
Data Source: awsElbServiceAccount

Use this data source to get the account ID of the AWS Elastic Load Balancing service account in a given region, so that the account can be granted access in an S3 bucket policy.

Note: For AWS Regions opened since Jakarta (ap-southeast-3) in December 2021, AWS documents that a service principal name should be used instead of an AWS account ID in any relevant IAM policy.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as aws from "./.gen/providers/aws";
class MyConvertedCode extends TerraformStack {
  constructor(scope: Construct, name: string) {
    super(scope, name);
    // Private bucket that receives the load balancer access logs.
    const awsS3BucketElbLogs = new aws.s3Bucket.S3Bucket(this, "elb_logs", {
      bucket: "my-elb-tf-test-bucket",
    });
    new aws.s3BucketAcl.S3BucketAcl(this, "elb_logs_acl", {
      acl: "private",
      bucket: awsS3BucketElbLogs.id,
    });
    // ELB service account for the region of the AWS provider configuration.
    const dataAwsElbServiceAccountMain =
      new aws.dataAwsElbServiceAccount.DataAwsElbServiceAccount(
        this,
        "main",
        {}
      );
    // Grant only that account s3:PutObject, and only under the AWSLogs/ prefix.
    const dataAwsIamPolicyDocumentAllowElbLogging =
      new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
        this,
        "allow_elb_logging",
        {
          statement: [
            {
              actions: ["s3:PutObject"],
              effect: "Allow",
              principals: [
                {
                  identifiers: [dataAwsElbServiceAccountMain.arn],
                  type: "AWS",
                },
              ],
              resources: [`${awsS3BucketElbLogs.arn}/AWSLogs/*`],
            },
          ],
        }
      );
    new aws.elb.Elb(this, "bar", {
      accessLogs: {
        bucket: awsS3BucketElbLogs.id,
        interval: 5,
      },
      availabilityZones: ["us-west-2a"],
      listener: [
        {
          instancePort: 8000,
          instanceProtocol: "http",
          lbPort: 80,
          lbProtocol: "http",
        },
      ],
      name: "my-foobar-terraform-elb",
    });
    const awsS3BucketPolicyAllowElbLogging =
      new aws.s3BucketPolicy.S3BucketPolicy(this, "allow_elb_logging_5", {
        bucket: awsS3BucketElbLogs.id,
        policy: dataAwsIamPolicyDocumentAllowElbLogging.json,
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    awsS3BucketPolicyAllowElbLogging.overrideLogicalId("allow_elb_logging");
  }
}
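
The check below is an added example, not part of the provider documentation: it audits one statement of a rendered bucket policy to confirm that the ELB log-delivery grant is limited to s3:PutObject under AWSLogs/ and to either the ARN returned by this data source or the logdelivery.elasticloadbalancing.amazonaws.com service principal. The function, type and constant names are assumptions, and the sample account ID is a placeholder.

```typescript
type Principal = "*" | { AWS?: string | string[]; Service?: string | string[] };
interface Statement {
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string | string[];
}

// Service principal AWS documents for ELB log delivery in newer regions.
const ELB_LOG_SERVICE = "logdelivery.elasticloadbalancing.amazonaws.com";

const asList = (v?: string | string[]): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Returns one finding per way the statement grants more than ELB log delivery needs.
function auditElbLogStatement(stmt: Statement, bucketArn: string, elbArn: string): string[] {
  const findings: string[] = [];
  if (stmt.Effect !== "Allow") return findings; // only grants are audited
  if (stmt.Principal === "*") {
    findings.push("principal is a wildcard");
  } else {
    for (const arn of asList(stmt.Principal.AWS))
      if (arn !== elbArn) findings.push("unexpected AWS principal: " + arn);
    for (const svc of asList(stmt.Principal.Service))
      if (svc !== ELB_LOG_SERVICE) findings.push("unexpected service principal: " + svc);
  }
  for (const action of asList(stmt.Action))
    if (action !== "s3:PutObject") findings.push("action beyond s3:PutObject: " + action);
  const prefix = bucketArn + "/AWSLogs/";
  for (const res of asList(stmt.Resource)) {
    // A literal "${" means a Terraform reference was never resolved to an ARN.
    if (res.indexOf("${") !== -1) findings.push("unresolved interpolation: " + res);
    else if (res.indexOf(prefix) !== 0) findings.push("resource outside AWSLogs/: " + res);
  }
  return findings;
}

// Constructed sample input; the account ID is a placeholder, not a real ELB account.
const BUCKET_ARN = "arn:aws:s3:::my-elb-tf-test-bucket";
const ELB_ARN = "arn:aws:iam::123456789012:root";
const scoped: Statement = { Effect: "Allow", Principal: { AWS: ELB_ARN },
  Action: "s3:PutObject", Resource: BUCKET_ARN + "/AWSLogs/*" };
const loose: Statement = { Effect: "Allow", Principal: "*",
  Action: ["s3:PutObject", "s3:GetObject"], Resource: BUCKET_ARN + "/*" };
console.log(auditElbLogStatement(scoped, BUCKET_ARN, ELB_ARN));
console.log(auditElbLogStatement(loose, BUCKET_ARN, ELB_ARN));
```

Run it against the policy Terraform actually rendered (for example the JSON in the plan output), not the source, so that unresolved references and merged statements are visible.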

Argument Reference

  • region - (Optional) Name of the region whose AWS ELB account ID is desired. Defaults to the region from the AWS provider configuration.

Attributes Reference

  • id - ID of the AWS ELB service account in the selected region.
  • arn - ARN of the AWS ELB service account in the selected region.