Allow external/existing Bucket to be supplied (aws#3651)

packages/@aws-cdk/aws-cloudtrail/lib/index.ts

@@ -93,6 +93,12 @@ export interface TrailProps {
    * @default - No prefix.
    */
   readonly s3KeyPrefix?: string;
+
+  /** The Amazon S3 bucket
+   *
+   * @default - if not supplied a bucket will be created with all the correct permisions
+   */
+  readonly s3Bucket?: s3.Bucket
 }
 
 export enum ReadWriteType {
@@ -129,23 +135,27 @@ export class Trail extends Resource {
       physicalName: props.trailName,
     });
 
-    const s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.UNENCRYPTED});
-    const cloudTrailPrincipal = new iam.ServicePrincipal("cloudtrail.amazonaws.com");
-
-    s3bucket.addToResourcePolicy(new iam.PolicyStatement({
-      resources: [s3bucket.bucketArn],
-      actions: ['s3:GetBucketAcl'],
-      principals: [cloudTrailPrincipal],
-    }));
-
-    s3bucket.addToResourcePolicy(new iam.PolicyStatement({
-      resources: [s3bucket.arnForObjects(`AWSLogs/${Stack.of(this).account}/*`)],
-      actions: ["s3:PutObject"],
-      principals: [cloudTrailPrincipal],
-      conditions:  {
-        StringEquals: {'s3:x-amz-acl': "bucket-owner-full-control"}
-      }
-    }));
+    let s3bucket = props.s3Bucket;
+    if (props.s3Bucket === undefined) {
+
+      s3bucket = new s3.Bucket(this, 'S3', {encryption: s3.BucketEncryption.UNENCRYPTED});
+      const cloudTrailPrincipal = new iam.ServicePrincipal("cloudtrail.amazonaws.com");
+
+      s3bucket.addToResourcePolicy(new iam.PolicyStatement({
+        resources: [s3bucket.bucketArn],
+        actions: ['s3:GetBucketAcl'],
+        principals: [cloudTrailPrincipal],
+      }));
+
+      s3bucket.addToResourcePolicy(new iam.PolicyStatement({
+        resources: [s3bucket.arnForObjects(`AWSLogs/${Stack.of(this).account}/*`)],
+        actions: ["s3:PutObject"],
+        principals: [cloudTrailPrincipal],
+        conditions:  {
+          StringEquals: {'s3:x-amz-acl': "bucket-owner-full-control"}
+        }
+      }));
+    }
 
     let logGroup: logs.CfnLogGroup | undefined;
     let logsRole: iam.IRole | undefined;