Data Source: aws_cloudtrail_service_account
Use this data source to get the Account ID of the AWS CloudTrail Service Account in a given region for the purpose of allowing CloudTrail to store trail data in S3.
Example Usage
data "aws_cloudtrail_service_account" "main" {}
resource "aws_s3_bucket" "bucket" {
bucket = "tf-cloudtrail-logging-test-bucket"
force_destroy = true
policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "Put bucket policy needed for trails",
"Effect": "Allow",
"Principal": {
"AWS": "${data.aws_cloudtrail_service_account.main.arn}"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket/*"
},
{
"Sid": "Get bucket policy needed for trails",
"Effect": "Allow",
"Principal": {
"AWS": "${data.aws_cloudtrail_service_account.main.arn}"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::tf-cloudtrail-logging-test-bucket"
}
]
}
EOF
}
Argument Reference
-
region- (Optional) Name of the region whose AWS CloudTrail account ID is desired. Defaults to the region from the AWS provider configuration.
Attributes Reference
-
id- The ID of the AWS CloudTrail service account in the selected region. -
arn- The ARN of the AWS CloudTrail service account in the selected region.
© 2018 HashiCorpLicensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/aws/d/cloudtrail_service_account.html