'suffix', Value: rule.suffix });
       hasSuffix = true;
     }
 
     if (rule.prefix) {
       if (hasPrefix) {
-        throw new Error('Cannot specify more than one prefix rule in a filter.');
+        throw new ValidationError('Cannot specify more than one prefix rule in a filter.', scope);
       }
       renderedRules.push({ Name: 'prefix', Value: rule.prefix });
       hasPrefix = true;
diff --git a/packages/aws-cdk-lib/aws-s3/lib/util.ts b/packages/aws-cdk-lib/aws-s3/lib/util.ts
@@ -1,6 +1,7 @@
 import { IConstruct } from 'constructs';
 import { BucketAttributes } from './bucket';
 import * as cdk from '../../core';
+import { ValidationError } from '../../core/lib/errors';
 
 export function parseBucketArn(construct: IConstruct, props: BucketAttributes): string {
 
@@ -20,7 +21,7 @@ export function parseBucketArn(construct: IConstruct, props: BucketAttributes):
     });
   }
 
-  throw new Error('Cannot determine bucket ARN. At least `bucketArn` or `bucketName` is needed');
+  throw new ValidationError('Cannot determine bucket ARN. At least `bucketArn` or `bucketName` is needed', construct);
 }
 
 export function parseBucketName(construct: IConstruct, props: BucketAttributes): string | undefined {
diff --git a/packages/aws-cdk-lib/core/lib/errors.ts b/packages/aws-cdk-lib/core/lib/errors.ts
diff --git a/packages/aws-cdk-lib/core/test/errors.test.ts b/packages/aws-cdk-lib/core/test/errors.test.ts

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ import {`
`26`	`26`	`Tokenization,`
`27`	`27`	`Annotations,`
`28`	`28`	`} from '../../core';`
	`29`	`+import { UnscopedValidationError, ValidationError } from '../../core/lib/errors';`
`29`	`30`	`import { CfnReference } from '../../core/lib/private/cfn-reference';`
`30`	`31`	`import { AutoDeleteObjectsProvider } from '../../custom-resource-handlers/dist/aws-s3/auto-delete-objects-provider.generated';`
`31`	`32`	`import * as cxapi from '../../cx-api';`
`@@ -869,7 +870,7 @@ export abstract class BucketBase extends Resource implements IBucket {`
`869`	`870`	`*/`
`870`	`871`	`public grantPublicAccess(keyPrefix = '*', ...allowedActions: string[]) {`
`871`	`872`	`if (this.disallowPublicAccess) {`
`872`		`- throw new Error("Cannot grant public access when 'blockPublicPolicy' is enabled");`
	`873`	`+ throw new ValidationError("Cannot grant public access when 'blockPublicPolicy' is enabled", this);`
`873`	`874`	`}`
`874`	`875`
`875`	`876`	`allowedActions = allowedActions.length > 0 ? allowedActions : ['s3:GetObject'];`
`@@ -982,7 +983,7 @@ export abstract class BucketBase extends Resource implements IBucket {`
`982`	`983`	`})).statementAdded);`
`983`	`984`	`if (accessControlTransition) {`
`984`	`985`	`if (!account) {`
`985`		`- throw new Error('account must be specified to override ownership access control transition');`
	`986`	`+ throw new ValidationError('account must be specified to override ownership access control transition', this);`
`986`	`987`	`}`
`987`	`988`	`results.push(this.addToResourcePolicy(new iam.PolicyStatement({`
`988`	`989`	`actions: ['s3:ObjectOwnerOverrideToBucketOwner'],`
`@@ -1987,7 +1988,7 @@ export class Bucket extends BucketBase {`
`1987`	`1988`
`1988`	`1989`	`const bucketName = parseBucketName(scope, attrs);`
`1989`	`1990`	`if (!bucketName) {`
`1990`		`- throw new Error('Bucket name is required');`
	`1991`	`+ throw new ValidationError('Bucket name is required', scope);`
`1991`	`1992`	`}`
`1992`	`1993`	`Bucket.validateBucketName(bucketName, true);`
`1993`	`1994`
`@@ -2151,7 +2152,7 @@ export class Bucket extends BucketBase {`
`2151`	`2152`	`}`
`2152`	`2153`
`2153`	`2154`	`if (errors.length > 0) {`
`2154`		- throw new Error(`Invalid S3 bucket name (value: ${bucketName})${EOL}${errors.join(EOL)}`);
	`2155`	+ throw new UnscopedValidationError(`Invalid S3 bucket name (value: ${bucketName})${EOL}${errors.join(EOL)}`);
`2155`	`2156`	`}`
`2156`	`2157`	`}`
`2157`	`2158`
`@@ -2247,7 +2248,7 @@ export class Bucket extends BucketBase {`
`2247`	`2248`	`this.enforceSSLStatement();`
`2248`	`2249`	`this.minimumTLSVersionStatement(props.minimumTLSVersion);`
`2249`	`2250`	`} else if (props.minimumTLSVersion) {`
`2250`		`- throw new Error('\'enforceSSL\' must be enabled for \'minimumTLSVersion\' to be applied');`
	`2251`	`+ throw new ValidationError('\'enforceSSL\' must be enabled for \'minimumTLSVersion\' to be applied', this);`
`2251`	`2252`	`}`
`2252`	`2253`
`2253`	`2254`	`if (props.serverAccessLogsBucket instanceof Bucket) {`
`@@ -2281,15 +2282,15 @@ export class Bucket extends BucketBase {`
`2281`	`2282`
`2282`	`2283`	`if (props.publicReadAccess) {`
`2283`	`2284`	`if (props.blockPublicAccess === undefined) {`
`2284`		`- throw new Error('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAccess\' property.');`
	`2285`	`+ throw new ValidationError('Cannot use \'publicReadAccess\' property on a bucket without allowing bucket-level public access through \'blockPublicAccess\' property.', this);`
`2285`	`2286`	`}`
`2286`	`2287`
`2287`	`2288`	`this.grantPublicAccess();`
`2288`	`2289`	`}`
`2289`	`2290`
`2290`	`2291`	`if (props.autoDeleteObjects) {`
`2291`	`2292`	`if (props.removalPolicy !== RemovalPolicy.DESTROY) {`
`2292`		`- throw new Error('Cannot use \'autoDeleteObjects\' property on a bucket without setting removal policy to \'DESTROY\'.');`
	`2293`	`+ throw new ValidationError('Cannot use \'autoDeleteObjects\' property on a bucket without setting removal policy to \'DESTROY\'.', this);`
`2293`	`2294`	`}`
`2294`	`2295`
`2295`	`2296`	`this.enableAutoDeleteObjects();`
`@@ -2409,12 +2410,12 @@ export class Bucket extends BucketBase {`
`2409`	`2410`
`2410`	`2411`	`// if encryption key is set, encryption must be set to KMS or DSSE.`
`2411`	`2412`	`if (encryptionType !== BucketEncryption.DSSE && encryptionType !== BucketEncryption.KMS && props.encryptionKey) {`
`2412`		- throw new Error(`encryptionKey is specified, so 'encryption' must be set to KMS or DSSE (value: ${encryptionType})`);
	`2413`	+ throw new ValidationError(`encryptionKey is specified, so 'encryption' must be set to KMS or DSSE (value: ${encryptionType})`, this);
`2413`	`2414`	`}`
`2414`	`2415`
`2415`	`2416`	`// if bucketKeyEnabled is set, encryption can not be BucketEncryption.UNENCRYPTED`
`2416`	`2417`	`if (props.bucketKeyEnabled && encryptionType === BucketEncryption.UNENCRYPTED) {`
`2417`		- throw new Error(`bucketKeyEnabled is specified, so 'encryption' must be set to KMS, DSSE or S3 (value: ${encryptionType})`);
	`2418`	+ throw new ValidationError(`bucketKeyEnabled is specified, so 'encryption' must be set to KMS, DSSE or S3 (value: ${encryptionType})`, this);
`2418`	`2419`	`}`
`2419`	`2420`
`2420`	`2421`	`if (encryptionType === BucketEncryption.UNENCRYPTED) {`
`@@ -2497,7 +2498,7 @@ export class Bucket extends BucketBase {`
`2497`	`2498`	`return { bucketEncryption };`
`2498`	`2499`	`}`
`2499`	`2500`
`2500`		- throw new Error(`Unexpected 'encryptionType': ${encryptionType}`);
	`2501`	+ throw new ValidationError(`Unexpected 'encryptionType': ${encryptionType}`, this);
`2501`	`2502`	`}`
`2502`	`2503`
`2503`	`2504`	`/**`
`@@ -2521,7 +2522,7 @@ export class Bucket extends BucketBase {`
`2521`	`2522`	`if ((rule.expiredObjectDeleteMarker)`
`2522`	`2523`	`&& (rule.expiration \|\| rule.expirationDate \|\| self.parseTagFilters(rule.tagFilters))) {`
`2523`	`2524`	`// ExpiredObjectDeleteMarker cannot be specified with ExpirationInDays, ExpirationDate, or TagFilters.`
`2524`		`- throw new Error('ExpiredObjectDeleteMarker cannot be specified with expiration, ExpirationDate, or TagFilters.');`
	`2525`	`+ throw new ValidationError('ExpiredObjectDeleteMarker cannot be specified with expiration, ExpirationDate, or TagFilters.', self);`
`2525`	`2526`	`}`
`2526`	`2527`
`2527`	`2528`	`if (`
`@@ -2534,7 +2535,7 @@ export class Bucket extends BucketBase {`
`2534`	`2535`	`rule.noncurrentVersionTransitions === undefined &&`
`2535`	`2536`	`rule.transitions === undefined`
`2536`	`2537`	`) {`
`2537`		- throw new Error('All rules for `lifecycleRules` must have at least one of the following properties: `abortIncompleteMultipartUploadAfter`, `expiration`, `expirationDate`, `expiredObjectDeleteMarker`, `noncurrentVersionExpiration`, `noncurrentVersionsToRetain`, `noncurrentVersionTransitions`, or `transitions`');
	`2538`	+ throw new ValidationError('All rules for `lifecycleRules` must have at least one of the following properties: `abortIncompleteMultipartUploadAfter`, `expiration`, `expirationDate`, `expiredObjectDeleteMarker`, `noncurrentVersionExpiration`, `noncurrentVersionsToRetain`, `noncurrentVersionTransitions`, or `transitions`', self);
`2538`	`2539`	`}`
`2539`	`2540`
`2540`	`2541`	`const x: CfnBucket.RuleProperty = {`
`@@ -2580,7 +2581,7 @@ export class Bucket extends BucketBase {`
`2580`	`2581`	`props.encryption &&`
`2581`	`2582`	`[BucketEncryption.KMS_MANAGED, BucketEncryption.DSSE_MANAGED].includes(props.encryption)`
`2582`	`2583`	`) {`
`2583`		`- throw new Error('Default bucket encryption with KMS managed or DSSE managed key is not supported for Server Access Logging target buckets');`
	`2584`	`+ throw new ValidationError('Default bucket encryption with KMS managed or DSSE managed key is not supported for Server Access Logging target buckets', this);`
`2584`	`2585`	`}`
`2585`	`2586`
`2586`	`2587`	`// When there is an encryption key exists for the server access logs bucket, grant permission to the S3 logging SP.`
`@@ -2657,7 +2658,7 @@ export class Bucket extends BucketBase {`
`2657`	`2658`	`}`
`2658`	`2659`
`2659`	`2660`	`if (accessControlRequiresObjectOwnership && this.objectOwnership === ObjectOwnership.BUCKET_OWNER_ENFORCED) {`
`2660`		- throw new Error (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`);
	`2661`	+ throw new ValidationError (`objectOwnership must be set to "${ObjectOwnership.OBJECT_WRITER}" when accessControl is "${this.accessControl}"`, this);
`2661`	`2662`	`}`
`2662`	`2663`
`2663`	`2664`	`return {`
`@@ -2703,7 +2704,7 @@ export class Bucket extends BucketBase {`
`2703`	`2704`	`return undefined;`
`2704`	`2705`	`}`
`2705`	`2706`	`if (objectLockEnabled === false && objectLockDefaultRetention) {`
`2706`		`- throw new Error('Object Lock must be enabled to configure default retention settings');`
	`2707`	`+ throw new ValidationError('Object Lock must be enabled to configure default retention settings', this);`
`2707`	`2708`	`}`
`2708`	`2709`
`2709`	`2710`	`return {`
`@@ -2723,16 +2724,16 @@ export class Bucket extends BucketBase {`
`2723`	`2724`	`}`
`2724`	`2725`
`2725`	`2726`	`if (props.websiteErrorDocument && !props.websiteIndexDocument) {`
`2726`		`- throw new Error('"websiteIndexDocument" is required if "websiteErrorDocument" is set');`
	`2727`	`+ throw new ValidationError('"websiteIndexDocument" is required if "websiteErrorDocument" is set', this);`
`2727`	`2728`	`}`
`2728`	`2729`
`2729`	`2730`	`if (props.websiteRedirect && (props.websiteErrorDocument \|\| props.websiteIndexDocument \|\| props.websiteRoutingRules)) {`
`2730`		`- throw new Error('"websiteIndexDocument", "websiteErrorDocument" and, "websiteRoutingRules" cannot be set if "websiteRedirect" is used');`
	`2731`	`+ throw new ValidationError('"websiteIndexDocument", "websiteErrorDocument" and, "websiteRoutingRules" cannot be set if "websiteRedirect" is used', this);`
`2731`	`2732`	`}`
`2732`	`2733`
`2733`	`2734`	`const routingRules = props.websiteRoutingRules ? props.websiteRoutingRules.map<CfnBucket.RoutingRuleProperty>((rule) => {`
`2734`	`2735`	`if (rule.condition && rule.condition.httpErrorCodeReturnedEquals == null && rule.condition.keyPrefixEquals == null) {`
`2735`		`- throw new Error('The condition property cannot be an empty object');`
	`2736`	`+ throw new ValidationError('The condition property cannot be an empty object', this);`
`2736`	`2737`	`}`
`2737`	`2738`
`2738`	`2739`	`return {`
`@@ -2762,17 +2763,17 @@ export class Bucket extends BucketBase {`
`2762`	`2763`	`}`
`2763`	`2764`
`2764`	`2765`	`if (!props.versioned) {`
`2765`		`- throw new Error('Replication rules require versioning to be enabled on the bucket');`
	`2766`	`+ throw new ValidationError('Replication rules require versioning to be enabled on the bucket', this);`
`2766`	`2767`	`}`
`2767`	`2768`	`if (props.replicationRules.length > 1 && props.replicationRules.some(rule => rule.priority === undefined)) {`
`2768`		`- throw new Error('\'priority\' must be specified for all replication rules when there are multiple rules');`
	`2769`	`+ throw new ValidationError('\'priority\' must be specified for all replication rules when there are multiple rules', this);`
`2769`	`2770`	`}`
`2770`	`2771`	`props.replicationRules.forEach(rule => {`
`2771`	`2772`	`if (rule.replicationTimeControl && !rule.metrics) {`
`2772`		`- throw new Error('\'replicationTimeControlMetrics\' must be enabled when \'replicationTimeControl\' is enabled.');`
	`2773`	`+ throw new ValidationError('\'replicationTimeControlMetrics\' must be enabled when \'replicationTimeControl\' is enabled.', this);`
`2773`	`2774`	`}`
`2774`	`2775`	`if (rule.deleteMarkerReplication && rule.filter?.tags) {`
`2775`		`- throw new Error('tag filter cannot be specified when \'deleteMarkerReplication\' is enabled.');`
	`2776`	`+ throw new ValidationError('tag filter cannot be specified when \'deleteMarkerReplication\' is enabled.', this);`
`2776`	`2777`	`}`
`2777`	`2778`	`});`
`2778`	`2779`
`@@ -2846,7 +2847,7 @@ export class Bucket extends BucketBase {`
`2846`	`2847`	`if (isCrossAccount) {`
`2847`	`2848`	`Annotations.of(this).addInfo('For Cross-account S3 replication, ensure to set up permissions on source bucket using method addReplicationPolicy() ');`
`2848`	`2849`	`} else if (rule.accessControlTransition) {`
`2849`		`- throw new Error('accessControlTranslation is only supported for cross-account replication');`
	`2850`	`+ throw new ValidationError('accessControlTranslation is only supported for cross-account replication', this);`
`2850`	`2851`	`}`
`2851`	`2852`
`2852`	`2853`	`return {`
`@@ -2921,7 +2922,7 @@ export class Bucket extends BucketBase {`
`2921`	`2922`	`conditions: conditions,`
`2922`	`2923`	`}));`
`2923`	`2924`	`} else if (this.accessControl && this.accessControl !== BucketAccessControl.LOG_DELIVERY_WRITE) {`
`2924`		`- throw new Error("Cannot enable log delivery to this bucket because the bucket's ACL has been set and can't be changed");`
	`2925`	`+ throw new ValidationError("Cannot enable log delivery to this bucket because the bucket's ACL has been set and can't be changed", this);`
`2925`	`2926`	`} else {`
`2926`	`2927`	`this.accessControl = BucketAccessControl.LOG_DELIVERY_WRITE;`
`2927`	`2928`	`}`
`@@ -2937,7 +2938,7 @@ export class Bucket extends BucketBase {`
`2937`	`2938`	`const format = inventory.format ?? InventoryFormat.CSV;`
`2938`	`2939`	`const frequency = inventory.frequency ?? InventoryFrequency.WEEKLY;`
`2939`	`2940`	`if (inventory.inventoryId !== undefined && (inventory.inventoryId.length > 64 \|\| inventoryIdValidationRegex.test(inventory.inventoryId))) {`
`2940`		- throw new Error(`inventoryId should not exceed 64 characters and should not contain special characters except . and -, got ${inventory.inventoryId}`);
	`2941`	+ throw new ValidationError(`inventoryId should not exceed 64 characters and should not contain special characters except . and -, got ${inventory.inventoryId}`, this);
`2941`	`2942`	`}`
`2942`	`2943`	const id = inventory.inventoryId ?? `${this.node.id}Inventory${index}`.replace(inventoryIdValidationRegex, '').slice(-64);
`2943`	`2944`
`@@ -3523,10 +3524,10 @@ export class ObjectLockRetention {`
`3523`	`3524`	`private constructor(mode: ObjectLockMode, duration: Duration) {`
`3524`	`3525`	`// https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-retention-limits`
`3525`	`3526`	`if (duration.toDays() > 365 * 100) {`
`3526`		`- throw new Error('Object Lock retention duration must be less than 100 years');`
	`3527`	`+ throw new UnscopedValidationError('Object Lock retention duration must be less than 100 years');`
`3527`	`3528`	`}`
`3528`	`3529`	`if (duration.toDays() < 1) {`
`3529`		`- throw new Error('Object Lock retention duration must be at least 1 day');`
	`3530`	`+ throw new UnscopedValidationError('Object Lock retention duration must be at least 1 day');`
`3530`	`3531`	`}`
`3531`	`3532`
`3532`	`3533`	`this.mode = mode;`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ import { Construct, IConstruct } from 'constructs';`
`2`	`2`	`import { NotificationsResourceHandler } from './notifications-resource-handler';`
`3`	`3`	`import * as iam from '../../../aws-iam';`
`4`	`4`	`import * as cdk from '../../../core';`
	`5`	`+import { ValidationError } from '../../../core/lib/errors';`
`5`	`6`	`import * as cxapi from '../../../cx-api';`
`6`	`7`	`import { Bucket, IBucket, EventType, NotificationKeyFilter } from '../bucket';`
`7`	`8`	`import { BucketNotificationDestinationType, IBucketNotificationDestination } from '../destination';`
`@@ -71,7 +72,7 @@ export class BucketNotifications extends Construct {`
`71`	`72`	`const targetProps = target.bind(this, this.bucket);`
`72`	`73`	`const commonConfig: CommonConfiguration = {`
`73`	`74`	`Events: [event],`
`74`		`- Filter: renderFilters(filters),`
	`75`	`+ Filter: renderFilters(filters, this),`
`75`	`76`	`};`
`76`	`77`
`77`	`78`	`// if the target specifies any dependencies, add them to the custom resource.`
`@@ -96,7 +97,7 @@ export class BucketNotifications extends Construct {`
`96`	`97`	`break;`
`97`	`98`
`98`	`99`	`default:`
`99`		`- throw new Error('Unsupported notification target type:' + BucketNotificationDestinationType[targetProps.type]);`
	`100`	`+ throw new ValidationError('Unsupported notification target type:' + BucketNotificationDestinationType[targetProps.type], this);`
`100`	`101`	`}`
`101`	`102`	`}`
`102`	`103`
`@@ -171,7 +172,7 @@ export class BucketNotifications extends Construct {`
`171`	`172`	`}`
`172`	`173`	`}`
`173`	`174`
`174`		`-function renderFilters(filters?: NotificationKeyFilter[]): Filter \| undefined {`
	`175`	`+function renderFilters(filters: NotificationKeyFilter[], scope: BucketNotifications): Filter \| undefined {`
`175`	`176`	`if (!filters \|\| filters.length === 0) {`
`176`	`177`	`return undefined;`
`177`	`178`	`}`
`@@ -182,20 +183,20 @@ function renderFilters(filters?: NotificationKeyFilter[]): Filter \| undefined {`
`182`	`183`
`183`	`184`	`for (const rule of filters) {`
`184`	`185`	`if (!rule.suffix && !rule.prefix) {`
`185`		- throw new Error('NotificationKeyFilter must specify `prefix` and/or `suffix`');
	`186`	+ throw new ValidationError('NotificationKeyFilter must specify `prefix` and/or `suffix`', scope);
`186`	`187`	`}`
`187`	`188`
`188`	`189`	`if (rule.suffix) {`
`189`	`190`	`if (hasSuffix) {`
`190`		`- throw new Error('Cannot specify more than one suffix rule in a filter.');`
	`191`	`+ throw new ValidationError('Cannot specify more than one suffix rule in a filter.', scope);`
`191`	`192`	`}`
`192`	`193`	`renderedRules.push({ Name: 'suffix', Value: rule.suffix });`
`193`	`194`	`hasSuffix = true;`
`194`	`195`	`}`
`195`	`196`
`196`	`197`	`if (rule.prefix) {`
`197`	`198`	`if (hasPrefix) {`
`198`		`- throw new Error('Cannot specify more than one prefix rule in a filter.');`
	`199`	`+ throw new ValidationError('Cannot specify more than one prefix rule in a filter.', scope);`
`199`	`200`	`}`
`200`	`201`	`renderedRules.push({ Name: 'prefix', Value: rule.prefix });`
`201`	`202`	`hasPrefix = true;`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`import { IConstruct } from 'constructs';`
`2`	`2`	`import { BucketAttributes } from './bucket';`
`3`	`3`	`import * as cdk from '../../core';`
	`4`	`+import { ValidationError } from '../../core/lib/errors';`
`4`	`5`
`5`	`6`	`export function parseBucketArn(construct: IConstruct, props: BucketAttributes): string {`
`6`	`7`
`@@ -20,7 +21,7 @@ export function parseBucketArn(construct: IConstruct, props: BucketAttributes):`
`20`	`21`	`});`
`21`	`22`	`}`
`22`	`23`
`23`		- throw new Error('Cannot determine bucket ARN. At least `bucketArn` or `bucketName` is needed');
	`24`	+ throw new ValidationError('Cannot determine bucket ARN. At least `bucketArn` or `bucketName` is needed', construct);
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`export function parseBucketName(construct: IConstruct, props: BucketAttributes): string \| undefined {`