1. Packages
  2. AWS
  3. API Docs
  4. redshift
  5. getServiceAccount
AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi

aws.redshift.getServiceAccount

Explore with Pulumi AI

aws logo
AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi

    Use this data source to get the Account ID of the AWS Redshift Service Account in a given region for the purpose of allowing Redshift to store audit data in S3.

    Note: AWS documentation states that a service principal name should be used instead of an AWS account ID in any relevant IAM policy. The aws.redshift.getServiceAccount data source has been deprecated and will be removed in a future version.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const main = aws.redshift.getServiceAccount({});
    const bucket = new aws.s3.BucketV2("bucket", {
        bucket: "tf-redshift-logging-test-bucket",
        forceDestroy: true,
    });
    const allowAuditLogging = pulumi.all([main, bucket.arn, main]).apply(([main, arn, main1]) => aws.iam.getPolicyDocumentOutput({
        statements: [
            {
                sid: "Put bucket policy needed for audit logging",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: [main.arn],
                }],
                actions: ["s3:PutObject"],
                resources: [`${arn}/*`],
            },
            {
                sid: "Get bucket policy needed for audit logging",
                effect: "Allow",
                principals: [{
                    type: "AWS",
                    identifiers: [main1.arn],
                }],
                actions: ["s3:GetBucketAcl"],
                resources: bucketAwsS3Bucket.arn,
            },
        ],
    }));
    const allowAuditLoggingBucketPolicy = new aws.s3.BucketPolicy("allow_audit_logging", {
        bucket: bucket.id,
        policy: allowAuditLogging.apply(allowAuditLogging => allowAuditLogging.json),
    });
    
    import pulumi
    import pulumi_aws as aws
    
    main = aws.redshift.get_service_account()
    bucket = aws.s3.BucketV2("bucket",
        bucket="tf-redshift-logging-test-bucket",
        force_destroy=True)
    allow_audit_logging = bucket.arn.apply(lambda arn: aws.iam.get_policy_document_output(statements=[
        {
            "sid": "Put bucket policy needed for audit logging",
            "effect": "Allow",
            "principals": [{
                "type": "AWS",
                "identifiers": [main.arn],
            }],
            "actions": ["s3:PutObject"],
            "resources": [f"{arn}/*"],
        },
        {
            "sid": "Get bucket policy needed for audit logging",
            "effect": "Allow",
            "principals": [{
                "type": "AWS",
                "identifiers": [main.arn],
            }],
            "actions": ["s3:GetBucketAcl"],
            "resources": bucket_aws_s3_bucket["arn"],
        },
    ]))
    allow_audit_logging_bucket_policy = aws.s3.BucketPolicy("allow_audit_logging",
        bucket=bucket.id,
        policy=allow_audit_logging.json)
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/redshift"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
    main, err := redshift.GetServiceAccount(ctx, &redshift.GetServiceAccountArgs{
    }, nil);
    if err != nil {
    return err
    }
    bucket, err := s3.NewBucketV2(ctx, "bucket", &s3.BucketV2Args{
    Bucket: pulumi.String("tf-redshift-logging-test-bucket"),
    ForceDestroy: pulumi.Bool(true),
    })
    if err != nil {
    return err
    }
    allowAuditLogging := bucket.Arn.ApplyT(func(arn string) (iam.GetPolicyDocumentResult, error) {
    return iam.GetPolicyDocumentResult(interface{}(iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
    Statements: []iam.GetPolicyDocumentStatement{
    {
    Sid: "Put bucket policy needed for audit logging",
    Effect: "Allow",
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: interface{}{
    main.Arn,
    },
    },
    },
    Actions: []string{
    "s3:PutObject",
    },
    Resources: []string{
    fmt.Sprintf("%v/*", arn),
    },
    },
    {
    Sid: "Get bucket policy needed for audit logging",
    Effect: "Allow",
    Principals: []iam.GetPolicyDocumentStatementPrincipal{
    {
    Type: "AWS",
    Identifiers: interface{}{
    main.Arn,
    },
    },
    },
    Actions: []string{
    "s3:GetBucketAcl",
    },
    Resources: bucketAwsS3Bucket.Arn,
    },
    },
    }, nil))), nil
    }).(iam.GetPolicyDocumentResultOutput)
    _, err = s3.NewBucketPolicy(ctx, "allow_audit_logging", &s3.BucketPolicyArgs{
    Bucket: bucket.ID(),
    Policy: pulumi.String(allowAuditLogging.ApplyT(func(allowAuditLogging iam.GetPolicyDocumentResult) (*string, error) {
    return &allowAuditLogging.Json, nil
    }).(pulumi.StringPtrOutput)),
    })
    if err != nil {
    return err
    }
    return nil
    })
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var main = Aws.RedShift.GetServiceAccount.Invoke();
    
        var bucket = new Aws.S3.BucketV2("bucket", new()
        {
            Bucket = "tf-redshift-logging-test-bucket",
            ForceDestroy = true,
        });
    
        var allowAuditLogging = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Put bucket policy needed for audit logging",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                main.Apply(getServiceAccountResult => getServiceAccountResult.Arn),
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "s3:PutObject",
                    },
                    Resources = new[]
                    {
                        $"{bucket.Arn}/*",
                    },
                },
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Sid = "Get bucket policy needed for audit logging",
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "AWS",
                            Identifiers = new[]
                            {
                                main.Apply(getServiceAccountResult => getServiceAccountResult.Arn),
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "s3:GetBucketAcl",
                    },
                    Resources = bucketAwsS3Bucket.Arn,
                },
            },
        });
    
        var allowAuditLoggingBucketPolicy = new Aws.S3.BucketPolicy("allow_audit_logging", new()
        {
            Bucket = bucket.Id,
            Policy = allowAuditLogging.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.redshift.RedshiftFunctions;
    import com.pulumi.aws.redshift.inputs.GetServiceAccountArgs;
    import com.pulumi.aws.s3.BucketV2;
    import com.pulumi.aws.s3.BucketV2Args;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.s3.BucketPolicy;
    import com.pulumi.aws.s3.BucketPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var main = RedshiftFunctions.getServiceAccount();
    
            var bucket = new BucketV2("bucket", BucketV2Args.builder()
                .bucket("tf-redshift-logging-test-bucket")
                .forceDestroy(true)
                .build());
    
            final var allowAuditLogging = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(            
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Put bucket policy needed for audit logging")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(main.applyValue(getServiceAccountResult -> getServiceAccountResult.arn()))
                            .build())
                        .actions("s3:PutObject")
                        .resources(bucket.arn().applyValue(arn -> String.format("%s/*", arn)))
                        .build(),
                    GetPolicyDocumentStatementArgs.builder()
                        .sid("Get bucket policy needed for audit logging")
                        .effect("Allow")
                        .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                            .type("AWS")
                            .identifiers(main.applyValue(getServiceAccountResult -> getServiceAccountResult.arn()))
                            .build())
                        .actions("s3:GetBucketAcl")
                        .resources(bucketAwsS3Bucket.arn())
                        .build())
                .build());
    
            var allowAuditLoggingBucketPolicy = new BucketPolicy("allowAuditLoggingBucketPolicy", BucketPolicyArgs.builder()
                .bucket(bucket.id())
                .policy(allowAuditLogging.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult).applyValue(allowAuditLogging -> allowAuditLogging.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json())))
                .build());
    
        }
    }
    
    resources:
      bucket:
        type: aws:s3:BucketV2
        properties:
          bucket: tf-redshift-logging-test-bucket
          forceDestroy: true
      allowAuditLoggingBucketPolicy:
        type: aws:s3:BucketPolicy
        name: allow_audit_logging
        properties:
          bucket: ${bucket.id}
          policy: ${allowAuditLogging.json}
    variables:
      main:
        fn::invoke:
          Function: aws:redshift:getServiceAccount
          Arguments: {}
      allowAuditLogging:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - sid: Put bucket policy needed for audit logging
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${main.arn}
                actions:
                  - s3:PutObject
                resources:
                  - ${bucket.arn}/*
              - sid: Get bucket policy needed for audit logging
                effect: Allow
                principals:
                  - type: AWS
                    identifiers:
                      - ${main.arn}
                actions:
                  - s3:GetBucketAcl
                resources: ${bucketAwsS3Bucket.arn}
    

    Using getServiceAccount

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getServiceAccount(args: GetServiceAccountArgs, opts?: InvokeOptions): Promise<GetServiceAccountResult>
    function getServiceAccountOutput(args: GetServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetServiceAccountResult>
    def get_service_account(region: Optional[str] = None,
                            opts: Optional[InvokeOptions] = None) -> GetServiceAccountResult
    def get_service_account_output(region: Optional[pulumi.Input[str]] = None,
                            opts: Optional[InvokeOptions] = None) -> Output[GetServiceAccountResult]
    func GetServiceAccount(ctx *Context, args *GetServiceAccountArgs, opts ...InvokeOption) (*GetServiceAccountResult, error)
    func GetServiceAccountOutput(ctx *Context, args *GetServiceAccountOutputArgs, opts ...InvokeOption) GetServiceAccountResultOutput

    > Note: This function is named GetServiceAccount in the Go SDK.

    public static class GetServiceAccount 
    {
        public static Task<GetServiceAccountResult> InvokeAsync(GetServiceAccountArgs args, InvokeOptions? opts = null)
        public static Output<GetServiceAccountResult> Invoke(GetServiceAccountInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetServiceAccountResult> getServiceAccount(GetServiceAccountArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: aws:redshift/getServiceAccount:getServiceAccount
      arguments:
        # arguments dictionary

    The following arguments are supported:

    Region string
    Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
    Region string
    Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
    region String
    Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
    region string
    Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
    region str
    Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.
    region String
    Name of the region whose AWS Redshift account ID is desired. Defaults to the region from the AWS provider configuration.

    getServiceAccount Result

    The following output properties are available:

    Arn string
    ARN of the AWS Redshift service account in the selected region.
    Id string
    The provider-assigned unique ID for this managed resource.
    Region string
    Arn string
    ARN of the AWS Redshift service account in the selected region.
    Id string
    The provider-assigned unique ID for this managed resource.
    Region string
    arn String
    ARN of the AWS Redshift service account in the selected region.
    id String
    The provider-assigned unique ID for this managed resource.
    region String
    arn string
    ARN of the AWS Redshift service account in the selected region.
    id string
    The provider-assigned unique ID for this managed resource.
    region string
    arn str
    ARN of the AWS Redshift service account in the selected region.
    id str
    The provider-assigned unique ID for this managed resource.
    region str
    arn String
    ARN of the AWS Redshift service account in the selected region.
    id String
    The provider-assigned unique ID for this managed resource.
    region String

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo
    AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi