How do I build Resource ARNs in CDK?

Using the C# CDK library, I'm building various IAM roles that are used to limit permissions for my CI/CD pipelines to deploy Elastic Beanstalk applications. Right now, I set the Resources property of my PolicyStatementProps object to ["*"], but this is far too permissive.

Using the AWSServiceRoleForElasticBeanstalk managed policy as an example to go by, I see they add ARNs like the following:

"arn:aws:cloudformation:*:*:stack/awseb-*"

I imagine I'll want something like this for my custom IAM role, but I'm not sure how to build these resource ARNs using the CDK. I feel like this shouldn't be just a hard-coded string due to the dynamic and variable nature of the infrastructure itself, but I don't have the experience to know for sure.

I do know that I want to limit the ARN to only specific accounts (which is * in the example above, instead of a real account ID). Wildcards are probably appropriate to keep it simple, especially if there's no way to use the EB-specific objects in my CDK code to obtain the resource ARNs to attach to my role's inline policy automatically.

What is the best and most idiomatic method of setting up the resource ARNs in my custom IAM role?
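As an added illustration (editor's code, not part of the question or of any answer on this page), the following C# CDK v2 stack builds the awseb-* CloudFormation ARN from the question and an Elastic Beanstalk environment ARN with Stack.FormatArn, which fills in the partition, region and account of the stack's own environment instead of the "*:*" used in the managed policy. The CodeBuild principal and the application and environment names are assumed placeholders.

```csharp
// Added example (editor's code). Assumes packages Amazon.CDK and Amazon.CDK.AWS.IAM;
// the principal "codebuild.amazonaws.com" and the names "my-eb-app"/"my-eb-env"
// are placeholders, not values from the question.
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Constructs;

public class EbDeployRoleStack : Stack
{
    public EbDeployRoleStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Partition, region and account default to this stack's environment, so
        // the resulting ARN is scoped to the deploying account, not "*:*".
        string ebStacksArn = FormatArn(new ArnComponents
        {
            Service = "cloudformation",
            Resource = "stack",
            ResourceName = "awseb-*",              // prefix EB gives its stacks
            ArnFormat = ArnFormat.SLASH_RESOURCE_NAME
        });

        // EB environment ARNs use the same slash layout: environment/<app>/<env>.
        string ebEnvArn = FormatArn(new ArnComponents
        {
            Service = "elasticbeanstalk",
            Resource = "environment",
            ResourceName = "my-eb-app/my-eb-env",  // placeholder names
            ArnFormat = ArnFormat.SLASH_RESOURCE_NAME
        });

        var deployRole = new Role(this, "EbDeployRole", new RoleProps
        {
            AssumedBy = new ServicePrincipal("codebuild.amazonaws.com") // placeholder
        });

        // Each statement lists only the ARNs it needs instead of "*".
        deployRole.AddToPolicy(new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.ALLOW,
            Actions = new[] { "cloudformation:DescribeStacks", "cloudformation:UpdateStack" },
            Resources = new[] { ebStacksArn }
        }));
        deployRole.AddToPolicy(new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.ALLOW,
            Actions = new[] { "elasticbeanstalk:UpdateEnvironment" },
            Resources = new[] { ebEnvArn }
        }));
    }
}
```

If the stack is deployed without an explicit account or region, FormatArn emits the AWS::AccountId and AWS::Region pseudo-parameters, so the ARN still resolves to the deploying account at deploy time rather than to a wildcard.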