route53: HostedZone should have a `hostedZoneArn` property

❓ General Issue

The Question

I’m trying to create a IAM group with a policy attached to change DNS records for a Route53 hosted zone.

This is my code:

const group = new iam.Group(this, 'group', {
      groupName: 'ci-ui-iam-group'
    })

const zone = route53.HostedZone.fromLookup(this, 'zone', {
      domainName: 'mydomain.com'
    })

group.addManagedPolicy(
      new iam.ManagedPolicy(this, 'AllowChangeRecordSets', {
        managedPolicyName: 'allow-change-record-sets',
        statements: [
          new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            resources: [`arn:aws:route53:::${zone.hostedZoneId}`],
            actions: ['route53:ChangeResourceRecordSets']
          })
        ]
      })
    )

It creates the group as well as the policy, whose JSON looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::/hostedzone/<SomeHostedZoneId>",
      "Effect": "Allow"
    }
  ]
}

When opening the new Policy in AWS Console, I get this warning:

When changing the Resource entry like this (removing the / before hostedzone):

"Resource": "arn:aws:route53:::hostedzone/<SomeHostedZoneId>",

the policy is fixed.

So my question is: can I get hostedzone/<SomeHostedZoneId> using AWS CDK instead of /hostedzone/<SomeHostedZoneId> so I don’t have to remove the leading / myself?

Or even better: is there a function in the CDK which allows me to get the full ARN for this zone?

Environment

• CDK CLI Version: 1.15.0
• Module Version: 1.15.0
• OS: Darwin mbp.local 19.0.0 Darwin Kernel Version 19.0.0: Wed Sep 25 20:18:50 PDT 2019; root:xnu-6153.11.26~2/RELEASE_X86_64 x86_64
• Language: TypeScript

Other information