Use this data source to get the Account ID of the AWS CloudTrail service account in a given region, for use in allowing CloudTrail to store trail data in S3.
# Look up the CloudTrail service account for the current region. No `region`
# argument is set here, so the provider's configured region is used.
data "aws_cloudtrail_service_account" "main" {
}
# Destination bucket for trail log delivery. `force_destroy` lets Terraform
# delete the bucket even when it still holds objects, which suits a test
# bucket like this one (the name says so) but not a long-lived audit-log store.
resource "aws_s3_bucket" "bucket" {
  force_destroy = true
  bucket        = "tf-cloudtrail-logging-test-bucket"
}
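# Bucket policy granting the regional CloudTrail service account the two
# permissions a trail needs on its destination bucket: write log objects and
# read the bucket ACL.
data "aws_iam_policy_document" "allow_cloudtrail_logging" {
  statement {
    sid    = "Put bucket policy needed for trails"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_cloudtrail_service_account.main.arn]
    }

    actions = ["s3:PutObject"]

    # NOTE(review): this allows writes to any key in the bucket. Consider
    # narrowing it to the AWSLogs/<your-account-id>/* prefix so that only
    # trails from this account can deliver here.
    resources = ["${aws_s3_bucket.bucket.arn}/*"]

    # Require CloudTrail to grant the bucket owner full control of each
    # delivered object. Without this, on a bucket that still honours object
    # ACLs, the log objects can end up unreadable by the bucket's own account.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  statement {
    sid    = "Get bucket policy needed for trails"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_cloudtrail_service_account.main.arn]
    }

    # CloudTrail checks the bucket ACL before it starts delivering logs.
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.bucket.arn]
  }
}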
# Attach the rendered policy document to the logging bucket.
resource "aws_s3_bucket_policy" "allow_cloudtrail_logging" {
  policy = data.aws_iam_policy_document.allow_cloudtrail_logging.json
  bucket = aws_s3_bucket.bucket.id
}
region
- (Optional) Name of the region whose AWS CloudTrail account ID is desired.
Defaults to the region from the AWS provider configuration.

This data source exports the following attributes in addition to the arguments above:
id
- ID of the AWS CloudTrail service account in the selected region.

arn
- ARN of the AWS CloudTrail service account in the selected region.