Issue w/ Ref & Join's when building ARNs in Cloudformation/troposphere
This is per Chris Shenton on the cloudtools-dev group:
Been using tropo for a few weeks and started using AWACS so I can more easily create IAM Roles and Policy documents. Liking it a lot, thanks, guys.
But I'm stuck trying to reference a resource in an AWACS policy, I can't figure how to build the ARN. The docs show hard-wired names, e.g.:
S3: Resource=[s3.S3_ARN("myBucket")],
SQS: Resource=[sqs.SQS_ARN(region, account, "queue1"), ],
For things that need Region and Account, is there a way to get those without hard-wiring them in my tropo script? I was hoping to use Ref("AWS::Region") and Ref("AWS::AccountID") but those generate resources like:
"Resource": [
"arn:aws:dynamodb:<troposphere.Ref object at 0x10978c128>:<troposphere.Ref object at 0x10978c1d0>:table/JobStateDB"
],
I'd also like to avoid hard-wiring my resource name; for example, I have a DynamoDB defined like:
from troposphere import Ref, Template
from troposphere import dynamodb

# `t` is the Template and p_jobstate_readunits / p_jobstate_writeunits are the
# throughput Parameters; both are defined earlier in the same script.
t = Template()

r_jobstate_db = t.add_resource(
    dynamodb.Table(
        "JobStateDB",
        AttributeDefinitions=[dynamodb.AttributeDefinition("job", "S")],
        KeySchema=[dynamodb.Key("job", "HASH")],
        ProvisionedThroughput=dynamodb.ProvisionedThroughput(
            Ref(p_jobstate_readunits),
            Ref(p_jobstate_writeunits),
        ),
    )
)
And I want to reference it in AWACS. Below, I know the Ref()s fail as above; I think I'm relying on knowing the implementation when I access the ".title" attribute:
from awacs.aws import Allow, Statement
import awacs.dynamodb

Statement(
    Action=[awacs.dynamodb.PutItem],
    Effect=Allow,
    Resource=[
        awacs.dynamodb.ARN(
            Ref("AWS::Region"),
            Ref("AWS::AccountId"),  # the pseudo-parameter is spelled AWS::AccountId
            r_jobstate_db.title,    # logical ID, not necessarily the physical table name
        ),
    ],
)
Any guidance on how I can:
* Get AWS "Region" and "AccountID" to build the ARN without hard-wiring
* Get the resources name to build the ARN without peeking at code
Or is there a totally smarter way to do this, like:
Resource=[awacs.dynamodb.MagickARN(r_jobstate_db)]
Thanks!
This seems like something we should investigate. Not sure if this is:
- Possible in regular cloudformation iam policies.
- A problem with awacs
- A problem with troposphere
Anyway, I think it’s curious enough that we should have a bug for it just to make sure it doesn’t get lost.
Issue Analytics
- Created 8 years ago
- Reactions:1
- Comments:7 (3 by maintainers)
Top GitHub Comments
I haven’t tried it, but have you tried putting the Join inside the principal object?
Ahh, I did it wrong before. I forgot the AWS part. It works. Thanks @phobologic
Principal=Principal("AWS", Join("", ["arn:aws:iam::", ref_account, ":role/Administrators"])),
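The two patterns discussed in this thread, side by side, as an added example that is not part of the original issue or of troposphere/awacs. The `Ref`, `Join` and `GetAtt` classes below are assumed stand-ins that emit the same JSON troposphere serializes those intrinsics to (`{"Ref": ...}`, `{"Fn::Join": ...}`, `{"Fn::GetAtt": ...}`), so the script runs without either library; `naive_table_arn`, `joined_table_arn`, `getatt_table_arn`, `role_arn_in_this_account`, `put_item_statement` and `has_leaked_repr` are names chosen for this example. It shows why passing a `Ref` to a string-formatting ARN helper leaks a Python object repr into the policy, how nesting the `Ref`s inside `Fn::Join` (the fix from the comments) produces an ARN CloudFormation resolves at deploy time, and two caveats the question touches on: the pseudo-parameter is `AWS::AccountId`, and the physical table name comes from `Ref` on the table (or its whole ARN from `GetAtt ... Arn`), not from the logical ID that `.title` holds.

```python
import json


class Intrinsic:
    """Stand-in for a deferred CloudFormation intrinsic (assumed helper, not a
    troposphere class). str() is left as the default object repr on purpose:
    that is exactly what goes wrong when a Ref is string-formatted into an ARN."""

    def to_dict(self):
        raise NotImplementedError


class Ref(Intrinsic):
    def __init__(self, name):
        self.name = name

    def to_dict(self):
        return {"Ref": self.name}


class GetAtt(Intrinsic):
    def __init__(self, logical_id, attribute):
        self.logical_id = logical_id
        self.attribute = attribute

    def to_dict(self):
        return {"Fn::GetAtt": [self.logical_id, self.attribute]}


class Join(Intrinsic):
    def __init__(self, delimiter, parts):
        self.delimiter = delimiter
        self.parts = parts

    def to_dict(self):
        return {"Fn::Join": [self.delimiter, [render(p) for p in self.parts]]}


def render(value):
    """Recursively turn intrinsics into the JSON CloudFormation expects."""
    if isinstance(value, Intrinsic):
        return value.to_dict()
    if isinstance(value, list):
        return [render(v) for v in value]
    if isinstance(value, dict):
        return {k: render(v) for k, v in value.items()}
    return value


def naive_table_arn(region, account, table_name):
    """The failing pattern: a helper that assembles the ARN with string
    formatting. Any Ref passed in is str()'d into '<... object at 0x...>'."""
    return "arn:aws:dynamodb:%s:%s:table/%s" % (region, account, table_name)


def joined_table_arn(table_logical_id):
    """The working pattern: every Ref stays inside Fn::Join, so CloudFormation
    substitutes it at deploy time. AWS::Partition avoids hard-coding 'aws'
    (wrong in GovCloud/China), the pseudo-parameter is AWS::AccountId, and Ref
    on an AWS::DynamoDB::Table yields the physical table name (the logical ID
    is only the table name if TableName was set explicitly)."""
    return Join("", [
        "arn:", Ref("AWS::Partition"), ":dynamodb:", Ref("AWS::Region"), ":",
        Ref("AWS::AccountId"), ":table/", Ref(table_logical_id),
    ])


def getatt_table_arn(table_logical_id):
    """Simplest option for this resource type: the table exposes an Arn
    attribute, so nothing needs to be assembled at all."""
    return GetAtt(table_logical_id, "Arn")


def role_arn_in_this_account(role_name):
    """The Principal ARN from the thread, built the same way. IAM ARNs carry
    no region, hence the empty field between the two colons after 'iam'."""
    return Join("", ["arn:", Ref("AWS::Partition"), ":iam::",
                     Ref("AWS::AccountId"), ":role/", role_name])


def put_item_statement(resource):
    """Least-privilege statement scoped to one table ARN (rendered to JSON)."""
    return {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
            "Resource": [render(resource)]}


def has_leaked_repr(rendered):
    """Cheap pre-deploy check: a Python object repr anywhere in the rendered
    policy means a Ref was stringified instead of serialized."""
    return " object at 0x" in json.dumps(rendered)


if __name__ == "__main__":
    print("broken:", naive_table_arn(Ref("AWS::Region"), Ref("AWS::AccountId"), "JobStateDB"))
    for arn in (joined_table_arn("JobStateDB"), getatt_table_arn("JobStateDB")):
        print(json.dumps(put_item_statement(arn), indent=2))
```

Running the script prints the leaked-repr ARN first, then the two rendered statements; `has_leaked_repr` is the kind of check worth running over a whole template before deploying, since a malformed Resource ARN in a policy fails only at stack creation time, far from the Python line that caused it.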