
Data Source: awsCloudtrailServiceAccount

Use this data source to get the Account ID of the AWS CloudTrail Service Account in a given region for the purpose of allowing CloudTrail to store trail data in S3.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Bucket that will receive the trail's log objects.
const awsS3BucketBucket = new aws.s3Bucket.S3Bucket(this, "bucket", {
  bucket: "tf-cloudtrail-logging-test-bucket",
  forceDestroy: true,
});
// Look up the CloudTrail service account for the provider's configured region.
const dataAwsCloudtrailServiceAccountMain =
  new aws.dataAwsCloudtrailServiceAccount.DataAwsCloudtrailServiceAccount(
    this,
    "main",
    {}
  );
// Policy document granting that account only the two permissions trail delivery needs.
const dataAwsIamPolicyDocumentAllowCloudtrailLogging =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "allow_cloudtrail_logging",
    {
      statement: [
        {
          actions: ["s3:PutObject"],
          effect: "Allow",
          principals: [
            {
              identifiers: [dataAwsCloudtrailServiceAccountMain.arn],
              type: "AWS",
            },
          ],
          resources: [`\${${awsS3BucketBucket.arn}}/*`],
          sid: "Put bucket policy needed for trails",
        },
        {
          actions: ["s3:GetBucketAcl"],
          effect: "Allow",
          principals: [
            {
              identifiers: [dataAwsCloudtrailServiceAccountMain.arn],
              type: "AWS",
            },
          ],
          resources: [awsS3BucketBucket.arn],
          sid: "Get bucket policy needed for trails",
        },
      ],
    }
  );
// Attach the rendered policy document to the bucket.
const awsS3BucketPolicyAllowCloudtrailLogging =
  new aws.s3BucketPolicy.S3BucketPolicy(this, "allow_cloudtrail_logging_3", {
    bucket: awsS3BucketBucket.id,
    policy: dataAwsIamPolicyDocumentAllowCloudtrailLogging.json,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketPolicyAllowCloudtrailLogging.overrideLogicalId(
  "allow_cloudtrail_logging"
);
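As an added example (not code from the provider docs or the CDKTF project), the helpers below write the same two grants as plain policy JSON, adding the `s3:x-amz-acl` / `bucket-owner-full-control` condition that AWS documents for CloudTrail's `PutObject` grant, and audit a rendered bucket policy so that the CloudTrail principal never ends up with more than those two scoped actions. The function names and the ARNs used in the test are assumptions; the service account ARN is what the data source's `arn` attribute would return.

```typescript
interface Statement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: { AWS: string[] } | "*";
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string>>;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

// Plain-JSON equivalent of the page's policy document: the two grants the
// CloudTrail service account needs, plus the ACL condition AWS documents for
// PutObject so delivered objects stay owned by the bucket owner.
function cloudtrailBucketPolicy(serviceAccountArn: string, bucketArn: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "Put bucket policy needed for trails", Effect: "Allow",
        Principal: { AWS: [serviceAccountArn] }, Action: ["s3:PutObject"],
        Resource: [`${bucketArn}/*`],
        Condition: { StringEquals: { "s3:x-amz-acl": "bucket-owner-full-control" } } },
      { Sid: "Get bucket policy needed for trails", Effect: "Allow",
        Principal: { AWS: [serviceAccountArn] }, Action: ["s3:GetBucketAcl"],
        Resource: [bucketArn] },
    ],
  };
}

// Audit a rendered bucket policy: grants to the CloudTrail principal must stay
// limited to these two actions on this bucket, with PutObject object-scoped and
// conditioned; any wildcard principal or extra action is reported as a finding.
function auditCloudtrailPolicy(doc: PolicyDocument, serviceAccountArn: string, bucketArn: string): string[] {
  const findings: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const principals = s.Principal === "*" ? ["*"] : s.Principal.AWS;
    if (principals.includes("*")) findings.push(`${s.Sid}: wildcard principal`);
    if (!principals.includes(serviceAccountArn)) continue; // not a CloudTrail grant
    for (const a of s.Action) {
      if (a === "s3:PutObject") {
        if (!s.Resource.every((r) => r === `${bucketArn}/*`)) findings.push(`${s.Sid}: PutObject not scoped to ${bucketArn}/*`);
        if (s.Condition?.StringEquals?.["s3:x-amz-acl"] !== "bucket-owner-full-control") findings.push(`${s.Sid}: PutObject lacks bucket-owner-full-control condition`);
      } else if (a === "s3:GetBucketAcl") {
        if (!s.Resource.every((r) => r === bucketArn)) findings.push(`${s.Sid}: GetBucketAcl not scoped to ${bucketArn}`);
      } else {
        findings.push(`${s.Sid}: action ${a} is not needed by CloudTrail`);
      }
    }
  }
  return findings;
}
```

Run the audit against the JSON that `terraform show` or the synthesized policy gives you; an empty findings list means the bucket policy grants CloudTrail exactly what the two statements above intend and nothing more.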

Argument Reference

  • region - (Optional) Name of the region whose AWS CloudTrail account ID is desired. Defaults to the region from the AWS provider configuration.

Attributes Reference

  • id - ID of the AWS CloudTrail service account in the selected region.
  • arn - ARN of the AWS CloudTrail service account in the selected region.