AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Partition:
    Type: String
  Partitions:
    Type: List<String>
Resources: 
  myVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      InstanceTenancy: dedicated
  RolePolicies: 
    Type: "AWS::IAM::ManagedPolicy"
    Properties: 
      ManagedPolicyName: "root"
      PolicyDocument: 
        Version: "2012-10-17"
        Statement: 
          - 
            Effect: "Allow"
            Action: "*"
            Resource: 
            - Fn::Join:
                - ''
                - - !Sub "${AWS::AccountId}-test"   # Sub returns a string and shoule work here
            - Fn::Join:
                - ''
                - !GetAZs 'us-east-1'  # a GetAZs returns a list which should work here
            - Fn::Join:
                - ''
                - !GetAtt myVPC.CidrBlockAssociations  # a GetAtt to a list should work here
            - Fn::Join:
                - ''
                - - !GetAtt myVPC.CidrBlock  # a GetAtt to a string should work here
            - Fn::Join:
                - ''
                - - 'arn:'
                  - !Ref Partition
                  - ':s3:::elasticbeanstalk-*-'
                  - !Ref 'AWS::AccountId'
            - Fn::Join:
              - ''
              - Ref: Partitions
            - Fn::Join:
              - ''
              - !Ref AWS::NotificationARNs
  CustomResourceFn:
    Type: "AWS::Serverless::Function"
    Properties:
      Handler: index.handler
      Runtime: python3.7
      InlineCode: |
        import cfnresponse
        def handler(event, context):
          outputs = {'ListOutput': ['joe', 'jill', 'jane', 'jim']}
          return cfnresponse.send(event, context, "SUCCESS", outputs)

  CustomResource:
    Type: "Custom::Resource"
    Properties:
      ServiceToken: !GetAtt CustomResourceFn.Arn

  Bucket:
    Type: "AWS::S3::Bucket"
    Properties:
      Tags:
        - Key: BucketUsers
          Value: !Join [":", !GetAtt CustomResource.ListOutput]