fix(cloudtrail): Invalid arn partition for GovCloud (#8248)

Use partition ref for lambda and s3 data events Closes #8247 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jun 14, 2020 · 5189170 · 5189170
1 parent 86d84e6
commit 5189170
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts b/packages/@aws-cdk/aws-cloudtrail/lib/cloudtrail.ts
@@ -345,7 +345,7 @@ export class Trail extends Resource {
    * @default false
    */
   public logAllLambdaDataEvents(options: AddEventSelectorOptions = {}) {
-    return this.addEventSelector(DataResourceType.LAMBDA_FUNCTION, [ 'arn:aws:lambda' ], options);
+    return this.addEventSelector(DataResourceType.LAMBDA_FUNCTION, [ `arn:${this.stack.partition}:lambda` ], options);
   }
 
   /**
@@ -372,7 +372,7 @@ export class Trail extends Resource {
    * @default false
    */
   public logAllS3DataEvents(options: AddEventSelectorOptions = {}) {
-    return this.addEventSelector(DataResourceType.S3_OBJECT, [ 'arn:aws:s3:::' ], options);
+    return this.addEventSelector(DataResourceType.S3_OBJECT, [ `arn:${this.stack.partition}:s3:::` ], options);
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts b/packages/@aws-cdk/aws-cloudtrail/test/cloudtrail.test.ts
@@ -257,7 +257,20 @@ describe('cloudtrail', () => {
             {
               DataResources: [{
                 Type: 'AWS::S3::Object',
-                Values: [ 'arn:aws:s3:::' ],
+                Values: [
+                  {
+                    'Fn::Join': [
+                      '',
+                      [
+                        'arn:',
+                        {
+                          Ref: 'AWS::Partition',
+                        },
+                        ':s3:::',
+                      ],
+                    ],
+                  },
+                ],
               }],
               IncludeManagementEvents: ABSENT,
               ReadWriteType: ABSENT,
@@ -331,7 +344,20 @@ describe('cloudtrail', () => {
             {
               DataResources: [{
                 Type: 'AWS::S3::Object',
-                Values: [ 'arn:aws:s3:::' ],
+                Values: [
+                  {
+                    'Fn::Join': [
+                      '',
+                      [
+                        'arn:',
+                        {
+                          Ref: 'AWS::Partition',
+                        },
+                        ':s3:::',
+                      ],
+                    ],
+                  },
+                ],
               }],
               IncludeManagementEvents: false,
               ReadWriteType: 'ReadOnly',
@@ -391,7 +417,20 @@ describe('cloudtrail', () => {
             {
               DataResources: [{
                 Type: 'AWS::Lambda::Function',
-                Values: [ 'arn:aws:lambda' ],
+                Values: [
+                  {
+                    'Fn::Join': [
+                      '',
+                      [
+                        'arn:',
+                        {
+                          Ref: 'AWS::Partition',
+                        },
+                        ':lambda',
+                      ],
+                    ],
+                  },
+                ],
               }],
             },
           ],