Merge pull request #311 from trussworks/fix-redshift-principal

Removes the redshift service account and switches to service principal
trussworks · Jul 17, 2023 · 3d475e2 · 3d475e2
2 parents 5651e77 + 8589e94
commit 3d475e2
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -115,7 +115,6 @@ No modules.
 | [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
-| [aws_redshift_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/redshift_service_account) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs

diff --git a/main.tf b/main.tf
@@ -3,11 +3,6 @@
 data "aws_elb_service_account" "main" {
 }
 
-# Get the account id of the RedShift service account in a given region for the
-# purpose of allowing RedShift to store audit data in S3.
-data "aws_redshift_service_account" "main" {
-}
-
 # The AWS account id
 data "aws_caller_identity" "current" {
 }
@@ -144,9 +139,6 @@ locals {
   # doesn't support logging to multiple prefixes
   redshift_effect = var.default_allow || var.allow_redshift ? "Allow" : "Deny"
 
-  # redshift logs user in our region
-  redshift_principal = "arn:${data.aws_partition.current.partition}:iam::${data.aws_redshift_service_account.main.id}:user/logs"
-
   redshift_resource = "${local.bucket_arn}/${var.redshift_logs_prefix}/*"
 
   #
@@ -335,8 +327,8 @@ data "aws_iam_policy_document" "main" {
     sid    = "redshift-logs-put-object"
     effect = local.redshift_effect
     principals {
-      type        = "AWS"
-      identifiers = [local.redshift_principal]
+      type        = "Service"
+      identifiers = ["redshift.amazonaws.com"]
     }
     actions   = ["s3:PutObject"]
     resources = [local.redshift_resource]
@@ -346,8 +338,8 @@ data "aws_iam_policy_document" "main" {
     sid    = "redshift-logs-get-bucket-acl"
     effect = local.redshift_effect
     principals {
-      type        = "AWS"
-      identifiers = [local.redshift_principal]
+      type        = "Service"
+      identifiers = ["redshift.amazonaws.com"]
     }
     actions   = ["s3:GetBucketAcl"]
     resources = [local.bucket_arn]