[aws-s3] Bucket.fromBucketArn does not behave as expected #10638

Closed
jpSimkins opened this issue Oct 1, 2020 · 3 comments
Labels: @aws-cdk/aws-s3 (Related to Amazon S3); guidance (Question that needs advice or information); response-requested (Waiting on additional info and feedback)

jpSimkins commented Oct 1, 2020

❓ General Issue

The Question

I am working on a construct, and I want to allow a bucket ARN to be used if they prefer. I thought it would be simple enough; we have this:

```typescript
import { Bucket } from '@aws-cdk/aws-s3'; // CDK v1 scoped package, as of Oct 2020

this.bucket = Bucket.fromBucketArn(this, 'S3ReplicationBucket', props.destionationBucketArn);
```

The issue I am experiencing is that I want to add a policy to the bucket.

```typescript
import { AccountPrincipal, PolicyStatement } from '@aws-cdk/aws-iam'; // CDK v1 scoped package, as of Oct 2020

// Add policy to allow replication to be received
this.bucket.addToResourcePolicy(
  new PolicyStatement({
    actions: [
      's3:GetBucketVersioning',
      's3:PutBucketVersioning',
      's3:ReplicateObject',
      's3:ReplicateDelete',
      's3:ObjectOwnerOverrideToBucketOwner',
    ],
    principals: [new AccountPrincipal(props.sourceAWSAccountID)],
    resources: [this.bucket.bucketArn, this.bucket.bucketArn + '/*'],
  }),
);
```

When I create the bucket, this works as expected. When I am using an ARN, I have an empty template.

This leads me to believe that:
a. Bucket.fromBucketArn cannot be used like a bucket, then what's the point of it?
b. This is a bug

Before I attempt to go the policy route and attach to a bucket (if even possible), e.g.:

```yaml
Type: AWS::S3::BucketPolicy
Properties:
  Bucket: String
  PolicyDocument: Json
```

I wanted to see if this is expected behavior. I, for one, find this very limiting, as it severely limits what I can do with existing resources.

Is it not possible to attach bucket policies this way? If not, is there a concern for policies being removed this way? Just trying to understand why this doesn't work and what the correct approach would be.

My only other option would be to remove support for bucketArn but this has me worried about other constructs I plan to write as this is something I can see being necessary.

Environment

iliapolo (Contributor) commented Oct 8, 2020

Hi @jpSimkins - Indeed this is a bug. See #6548 for more details.

> Bucket.fromBucketArn cannot be used like a bucket, then what's the point of it?

IBucket has a few additional APIs that can take effect on imported buckets (grant* methods). It also has a few utility functions and can be used as a type-safe reference for other APIs that work with buckets.
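The fallback the question raises, emitting the AWS::S3::BucketPolicy yourself, as an added example; this is not code from the issue or from the aws-cdk project. It is plain TypeScript with no CDK dependency: parseBucketArn, replicationDestinationPolicy and assertStatementAdded are names chosen here, and the resource JSON it produces is what a BucketPolicy construct would synthesize for the same inputs. It derives the Bucket property (a bucket name, not an ARN) from the destination ARN, rejects object ARNs and non-12-digit account IDs, and splits the question's single statement into bucket-level and object-level resources. The last helper is the check that exposes the silent no-op in the thread: CDK's IBucket.addToResourcePolicy returns an AddToResourcePolicyResult whose statementAdded is false for an imported bucket.

```typescript
// Added example, not from the issue or the aws-cdk project. Plain TypeScript,
// no CDK dependency: builds the AWS::S3::BucketPolicy resource that the
// question falls back to when the destination bucket is only known by ARN.

interface StatementJson {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: { AWS: string };
  Action: string[];
  Resource: string[];
}

interface BucketPolicyResource {
  Type: 'AWS::S3::BucketPolicy';
  Properties: {
    Bucket: string;
    PolicyDocument: { Version: '2012-10-17'; Statement: StatementJson[] };
  };
}

// An S3 bucket ARN carries no region or account: arn:<partition>:s3:::<bucket-name>.
// The three common partitions and the bucket-name rules (3-63 chars, lowercase
// letters, digits, dots, hyphens, alphanumeric at both ends) are encoded here.
const BUCKET_ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$/;
const ACCOUNT_ID_RE = /^\d{12}$/;

function parseBucketArn(bucketArn: string): { partition: string; bucketName: string } {
  const m = BUCKET_ARN_RE.exec(bucketArn);
  if (m === null) {
    // Object ARNs (arn:aws:s3:::bucket/key) and malformed input are rejected,
    // so a caller cannot accidentally attach a bucket policy to the wrong thing.
    throw new Error(`not an S3 bucket ARN: ${bucketArn}`);
  }
  return { partition: m[1], bucketName: m[2] };
}

// Replication actions split by the resource IAM evaluates them against. A
// bucket-level action never matches "<bucket>/*" and an object-level action
// never matches the bare bucket ARN, so listing both resources on every action
// (as the question does) only widens the statement without granting more.
const BUCKET_ACTIONS = ['s3:GetBucketVersioning', 's3:PutBucketVersioning'];
const OBJECT_ACTIONS = [
  's3:ReplicateObject',
  's3:ReplicateDelete',
  's3:ObjectOwnerOverrideToBucketOwner',
];

function replicationDestinationPolicy(
  destinationBucketArn: string,
  sourceAccountId: string,
): BucketPolicyResource {
  if (!ACCOUNT_ID_RE.test(sourceAccountId)) {
    throw new Error(`source account must be a 12-digit account ID: ${sourceAccountId}`);
  }
  const { partition, bucketName } = parseBucketArn(destinationBucketArn);
  // CDK's AccountPrincipal renders as the account root ARN in the same partition.
  const principal = { AWS: `arn:${partition}:iam::${sourceAccountId}:root` };
  return {
    Type: 'AWS::S3::BucketPolicy',
    Properties: {
      Bucket: bucketName,
      PolicyDocument: {
        Version: '2012-10-17',
        Statement: [
          {
            Sid: 'ReplicationBucketConfig',
            Effect: 'Allow',
            Principal: principal,
            Action: BUCKET_ACTIONS,
            Resource: [destinationBucketArn],
          },
          {
            Sid: 'ReplicationObjects',
            Effect: 'Allow',
            Principal: principal,
            Action: OBJECT_ACTIONS,
            Resource: [`${destinationBucketArn}/*`],
          },
        ],
      },
    },
  };
}

// The check that exposes the silent no-op in the thread. CDK's
// IBucket.addToResourcePolicy returns an AddToResourcePolicyResult whose
// statementAdded is false for an imported bucket; failing loudly here is how a
// construct that accepts a bucket ARN avoids deploying with no policy at all.
function assertStatementAdded(result: { statementAdded: boolean }, what: string): void {
  if (!result.statementAdded) {
    throw new Error(
      `${what}: addToResourcePolicy added nothing (imported bucket?); ` +
        'attach an AWS::S3::BucketPolicy explicitly instead',
    );
  }
}
```

JSON.stringify the returned object to drop it into a template, or feed its Properties to a CfnBucketPolicy in CDK. Note that the Bucket property takes the bucket name, which is why the ARN is parsed rather than passed through; a cross-account destination also needs the bucket to exist already, which is exactly the case in which fromBucketArn is used.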

jpSimkins (Author) commented

Thank you @iliapolo, I will close this ticket and +1 that ticket.
