diff --git a/aws/arn.go b/aws/arn.go
new file mode 100644
index 00000000000..de72a23eb70
--- /dev/null
+++ b/aws/arn.go
@@ -0,0 +1,26 @@
+package aws
+
+import (
+ "github.com/aws/aws-sdk-go/aws/arn"
+ "github.com/aws/aws-sdk-go/service/iam"
+)
+
+func arnString(partition, region, service, accountId, resource string) string {
+ return arn.ARN{
+ Partition: partition,
+ Region: region,
+ Service: service,
+ AccountID: accountId,
+ Resource: resource,
+ }.String()
+}
+
+// See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
+func iamArnString(partition, accountId, resource string) string {
+ return arnString(
+ partition,
+ "",
+ iam.ServiceName,
+ accountId,
+ resource)
+}
diff --git a/aws/arn_test.go b/aws/arn_test.go
new file mode 100644
index 00000000000..9d0505f033f
--- /dev/null
+++ b/aws/arn_test.go
@@ -0,0 +1,13 @@
+package aws
+
+import (
+ "testing"
+)
+
+func TestArn_iamRootUser(t *testing.T) {
+ arn := iamArnString("aws", "1234567890", "root")
+ expectedArn := "arn:aws:iam::1234567890:root"
+ if arn != expectedArn {
+ t.Fatalf("Expected ARN: %s, got: %s", expectedArn, arn)
+ }
+}
diff --git a/aws/data_source_aws_redshift_service_account.go b/aws/data_source_aws_redshift_service_account.go
index 9e57b7a146d..b7a9a230774 100644
--- a/aws/data_source_aws_redshift_service_account.go
+++ b/aws/data_source_aws_redshift_service_account.go
@@ -33,6 +33,10 @@ func dataSourceAwsRedshiftServiceAccount() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 },
+ "arn": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
 },
 }
 }
@@ -45,6 +49,7 @@ func dataSourceAwsRedshiftServiceAccountRead(d *schema.ResourceData, meta interf
 if accid, ok := redshiftServiceAccountPerRegionMap[region]; ok {
 d.SetId(accid)
+ d.Set("arn", iamArnString(meta.(*AWSClient).partition, accid, "user/logs"))
 return nil
 }
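Review bot: The parameter `accountId` in both `arnString` and `iamArnString` breaks the Go initialism convention and is inconsistent with the `AccountID` field it is assigned to; rename it to `accountID`. Neither helper has a doc comment, so a reader has to open the SDK to learn what the empty region in `iamArnString` means. I would add `// arnString formats the given components as an ARN string via the SDK's arn.ARN type.` above the first function and `// iamArnString builds an IAM ARN; IAM is a global service, so the region component is left empty.` above the second, keeping the existing link to the ARN syntax page.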
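Review bot: `TestArn_iamRootUser` pins only the default `"aws"` partition, while the only caller in this change passes the provider's partition through, so the case that matters for non-default partitions is untested. Add a second case such as `iamArnString("aws-cn", "1234567890", "root")` with the expected value `"arn:aws-cn:iam::1234567890:root"` so a regression that drops or hardcodes the partition is caught by the unit test rather than in a GovCloud or China acceptance run.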
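Review bot: The error returned by `d.Set` on the added line in `dataSourceAwsRedshiftServiceAccountRead` is discarded, so a failure to store the attribute would leave `arn` empty while the read still reports success. Because the documented example in this change interpolates this attribute as the `Principal` of a bucket policy, an unset value should surface as an error rather than propagate into the policy; write it as `if err := d.Set("arn", iamArnString(meta.(*AWSClient).partition, accid, "user/logs")); err != nil {` followed by `return err` and `}`. The function's body continues past the end of the hunk.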
diff --git a/aws/data_source_aws_redshift_service_account_test.go b/aws/data_source_aws_redshift_service_account_test.go
index 47f507be01b..2be8a2fac36 100644
--- a/aws/data_source_aws_redshift_service_account_test.go
+++ b/aws/data_source_aws_redshift_service_account_test.go
@@ -15,12 +15,14 @@ func TestAccAWSRedshiftServiceAccount_basic(t *testing.T) {
 Config: testAccCheckAwsRedshiftServiceAccountConfig,
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr("data.aws_redshift_service_account.main", "id", "902366379725"),
+ resource.TestCheckResourceAttr("data.aws_redshift_service_account.main", "arn", "arn:aws:iam::902366379725:user/logs"),
 ),
 },
 resource.TestStep{
 Config: testAccCheckAwsRedshiftServiceAccountExplicitRegionConfig,
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr("data.aws_redshift_service_account.regional", "id", "307160386991"),
+ resource.TestCheckResourceAttr("data.aws_redshift_service_account.regional", "arn", "arn:aws:iam::307160386991:user/logs"),
 ),
 },
 },
diff --git a/website/docs/d/redshift_service_account.html.markdown b/website/docs/d/redshift_service_account.html.markdown
index 40436a40e6a..18d47d9fe1d 100644
--- a/website/docs/d/redshift_service_account.html.markdown
+++ b/website/docs/d/redshift_service_account.html.markdown
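Review bot: Both added `TestCheckResourceAttr` lines in `TestAccAWSRedshiftServiceAccount_basic` hardcode the `arn:aws:` partition, but the data source now derives the partition from the provider client, so these steps will fail when the acceptance suite runs against an account in another partition. Either build the expected string from the test provider's partition or match the attribute against a pattern such as `^arn:[^:]+:iam::902366379725:user/logs$` with `resource.TestMatchResourceAttr`, which keeps the account ID and resource assertions intact. The enclosing test function starts before the hunk.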
@@ -3,12 +3,12 @@ layout: "aws"
 page_title: "AWS: aws_redshift_service_account"
 sidebar_current: "docs-aws-datasource-redshift-service-account"
 description: |-
- Get AWS Redshift Service Account ID for storing audit data in S3.
+ Get AWS Redshift Service Account for storing audit data in S3.
 ---
 # aws\_redshift\_service\_account
-Use this data source to get the Service Account ID of the [AWS Redshift Account](http://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging)
+Use this data source to get the Account ID of the [AWS Redshift Service Account](http://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-enable-logging)
 in a given region for the purpose of allowing Redshift to store audit data in S3.
 ## Example Usage
@@ -28,7 +28,7 @@ resource "aws_s3_bucket" "bucket" {
 "Sid": "Put bucket policy needed for audit logging",
 "Effect": "Allow",
 "Principal": {
- "AWS": "arn:aws:iam::${data.aws_redshift_service_account.main.id}:user/logs"
+ "AWS": "${data.aws_redshift_service_account.main.arn}"
 },
 "Action": "s3:PutObject",
 "Resource": "arn:aws:s3:::tf-redshift-logging-test-bucket/*"
@@ -37,7 +37,7 @@ resource "aws_s3_bucket" "bucket" {
 "Sid": "Get bucket policy needed for audit logging ",
 "Effect": "Allow",
 "Principal": {
- "AWS": "arn:aws:iam::${data.aws_redshift_service_account.main.id}:user/logs"
+ "AWS": "${data.aws_redshift_service_account.main.arn}"
 },
 "Action": "s3:GetBucketAcl",
 "Resource": "arn:aws:s3:::tf-redshift-logging-test-bucket"
@@ -50,9 +50,10 @@ EOF
 ## Argument Reference
-* `region` - (Optional) Name of the Region whose Redshift account id is desired. If not specified, default's to the region from the AWS provider configuration.
-
+* `region` - (Optional) Name of the region whose AWS Redshift account ID is desired.
+Defaults to the region from the AWS provider configuration.
 ## Attributes Reference
-* `id` - The ID of the Redshift service Account in the selected region.
+* `id` - The ID of the AWS Redshift service account in the selected region.
+* `arn` - The ARN of the AWS Redshift service account in the selected region.