Use ARN instead of account ID in S3 policy’s Principal

Due to a Terraform bug (hashicorp/terraform#4948), if Principal is set to an account id, Terraform always reports the resource as if it needs changing (because the AWS API accepts the value, but turns it into an ARN).
tablexi · May 16, 2018 · 0c7c995 · 0c7c995
1 parent 2afc8de
commit 0c7c995
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/aws/application_load_balancer/load_balancer/main.tf b/aws/application_load_balancer/load_balancer/main.tf
@@ -77,7 +77,7 @@ resource "aws_s3_bucket_policy" "load_balancer_access_logs" {
           "Resource": "${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*",
           "Principal": {
             "AWS": [
-              "${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}"
+              "arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root"
             ]
           }
         }