Use ARN instead of account ID in S3 policy’s Principal

Due to a Terraform bug (hashicorp/terraform#4948), if Principal is set to an account id, Terraform always reports the resource as if it needs changing (because the AWS API accepts the value, but turns it into an ARN).
tablexi · May 16, 2018 · 1b68eee · 1b68eee
1 parent 2afc8de
commit 1b68eee
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/aws/application_load_balancer/__examples__/.planshots.txt b/aws/application_load_balancer/__examples__/.planshots.txt
@@ -565,6 +565,6 @@ website_endpoint:                                     <computed>
 + module.initech_production_load_balancer.module.load_balancer.aws_s3_bucket_policy.load_balancer_access_logs
 id:                                                   <computed>
 bucket:                                               "${aws_s3_bucket.load_balancer_access_logs.id}"
-policy:                                               "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\n        \"s3:PutObject\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n      \"Principal\": {\n        \"AWS\": [\n          \"${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}\"\n        ]\n      }\n    }\n  ]\n}\n"
+policy:                                               "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\n        \"s3:PutObject\"\n      ],\n      \"Effect\": \"Allow\",\n      \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n      \"Principal\": {\n        \"AWS\": [\n          \"arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root\"\n        ]\n      }\n    }\n  ]\n}\n"
 Plan: 38 to add, 0 to change, 0 to destroy.
 
diff --git a/aws/application_load_balancer/load_balancer/main.tf b/aws/application_load_balancer/load_balancer/main.tf
@@ -77,7 +77,7 @@ resource "aws_s3_bucket_policy" "load_balancer_access_logs" {
           "Resource": "${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*",
           "Principal": {
             "AWS": [
-              "${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}"
+              "arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root"
             ]
           }
         }