Data Source: awsRedshiftServiceAccount

Use this data source to get the Account ID of the AWS Redshift Service Account in a given region for the purpose of allowing Redshift to store audit data in S3.

~> Note: AWS documentation states that a service principal name should be used instead of an AWS account ID in any relevant IAM policy. The awsRedshiftServiceAccount data source should now be considered deprecated and will be removed in a future version.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsS3BucketBucket = new aws.s3Bucket.S3Bucket(this, "bucket", {
  bucket: "tf-redshift-logging-test-bucket",
  forceDestroy: true,
});
const dataAwsRedshiftServiceAccountMain =
  new aws.dataAwsRedshiftServiceAccount.DataAwsRedshiftServiceAccount(
    this,
    "main",
    {}
  );
const dataAwsIamPolicyDocumentAllowAuditLogging =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "allow_audit_logging",
    {
      statement: [
        {
          actions: ["s3:PutObject"],
          effect: "Allow",
          principals: [
            {
              identifiers: [dataAwsRedshiftServiceAccountMain.arn],
              type: "AWS",
            },
          ],
          resources: [`${awsS3BucketBucket.arn}/*`],
          sid: "Put bucket policy needed for audit logging",
        },
        {
          actions: ["s3:GetBucketAcl"],
          effect: "Allow",
          principals: [
            {
              identifiers: [dataAwsRedshiftServiceAccountMain.arn],
              type: "AWS",
            },
          ],
          resources: [awsS3BucketBucket.arn],
          sid: "Get bucket policy needed for audit logging",
        },
      ],
    }
  );
const awsS3BucketPolicyAllowAuditLogging =
  new aws.s3BucketPolicy.S3BucketPolicy(this, "allow_audit_logging_3", {
    bucket: awsS3BucketBucket.id,
    policy: dataAwsIamPolicyDocumentAllowAuditLogging.json,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsS3BucketPolicyAllowAuditLogging.overrideLogicalId("allow_audit_logging");
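The note above says AWS now wants a service principal rather than the Redshift service account ID in the bucket policy. The following added example (not part of the provider docs or the cdktf output above) builds that replacement policy as plain JSON, plus a small review helper that flags Allow statements still granting the audit-logging actions to an account-based principal. The principal name `redshift.amazonaws.com` and the `aws:SourceAccount` condition are taken from AWS's Redshift audit-logging documentation, not from this page, and the account ID used is a constructed placeholder.

```typescript
// Added example: S3 bucket policy for Redshift audit logging using the service
// principal (per the deprecation note) instead of the region-specific account ARN.
// Assumption: principal "redshift.amazonaws.com" and aws:SourceAccount come from AWS docs.
interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { AWS?: string | string[]; Service?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[]; }
// The two actions Redshift needs on the logging bucket (same as the cdktf example).
const AUDIT_ACTIONS = ["s3:PutObject", "s3:GetBucketAcl"];
// Build the bucket policy for the bucket ARN and the account that owns the cluster;
// aws:SourceAccount keeps other accounts' clusters from writing into this bucket.
function redshiftAuditLoggingPolicy(bucketArn: string, accountId: string): PolicyDocument {
  const sourceAccount = { StringEquals: { "aws:SourceAccount": accountId } };
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "Put bucket policy needed for audit logging",
        Effect: "Allow",
        Principal: { Service: "redshift.amazonaws.com" },
        Action: "s3:PutObject",
        Resource: `${bucketArn}/*`,
        Condition: sourceAccount,
      },
      {
        Sid: "Get bucket policy needed for audit logging",
        Effect: "Allow",
        Principal: { Service: "redshift.amazonaws.com" },
        Action: "s3:GetBucketAcl",
        Resource: bucketArn,
        Condition: sourceAccount,
      },
    ],
  };
}
// Review helper: Sids of Allow statements that grant the audit-logging actions to an
// account-based ("AWS") principal, i.e. policies still written the deprecated way.
function statementsUsingAccountPrincipal(doc: PolicyDocument): string[] {
  const asList = (v: string | string[] | undefined): string[] =>
    v === undefined ? [] : Array.isArray(v) ? v : [v];
  return doc.Statement
    .filter((s) => s.Effect === "Allow" && asList(s.Principal?.AWS).length > 0)
    .filter((s) => asList(s.Action).some((a) => AUDIT_ACTIONS.indexOf(a) !== -1))
    .map((s) => s.Sid ?? "<no sid>");
}
```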

Argument Reference

  • region - (Optional) Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.

Attributes Reference

  • id - ID of the AWS Redshift service account in the selected region.
  • arn - ARN of the AWS Redshift service account in the selected region.