aws.redshift.getServiceAccount
Explore with Pulumi AI
Use this data source to get the Account ID of the AWS Redshift Service Account in a given region for the purpose of allowing Redshift to store audit data in S3.
Note: AWS documentation states that a service principal name should be used instead of an AWS account ID in any relevant IAM policy. The
aws.redshift.getServiceAccount
data source has been deprecated and will be removed in a future version.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const main = aws.redshift.getServiceAccount({});
const bucket = new aws.s3.BucketV2("bucket", {
bucket: "tf-redshift-logging-test-bucket",
forceDestroy: true,
});
const allowAuditLogging = pulumi.all([main, bucket.arn, main]).apply(([main, arn, main1]) => aws.iam.getPolicyDocumentOutput({
statements: [
{
sid: "Put bucket policy needed for audit logging",
effect: "Allow",
principals: [{
type: "AWS",
identifiers: [main.arn],
}],
actions: ["s3:PutObject"],
resources: [`${arn}/*`],
},
{
sid: "Get bucket policy needed for audit logging",
effect: "Allow",
principals: [{
type: "AWS",
identifiers: [main1.arn],
}],
actions: ["s3:GetBucketAcl"],
resources: bucketAwsS3Bucket.arn,
},
],
}));
const allowAuditLoggingBucketPolicy = new aws.s3.BucketPolicy("allow_audit_logging", {
bucket: bucket.id,
policy: allowAuditLogging.apply(allowAuditLogging => allowAuditLogging.json),
});
import pulumi
import pulumi_aws as aws
main = aws.redshift.get_service_account()
bucket = aws.s3.BucketV2("bucket",
bucket="tf-redshift-logging-test-bucket",
force_destroy=True)
allow_audit_logging = bucket.arn.apply(lambda arn: aws.iam.get_policy_document_output(statements=[
{
"sid": "Put bucket policy needed for audit logging",
"effect": "Allow",
"principals": [{
"type": "AWS",
"identifiers": [main.arn],
}],
"actions": ["s3:PutObject"],
"resources": [f"{arn}/*"],
},
{
"sid": "Get bucket policy needed for audit logging",
"effect": "Allow",
"principals": [{
"type": "AWS",
"identifiers": [main.arn],
}],
"actions": ["s3:GetBucketAcl"],
"resources": bucket_aws_s3_bucket["arn"],
},
]))
allow_audit_logging_bucket_policy = aws.s3.BucketPolicy("allow_audit_logging",
bucket=bucket.id,
policy=allow_audit_logging.json)
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/redshift"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
main, err := redshift.GetServiceAccount(ctx, &redshift.GetServiceAccountArgs{
}, nil);
if err != nil {
return err
}
bucket, err := s3.NewBucketV2(ctx, "bucket", &s3.BucketV2Args{
Bucket: pulumi.String("tf-redshift-logging-test-bucket"),
ForceDestroy: pulumi.Bool(true),
})
if err != nil {
return err
}
allowAuditLogging := bucket.Arn.ApplyT(func(arn string) (iam.GetPolicyDocumentResult, error) {
return iam.GetPolicyDocumentResult(interface{}(iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Sid: "Put bucket policy needed for audit logging",
Effect: "Allow",
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "AWS",
Identifiers: interface{}{
main.Arn,
},
},
},
Actions: []string{
"s3:PutObject",
},
Resources: []string{
fmt.Sprintf("%v/*", arn),
},
},
{
Sid: "Get bucket policy needed for audit logging",
Effect: "Allow",
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "AWS",
Identifiers: interface{}{
main.Arn,
},
},
},
Actions: []string{
"s3:GetBucketAcl",
},
Resources: bucketAwsS3Bucket.Arn,
},
},
}, nil))), nil
}).(iam.GetPolicyDocumentResultOutput)
_, err = s3.NewBucketPolicy(ctx, "allow_audit_logging", &s3.BucketPolicyArgs{
Bucket: bucket.ID(),
Policy: pulumi.String(allowAuditLogging.ApplyT(func(allowAuditLogging iam.GetPolicyDocumentResult) (*string, error) {
return &allowAuditLogging.Json, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var main = Aws.RedShift.GetServiceAccount.Invoke();
var bucket = new Aws.S3.BucketV2("bucket", new()
{
Bucket = "tf-redshift-logging-test-bucket",
ForceDestroy = true,
});
var allowAuditLogging = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "Put bucket policy needed for audit logging",
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
main.Apply(getServiceAccountResult => getServiceAccountResult.Arn),
},
},
},
Actions = new[]
{
"s3:PutObject",
},
Resources = new[]
{
$"{bucket.Arn}/*",
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "Get bucket policy needed for audit logging",
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
main.Apply(getServiceAccountResult => getServiceAccountResult.Arn),
},
},
},
Actions = new[]
{
"s3:GetBucketAcl",
},
Resources = bucketAwsS3Bucket.Arn,
},
},
});
var allowAuditLoggingBucketPolicy = new Aws.S3.BucketPolicy("allow_audit_logging", new()
{
Bucket = bucket.Id,
Policy = allowAuditLogging.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.redshift.RedshiftFunctions;
import com.pulumi.aws.redshift.inputs.GetServiceAccountArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var main = RedshiftFunctions.getServiceAccount();
var bucket = new BucketV2("bucket", BucketV2Args.builder()
.bucket("tf-redshift-logging-test-bucket")
.forceDestroy(true)
.build());
final var allowAuditLogging = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(
GetPolicyDocumentStatementArgs.builder()
.sid("Put bucket policy needed for audit logging")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers(main.applyValue(getServiceAccountResult -> getServiceAccountResult.arn()))
.build())
.actions("s3:PutObject")
.resources(bucket.arn().applyValue(arn -> String.format("%s/*", arn)))
.build(),
GetPolicyDocumentStatementArgs.builder()
.sid("Get bucket policy needed for audit logging")
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers(main.applyValue(getServiceAccountResult -> getServiceAccountResult.arn()))
.build())
.actions("s3:GetBucketAcl")
.resources(bucketAwsS3Bucket.arn())
.build())
.build());
var allowAuditLoggingBucketPolicy = new BucketPolicy("allowAuditLoggingBucketPolicy", BucketPolicyArgs.builder()
.bucket(bucket.id())
.policy(allowAuditLogging.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(allowAuditLogging -> allowAuditLogging.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
.build());
}
}
resources:
bucket:
type: aws:s3:BucketV2
properties:
bucket: tf-redshift-logging-test-bucket
forceDestroy: true
allowAuditLoggingBucketPolicy:
type: aws:s3:BucketPolicy
name: allow_audit_logging
properties:
bucket: ${bucket.id}
policy: ${allowAuditLogging.json}
variables:
main:
fn::invoke:
Function: aws:redshift:getServiceAccount
Arguments: {}
allowAuditLogging:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- sid: Put bucket policy needed for audit logging
effect: Allow
principals:
- type: AWS
identifiers:
- ${main.arn}
actions:
- s3:PutObject
resources:
- ${bucket.arn}/*
- sid: Get bucket policy needed for audit logging
effect: Allow
principals:
- type: AWS
identifiers:
- ${main.arn}
actions:
- s3:GetBucketAcl
resources: ${bucketAwsS3Bucket.arn}
Using getServiceAccount
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getServiceAccount(args: GetServiceAccountArgs, opts?: InvokeOptions): Promise<GetServiceAccountResult>
function getServiceAccountOutput(args: GetServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetServiceAccountResult>
def get_service_account(region: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetServiceAccountResult
def get_service_account_output(region: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetServiceAccountResult]
func GetServiceAccount(ctx *Context, args *GetServiceAccountArgs, opts ...InvokeOption) (*GetServiceAccountResult, error)
func GetServiceAccountOutput(ctx *Context, args *GetServiceAccountOutputArgs, opts ...InvokeOption) GetServiceAccountResultOutput
> Note: This function is named GetServiceAccount
in the Go SDK.
public static class GetServiceAccount
{
public static Task<GetServiceAccountResult> InvokeAsync(GetServiceAccountArgs args, InvokeOptions? opts = null)
public static Output<GetServiceAccountResult> Invoke(GetServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetServiceAccountResult> getServiceAccount(GetServiceAccountArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: aws:redshift/getServiceAccount:getServiceAccount
arguments:
# arguments dictionary
The following arguments are supported:
- Region string
- Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
- Region string
- Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
- region String
- Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
- region string
- Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
- region str
- Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
- region String
- Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
getServiceAccount Result
The following output properties are available:
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aws
Terraform Provider.