improve iam rule arn generation for s3 bucket

DaWyz · DaWyz · commit 7a10a52ba3c9 · 2020-06-02T08:45:27.000-07:00
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
@@ -120,21 +120,18 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
         actions: ['s3:PutObject'],
         principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
         resources: [
-          `arn:aws:s3:::${bucket.bucketName.toString()}/${prefix ? prefix + '/' : ''}AWSLogs/${
-            Stack.of(this).account
-          }/*`,
+          bucket.arnForObjects(`${prefix ? prefix + '/' : ''}AWSLogs/${Stack.of(this).account}/*`),
         ],
         conditions: {
           StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' },
         },
       }),
     );
-
     bucket.addToResourcePolicy(
       new PolicyStatement({
         actions: ['s3:GetBucketAcl'],
         principals: [new ServicePrincipal('delivery.logs.amazonaws.com')],
-        resources: [`arn:aws:s3:::${bucket.bucketName.toString()}`],
+        resources: [bucket.bucketArn],
       }),
     );
   }
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/nlb/test.load-balancer.ts
@@ -121,16 +121,16 @@ export = {
             Effect: 'Allow',
             Principal: { Service: 'delivery.logs.amazonaws.com' },
             Resource: {
-              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' },
-                '/AWSLogs/', { Ref: 'AWS::AccountId' }, '/*']],
+              'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'] }, '/AWSLogs/',
+                { Ref: 'AWS::AccountId' }, '/*']],
             },
           },
           {
             Action: 's3:GetBucketAcl',
             Effect: 'Allow',
             Principal: { Service: 'delivery.logs.amazonaws.com' },
             Resource: {
-              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' }]],
+              'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'],
             },
           },
         ],
@@ -194,16 +194,16 @@ export = {
             Effect: 'Allow',
             Principal: { Service: 'delivery.logs.amazonaws.com' },
             Resource: {
-              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' },
-                '/prefix-of-access-logs/AWSLogs/', { Ref: 'AWS::AccountId' }, '/*']],
+              'Fn::Join': ['', [{ 'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'] }, '/prefix-of-access-logs/AWSLogs/',
+                { Ref: 'AWS::AccountId' }, '/*']],
             },
           },
           {
             Action: 's3:GetBucketAcl',
             Effect: 'Allow',
             Principal: { Service: 'delivery.logs.amazonaws.com' },
             Resource: {
-              'Fn::Join': ['', ['arn:aws:s3:::', { Ref: 'AccessLoggingBucketA6D88F29' }]],
+              'Fn::GetAtt': ['AccessLoggingBucketA6D88F29', 'Arn'],
             },
           },
         ],
