fix(cloudtrail): fix use of imported bucket with CloudTrail (#4270)

Stop the CloudTaril construct from reaching into the S3 Bucket construct
and touching its implementation detail, go through the public interface
instead.

Fixes #4256.

Author: rix0rrr

packages/@aws-cdk/aws-cloudtrail/lib/index.ts

@@ -206,8 +206,10 @@ export class Trail extends Resource {
     });
     this.trailSnsTopicArn = trail.attrSnsTopicArn;
 
-    const s3BucketPolicy = this.s3bucket.node.findChild("Policy").node.findChild("Resource") as s3.CfnBucketPolicy;
-    trail.node.addDependency(s3BucketPolicy);
+    // Add a dependency on the bucket policy being updated, CloudTrail will test this upon creation.
+    if (this.s3bucket.policy) {
+      trail.node.addDependency(this.s3bucket.policy);
+    }
 
     // If props.sendToCloudWatchLogs is set to true then the trail needs to depend on the created logsRole
     // so that it can create the log stream for the log group. This ensures the logsRole is created and propagated

packages/@aws-cdk/aws-cloudtrail/test/test.cloudtrail.ts

@@ -96,6 +96,22 @@ export = {
       expect(stack).to(not(haveResource("AWS::Logs::LogGroup")));
       test.done();
     },
+
+    'with imported s3 bucket'(test: Test) {
+      // GIVEN
+      const stack = getTestStack();
+      const bucket = s3.Bucket.fromBucketName(stack, 'S3', 'SomeBucket');
+
+      // WHEN
+      new Trail(stack, 'Trail', { bucket });
+
+      expect(stack).to(haveResource('AWS::CloudTrail::Trail', {
+        S3BucketName: 'SomeBucket'
+      }));
+
+      test.done();
+    },
+
     'with cloud watch logs': {
       'enabled'(test: Test) {
         const stack = getTestStack();