feat(rds): throw ValidationError instead of untyped errors (#33042)

kaizencc · web-flow · commit 0b2db6285091 · 2025-01-22T10:57:05.000Z
### Issue `aws-rds` for #32569 ### Description of changes ValidationErrors everywhere ### Describe any new or updated permissions being added n/a ### Description of how you validated changes Existing tests. Exemptions granted as this is basically a refactor of existing code. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/.eslintrc.js b/packages/aws-cdk-lib/.eslintrc.js
@@ -15,7 +15,7 @@ baseConfig.rules['import/no-extraneous-dependencies'] = [
 
 
 // no-throw-default-error
-const modules = ['aws-s3', 'aws-lambda'];
+const modules = ['aws-s3', 'aws-lambda', 'aws-rds'];
 baseConfig.overrides.push({
   files: modules.map(m => `./${m}/lib/**`),
   rules: { "@cdklabs/no-throw-default-error": ['error'] },
diff --git a/packages/aws-cdk-lib/aws-rds/lib/aurora-cluster-instance.ts b/packages/aws-cdk-lib/aws-rds/lib/aurora-cluster-instance.ts
@@ -11,6 +11,7 @@ import * as ec2 from '../../aws-ec2';
 import { IRole } from '../../aws-iam';
 import * as kms from '../../aws-kms';
 import { IResource, Resource, Duration, RemovalPolicy, ArnFormat, FeatureFlags } from '../../core';
+import { ValidationError } from '../../core/lib/errors';
 import { AURORA_CLUSTER_CHANGE_SCOPE_OF_INSTANCE_PARAMETER_GROUP_WITH_EACH_PARAMETERS } from '../../cx-api';
 
 /**
@@ -476,7 +477,7 @@ class AuroraClusterInstance extends Resource implements IAuroraClusterInstance {
       });
     this.tier = props.promotionTier ?? 2;
     if (this.tier > 15) {
-      throw new Error('promotionTier must be between 0-15');
+      throw new ValidationError('promotionTier must be between 0-15', this);
     }
 
     const isOwnedResource = Resource.isOwnedResource(props.cluster);
@@ -499,7 +500,7 @@ class AuroraClusterInstance extends Resource implements IAuroraClusterInstance {
     const enablePerformanceInsights = props.enablePerformanceInsights
       || props.performanceInsightRetention !== undefined || props.performanceInsightEncryptionKey !== undefined;
     if (enablePerformanceInsights && props.enablePerformanceInsights === false) {
-      throw new Error('`enablePerformanceInsights` disabled, but `performanceInsightRetention` or `performanceInsightEncryptionKey` was set');
+      throw new ValidationError('`enablePerformanceInsights` disabled, but `performanceInsightRetention` or `performanceInsightEncryptionKey` was set', this);
     }
 
     this.performanceInsightsEnabled = enablePerformanceInsights;
diff --git a/packages/aws-cdk-lib/aws-rds/lib/cluster-engine.ts b/packages/aws-cdk-lib/aws-rds/lib/cluster-engine.ts
@@ -4,6 +4,7 @@ import { EngineVersion } from './engine-version';
 import { IParameterGroup, ParameterGroup } from './parameter-group';
 import * as iam from '../../aws-iam';
 import * as secretsmanager from '../../aws-secretsmanager';
+import { ValidationError } from '../../core/lib/errors';
 
 /**
  * The extra options passed to the `IClusterEngine.bindToCluster` method.
@@ -1179,19 +1180,19 @@ class AuroraPostgresClusterEngine extends ClusterEngineBase {
     // skip validation for unversioned as it might be supported/unsupported. we cannot reliably tell at compile-time
     if (this.engineVersion?.fullVersion) {
       if (options.s3ImportRole && !(config.features?.s3Import)) {
-        throw new Error(`s3Import is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Import feature.`);
+        throw new ValidationError(`s3Import is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Import feature.`, scope);
       }
       if (options.s3ExportRole && !(config.features?.s3Export)) {
-        throw new Error(`s3Export is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Export feature.`);
+        throw new ValidationError(`s3Export is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Export feature.`, scope);
       }
     }
     return config;
   }
 
   protected defaultParameterGroup(scope: Construct): IParameterGroup | undefined {
     if (!this.parameterGroupFamily) {
-      throw new Error('Could not create a new ParameterGroup for an unversioned aurora-postgresql cluster engine. ' +
-        'Please either use a versioned engine, or pass an explicit ParameterGroup when creating the cluster');
+      throw new ValidationError('Could not create a new ParameterGroup for an unversioned aurora-postgresql cluster engine. ' +
+        'Please either use a versioned engine, or pass an explicit ParameterGroup when creating the cluster', scope);
     }
     return ParameterGroup.fromParameterGroupName(scope, 'AuroraPostgreSqlDatabaseClusterEngineDefaultParameterGroup',
       `default.${this.parameterGroupFamily}`);
diff --git a/packages/aws-cdk-lib/aws-rds/lib/cluster.ts b/packages/aws-cdk-lib/aws-rds/lib/cluster.ts
diff --git a/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts b/packages/aws-cdk-lib/aws-rds/lib/instance-engine.ts
@@ -4,6 +4,7 @@ import { EngineVersion } from './engine-version';
 import { IOptionGroup, OptionGroup } from './option-group';
 import * as iam from '../../aws-iam';
 import * as secretsmanager from '../../aws-secretsmanager';
+import { ValidationError } from '../../core/lib/errors';
 
 /**
  * The options passed to `IInstanceEngine.bind`.
@@ -142,9 +143,9 @@ abstract class InstanceEngineBase implements IInstanceEngine {
     this.engineFamily = props.engineFamily;
   }
 
-  public bindToInstance(_scope: Construct, options: InstanceEngineBindOptions): InstanceEngineConfig {
+  public bindToInstance(scope: Construct, options: InstanceEngineBindOptions): InstanceEngineConfig {
     if (options.timezone && !this.supportsTimezone) {
-      throw new Error(`timezone property can not be configured for ${this.engineType}`);
+      throw new ValidationError(`timezone property can not be configured for ${this.engineType}`, scope);
     }
     return {
       features: this.features,
@@ -621,7 +622,7 @@ class MariaDbInstanceEngine extends InstanceEngineBase {
 
   public bindToInstance(scope: Construct, options: InstanceEngineBindOptions): InstanceEngineConfig {
     if (options.domain) {
-      throw new Error(`domain property cannot be configured for ${this.engineType}`);
+      throw new ValidationError(`domain property cannot be configured for ${this.engineType}`, scope);
     }
     return super.bindToInstance(scope, options);
   }
@@ -2828,7 +2829,7 @@ abstract class SqlServerInstanceEngineBase extends InstanceEngineBase {
     const s3Role = options.s3ImportRole ?? options.s3ExportRole;
     if (s3Role) {
       if (options.s3ImportRole && options.s3ExportRole && options.s3ImportRole !== options.s3ExportRole) {
-        throw new Error('S3 import and export roles must be the same for SQL Server engines');
+        throw new ValidationError('S3 import and export roles must be the same for SQL Server engines', scope);
       }
 
       if (!optionGroup) {
diff --git a/packages/aws-cdk-lib/aws-rds/lib/instance.ts b/packages/aws-cdk-lib/aws-rds/lib/instance.ts
@@ -18,6 +18,7 @@ import * as logs from '../../aws-logs';
 import * as s3 from '../../aws-s3';
 import * as secretsmanager from '../../aws-secretsmanager';
 import { ArnComponents, ArnFormat, Duration, FeatureFlags, IResource, Lazy, RemovalPolicy, Resource, Stack, Token, Tokenization } from '../../core';
+import { ValidationError } from '../../core/lib/errors';
 import * as cxapi from '../../cx-api';
 
 /**
@@ -180,15 +181,15 @@ export abstract class DatabaseInstanceBase extends Resource implements IDatabase
 
   public grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant {
     if (this.enableIamAuthentication === false) {
-      throw new Error('Cannot grant connect when IAM authentication is disabled');
+      throw new ValidationError('Cannot grant connect when IAM authentication is disabled', this);
     }
 
     if (!this.instanceResourceId) {
-      throw new Error('For imported Database Instances, instanceResourceId is required to grantConnect()');
+      throw new ValidationError('For imported Database Instances, instanceResourceId is required to grantConnect()', this);
     }
 
     if (!dbUser) {
-      throw new Error('For imported Database Instances, the dbUser is required to grantConnect()');
+      throw new ValidationError('For imported Database Instances, the dbUser is required to grantConnect()', this);
     }
 
     this.enableIamAuthentication = true;
@@ -784,12 +785,12 @@ abstract class DatabaseInstanceNew extends DatabaseInstanceBase implements IData
 
     this.vpc = props.vpc;
     if (props.vpcSubnets && props.vpcPlacement) {
-      throw new Error('Only one of `vpcSubnets` or `vpcPlacement` can be specified');
+      throw new ValidationError('Only one of `vpcSubnets` or `vpcPlacement` can be specified', this);
     }
     this.vpcPlacement = props.vpcSubnets ?? props.vpcPlacement;
 
     if (props.multiAz === true && props.availabilityZone) {
-      throw new Error('Requesting a specific availability zone is not valid for Multi-AZ instances');
+      throw new ValidationError('Requesting a specific availability zone is not valid for Multi-AZ instances', this);
     }
 
     const subnetGroup = props.subnetGroup ?? new SubnetGroup(this, 'SubnetGroup', {
@@ -820,12 +821,12 @@ abstract class DatabaseInstanceNew extends DatabaseInstanceBase implements IData
     const storageType = props.storageType ?? StorageType.GP2;
     const iops = defaultIops(storageType, props.iops);
     if (props.storageThroughput && storageType !== StorageType.GP3) {
-      throw new Error(`The storage throughput can only be specified with GP3 storage type. Got ${storageType}.`);
+      throw new ValidationError(`The storage throughput can only be specified with GP3 storage type. Got ${storageType}.`, this);
     }
     if (storageType === StorageType.GP3 && props.storageThroughput && iops
         && !Token.isUnresolved(props.storageThroughput) && !Token.isUnresolved(iops)
         && props.storageThroughput/iops > 0.25) {
-      throw new Error(`The maximum ratio of storage throughput to IOPS is 0.25. Got ${props.storageThroughput/iops}.`);
+      throw new ValidationError(`The maximum ratio of storage throughput to IOPS is 0.25. Got ${props.storageThroughput/iops}.`, this);
     }
 
     this.cloudwatchLogGroups = {};
@@ -837,7 +838,7 @@ abstract class DatabaseInstanceNew extends DatabaseInstanceBase implements IData
     const enablePerformanceInsights = props.enablePerformanceInsights
       || props.performanceInsightRetention !== undefined || props.performanceInsightEncryptionKey !== undefined;
     if (enablePerformanceInsights && props.enablePerformanceInsights === false) {
-      throw new Error('`enablePerformanceInsights` disabled, but `performanceInsightRetention` or `performanceInsightEncryptionKey` was set');
+      throw new ValidationError('`enablePerformanceInsights` disabled, but `performanceInsightRetention` or `performanceInsightEncryptionKey` was set', this);
     }
 
     if (props.domain) {
@@ -1019,13 +1020,13 @@ abstract class DatabaseInstanceSource extends DatabaseInstanceNew implements IDa
     const engineFeatures = engineConfig.features;
     if (s3ImportRole) {
       if (!engineFeatures?.s3Import) {
-        throw new Error(`Engine '${engineDescription(props.engine)}' does not support S3 import`);
+        throw new ValidationError(`Engine '${engineDescription(props.engine)}' does not support S3 import`, this);
       }
       instanceAssociatedRoles.push({ roleArn: s3ImportRole.roleArn, featureName: engineFeatures?.s3Import });
     }
     if (s3ExportRole) {
       if (!engineFeatures?.s3Export) {
-        throw new Error(`Engine '${engineDescription(props.engine)}' does not support S3 export`);
+        throw new ValidationError(`Engine '${engineDescription(props.engine)}' does not support S3 export`, this);
       }
       // only add the export feature if it's different from the import feature
       if (engineFeatures.s3Import !== engineFeatures?.s3Export) {
@@ -1036,7 +1037,7 @@ abstract class DatabaseInstanceSource extends DatabaseInstanceNew implements IDa
     this.instanceType = props.instanceType ?? ec2.InstanceType.of(ec2.InstanceClass.M5, ec2.InstanceSize.LARGE);
 
     if (props.parameterGroup && props.parameters) {
-      throw new Error('You cannot specify both parameterGroup and parameters');
+      throw new ValidationError('You cannot specify both parameterGroup and parameters', this);
     }
 
     const dbParameterGroupName = props.parameters
@@ -1069,13 +1070,13 @@ abstract class DatabaseInstanceSource extends DatabaseInstanceNew implements IDa
    */
   public addRotationSingleUser(options: RotationSingleUserOptions = {}): secretsmanager.SecretRotation {
     if (!this.secret) {
-      throw new Error('Cannot add single user rotation for an instance without secret.');
+      throw new ValidationError('Cannot add single user rotation for an instance without secret.', this);
     }
 
     const id = 'RotationSingleUser';
     const existing = this.node.tryFindChild(id);
     if (existing) {
-      throw new Error('A single user rotation was already added to this instance.');
+      throw new ValidationError('A single user rotation was already added to this instance.', this);
     }
 
     return new secretsmanager.SecretRotation(this, id, {
@@ -1092,7 +1093,7 @@ abstract class DatabaseInstanceSource extends DatabaseInstanceNew implements IDa
    */
   public addRotationMultiUser(id: string, options: RotationMultiUserOptions): secretsmanager.SecretRotation {
     if (!this.secret) {
-      throw new Error('Cannot add multi user rotation for an instance without secret.');
+      throw new ValidationError('Cannot add multi user rotation for an instance without secret.', this);
     }
 
     return new secretsmanager.SecretRotation(this, id, {
@@ -1115,7 +1116,7 @@ abstract class DatabaseInstanceSource extends DatabaseInstanceNew implements IDa
   public grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant {
     if (!dbUser) {
       if (!this.secret) {
-        throw new Error('A secret or dbUser is required to grantConnect()');
+        throw new ValidationError('A secret or dbUser is required to grantConnect()', this);
       }
 
       dbUser = this.secret.secretValueFromJson('username').unsafeUnwrap();
@@ -1248,7 +1249,7 @@ export class DatabaseInstanceFromSnapshot extends DatabaseInstanceSource impleme
     let secret = credentials?.secret;
     if (!secret && credentials?.generatePassword) {
       if (!credentials.username) {
-        throw new Error('`credentials` `username` must be specified when `generatePassword` is set to true');
+        throw new ValidationError('`credentials` `username` must be specified when `generatePassword` is set to true', this);
       }
 
       secret = new DatabaseSecret(this, 'Secret', {
@@ -1351,7 +1352,7 @@ export class DatabaseInstanceReadReplica extends DatabaseInstanceNew implements
     if (props.sourceDatabaseInstance.engine
         && !props.sourceDatabaseInstance.engine.supportsReadReplicaBackups
         && props.backupRetention) {
-      throw new Error(`Cannot set 'backupRetention', as engine '${engineDescription(props.sourceDatabaseInstance.engine)}' does not support automatic backups for read replicas`);
+      throw new ValidationError(`Cannot set 'backupRetention', as engine '${engineDescription(props.sourceDatabaseInstance.engine)}' does not support automatic backups for read replicas`, this);
     }
 
     // The read replica instance always uses the same engine as the source instance
diff --git a/packages/aws-cdk-lib/aws-rds/lib/option-group.ts b/packages/aws-cdk-lib/aws-rds/lib/option-group.ts
@@ -3,6 +3,7 @@ import { IInstanceEngine } from './instance-engine';
 import { CfnOptionGroup } from './rds.generated';
 import * as ec2 from '../../aws-ec2';
 import { IResource, Lazy, Resource } from '../../core';
+import { ValidationError } from '../../core/lib/errors';
 
 /**
  * An option group
@@ -126,7 +127,7 @@ export class OptionGroup extends Resource implements IOptionGroup {
 
     const majorEngineVersion = props.engine.engineVersion?.majorVersion;
     if (!majorEngineVersion) {
-      throw new Error("OptionGroup cannot be used with an engine that doesn't specify a version");
+      throw new ValidationError("OptionGroup cannot be used with an engine that doesn't specify a version", this);
     }
 
     props.configurations.forEach(config => this.addConfiguration(config));
@@ -146,7 +147,7 @@ export class OptionGroup extends Resource implements IOptionGroup {
 
     if (configuration.port) {
       if (!configuration.vpc) {
-        throw new Error('`port` and `vpc` must be specified together.');
+        throw new ValidationError('`port` and `vpc` must be specified together.', this);
       }
 
       const securityGroups = configuration.securityGroups && configuration.securityGroups.length > 0
diff --git a/packages/aws-cdk-lib/aws-rds/lib/parameter-group.ts b/packages/aws-cdk-lib/aws-rds/lib/parameter-group.ts
@@ -2,6 +2,7 @@ import { Construct } from 'constructs';
 import { IEngine } from './engine';
 import { CfnDBClusterParameterGroup, CfnDBParameterGroup } from './rds.generated';
 import { IResource, Lazy, RemovalPolicy, Resource } from '../../core';
+import { ValidationError } from '../../core/lib/errors';
 
 /**
  * Options for `IParameterGroup.bindToCluster`.
@@ -143,7 +144,7 @@ export class ParameterGroup extends Resource implements IParameterGroup {
 
     const family = props.engine.parameterGroupFamily;
     if (!family) {
-      throw new Error("ParameterGroup cannot be used with an engine that doesn't specify a version");
+      throw new ValidationError("ParameterGroup cannot be used with an engine that doesn't specify a version", this);
     }
     this.family = family;
     this.description = props.description;
diff --git a/packages/aws-cdk-lib/aws-rds/lib/private/util.ts b/packages/aws-cdk-lib/aws-rds/lib/private/util.ts
@@ -3,6 +3,7 @@ import * as ec2 from '../../../aws-ec2';
 import * as iam from '../../../aws-iam';
 import * as s3 from '../../../aws-s3';
 import { RemovalPolicy } from '../../../core';
+import { ValidationError } from '../../../core/lib/errors';
 import { DatabaseSecret } from '../database-secret';
 import { IEngine } from '../engine';
 import { CommonRotationUserOptions, Credentials, SnapshotCredentials } from '../props';
@@ -43,7 +44,7 @@ export function setupS3ImportExport(
 
   if (props.s3ImportBuckets && props.s3ImportBuckets.length > 0) {
     if (props.s3ImportRole) {
-      throw new Error('Only one of s3ImportRole or s3ImportBuckets must be specified, not both.');
+      throw new ValidationError('Only one of s3ImportRole or s3ImportBuckets must be specified, not both.', scope);
     }
 
     s3ImportRole = (combineRoles && s3ExportRole) ? s3ExportRole : new iam.Role(scope, 'S3ImportRole', {
@@ -56,7 +57,7 @@ export function setupS3ImportExport(
 
   if (props.s3ExportBuckets && props.s3ExportBuckets.length > 0) {
     if (props.s3ExportRole) {
-      throw new Error('Only one of s3ExportRole or s3ExportBuckets must be specified, not both.');
+      throw new ValidationError('Only one of s3ExportRole or s3ExportBuckets must be specified, not both.', scope);
     }
 
     s3ExportRole = (combineRoles && s3ImportRole) ? s3ImportRole : new iam.Role(scope, 'S3ExportRole', {
@@ -117,7 +118,7 @@ export function renderSnapshotCredentials(scope: Construct, credentials?: Snapsh
   let secret = renderedCredentials?.secret;
   if (!secret && renderedCredentials?.generatePassword) {
     if (!renderedCredentials.username) {
-      throw new Error('`snapshotCredentials` `username` must be specified when `generatePassword` is set to true');
+      throw new ValidationError('`snapshotCredentials` `username` must be specified when `generatePassword` is set to true', scope);
     }
 
     renderedCredentials = SnapshotCredentials.fromSecret(
diff --git a/packages/aws-cdk-lib/aws-rds/lib/proxy.ts b/packages/aws-cdk-lib/aws-rds/lib/proxy.ts
diff --git a/packages/aws-cdk-lib/aws-rds/lib/serverless-cluster.ts b/packages/aws-cdk-lib/aws-rds/lib/serverless-cluster.ts

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import { EngineVersion } from './engine-version';`
`4`	`4`	`import { IParameterGroup, ParameterGroup } from './parameter-group';`
`5`	`5`	`import * as iam from '../../aws-iam';`
`6`	`6`	`import * as secretsmanager from '../../aws-secretsmanager';`
	`7`	`+import { ValidationError } from '../../core/lib/errors';`
`7`	`8`
`8`	`9`	`/**`
`9`	`10`	* The extra options passed to the `IClusterEngine.bindToCluster` method.
`@@ -1179,19 +1180,19 @@ class AuroraPostgresClusterEngine extends ClusterEngineBase {`
`1179`	`1180`	`// skip validation for unversioned as it might be supported/unsupported. we cannot reliably tell at compile-time`
`1180`	`1181`	`if (this.engineVersion?.fullVersion) {`
`1181`	`1182`	`if (options.s3ImportRole && !(config.features?.s3Import)) {`
`1182`		- throw new Error(`s3Import is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Import feature.`);
	`1183`	+ throw new ValidationError(`s3Import is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Import feature.`, scope);
`1183`	`1184`	`}`
`1184`	`1185`	`if (options.s3ExportRole && !(config.features?.s3Export)) {`
`1185`		- throw new Error(`s3Export is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Export feature.`);
	`1186`	+ throw new ValidationError(`s3Export is not supported for Postgres version: ${this.engineVersion.fullVersion}. Use a version that supports the s3Export feature.`, scope);
`1186`	`1187`	`}`
`1187`	`1188`	`}`
`1188`	`1189`	`return config;`
`1189`	`1190`	`}`
`1190`	`1191`
`1191`	`1192`	`protected defaultParameterGroup(scope: Construct): IParameterGroup \| undefined {`
`1192`	`1193`	`if (!this.parameterGroupFamily) {`
`1193`		`- throw new Error('Could not create a new ParameterGroup for an unversioned aurora-postgresql cluster engine. ' +`
`1194`		`- 'Please either use a versioned engine, or pass an explicit ParameterGroup when creating the cluster');`
	`1194`	`+ throw new ValidationError('Could not create a new ParameterGroup for an unversioned aurora-postgresql cluster engine. ' +`
	`1195`	`+ 'Please either use a versioned engine, or pass an explicit ParameterGroup when creating the cluster', scope);`
`1195`	`1196`	`}`
`1196`	`1197`	`return ParameterGroup.fromParameterGroupName(scope, 'AuroraPostgreSqlDatabaseClusterEngineDefaultParameterGroup',`
`1197`	`1198`	`default.${this.parameterGroupFamily}`);
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import * as ec2 from '../../aws-ec2';`
`8`	`8`	`import * as iam from '../../aws-iam';`
`9`	`9`	`import * as secretsmanager from '../../aws-secretsmanager';`
`10`	`10`	`import * as cdk from '../../core';`
	`11`	`+import { ValidationError } from '../../core/lib/errors';`
`11`	`12`	`import * as cxapi from '../../cx-api';`
`12`	`13`
`13`	`14`	`/**`
`@@ -98,14 +99,14 @@ export class ProxyTarget {`
`98`	`99`
`99`	`100`	`if (!engine) {`
`100`	`101`	`const errorResource = this.dbCluster ?? this.dbInstance;`
`101`		- throw new Error(`Could not determine engine for proxy target '${errorResource?.node.path}'. ` +
`102`		`- 'Please provide it explicitly when importing the resource');`
	`102`	+ throw new ValidationError(`Could not determine engine for proxy target '${errorResource?.node.path}'. ` +
	`103`	`+ 'Please provide it explicitly when importing the resource', proxy);`
`103`	`104`	`}`
`104`	`105`
`105`	`106`	`const engineFamily = engine.engineFamily;`
`106`	`107`	`if (!engineFamily) {`
`107`		`- throw new Error('RDS proxies require an engine family to be specified on the database cluster or instance. ' +`
`108`		- `No family specified for engine '${engineDescription(engine)}'`);
	`108`	`+ throw new ValidationError('RDS proxies require an engine family to be specified on the database cluster or instance. ' +`
	`109`	+ `No family specified for engine '${engineDescription(engine)}'`, proxy);
`109`	`110`	`}`
`110`	`111`
`111`	`112`	`// allow connecting to the Cluster/Instance from the Proxy`
`@@ -374,7 +375,7 @@ abstract class DatabaseProxyBase extends cdk.Resource implements IDatabaseProxy`
`374`	`375`
`375`	`376`	`public grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant {`
`376`	`377`	`if (!dbUser) {`
`377`		`- throw new Error('For imported Database Proxies, the dbUser is required in grantConnect()');`
	`378`	`+ throw new ValidationError('For imported Database Proxies, the dbUser is required in grantConnect()', this);`
`378`	`379`	`}`
`379`	`380`	`const scopeStack = cdk.Stack.of(this);`
`380`	`381`	`const proxyGeneratedId = scopeStack.splitArn(this.dbProxyArn, cdk.ArnFormat.COLON_RESOURCE_NAME).resourceName;`
`@@ -474,7 +475,7 @@ export class DatabaseProxy extends DatabaseProxyBase`
`474`	`475`	`const bindResult = props.proxyTarget.bind(this);`
`475`	`476`
`476`	`477`	`if (props.secrets.length < 1) {`
`477`		`- throw new Error('One or more secrets are required.');`
	`478`	`+ throw new ValidationError('One or more secrets are required.', this);`
`478`	`479`	`}`
`479`	`480`	`this.secrets = props.secrets;`
`480`	`481`
`@@ -515,7 +516,7 @@ export class DatabaseProxy extends DatabaseProxyBase`
`515`	`516`	`}`
`516`	`517`
`517`	`518`	`if (!!dbInstanceIdentifiers && !!dbClusterIdentifiers) {`
`518`		`- throw new Error('Cannot specify both dbInstanceIdentifiers and dbClusterIdentifiers');`
	`519`	`+ throw new ValidationError('Cannot specify both dbInstanceIdentifiers and dbClusterIdentifiers', this);`
`519`	`520`	`}`
`520`	`521`
`521`	`522`	`const proxyTargetGroup = new CfnDBProxyTargetGroup(this, 'ProxyTargetGroup', {`
`@@ -565,7 +566,7 @@ export class DatabaseProxy extends DatabaseProxyBase`
`565`	`566`	`public grantConnect(grantee: iam.IGrantable, dbUser?: string): iam.Grant {`
`566`	`567`	`if (!dbUser) {`
`567`	`568`	`if (this.secrets.length > 1) {`
`568`		`- throw new Error('When the Proxy contains multiple Secrets, you must pass a dbUser explicitly to grantConnect()');`
	`569`	`+ throw new ValidationError('When the Proxy contains multiple Secrets, you must pass a dbUser explicitly to grantConnect()', this);`
`569`	`570`	`}`
`570`	`571`	`// 'username' is the field RDS uses here,`
`571`	`572`	`// see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html#rds-proxy-secrets-arns`
`@@ -577,16 +578,16 @@ export class DatabaseProxy extends DatabaseProxyBase`
`577`	`578`	`private validateClientPasswordAuthType(engineFamily: string, clientPasswordAuthType?: ClientPasswordAuthType) {`
`578`	`579`	`if (!clientPasswordAuthType \|\| cdk.Token.isUnresolved(clientPasswordAuthType)) return;`
`579`	`580`	`if (clientPasswordAuthType === ClientPasswordAuthType.MYSQL_NATIVE_PASSWORD && engineFamily !== 'MYSQL') {`
`580`		- throw new Error(`${ClientPasswordAuthType.MYSQL_NATIVE_PASSWORD} client password authentication type requires MYSQL engineFamily, got ${engineFamily}`);
	`581`	+ throw new ValidationError(`${ClientPasswordAuthType.MYSQL_NATIVE_PASSWORD} client password authentication type requires MYSQL engineFamily, got ${engineFamily}`, this);
`581`	`582`	`}`
`582`	`583`	`if (clientPasswordAuthType === ClientPasswordAuthType.POSTGRES_SCRAM_SHA_256 && engineFamily !== 'POSTGRESQL') {`
`583`		- throw new Error(`${ClientPasswordAuthType.POSTGRES_SCRAM_SHA_256} client password authentication type requires POSTGRESQL engineFamily, got ${engineFamily}`);
	`584`	+ throw new ValidationError(`${ClientPasswordAuthType.POSTGRES_SCRAM_SHA_256} client password authentication type requires POSTGRESQL engineFamily, got ${engineFamily}`, this);
`584`	`585`	`}`
`585`	`586`	`if (clientPasswordAuthType === ClientPasswordAuthType.POSTGRES_MD5 && engineFamily !== 'POSTGRESQL') {`
`586`		- throw new Error(`${ClientPasswordAuthType.POSTGRES_MD5} client password authentication type requires POSTGRESQL engineFamily, got ${engineFamily}`);
	`587`	+ throw new ValidationError(`${ClientPasswordAuthType.POSTGRES_MD5} client password authentication type requires POSTGRESQL engineFamily, got ${engineFamily}`, this);
`587`	`588`	`}`
`588`	`589`	`if (clientPasswordAuthType === ClientPasswordAuthType.SQL_SERVER_AUTHENTICATION && engineFamily !== 'SQLSERVER') {`
`589`		- throw new Error(`${ClientPasswordAuthType.SQL_SERVER_AUTHENTICATION} client password authentication type requires SQLSERVER engineFamily, got ${engineFamily}`);
	`590`	+ throw new ValidationError(`${ClientPasswordAuthType.SQL_SERVER_AUTHENTICATION} client password authentication type requires SQLSERVER engineFamily, got ${engineFamily}`, this);
`590`	`591`	`}`
`591`	`592`	`}`
`592`	`593`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ import * as iam from '../../aws-iam';`
`13`	`13`	`import * as kms from '../../aws-kms';`
`14`	`14`	`import * as secretsmanager from '../../aws-secretsmanager';`
`15`	`15`	`import { Resource, Duration, Token, Annotations, RemovalPolicy, IResource, Stack, Lazy, FeatureFlags, ArnFormat } from '../../core';`
	`16`	`+import { ValidationError } from '../../core/lib/errors';`
`16`	`17`	`import * as cxapi from '../../cx-api';`
`17`	`18`
`18`	`19`	`/**`
`@@ -361,7 +362,7 @@ abstract class ServerlessClusterBase extends Resource implements IServerlessClus`
`361`	`362`	`*/`
`362`	`363`	`public grantDataApiAccess(grantee: iam.IGrantable): iam.Grant {`
`363`	`364`	`if (this.enableDataApi === false) {`
`364`		`- throw new Error('Cannot grant Data API access when the Data API is disabled');`
	`365`	`+ throw new ValidationError('Cannot grant Data API access when the Data API is disabled', this);`
`365`	`366`	`}`
`366`	`367`
`367`	`368`	`this.enableDataApi = true;`
`@@ -402,13 +403,13 @@ abstract class ServerlessClusterNew extends ServerlessClusterBase {`
`402`	`403`
`403`	`404`	`if (props.vpc === undefined) {`
`404`	`405`	`if (props.vpcSubnets !== undefined) {`
`405`		`- throw new Error('A VPC is required to use vpcSubnets in ServerlessCluster. Please add a VPC or remove vpcSubnets');`
	`406`	`+ throw new ValidationError('A VPC is required to use vpcSubnets in ServerlessCluster. Please add a VPC or remove vpcSubnets', this);`
`406`	`407`	`}`
`407`	`408`	`if (props.subnetGroup !== undefined) {`
`408`		`- throw new Error('A VPC is required to use subnetGroup in ServerlessCluster. Please add a VPC or remove subnetGroup');`
	`409`	`+ throw new ValidationError('A VPC is required to use subnetGroup in ServerlessCluster. Please add a VPC or remove subnetGroup', this);`
`409`	`410`	`}`
`410`	`411`	`if (props.securityGroups !== undefined) {`
`411`		`- throw new Error('A VPC is required to use securityGroups in ServerlessCluster. Please add a VPC or remove securityGroups');`
	`412`	`+ throw new ValidationError('A VPC is required to use securityGroups in ServerlessCluster. Please add a VPC or remove securityGroups', this);`
`412`	`413`	`}`
`413`	`414`	`}`
`414`	`415`
`@@ -440,7 +441,7 @@ abstract class ServerlessClusterNew extends ServerlessClusterBase {`
`440`	`441`	`if (props.backupRetention) {`
`441`	`442`	`const backupRetentionDays = props.backupRetention.toDays();`
`442`	`443`	`if (backupRetentionDays < 1 \|\| backupRetentionDays > 35) {`
`443`		- throw new Error(`backup retention period must be between 1 and 35 days. received: ${backupRetentionDays}`);
	`444`	+ throw new ValidationError(`backup retention period must be between 1 and 35 days. received: ${backupRetentionDays}`, this);
`444`	`445`	`}`
`445`	`446`	`}`
`446`	`447`
`@@ -484,16 +485,16 @@ abstract class ServerlessClusterNew extends ServerlessClusterBase {`
`484`	`485`	`const timeout = options.timeout?.toSeconds();`
`485`	`486`
`486`	`487`	`if (minCapacity && maxCapacity && minCapacity > maxCapacity) {`
`487`		`- throw new Error('maximum capacity must be greater than or equal to minimum capacity.');`
	`488`	`+ throw new ValidationError('maximum capacity must be greater than or equal to minimum capacity.', this);`
`488`	`489`	`}`
`489`	`490`
`490`	`491`	`const secondsToAutoPause = options.autoPause?.toSeconds();`
`491`	`492`	`if (secondsToAutoPause && (secondsToAutoPause < 300 \|\| secondsToAutoPause > 86400)) {`
`492`		`- throw new Error('auto pause time must be between 5 minutes and 1 day.');`
	`493`	`+ throw new ValidationError('auto pause time must be between 5 minutes and 1 day.', this);`
`493`	`494`	`}`
`494`	`495`
`495`	`496`	`if (timeout && (timeout < 60 \|\| timeout > 600)) {`
`496`		- throw new Error(`timeout must be between 60 and 600 seconds, but got ${timeout} seconds.`);
	`497`	+ throw new ValidationError(`timeout must be between 60 and 600 seconds, but got ${timeout} seconds.`, this);
`497`	`498`	`}`
`498`	`499`
`499`	`500`	`return {`
`@@ -595,17 +596,17 @@ export class ServerlessCluster extends ServerlessClusterNew {`
`595`	`596`	`*/`
`596`	`597`	`public addRotationSingleUser(options: RotationSingleUserOptions = {}): secretsmanager.SecretRotation {`
`597`	`598`	`if (!this.secret) {`
`598`		`- throw new Error('Cannot add single user rotation for a cluster without secret.');`
	`599`	`+ throw new ValidationError('Cannot add single user rotation for a cluster without secret.', this);`
`599`	`600`	`}`
`600`	`601`
`601`	`602`	`if (this.vpc === undefined) {`
`602`		`- throw new Error('Cannot add single user rotation for a cluster without VPC.');`
	`603`	`+ throw new ValidationError('Cannot add single user rotation for a cluster without VPC.', this);`
`603`	`604`	`}`
`604`	`605`
`605`	`606`	`const id = 'RotationSingleUser';`
`606`	`607`	`const existing = this.node.tryFindChild(id);`
`607`	`608`	`if (existing) {`
`608`		`- throw new Error('A single user rotation was already added to this cluster.');`
	`609`	`+ throw new ValidationError('A single user rotation was already added to this cluster.', this);`
`609`	`610`	`}`
`610`	`611`
`611`	`612`	`return new secretsmanager.SecretRotation(this, id, {`
`@@ -622,11 +623,11 @@ export class ServerlessCluster extends ServerlessClusterNew {`
`622`	`623`	`*/`
`623`	`624`	`public addRotationMultiUser(id: string, options: RotationMultiUserOptions): secretsmanager.SecretRotation {`
`624`	`625`	`if (!this.secret) {`
`625`		`- throw new Error('Cannot add multi user rotation for a cluster without secret.');`
	`626`	`+ throw new ValidationError('Cannot add multi user rotation for a cluster without secret.', this);`
`626`	`627`	`}`
`627`	`628`
`628`	`629`	`if (this.vpc === undefined) {`
`629`		`- throw new Error('Cannot add multi user rotation for a cluster without VPC.');`
	`630`	`+ throw new ValidationError('Cannot add multi user rotation for a cluster without VPC.', this);`
`630`	`631`	`}`
`631`	`632`
`632`	`633`	`return new secretsmanager.SecretRotation(this, id, {`
`@@ -673,14 +674,14 @@ class ImportedServerlessCluster extends ServerlessClusterBase implements IServer`
`673`	`674`
`674`	`675`	`public get clusterEndpoint() {`
`675`	`676`	`if (!this._clusterEndpoint) {`
`676`		- throw new Error('Cannot access `clusterEndpoint` of an imported cluster without an endpoint address and port');
	`677`	+ throw new ValidationError('Cannot access `clusterEndpoint` of an imported cluster without an endpoint address and port', this);
`677`	`678`	`}`
`678`	`679`	`return this._clusterEndpoint;`
`679`	`680`	`}`
`680`	`681`
`681`	`682`	`public get clusterReadEndpoint() {`
`682`	`683`	`if (!this._clusterReadEndpoint) {`
`683`		- throw new Error('Cannot access `clusterReadEndpoint` of an imported cluster without a readerEndpointAddress and port');
	`684`	+ throw new ValidationError('Cannot access `clusterReadEndpoint` of an imported cluster without a readerEndpointAddress and port', this);
`684`	`685`	`}`
`685`	`686`	`return this._clusterReadEndpoint;`
`686`	`687`	`}`
`@@ -728,7 +729,7 @@ export class ServerlessClusterFromSnapshot extends ServerlessClusterNew {`
`728`	`729`	`let secret = credentials?.secret;`
`729`	`730`	`if (!secret && credentials?.generatePassword) {`
`730`	`731`	`if (!credentials.username) {`
`731`		- throw new Error('`credentials` `username` must be specified when `generatePassword` is set to true');
	`732`	+ throw new ValidationError('`credentials` `username` must be specified when `generatePassword` is set to true', this);
`732`	`733`	`}`
`733`	`734`
`734`	`735`	`secret = new DatabaseSecret(this, 'Secret', {`