aws
diff --git a/‎packages/aws-cdk-lib/.eslintrc.js
Lines changed: 0 additions & 1 deletion b/‎packages/aws-cdk-lib/.eslintrc.js
Lines changed: 0 additions & 1 deletion
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/grant.ts
Lines changed: 2 additions & 3 deletions b/‎packages/aws-cdk-lib/aws-iam/lib/grant.ts
Lines changed: 2 additions & 3 deletions
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts
Lines changed: 2 additions & 2 deletions b/‎packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/policy-document.ts
Lines changed: 1 addition & 1 deletion b/‎packages/aws-cdk-lib/aws-iam/lib/policy-document.ts
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts
Lines changed: 16 additions & 15 deletions b/‎packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts
Lines changed: 16 additions & 15 deletions
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/policy.ts
Lines changed: 2 additions & 2 deletions b/‎packages/aws-cdk-lib/aws-iam/lib/policy.ts
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/principals.ts
Lines changed: 7 additions & 6 deletions b/‎packages/aws-cdk-lib/aws-iam/lib/principals.ts
Lines changed: 7 additions & 6 deletions
diff --git a/‎packages/aws-cdk-lib/aws-iam/lib/private/util.ts
Lines changed: 3 additions & 3 deletions b/‎packages/aws-cdk-lib/aws-iam/lib/private/util.ts
Lines changed: 3 additions & 3 deletions
@@ -17,7 +17,6 @@ baseConfig.rules['import/no-extraneous-dependencies'] = [
 baseConfig.rules['@cdklabs/no-throw-default-error'] = ['error'];
 // not yet supported
 const noThrowDefaultErrorNotYetSupported = [
-  'aws-iam',
   'aws-secretsmanager',
   'core',
   'custom-resources',
 
@@ -251,7 +251,7 @@ export class Grant implements IDependable {
     }
 
     if (!addedToPrincipal.policyDependable) {
-      throw new Error('Contract violation: when Principal returns statementAdded=true, it should return a dependable');
+      throw new cdk.UnscopedValidationError('Contract violation: when Principal returns statementAdded=true, it should return a dependable');
     }
 
     return new Grant({ principalStatement: statement, options, policyDependable: addedToPrincipal.policyDependable });
@@ -372,8 +372,7 @@ export class Grant implements IDependable {
    */
   public assertSuccess(): void {
     if (!this.success) {
-      // eslint-disable-next-line max-len
-      throw new Error(`${describeGrant(this.options)} could not be added on either identity or resource policy.`);
+      throw new cdk.UnscopedValidationError(`${describeGrant(this.options)} could not be added on either identity or resource policy.`);
     }
   }
 
 
@@ -7,7 +7,7 @@ import { AddToPrincipalPolicyResult, IGrantable, IPrincipal, PrincipalPolicyFrag
 import { undefinedIfEmpty } from './private/util';
 import { IRole } from './role';
 import { IUser } from './user';
-import { ArnFormat, Resource, Stack, Arn, Aws } from '../../core';
+import { ArnFormat, Resource, Stack, Arn, Aws, UnscopedValidationError } from '../../core';
 import { getCustomizeRolesConfig, PolicySynthesizer } from '../../core/lib/helpers-internal';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
@@ -348,7 +348,7 @@ class ManagedPolicyGrantPrincipal implements IPrincipal {
     // This property is referenced to add policy statements as a resource-based policy.
     // We should fail because a managed policy cannot be used as a principal of a policy document.
     // cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying
-    throw new Error(`Cannot use a ManagedPolicy '${this._managedPolicy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`);
+    throw new UnscopedValidationError(`Cannot use a ManagedPolicy '${this._managedPolicy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`);
   }
 
   public addToPolicy(statement: PolicyStatement): boolean {
 
@@ -55,7 +55,7 @@ export class PolicyDocument implements cdk.IResolvable {
     const newPolicyDocument = new PolicyDocument();
     const statement = obj.Statement ?? [];
     if (statement && !Array.isArray(statement)) {
-      throw new Error('Statement must be an array');
+      throw new cdk.UnscopedValidationError('Statement must be an array');
     }
     newPolicyDocument.addStatements(...obj.Statement.map((s: any) => PolicyStatement.fromJson(s)));
     return newPolicyDocument;
 
@@ -7,16 +7,17 @@ import {
 import { normalizeStatement } from './private/postprocess-policy-document';
 import { LITERAL_STRING_KEY, mergePrincipal, sum } from './private/util';
 import * as cdk from '../../core';
+import { UnscopedValidationError } from '../../core';
 
 const ensureArrayOrUndefined = (field: any) => {
   if (field === undefined) {
     return undefined;
   }
   if (typeof (field) !== 'string' && !Array.isArray(field)) {
-    throw new Error('Fields must be either a string or an array of strings');
+    throw new UnscopedValidationError('Fields must be either a string or an array of strings');
   }
   if (Array.isArray(field) && !!field.find((f: any) => typeof (f) !== 'string')) {
-    throw new Error('Fields must be either a string or an array of strings');
+    throw new UnscopedValidationError('Fields must be either a string or an array of strings');
   }
   return Array.isArray(field) ? field : [field];
 };
@@ -67,7 +68,7 @@ export class PolicyStatement {
     // validate that the PolicyStatement has the correct shape
     const errors = ret.validateForAnyPolicy();
     if (errors.length > 0) {
-      throw new Error('Incorrect Policy Statement: ' + errors.join('\n'));
+      throw new UnscopedValidationError('Incorrect Policy Statement: ' + errors.join('\n'));
     }
 
     return ret;
@@ -148,7 +149,7 @@ export class PolicyStatement {
   public addActions(...actions: string[]) {
     this.assertNotFrozen('addActions');
     if (actions.length > 0 && this._notAction.length > 0) {
-      throw new Error('Cannot add \'Actions\' to policy statement if \'NotActions\' have been added');
+      throw new UnscopedValidationError('Cannot add \'Actions\' to policy statement if \'NotActions\' have been added');
     }
     this.validatePolicyActions(actions);
     this._action.push(...actions);
@@ -165,7 +166,7 @@ export class PolicyStatement {
   public addNotActions(...notActions: string[]) {
     this.assertNotFrozen('addNotActions');
     if (notActions.length > 0 && this._action.length > 0) {
-      throw new Error('Cannot add \'NotActions\' to policy statement if \'Actions\' have been added');
+      throw new UnscopedValidationError('Cannot add \'NotActions\' to policy statement if \'Actions\' have been added');
     }
     this.validatePolicyActions(notActions);
     this._notAction.push(...notActions);
@@ -192,7 +193,7 @@ export class PolicyStatement {
   public addPrincipals(...principals: IPrincipal[]) {
     this.assertNotFrozen('addPrincipals');
     if (principals.length > 0 && this._notPrincipals.length > 0) {
-      throw new Error('Cannot add \'Principals\' to policy statement if \'NotPrincipals\' have been added');
+      throw new UnscopedValidationError('Cannot add \'Principals\' to policy statement if \'NotPrincipals\' have been added');
     }
     for (const principal of principals) {
       this.validatePolicyPrincipal(principal);
@@ -217,7 +218,7 @@ export class PolicyStatement {
   public addNotPrincipals(...notPrincipals: IPrincipal[]) {
     this.assertNotFrozen('addNotPrincipals');
     if (notPrincipals.length > 0 && this._principals.length > 0) {
-      throw new Error('Cannot add \'NotPrincipals\' to policy statement if \'Principals\' have been added');
+      throw new UnscopedValidationError('Cannot add \'NotPrincipals\' to policy statement if \'Principals\' have been added');
     }
     for (const notPrincipal of notPrincipals) {
       this.validatePolicyPrincipal(notPrincipal);
@@ -236,14 +237,14 @@ export class PolicyStatement {
     if (cdk.Token.isUnresolved(actions)) return;
     for (const action of actions || []) {
       if (!cdk.Token.isUnresolved(action) && !/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action)) {
-        throw new Error(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
+        throw new UnscopedValidationError(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
       }
     }
   }
 
   private validatePolicyPrincipal(principal: IPrincipal) {
     if (principal instanceof Group) {
-      throw new Error('Cannot use an IAM Group as the \'Principal\' or \'NotPrincipal\' in an IAM Policy');
+      throw new UnscopedValidationError('Cannot use an IAM Group as the \'Principal\' or \'NotPrincipal\' in an IAM Policy');
     }
   }
 
@@ -323,7 +324,7 @@ export class PolicyStatement {
   public addResources(...arns: string[]) {
     this.assertNotFrozen('addResources');
     if (arns.length > 0 && this._notResource.length > 0) {
-      throw new Error('Cannot add \'Resources\' to policy statement if \'NotResources\' have been added');
+      throw new UnscopedValidationError('Cannot add \'Resources\' to policy statement if \'NotResources\' have been added');
     }
     this._resource.push(...arns);
   }
@@ -339,7 +340,7 @@ export class PolicyStatement {
   public addNotResources(...arns: string[]) {
     this.assertNotFrozen('addNotResources');
     if (arns.length > 0 && this._resource.length > 0) {
-      throw new Error('Cannot add \'NotResources\' to policy statement if \'Resources\' have been added');
+      throw new UnscopedValidationError('Cannot add \'NotResources\' to policy statement if \'Resources\' have been added');
     }
     this._notResource.push(...arns);
   }
@@ -517,7 +518,7 @@ export class PolicyStatement {
       this.principalConditionsJson = theseConditions;
     } else {
       if (this.principalConditionsJson !== theseConditions) {
-        throw new Error(`All principals in a PolicyStatement must have the same Conditions (got '${this.principalConditionsJson}' and '${theseConditions}'). Use multiple statements instead.`);
+        throw new UnscopedValidationError(`All principals in a PolicyStatement must have the same Conditions (got '${this.principalConditionsJson}' and '${theseConditions}'). Use multiple statements instead.`);
       }
     }
     this.addConditions(conditions);
@@ -676,7 +677,7 @@ export class PolicyStatement {
    */
   private assertNotFrozen(method: string) {
     if (this._frozen) {
-      throw new Error(`${method}: freeze() has been called on this PolicyStatement previously, so it can no longer be modified`);
+      throw new UnscopedValidationError(`${method}: freeze() has been called on this PolicyStatement previously, so it can no longer be modified`);
     }
   }
 }
@@ -810,7 +811,7 @@ class JsonPrincipal extends PrincipalBase {
       json = { [LITERAL_STRING_KEY]: [json] };
     }
     if (typeof(json) !== 'object') {
-      throw new Error(`JSON IAM principal should be an object, got ${JSON.stringify(json)}`);
+      throw new UnscopedValidationError(`JSON IAM principal should be an object, got ${JSON.stringify(json)}`);
     }
 
     this.policyFragment = {
@@ -853,7 +854,7 @@ export function deriveEstimateSizeOptions(scope: IConstruct): EstimateSizeOption
   const actionEstimate = 20;
   const arnEstimate = scope.node.tryGetContext(ARN_SIZE_ESTIMATE_CONTEXT_KEY) ?? DEFAULT_ARN_SIZE_ESTIMATE;
   if (typeof arnEstimate !== 'number') {
-    throw new Error(`Context value ${ARN_SIZE_ESTIMATE_CONTEXT_KEY} should be a number, got ${JSON.stringify(arnEstimate)}`);
+    throw new UnscopedValidationError(`Context value ${ARN_SIZE_ESTIMATE_CONTEXT_KEY} should be a number, got ${JSON.stringify(arnEstimate)}`);
   }
 
   return { actionEstimate, arnEstimate };
 
@@ -7,7 +7,7 @@ import { AddToPrincipalPolicyResult, IGrantable, IPrincipal, PrincipalPolicyFrag
 import { generatePolicyName, undefinedIfEmpty } from './private/util';
 import { IRole } from './role';
 import { IUser } from './user';
-import { IResource, Lazy, Resource } from '../../core';
+import { IResource, Lazy, Resource, UnscopedValidationError } from '../../core';
 import { addConstructMetadata, MethodMetadata } from '../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../core/lib/prop-injectable';
 
@@ -294,7 +294,7 @@ class PolicyGrantPrincipal implements IPrincipal {
     // This property is referenced to add policy statements as a resource-based policy.
     // We should fail because a policy cannot be used as a principal of a policy document.
     // cf. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying
-    throw new Error(`Cannot use a Policy '${this._policy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`);
+    throw new UnscopedValidationError(`Cannot use a Policy '${this._policy.node.path}' as the 'Principal' or 'NotPrincipal' in an IAM Policy`);
   }
 
   public addToPolicy(statement: PolicyStatement): boolean {
 
@@ -6,6 +6,7 @@ import { defaultAddPrincipalToAssumeRole } from './private/assume-role-policy';
 import { LITERAL_STRING_KEY, mergePrincipal } from './private/util';
 import { ISamlProvider } from './saml-provider';
 import * as cdk from '../../core';
+import { UnscopedValidationError } from '../../core';
 import { RegionInfo } from '../../region-info';
 
 /**
@@ -354,7 +355,7 @@ export class PrincipalWithConditions extends PrincipalAdapter {
       // if either the existing condition or the new one contain unresolved
       // tokens, fail the merge. this is as far as we go at this point.
       if (cdk.Token.isUnresolved(condition) || cdk.Token.isUnresolved(existing)) {
-        throw new Error(`multiple "${operator}" conditions cannot be merged if one of them contains an unresolved token`);
+        throw new UnscopedValidationError(`multiple "${operator}" conditions cannot be merged if one of them contains an unresolved token`);
       }
 
       validateConditionObject(existing);
@@ -479,7 +480,7 @@ export class AccountPrincipal extends ArnPrincipal {
   constructor(public readonly accountId: any) {
     super(new StackDependentToken(stack => `arn:${stack.partition}:iam::${accountId}:root`).toString());
     if (!cdk.Token.isUnresolved(accountId) && typeof accountId !== 'string') {
-      throw new Error('accountId should be of type string');
+      throw new UnscopedValidationError('accountId should be of type string');
     }
     this.principalAccount = accountId;
   }
@@ -617,7 +618,7 @@ export class OrganizationPrincipal extends PrincipalBase {
     // We can only validate if it's a literal string (not a token)
     if (!cdk.Token.isUnresolved(organizationId)) {
       if (!organizationId.match(/^o-[a-z0-9]{10,32}$/)) {
-        throw new Error(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
+        throw new UnscopedValidationError(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
       }
     }
   }
@@ -874,7 +875,7 @@ export class CompositePrincipal extends PrincipalBase {
   constructor(...principals: IPrincipal[]) {
     super();
     if (principals.length === 0) {
-      throw new Error('CompositePrincipals must be constructed with at least 1 Principal but none were passed.');
+      throw new UnscopedValidationError('CompositePrincipals must be constructed with at least 1 Principal but none were passed.');
     }
     this.assumeRoleAction = principals[0].assumeRoleAction;
     this.addPrincipals(...principals);
@@ -903,7 +904,7 @@ export class CompositePrincipal extends PrincipalBase {
     for (const p of this._principals) {
       const fragment = p.policyFragment;
       if (fragment.conditions && Object.keys(fragment.conditions).length > 0) {
-        throw new Error(
+        throw new UnscopedValidationError(
           'Components of a CompositePrincipal must not have conditions. ' +
           `Tried to add the following fragment: ${JSON.stringify(fragment)}`);
       }
@@ -1022,6 +1023,6 @@ class ServicePrincipalToken implements cdk.IResolvable {
  */
 export function validateConditionObject(x: unknown): asserts x is Record<string, unknown> {
   if (!x || typeof x !== 'object' || Array.isArray(x)) {
-    throw new Error('A Condition should be represented as a map of operator to value');
+    throw new UnscopedValidationError('A Condition should be represented as a map of operator to value');
   }
 }
@@ -1,5 +1,5 @@
 import { IConstruct } from 'constructs';
-import { captureStackTrace, DefaultTokenResolver, IPostProcessor, IResolvable, IResolveContext, Lazy, StringConcat, Token, Tokenization } from '../../../core';
+import { captureStackTrace, DefaultTokenResolver, IPostProcessor, IResolvable, IResolveContext, Lazy, StringConcat, Token, Tokenization, UnscopedValidationError, ValidationError } from '../../../core';
 import { IPolicy } from '../policy';
 
 export const MAX_POLICY_NAME_LEN = 128;
@@ -60,7 +60,7 @@ export class AttachedPolicies {
     }
 
     if (this.policies.find(p => p.policyName === policy.policyName)) {
-      throw new Error(`A policy named "${policy.policyName}" is already attached`);
+      throw new ValidationError(`A policy named "${policy.policyName}" is already attached`, policy);
     }
 
     this.policies.push(policy);
@@ -79,7 +79,7 @@ export function mergePrincipal(target: { [key: string]: string[] }, source: { [k
 
   if ((LITERAL_STRING_KEY in source && targetKeys.some(k => k !== LITERAL_STRING_KEY)) ||
     (LITERAL_STRING_KEY in target && sourceKeys.some(k => k !== LITERAL_STRING_KEY))) {
-    throw new Error(`Cannot merge principals ${JSON.stringify(target)} and ${JSON.stringify(source)}; if one uses a literal principal string the other one must be empty`);
+    throw new UnscopedValidationError(`Cannot merge principals ${JSON.stringify(target)} and ${JSON.stringify(source)}; if one uses a literal principal string the other one must be empty`);
   }
 
   for (const key of sourceKeys) {
Original file line number	Diff line number	Diff line change
`@@ -251,7 +251,7 @@ export class Grant implements IDependable {`
`251`	`251`	`}`
`252`	`252`
`253`	`253`	`if (!addedToPrincipal.policyDependable) {`
`254`		`- throw new Error('Contract violation: when Principal returns statementAdded=true, it should return a dependable');`
	`254`	`+ throw new cdk.UnscopedValidationError('Contract violation: when Principal returns statementAdded=true, it should return a dependable');`
`255`	`255`	`}`
`256`	`256`
`257`	`257`	`return new Grant({ principalStatement: statement, options, policyDependable: addedToPrincipal.policyDependable });`
`@@ -372,8 +372,7 @@ export class Grant implements IDependable {`
`372`	`372`	`*/`
`373`	`373`	`public assertSuccess(): void {`
`374`	`374`	`if (!this.success) {`
`375`		`- // eslint-disable-next-line max-len`
`376`		- throw new Error(`${describeGrant(this.options)} could not be added on either identity or resource policy.`);
	`375`	+ throw new cdk.UnscopedValidationError(`${describeGrant(this.options)} could not be added on either identity or resource policy.`);
`377`	`376`	`}`
`378`	`377`	`}`
`379`	`378`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ export class PolicyDocument implements cdk.IResolvable {`
`55`	`55`	`const newPolicyDocument = new PolicyDocument();`
`56`	`56`	`const statement = obj.Statement ?? [];`
`57`	`57`	`if (statement && !Array.isArray(statement)) {`
`58`		`- throw new Error('Statement must be an array');`
	`58`	`+ throw new cdk.UnscopedValidationError('Statement must be an array');`
`59`	`59`	`}`
`60`	`60`	`newPolicyDocument.addStatements(...obj.Statement.map((s: any) => PolicyStatement.fromJson(s)));`
`61`	`61`	`return newPolicyDocument;`
Original file line number	Diff line number	Diff line change
`@@ -7,16 +7,17 @@ import {`
`7`	`7`	`import { normalizeStatement } from './private/postprocess-policy-document';`
`8`	`8`	`import { LITERAL_STRING_KEY, mergePrincipal, sum } from './private/util';`
`9`	`9`	`import * as cdk from '../../core';`
	`10`	`+import { UnscopedValidationError } from '../../core';`
`10`	`11`
`11`	`12`	`const ensureArrayOrUndefined = (field: any) => {`
`12`	`13`	`if (field === undefined) {`
`13`	`14`	`return undefined;`
`14`	`15`	`}`
`15`	`16`	`if (typeof (field) !== 'string' && !Array.isArray(field)) {`
`16`		`- throw new Error('Fields must be either a string or an array of strings');`
	`17`	`+ throw new UnscopedValidationError('Fields must be either a string or an array of strings');`
`17`	`18`	`}`
`18`	`19`	`if (Array.isArray(field) && !!field.find((f: any) => typeof (f) !== 'string')) {`
`19`		`- throw new Error('Fields must be either a string or an array of strings');`
	`20`	`+ throw new UnscopedValidationError('Fields must be either a string or an array of strings');`
`20`	`21`	`}`
`21`	`22`	`return Array.isArray(field) ? field : [field];`
`22`	`23`	`};`
`@@ -67,7 +68,7 @@ export class PolicyStatement {`
`67`	`68`	`// validate that the PolicyStatement has the correct shape`
`68`	`69`	`const errors = ret.validateForAnyPolicy();`
`69`	`70`	`if (errors.length > 0) {`
`70`		`- throw new Error('Incorrect Policy Statement: ' + errors.join('\n'));`
	`71`	`+ throw new UnscopedValidationError('Incorrect Policy Statement: ' + errors.join('\n'));`
`71`	`72`	`}`
`72`	`73`
`73`	`74`	`return ret;`
`@@ -148,7 +149,7 @@ export class PolicyStatement {`
`148`	`149`	`public addActions(...actions: string[]) {`
`149`	`150`	`this.assertNotFrozen('addActions');`
`150`	`151`	`if (actions.length > 0 && this._notAction.length > 0) {`
`151`		`- throw new Error('Cannot add \'Actions\' to policy statement if \'NotActions\' have been added');`
	`152`	`+ throw new UnscopedValidationError('Cannot add \'Actions\' to policy statement if \'NotActions\' have been added');`
`152`	`153`	`}`
`153`	`154`	`this.validatePolicyActions(actions);`
`154`	`155`	`this._action.push(...actions);`
`@@ -165,7 +166,7 @@ export class PolicyStatement {`
`165`	`166`	`public addNotActions(...notActions: string[]) {`
`166`	`167`	`this.assertNotFrozen('addNotActions');`
`167`	`168`	`if (notActions.length > 0 && this._action.length > 0) {`
`168`		`- throw new Error('Cannot add \'NotActions\' to policy statement if \'Actions\' have been added');`
	`169`	`+ throw new UnscopedValidationError('Cannot add \'NotActions\' to policy statement if \'Actions\' have been added');`
`169`	`170`	`}`
`170`	`171`	`this.validatePolicyActions(notActions);`
`171`	`172`	`this._notAction.push(...notActions);`
`@@ -192,7 +193,7 @@ export class PolicyStatement {`
`192`	`193`	`public addPrincipals(...principals: IPrincipal[]) {`
`193`	`194`	`this.assertNotFrozen('addPrincipals');`
`194`	`195`	`if (principals.length > 0 && this._notPrincipals.length > 0) {`
`195`		`- throw new Error('Cannot add \'Principals\' to policy statement if \'NotPrincipals\' have been added');`
	`196`	`+ throw new UnscopedValidationError('Cannot add \'Principals\' to policy statement if \'NotPrincipals\' have been added');`
`196`	`197`	`}`
`197`	`198`	`for (const principal of principals) {`
`198`	`199`	`this.validatePolicyPrincipal(principal);`
`@@ -217,7 +218,7 @@ export class PolicyStatement {`
`217`	`218`	`public addNotPrincipals(...notPrincipals: IPrincipal[]) {`
`218`	`219`	`this.assertNotFrozen('addNotPrincipals');`
`219`	`220`	`if (notPrincipals.length > 0 && this._principals.length > 0) {`
`220`		`- throw new Error('Cannot add \'NotPrincipals\' to policy statement if \'Principals\' have been added');`
	`221`	`+ throw new UnscopedValidationError('Cannot add \'NotPrincipals\' to policy statement if \'Principals\' have been added');`
`221`	`222`	`}`
`222`	`223`	`for (const notPrincipal of notPrincipals) {`
`223`	`224`	`this.validatePolicyPrincipal(notPrincipal);`
`@@ -236,14 +237,14 @@ export class PolicyStatement {`
`236`	`237`	`if (cdk.Token.isUnresolved(actions)) return;`
`237`	`238`	`for (const action of actions \|\| []) {`
`238`	`239`	`if (!cdk.Token.isUnresolved(action) && !/^(\\|[a-zA-Z0-9-]+:[a-zA-Z0-9]+)$/.test(action)) {`
`239`		- throw new Error(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
	`240`	+ throw new UnscopedValidationError(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
`240`	`241`	`}`
`241`	`242`	`}`
`242`	`243`	`}`
`243`	`244`
`244`	`245`	`private validatePolicyPrincipal(principal: IPrincipal) {`
`245`	`246`	`if (principal instanceof Group) {`
`246`		`- throw new Error('Cannot use an IAM Group as the \'Principal\' or \'NotPrincipal\' in an IAM Policy');`
	`247`	`+ throw new UnscopedValidationError('Cannot use an IAM Group as the \'Principal\' or \'NotPrincipal\' in an IAM Policy');`
`247`	`248`	`}`
`248`	`249`	`}`
`249`	`250`
`@@ -323,7 +324,7 @@ export class PolicyStatement {`
`323`	`324`	`public addResources(...arns: string[]) {`
`324`	`325`	`this.assertNotFrozen('addResources');`
`325`	`326`	`if (arns.length > 0 && this._notResource.length > 0) {`
`326`		`- throw new Error('Cannot add \'Resources\' to policy statement if \'NotResources\' have been added');`
	`327`	`+ throw new UnscopedValidationError('Cannot add \'Resources\' to policy statement if \'NotResources\' have been added');`
`327`	`328`	`}`
`328`	`329`	`this._resource.push(...arns);`
`329`	`330`	`}`
`@@ -339,7 +340,7 @@ export class PolicyStatement {`
`339`	`340`	`public addNotResources(...arns: string[]) {`
`340`	`341`	`this.assertNotFrozen('addNotResources');`
`341`	`342`	`if (arns.length > 0 && this._resource.length > 0) {`
`342`		`- throw new Error('Cannot add \'NotResources\' to policy statement if \'Resources\' have been added');`
	`343`	`+ throw new UnscopedValidationError('Cannot add \'NotResources\' to policy statement if \'Resources\' have been added');`
`343`	`344`	`}`
`344`	`345`	`this._notResource.push(...arns);`
`345`	`346`	`}`
`@@ -517,7 +518,7 @@ export class PolicyStatement {`
`517`	`518`	`this.principalConditionsJson = theseConditions;`
`518`	`519`	`} else {`
`519`	`520`	`if (this.principalConditionsJson !== theseConditions) {`
`520`		- throw new Error(`All principals in a PolicyStatement must have the same Conditions (got '${this.principalConditionsJson}' and '${theseConditions}'). Use multiple statements instead.`);
	`521`	+ throw new UnscopedValidationError(`All principals in a PolicyStatement must have the same Conditions (got '${this.principalConditionsJson}' and '${theseConditions}'). Use multiple statements instead.`);
`521`	`522`	`}`
`522`	`523`	`}`
`523`	`524`	`this.addConditions(conditions);`
`@@ -676,7 +677,7 @@ export class PolicyStatement {`
`676`	`677`	`*/`
`677`	`678`	`private assertNotFrozen(method: string) {`
`678`	`679`	`if (this._frozen) {`
`679`		- throw new Error(`${method}: freeze() has been called on this PolicyStatement previously, so it can no longer be modified`);
	`680`	+ throw new UnscopedValidationError(`${method}: freeze() has been called on this PolicyStatement previously, so it can no longer be modified`);
`680`	`681`	`}`
`681`	`682`	`}`
`682`	`683`	`}`
`@@ -810,7 +811,7 @@ class JsonPrincipal extends PrincipalBase {`
`810`	`811`	`json = { [LITERAL_STRING_KEY]: [json] };`
`811`	`812`	`}`
`812`	`813`	`if (typeof(json) !== 'object') {`
`813`		- throw new Error(`JSON IAM principal should be an object, got ${JSON.stringify(json)}`);
	`814`	+ throw new UnscopedValidationError(`JSON IAM principal should be an object, got ${JSON.stringify(json)}`);
`814`	`815`	`}`
`815`	`816`
`816`	`817`	`this.policyFragment = {`
`@@ -853,7 +854,7 @@ export function deriveEstimateSizeOptions(scope: IConstruct): EstimateSizeOption`
`853`	`854`	`const actionEstimate = 20;`
`854`	`855`	`const arnEstimate = scope.node.tryGetContext(ARN_SIZE_ESTIMATE_CONTEXT_KEY) ?? DEFAULT_ARN_SIZE_ESTIMATE;`
`855`	`856`	`if (typeof arnEstimate !== 'number') {`
`856`		- throw new Error(`Context value ${ARN_SIZE_ESTIMATE_CONTEXT_KEY} should be a number, got ${JSON.stringify(arnEstimate)}`);
	`857`	+ throw new UnscopedValidationError(`Context value ${ARN_SIZE_ESTIMATE_CONTEXT_KEY} should be a number, got ${JSON.stringify(arnEstimate)}`);
`857`	`858`	`}`
`858`	`859`
`859`	`860`	`return { actionEstimate, arnEstimate };`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import { defaultAddPrincipalToAssumeRole } from './private/assume-role-policy';`
`6`	`6`	`import { LITERAL_STRING_KEY, mergePrincipal } from './private/util';`
`7`	`7`	`import { ISamlProvider } from './saml-provider';`
`8`	`8`	`import * as cdk from '../../core';`
	`9`	`+import { UnscopedValidationError } from '../../core';`
`9`	`10`	`import { RegionInfo } from '../../region-info';`
`10`	`11`
`11`	`12`	`/**`
`@@ -354,7 +355,7 @@ export class PrincipalWithConditions extends PrincipalAdapter {`
`354`	`355`	`// if either the existing condition or the new one contain unresolved`
`355`	`356`	`// tokens, fail the merge. this is as far as we go at this point.`
`356`	`357`	`if (cdk.Token.isUnresolved(condition) \|\| cdk.Token.isUnresolved(existing)) {`
`357`		- throw new Error(`multiple "${operator}" conditions cannot be merged if one of them contains an unresolved token`);
	`358`	+ throw new UnscopedValidationError(`multiple "${operator}" conditions cannot be merged if one of them contains an unresolved token`);
`358`	`359`	`}`
`359`	`360`
`360`	`361`	`validateConditionObject(existing);`
`@@ -479,7 +480,7 @@ export class AccountPrincipal extends ArnPrincipal {`
`479`	`480`	`constructor(public readonly accountId: any) {`
`480`	`481`	super(new StackDependentToken(stack => `arn:${stack.partition}:iam::${accountId}:root`).toString());
`481`	`482`	`if (!cdk.Token.isUnresolved(accountId) && typeof accountId !== 'string') {`
`482`		`- throw new Error('accountId should be of type string');`
	`483`	`+ throw new UnscopedValidationError('accountId should be of type string');`
`483`	`484`	`}`
`484`	`485`	`this.principalAccount = accountId;`
`485`	`486`	`}`
`@@ -617,7 +618,7 @@ export class OrganizationPrincipal extends PrincipalBase {`
`617`	`618`	`// We can only validate if it's a literal string (not a token)`
`618`	`619`	`if (!cdk.Token.isUnresolved(organizationId)) {`
`619`	`620`	`if (!organizationId.match(/^o-[a-z0-9]{10,32}$/)) {`
`620`		- throw new Error(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
	`621`	+ throw new UnscopedValidationError(`Expected Organization ID must match regex pattern ^o-[a-z0-9]{10,32}$, received ${organizationId}`);
`621`	`622`	`}`
`622`	`623`	`}`
`623`	`624`	`}`
`@@ -874,7 +875,7 @@ export class CompositePrincipal extends PrincipalBase {`
`874`	`875`	`constructor(...principals: IPrincipal[]) {`
`875`	`876`	`super();`
`876`	`877`	`if (principals.length === 0) {`
`877`		`- throw new Error('CompositePrincipals must be constructed with at least 1 Principal but none were passed.');`
	`878`	`+ throw new UnscopedValidationError('CompositePrincipals must be constructed with at least 1 Principal but none were passed.');`
`878`	`879`	`}`
`879`	`880`	`this.assumeRoleAction = principals[0].assumeRoleAction;`
`880`	`881`	`this.addPrincipals(...principals);`
`@@ -903,7 +904,7 @@ export class CompositePrincipal extends PrincipalBase {`
`903`	`904`	`for (const p of this._principals) {`
`904`	`905`	`const fragment = p.policyFragment;`
`905`	`906`	`if (fragment.conditions && Object.keys(fragment.conditions).length > 0) {`
`906`		`- throw new Error(`
	`907`	`+ throw new UnscopedValidationError(`
`907`	`908`	`'Components of a CompositePrincipal must not have conditions. ' +`
`908`	`909`	`Tried to add the following fragment: ${JSON.stringify(fragment)}`);
`909`	`910`	`}`
`@@ -1022,6 +1023,6 @@ class ServicePrincipalToken implements cdk.IResolvable {`
`1022`	`1023`	`*/`
`1023`	`1024`	`export function validateConditionObject(x: unknown): asserts x is Record<string, unknown> {`
`1024`	`1025`	`if (!x \|\| typeof x !== 'object' \|\| Array.isArray(x)) {`
`1025`		`- throw new Error('A Condition should be represented as a map of operator to value');`
	`1026`	`+ throw new UnscopedValidationError('A Condition should be represented as a map of operator to value');`
`1026`	`1027`	`}`
`1027`	`1028`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`import { IConstruct } from 'constructs';`
`2`		`-import { captureStackTrace, DefaultTokenResolver, IPostProcessor, IResolvable, IResolveContext, Lazy, StringConcat, Token, Tokenization } from '../../../core';`
	`2`	`+import { captureStackTrace, DefaultTokenResolver, IPostProcessor, IResolvable, IResolveContext, Lazy, StringConcat, Token, Tokenization, UnscopedValidationError, ValidationError } from '../../../core';`
`3`	`3`	`import { IPolicy } from '../policy';`
`4`	`4`
`5`	`5`	`export const MAX_POLICY_NAME_LEN = 128;`
`@@ -60,7 +60,7 @@ export class AttachedPolicies {`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`if (this.policies.find(p => p.policyName === policy.policyName)) {`
`63`		- throw new Error(`A policy named "${policy.policyName}" is already attached`);
	`63`	+ throw new ValidationError(`A policy named "${policy.policyName}" is already attached`, policy);
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`this.policies.push(policy);`
`@@ -79,7 +79,7 @@ export function mergePrincipal(target: { [key: string]: string[] }, source: { [k`
`79`	`79`
`80`	`80`	`if ((LITERAL_STRING_KEY in source && targetKeys.some(k => k !== LITERAL_STRING_KEY)) \|\|`
`81`	`81`	`(LITERAL_STRING_KEY in target && sourceKeys.some(k => k !== LITERAL_STRING_KEY))) {`
`82`		- throw new Error(`Cannot merge principals ${JSON.stringify(target)} and ${JSON.stringify(source)}; if one uses a literal principal string the other one must be empty`);
	`82`	+ throw new UnscopedValidationError(`Cannot merge principals ${JSON.stringify(target)} and ${JSON.stringify(source)}; if one uses a literal principal string the other one must be empty`);
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`for (const key of sourceKeys) {`