@pulumi/aws

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

"use strict";
// *** WARNING: this file was generated by pulumi-language-nodejs. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
Object.defineProperty(exports, "__esModule", { value: true });
exports.getServiceAccountOutput = exports.getServiceAccount = void 0;
const pulumi = require("@pulumi/pulumi");
const utilities = require("../utilities");

// Provider function token shared by the plain and the Output-returning variant.
const SERVICE_ACCOUNT_TOKEN = "aws:cloudtrail/getServiceAccount:getServiceAccount";

/**
 * Use this data source to get the Account ID of the [AWS CloudTrail Service Account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html)
 * in a given region for the purpose of allowing CloudTrail to store trail data in S3.
 *
 * > **Warning:** This data source is deprecated. The AWS documentation [states that](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#troubleshooting-s3-bucket-policy) a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy.
 *
 * > **Security note (review):** the example below still grants bucket access to an
 * > account principal (`type: "AWS"`, `identifiers: [main.arn]`), which is the pattern the
 * > warning above deprecates. For new bucket policies, follow the linked AWS guidance and
 * > name the CloudTrail service principal (`cloudtrail.amazonaws.com`, principal type
 * > `Service`) instead, scoped with a condition such as `aws:SourceArn` so that only the
 * > intended trail can write. `forceDestroy: true` is a test convenience: it allows the
 * > bucket to be destroyed together with the trail logs it holds, so avoid it on buckets
 * > that keep audit evidence.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const main = aws.cloudtrail.getServiceAccount({});
 * const bucket = new aws.s3.Bucket("bucket", {
 *     bucket: "tf-cloudtrail-logging-test-bucket",
 *     forceDestroy: true,
 * });
 * const allowCloudtrailLogging = pulumi.all([main, bucket.arn, main, bucket.arn]).apply(([main, bucketArn, main1, bucketArn1]) => aws.iam.getPolicyDocumentOutput({
 *     statements: [
 *         {
 *             sid: "Put bucket policy needed for trails",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: [main.arn],
 *             }],
 *             actions: ["s3:PutObject"],
 *             resources: [`${bucketArn}/*`],
 *         },
 *         {
 *             sid: "Get bucket policy needed for trails",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: [main1.arn],
 *             }],
 *             actions: ["s3:GetBucketAcl"],
 *             resources: [bucketArn1],
 *         },
 *     ],
 * }));
 * const allowCloudtrailLoggingBucketPolicy = new aws.s3.BucketPolicy("allow_cloudtrail_logging", {
 *     bucket: bucket.id,
 *     policy: allowCloudtrailLogging.apply(allowCloudtrailLogging => allowCloudtrailLogging.json),
 * });
 * ```
 *
 * @param {object} [args] - Optional arguments; only `args.region` is forwarded to the provider.
 * @param {object} [opts] - Optional invoke options, merged over `utilities.resourceOptsDefaults()`.
 * @returns The value returned by `pulumi.runtime.invoke` for this token
 *     (presumably a Promise of the lookup result; the example reads `.arn` from it).
 */
function getServiceAccount(args, opts) {
    // Falsy arguments (undefined, null, ...) are treated as "no arguments given".
    const request = args ? args : {};
    const invokeOpts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts ? opts : {});
    return pulumi.runtime.invoke(SERVICE_ACCOUNT_TOKEN, { region: request.region }, invokeOpts);
}
exports.getServiceAccount = getServiceAccount;

/**
 * Use this data source to get the Account ID of the [AWS CloudTrail Service Account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html)
 * in a given region for the purpose of allowing CloudTrail to store trail data in S3.
 *
 * > **Warning:** This data source is deprecated. The AWS documentation [states that](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html#troubleshooting-s3-bucket-policy) a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy.
 *
 * > **Security note (review):** the example below still grants bucket access to an
 * > account principal (`type: "AWS"`, `identifiers: [main.arn]`), which is the pattern the
 * > warning above deprecates. For new bucket policies, follow the linked AWS guidance and
 * > name the CloudTrail service principal (`cloudtrail.amazonaws.com`, principal type
 * > `Service`) instead, scoped with a condition such as `aws:SourceArn` so that only the
 * > intended trail can write. `forceDestroy: true` is a test convenience: it allows the
 * > bucket to be destroyed together with the trail logs it holds, so avoid it on buckets
 * > that keep audit evidence.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const main = aws.cloudtrail.getServiceAccount({});
 * const bucket = new aws.s3.Bucket("bucket", {
 *     bucket: "tf-cloudtrail-logging-test-bucket",
 *     forceDestroy: true,
 * });
 * const allowCloudtrailLogging = pulumi.all([main, bucket.arn, main, bucket.arn]).apply(([main, bucketArn, main1, bucketArn1]) => aws.iam.getPolicyDocumentOutput({
 *     statements: [
 *         {
 *             sid: "Put bucket policy needed for trails",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: [main.arn],
 *             }],
 *             actions: ["s3:PutObject"],
 *             resources: [`${bucketArn}/*`],
 *         },
 *         {
 *             sid: "Get bucket policy needed for trails",
 *             effect: "Allow",
 *             principals: [{
 *                 type: "AWS",
 *                 identifiers: [main1.arn],
 *             }],
 *             actions: ["s3:GetBucketAcl"],
 *             resources: [bucketArn1],
 *         },
 *     ],
 * }));
 * const allowCloudtrailLoggingBucketPolicy = new aws.s3.BucketPolicy("allow_cloudtrail_logging", {
 *     bucket: bucket.id,
 *     policy: allowCloudtrailLogging.apply(allowCloudtrailLogging => allowCloudtrailLogging.json),
 * });
 * ```
 *
 * @param {object} [args] - Optional arguments; only `args.region` is forwarded to the provider.
 * @param {object} [opts] - Optional invoke options, merged over `utilities.resourceOptsDefaults()`.
 * @returns The value returned by `pulumi.runtime.invokeOutput` for this token
 *     (presumably a Pulumi Output wrapping the same lookup result).
 */
function getServiceAccountOutput(args, opts) {
    // Same argument handling as getServiceAccount; only the runtime entry point differs.
    const request = args ? args : {};
    const invokeOpts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts ? opts : {});
    return pulumi.runtime.invokeOutput(SERVICE_ACCOUNT_TOKEN, { region: request.region }, invokeOpts);
}
exports.getServiceAccountOutput = getServiceAccountOutput;
//# sourceMappingURL=getServiceAccount.js.map