fix(acm): DnsValidatedCertificate in non-aws partitions (aws#5771)

The policies in `DnsValidatedCertificate` had the `:aws:` partition hardcoded into them, and so wouldn't work in non-commercial partititions (for example Chinese regions). Use the right partition from the `Stack`. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
melgenek · Jan 13, 2020 · e3305d8 · e3305d8
1 parent a54630d
commit e3305d8
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
@@ -75,7 +75,7 @@ export class DnsValidatedCertificate extends cdk.Resource implements ICertificat
         }));
         requestorFunction.addToRolePolicy(new iam.PolicyStatement({
             actions: ['route53:changeResourceRecordSets'],
-            resources: [`arn:aws:route53:::hostedzone/${this.hostedZoneId}`],
+            resources: [`arn:${cdk.Stack.of(requestorFunction).partition}:route53:::hostedzone/${this.hostedZoneId}`],
         }));
 
         const certificate = new cfn.CustomResource(this, 'CertificateRequestorResource', {

diff --git a/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts b/packages/@aws-cdk/aws-certificatemanager/test/test.dns-validated-certificate.ts
@@ -66,10 +66,10 @@ export = {
               'Fn::Join': [
                 '',
                 [
-                  'arn:aws:route53:::hostedzone/',
-                  {
-                    Ref: 'ExampleDotCom4D1B83AA'
-                  }
+                  'arn:',
+                  { Ref: 'AWS::Partition' },
+                  ':route53:::hostedzone/',
+                  { Ref: 'ExampleDotCom4D1B83AA' }
                 ]
               ]
             }