d/aws_redshift_service_account: Deprecate

.changelog/31006.txt

@@ -0,0 +1,3 @@
+```release-note:note
+data-source/aws_db_security_group: The `aws_redshift_service_account` data source has been deprecated and will be removed in a future version. AWS documentation [states that](https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions) a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy
+```

internal/service/redshift/cluster_data_source_test.go

@@ -180,8 +180,6 @@ data "aws_redshift_cluster" "test" {
 
 func testAccClusterDataSourceConfig_logging(rName string) string {
 	return fmt.Sprintf(`
-data "aws_redshift_service_account" "test" {}
-
 resource "aws_s3_bucket" "test" {
   bucket        = %[1]q
   force_destroy = true
@@ -193,8 +191,8 @@ data "aws_iam_policy_document" "test" {
     resources = ["${aws_s3_bucket.test.arn}/*"]
 
     principals {
-      identifiers = [data.aws_redshift_service_account.test.arn]
-      type        = "AWS"
+      type        = "Service"
+      identifiers = ["redshift.amazonaws.com"]
     }
   }
 
@@ -203,8 +201,8 @@ data "aws_iam_policy_document" "test" {
     resources = [aws_s3_bucket.test.arn]
 
     principals {
-      identifiers = [data.aws_redshift_service_account.test.arn]
-      type        = "AWS"
+      type        = "Service"
+      identifiers = ["redshift.amazonaws.com"]
     }
   }
 }

internal/service/redshift/cluster_test.go

@@ -1198,8 +1198,6 @@ func testAccClusterConfig_loggingEnabled(rName string) string {
 	return acctest.ConfigCompose(acctest.ConfigAvailableAZsNoOptInExclude("usw2-az2"), fmt.Sprintf(`
 data "aws_partition" "current" {}
 
-data "aws_redshift_service_account" "main" {}
-
 resource "aws_s3_bucket" "test" {
   bucket        = %[1]q
   force_destroy = true
@@ -1215,7 +1213,7 @@ resource "aws_s3_bucket_policy" "test" {
       "Sid": "Stmt1376526643067",
       "Effect": "Allow",
       "Principal": {
-        "AWS": "${data.aws_redshift_service_account.main.arn}"
+        "Service": "redshift.${data.aws_partition.current.dns_suffix}"
       },
       "Action": "s3:PutObject",
       "Resource": "arn:${data.aws_partition.current.partition}:s3:::%[1]s/*"
@@ -1224,7 +1222,7 @@ resource "aws_s3_bucket_policy" "test" {
       "Sid": "Stmt137652664067",
       "Effect": "Allow",
       "Principal": {
-        "AWS": "${data.aws_redshift_service_account.main.arn}"
+        "Service": "redshift.${data.aws_partition.current.dns_suffix}"
       },
       "Action": "s3:GetBucketAcl",
       "Resource": "arn:${data.aws_partition.current.partition}:s3:::%[1]s"

internal/service/redshift/service_account_data_source.go

@@ -59,6 +59,8 @@ func DataSourceServiceAccount() *schema.Resource {
 				Computed: true,
 			},
 		},
+
+		DeprecationMessage: `The aws_redshift_service_account data source has been deprecated and will be removed in a future version. Use a service principal name instead of AWS account ID in any relevant IAM policy.`,
 	}
 }
 

website/docs/d/redshift_service_account.html.markdown

@@ -12,7 +12,7 @@ Use this data source to get the Account ID of the [AWS Redshift Service Account]
 in a given region for the purpose of allowing Redshift to store audit data in S3.
 
 ~> **Note:** AWS documentation [states that](https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions) a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy.
-The `aws_redshift_service_account` data source should now be considered deprecated and will be removed in a future version.
+The `aws_redshift_service_account` data source has been deprecated and will be removed in a future version.
 
 ## Example Usage