From 317767592e0fc4526e83f9b07ac6da24e7a4a48c Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Thu, 28 Sep 2017 18:37:53 -0400 Subject: [PATCH] Add 'aws_cloudtrail_service_account' data source. --- ...a_source_aws_cloudtrail_service_account.go | 57 ++++++++++++++++++ ...rce_aws_cloudtrail_service_account_test.go | 40 +++++++++++++ aws/provider.go | 47 ++++++++------- website/aws.erb | 3 + .../cloudtrail_service_account.html.markdown | 60 +++++++++++++++++++ 5 files changed, 184 insertions(+), 23 deletions(-) create mode 100644 aws/data_source_aws_cloudtrail_service_account.go create mode 100644 aws/data_source_aws_cloudtrail_service_account_test.go create mode 100644 website/docs/d/cloudtrail_service_account.html.markdown diff --git a/aws/data_source_aws_cloudtrail_service_account.go b/aws/data_source_aws_cloudtrail_service_account.go new file mode 100644 index 00000000000..e41b6fb3d93 --- /dev/null +++ b/aws/data_source_aws_cloudtrail_service_account.go 
@@ -0,0 +1,57 @@
+package aws
+
+import (
+ "fmt"
+
+ "github.com/hashicorp/terraform/helper/schema"
+)
+
+// See http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html
+var cloudTrailServiceAccountPerRegionMap = map[string]string{
+ "us-east-1": "086441151436",
+ "us-east-2": "475085895292",
+ "us-west-1": "388731089494",
+ "us-west-2": "113285607260",
+ "ap-south-1": "977081816279",
+ "ap-northeast-2": "492519147666",
+ "ap-southeast-1": "903692715234",
+ "ap-southeast-2": "284668455005",
+ "ap-northeast-1": "216624486486",
+ "ca-central-1": "819402241893",
+ "eu-central-1": "035351147821",
+ "eu-west-1": "859597730677",
+ "eu-west-2": "282025262664",
+ "sa-east-1": "814480443879",
+}
+
+func dataSourceAwsCloudTrailServiceAccount() *schema.Resource {
+ return &schema.Resource{
+ Read: dataSourceAwsCloudTrailServiceAccountRead,
+
+ Schema: map[string]*schema.Schema{
+ "region": &schema.Schema{
+ Type: schema.TypeString,
+ Optional: true,
+ },
+ "arn": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ },
+ }
+}
+
+func dataSourceAwsCloudTrailServiceAccountRead(d *schema.ResourceData, meta interface{}) error {
+ region := meta.(*AWSClient).region
+ if v, ok := d.GetOk("region"); ok {
+ region = v.(string)
+ }
+
+ if accid, ok := cloudTrailServiceAccountPerRegionMap[region]; ok {
+ d.SetId(accid)
+ d.Set("arn", iamArnString(meta.(*AWSClient).partition, accid, "root"))
+ return nil
+ }
+
+ return fmt.Errorf("Unknown region (%q)", region)
+}
diff --git a/aws/data_source_aws_cloudtrail_service_account_test.go b/aws/data_source_aws_cloudtrail_service_account_test.go
new file mode 100644
index 00000000000..0e5cdd4bc4d
--- /dev/null
+++ b/aws/data_source_aws_cloudtrail_service_account_test.go
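Review bot: `d.Set("arn", …)` in dataSourceAwsCloudTrailServiceAccountRead discards its error, so a failed attribute write would still return nil with the ID set and `arn` left empty; change it to `if err := d.Set("arn", iamArnString(meta.(*AWSClient).partition, accid, "root")); err != nil { return err }`, and hoist the repeated `meta.(*AWSClient)` assertion into a single `client := meta.(*AWSClient)` local at the top of the function. The per-region table is the only source of truth here and the ARN it yields is intended to become a principal in an S3 bucket policy, so a wrong entry would grant write access to the wrong account; a header comment such as `// Hand-maintained from the linked page; verify each account ID against it before adding or changing an entry. An unlisted region returns an error rather than a guessed account.` records that expectation for the next maintainer. Minor style point: `"region"` uses `&schema.Schema{` while `"arn"` uses the bare composite literal, and `gofmt -s` would make the two consistent.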
@@ -0,0 +1,40 @@
+package aws
+
+import (
+ "testing"
+
+ "github.com/hashicorp/terraform/helper/resource"
+)
+
+func TestAccAWSCloudTrailServiceAccount_basic(t *testing.T) {
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ Steps: []resource.TestStep{
+ resource.TestStep{
+ Config: testAccCheckAwsCloudTrailServiceAccountConfig,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("data.aws_cloudtrail_service_account.main", "id", "113285607260"),
+ resource.TestCheckResourceAttr("data.aws_cloudtrail_service_account.main", "arn", "arn:aws:iam::113285607260:root"),
+ ),
+ },
+ resource.TestStep{
+ Config: testAccCheckAwsCloudTrailServiceAccountExplicitRegionConfig,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr("data.aws_cloudtrail_service_account.regional", "id", "282025262664"),
+ resource.TestCheckResourceAttr("data.aws_cloudtrail_service_account.regional", "arn", "arn:aws:iam::282025262664:root"),
+ ),
+ },
+ },
+ })
+}
+
+const testAccCheckAwsCloudTrailServiceAccountConfig = `
+data "aws_cloudtrail_service_account" "main" { }
+`
+
+const testAccCheckAwsCloudTrailServiceAccountExplicitRegionConfig = `
+data "aws_cloudtrail_service_account" "regional" {
+ region = "eu-west-2"
+}
+`
diff --git a/aws/provider.go b/aws/provider.go
index 2d4d11ebc5c..5b033c65fb3 100644
--- a/aws/provider.go
+++ b/aws/provider.go
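Review bot: The first TestStep pins the implicit region to us-west-2 (`"113285607260"`) and the partition to `aws` without saying so; presumably testAccPreCheck supplies that default region, but a comment above the step such as `// Expects the acceptance-test default region (us-west-2) and the standard "aws" partition.` would make the dependency visible to anyone running the suite elsewhere. The error path of the read function is also untested; a third step whose config sets `region` to a deliberately unlisted value (a constructed one such as `"xx-none-1"`) with `ExpectError: regexp.MustCompile("Unknown region")` would cover the rejection of unknown regions. The `resource.TestStep{` element literals inside the `[]resource.TestStep` slice can be written as plain `{`, which is what `gofmt -s` produces.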
@@ -160,29 +160,30 @@ func Provider() terraform.ResourceProvider { }, DataSourcesMap: map[string]*schema.Resource{ - "aws_acm_certificate": dataSourceAwsAcmCertificate(), - "aws_ami": dataSourceAwsAmi(), - "aws_ami_ids": dataSourceAwsAmiIds(), - "aws_autoscaling_groups": dataSourceAwsAutoscalingGroups(), - "aws_availability_zone": dataSourceAwsAvailabilityZone(), - "aws_availability_zones": dataSourceAwsAvailabilityZones(), - "aws_billing_service_account": dataSourceAwsBillingServiceAccount(), - "aws_caller_identity": dataSourceAwsCallerIdentity(), - "aws_canonical_user_id": dataSourceAwsCanonicalUserId(), - "aws_cloudformation_stack": dataSourceAwsCloudFormationStack(), - "aws_db_instance": dataSourceAwsDbInstance(), - "aws_db_snapshot": dataSourceAwsDbSnapshot(), - "aws_dynamodb_table": dataSourceAwsDynamoDbTable(), - "aws_ebs_snapshot": dataSourceAwsEbsSnapshot(), - "aws_ebs_snapshot_ids": dataSourceAwsEbsSnapshotIds(), - "aws_ebs_volume": dataSourceAwsEbsVolume(), - "aws_ecr_repository": dataSourceAwsEcrRepository(), - "aws_ecs_cluster": dataSourceAwsEcsCluster(), - "aws_ecs_container_definition": dataSourceAwsEcsContainerDefinition(), - "aws_ecs_task_definition": dataSourceAwsEcsTaskDefinition(), - "aws_efs_file_system": dataSourceAwsEfsFileSystem(), - "aws_efs_mount_target": dataSourceAwsEfsMountTarget(), - "aws_eip": dataSourceAwsEip(), + "aws_acm_certificate": dataSourceAwsAcmCertificate(), + "aws_ami": dataSourceAwsAmi(), + "aws_ami_ids": dataSourceAwsAmiIds(), + "aws_autoscaling_groups": dataSourceAwsAutoscalingGroups(), + "aws_availability_zone": dataSourceAwsAvailabilityZone(), + "aws_availability_zones": dataSourceAwsAvailabilityZones(), + "aws_billing_service_account": dataSourceAwsBillingServiceAccount(), + "aws_caller_identity": dataSourceAwsCallerIdentity(), + "aws_canonical_user_id": dataSourceAwsCanonicalUserId(), + "aws_cloudformation_stack": dataSourceAwsCloudFormationStack(), + "aws_cloudtrail_service_account": 
dataSourceAwsCloudTrailServiceAccount(), + "aws_db_instance": dataSourceAwsDbInstance(), + "aws_db_snapshot": dataSourceAwsDbSnapshot(), + "aws_dynamodb_table": dataSourceAwsDynamoDbTable(), + "aws_ebs_snapshot": dataSourceAwsEbsSnapshot(), + "aws_ebs_snapshot_ids": dataSourceAwsEbsSnapshotIds(), + "aws_ebs_volume": dataSourceAwsEbsVolume(), + "aws_ecr_repository": dataSourceAwsEcrRepository(), + "aws_ecs_cluster": dataSourceAwsEcsCluster(), + "aws_ecs_container_definition": dataSourceAwsEcsContainerDefinition(), + "aws_ecs_task_definition": dataSourceAwsEcsTaskDefinition(), + "aws_efs_file_system": dataSourceAwsEfsFileSystem(), + "aws_efs_mount_target": dataSourceAwsEfsMountTarget(), + "aws_eip": dataSourceAwsEip(), "aws_elastic_beanstalk_solution_stack": dataSourceAwsElasticBeanstalkSolutionStack(), "aws_elasticache_cluster": dataSourceAwsElastiCacheCluster(), "aws_elb_hosted_zone_id": dataSourceAwsElbHostedZoneId(), diff --git a/website/aws.erb b/website/aws.erb index 48332f3ae67..5941371cd35 100644 --- a/website/aws.erb +++ b/website/aws.erb @@ -53,6 +53,9 @@ > aws_cloudformation_stack + > + aws_cloudtrail_service_account + > aws_db_instance diff --git a/website/docs/d/cloudtrail_service_account.html.markdown b/website/docs/d/cloudtrail_service_account.html.markdown new file mode 100644 index 00000000000..8825de8bcd0 --- /dev/null +++ b/website/docs/d/cloudtrail_service_account.html.markdown 
@@ -0,0 +1,60 @@
+---
+layout: "aws"
+page_title: "AWS: aws_cloudtrail_service_account"
+sidebar_current: "docs-aws-datasource-cloudtrail-service-account"
+description: |-
+ Get AWS CloudTrail Service Account ID for storing trail data in S3.
+---
+
+# aws_cloudtrail_service_account
+
+Use this data source to get the Account ID of the [AWS CloudTrail Service Account](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html)
+in a given region for the purpose of allowing CloudTrail to store trail data in S3.
+
+## Example Usage
+
+```hcl
+data "aws_cloudtrail_service_account" "main" {}
+
+resource "aws_s3_bucket" "bucket" {
+ bucket = "tf-cloudtrail-logging-test-bucket"
+ force_destroy = true
+
+ policy = <