Data Source: aws_cloudtrail_service_account

Use this data source to get the Account ID of the AWS CloudTrail Service Account in a given region, so that a bucket policy can grant that account the permissions CloudTrail needs to store trail data in S3.

Example Usage

data "aws_cloudtrail_service_account" "main" {}

resource "aws_s3_bucket" "bucket" {
  bucket        = "tf-cloudtrail-logging-test-bucket"
  force_destroy = true
}

data "aws_iam_policy_document" "allow_cloudtrail_logging" {
  statement {
    sid    = "Put bucket policy needed for trails"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_cloudtrail_service_account.main.arn]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
  }

  statement {
    sid    = "Get bucket policy needed for trails"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_cloudtrail_service_account.main.arn]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.bucket.arn]
  }
}

resource "aws_s3_bucket_policy" "allow_cloudtrail_logging" {
  bucket = aws_s3_bucket.bucket.id
  policy = data.aws_iam_policy_document.allow_cloudtrail_logging.json
}
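A small audit of the rendered bucket policy, added here as an example and not part of the provider documentation: it checks a policy JSON of the shape the `aws_iam_policy_document` above produces for the least-privilege form CloudTrail delivery needs (only the trusted CloudTrail principal, only `s3:PutObject` on objects and `s3:GetBucketAcl` on the bucket) and flags wildcard principals or broader actions. The CloudTrail ARN in the sample is a placeholder, not a real service-account ARN.

```python
"""Audit an S3 bucket policy meant for CloudTrail trail delivery (added example)."""
import json

# Constructed sample: the account in CLOUDTRAIL_ARN is a placeholder value.
BUCKET_ARN = "arn:aws:s3:::tf-cloudtrail-logging-test-bucket"
CLOUDTRAIL_ARN = "arn:aws:iam::000000000000:root"

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Put bucket policy needed for trails", "Effect": "Allow",
         "Principal": {"AWS": CLOUDTRAIL_ARN},
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*"},
        {"Sid": "Get bucket policy needed for trails", "Effect": "Allow",
         "Principal": {"AWS": CLOUDTRAIL_ARN},
         "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN},
    ],
})

# The only actions a trail needs on its log bucket.
ALLOWED_ACTIONS = {"s3:PutObject", "s3:GetBucketAcl"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_cloudtrail_bucket_policy(policy_json, bucket_arn, trusted_principals):
    """Return a list of findings; an empty list means the policy is acceptable."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no sid>")
        if stmt.get("Effect") != "Allow":
            continue  # explicit denies only tighten the policy
        principal = stmt.get("Principal")
        principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS", []))
        for p in principals:
            if p == "*" or p not in trusted_principals:
                findings.append(f"{sid}: untrusted principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} not needed for trail delivery")
            for res in _as_list(stmt.get("Resource", [])):
                # PutObject belongs on objects (bucket ARN plus a key prefix), never the bucket itself.
                if action == "s3:PutObject" and not res.startswith(bucket_arn + "/"):
                    findings.append(f"{sid}: PutObject must be scoped under {bucket_arn}/")
                if action == "s3:GetBucketAcl" and res != bucket_arn:
                    findings.append(f"{sid}: GetBucketAcl must be scoped to {bucket_arn}")
    return findings
```

Run it against `terraform show -json` output or the `.json` attribute of the policy document; the sample policy above produces no findings.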

Argument Reference

Attribute Reference

This data source exports the following attributes in addition to the arguments above: