fix(secretsmanager/ssm): verify presence of parameter name (#2066)

Throw an error if Secrets or SSM Parameter are referenced with an empty
name. This adds clear messaging around an otherwise obscure
CloudFormation error.

Author: rix0rrr

packages/@aws-cdk/aws-secretsmanager/lib/secret-string.ts

@@ -39,6 +39,12 @@ export class SecretString extends cdk.DynamicReference {
       service: cdk.DynamicReferenceService.SecretsManager,
       referenceKey: '',
     });
+
+    // If we don't validate this here it will lead to a very unclear
+    // error message in CloudFormation, so better do it.
+    if (!props.secretId) {
+      throw new Error('SecretString: secretId cannot be empty');
+    }
   }
 
   /**

packages/@aws-cdk/aws-secretsmanager/test/test.secret-string.ts

@@ -32,4 +32,18 @@ export = {
 
     test.done();
   },
+
+  'empty secretId will throw'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    test.throws(() => {
+      new secretsmanager.SecretString(stack, 'Ref', {
+        secretId: '',
+      });
+    }, /secretId cannot be empty/);
+
+    test.done();
+  },
 };

packages/@aws-cdk/aws-ssm/lib/parameter-store-string.ts

@@ -28,6 +28,12 @@ export class ParameterStoreString extends cdk.Construct {
   constructor(scope: cdk.Construct, id: string, props: ParameterStoreStringProps) {
     super(scope, id);
 
+    // If we don't validate this here it will lead to a very unclear
+    // error message in CloudFormation, so better do it.
+    if (!props.parameterName) {
+      throw new Error('ParameterStoreString: parameterName cannot be empty');
+    }
+
     // We use a different inner construct depend on whether we want the latest
     // or a specific version.
     //
@@ -80,5 +86,11 @@ export class ParameterStoreSecureString extends cdk.DynamicReference {
       service: cdk.DynamicReferenceService.SsmSecure,
       referenceKey: `${props.parameterName}:${props.version}`,
     });
+
+    // If we don't validate this here it will lead to a very unclear
+    // error message in CloudFormation, so better do it.
+    if (!props.parameterName) {
+      throw new Error('ParameterStoreSecureString: parameterName cannot be empty');
+    }
   }
 }

packages/@aws-cdk/aws-ssm/test/test.parameter-store-string.ts

@@ -59,4 +59,18 @@ export = {
 
     test.done();
   },
+
+  'empty parameterName will throw'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    // WHEN
+    test.throws(() => {
+      new ssm.ParameterStoreString(stack, 'Ref', {
+        parameterName: '',
+      });
+    }, /parameterName cannot be empty/);
+
+    test.done();
+  },
 };