fix(secretsmanager): fix cross-region policy arn for imported secrets (#26813)

Pre 2.89.0 we could import a secret from a complete secret arn in one stack and reference this secret from another stack in a different region to include it in a policy/role through grantRead on the secret construct.

Since 2.89.0 the arn in the policy it treats the compledSecretArn as a partial arn adding -?????? which makes the policy invalid and not allowing access to the secret as intended.

This PR fixes that by overriding arnForPolicies for imported secrets to either return provided complete arn or partial arn with suffix.

Fixes #26811.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rv2673

packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts

@@ -601,6 +601,8 @@ export class Secret extends SecretBase {
       public readonly secretName = parseSecretName(scope, secretArn);
       protected readonly autoCreatePolicy = false;
       public get secretFullArn() { return secretArnIsPartial ? undefined : secretArn; }
+      protected get arnForPolicies() { return secretArnIsPartial ? `${secretArn}-??????` : secretArn; }
+
     }(scope, id, { environmentFromArn: secretArn });
   }
 

packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts

@@ -1390,3 +1390,59 @@ test('cross-environment grant with direct object reference', () => {
   });
 
 });
+
+test('cross-environment grant with imported from completeArn', () => {
+  // GIVEN
+  const secretCompleteArn = 'arn:aws:secretsmanager:foobar:1111111111:secret:secret-name-suffix';
+  const producerStack = new cdk.Stack(app, 'ProducerStack', { env: { region: 'foo', account: '1111111111' } });
+  const consumerStack = new cdk.Stack(app, 'ConsumerStack', { env: { region: 'bar', account: '1111111111' } });
+  const secret = secretsmanager.Secret.fromSecretCompleteArn(producerStack, 'Secret', secretCompleteArn);
+  const role = new iam.Role(consumerStack, 'Role', { assumedBy: new iam.AccountRootPrincipal() });
+
+  // WHEN
+  secret.grantRead(role);
+
+  // THEN
+  Template.fromStack(consumerStack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Version: '2012-10-17',
+      Statement: [{
+        Action: [
+          'secretsmanager:GetSecretValue',
+          'secretsmanager:DescribeSecret',
+        ],
+        Effect: 'Allow',
+        Resource: secretCompleteArn,
+      }],
+    },
+  });
+
+});
+
+test('cross-environment grant with imported from partialArn', () => {
+  // GIVEN
+  const secretPartialArn = 'arn:aws:secretsmanager:foobar:1111111111:secret:secret-name';
+  const producerStack = new cdk.Stack(app, 'ProducerStack', { env: { region: 'foo', account: '1111111111' } });
+  const consumerStack = new cdk.Stack(app, 'ConsumerStack', { env: { region: 'bar', account: '1111111111' } });
+  const secret = secretsmanager.Secret.fromSecretPartialArn(producerStack, 'Secret', secretPartialArn);
+  const role = new iam.Role(consumerStack, 'Role', { assumedBy: new iam.AccountRootPrincipal() });
+
+  // WHEN
+  secret.grantRead(role);
+
+  // THEN
+  Template.fromStack(consumerStack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Version: '2012-10-17',
+      Statement: [{
+        Action: [
+          'secretsmanager:GetSecretValue',
+          'secretsmanager:DescribeSecret',
+        ],
+        Effect: 'Allow',
+        Resource: `${secretPartialArn}-??????`,
+      }],
+    },
+  });
+
+});