diff --git a/.changelog/31006.txt b/.changelog/31006.txt
new file mode 100644
index 00000000000..694bab7f76c
--- /dev/null
+++ b/.changelog/31006.txt
@@ -0,0 +1,3 @@
+```release-note:note
+data-source/aws_db_security_group: The `aws_redshift_service_account` data source has been deprecated and will be removed in a future version. AWS documentation [states that](https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions) a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy
+```
\ No newline at end of file
diff --git a/internal/service/redshift/cluster_data_source_test.go b/internal/service/redshift/cluster_data_source_test.go
index da798fcebb6..bb0cacb9e59 100644
--- a/internal/service/redshift/cluster_data_source_test.go
+++ b/internal/service/redshift/cluster_data_source_test.go
@@ -180,8 +180,6 @@ data "aws_redshift_cluster" "test" {
 func testAccClusterDataSourceConfig_logging(rName string) string {
 return fmt.Sprintf(`
-data "aws_redshift_service_account" "test" {}
-
 resource "aws_s3_bucket" "test" {
 bucket = %[1]q
 force_destroy = true
@@ -193,8 +191,8 @@ data "aws_iam_policy_document" "test" {
 resources = ["${aws_s3_bucket.test.arn}/*"]
 principals {
- identifiers = [data.aws_redshift_service_account.test.arn]
- type = "AWS"
+ type = "Service"
+ identifiers = ["redshift.amazonaws.com"]
 }
 }
@@ -203,8 +201,8 @@ data "aws_iam_policy_document" "test" {
 resources = [aws_s3_bucket.test.arn]
 principals {
- identifiers = [data.aws_redshift_service_account.test.arn]
- type = "AWS"
+ type = "Service"
+ identifiers = ["redshift.amazonaws.com"]
 }
 }
 }
diff --git a/internal/service/redshift/cluster_test.go b/internal/service/redshift/cluster_test.go
index c0519fd9591..4064c406e38 100644
--- a/internal/service/redshift/cluster_test.go
+++ b/internal/service/redshift/cluster_test.go
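Review bot: The new `identifiers = ["redshift.amazonaws.com"]` lines in the @@ -193 and @@ -203 hunks hard-code the commercial-partition DNS suffix, whereas the cluster_test.go change in this same commit writes the principal as `redshift.${data.aws_partition.current.dns_suffix}`; the two test configs should agree, and the partition-aware form is the one that keeps the acceptance test runnable outside the standard partition (it needs a `data "aws_partition" "current" {}` block in place of the removed data source). Separately, no `condition` block is visible in either policy statement once the principal becomes a service principal, so the grant is not tied to this account's clusters; my recollection of the Redshift audit-logging bucket guidance is that the service principal should be narrowed with `aws:SourceAccount` (and/or `aws:SourceArn`), which applies equally to the two JSON statements in cluster_test.go. That matters here because these configs are commonly lifted into documentation examples. The enclosing fmt.Sprintf template begins in the @@ -180 hunk and its end lies outside this view.
```go
// … unchanged: aws_s3_bucket resource; add data "aws_partition" "current" {} and data "aws_caller_identity" "current" {} above it …
    principals {
      type        = "Service"
      identifiers = ["redshift.${data.aws_partition.current.dns_suffix}"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
// … unchanged: second statement, same principals/condition change …
```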
@@ -1198,8 +1198,6 @@ func testAccClusterConfig_loggingEnabled(rName string) string {
 return acctest.ConfigCompose(acctest.ConfigAvailableAZsNoOptInExclude("usw2-az2"), fmt.Sprintf(`
 data "aws_partition" "current" {}
-data "aws_redshift_service_account" "main" {}
-
 resource "aws_s3_bucket" "test" {
 bucket = %[1]q
 force_destroy = true
@@ -1215,7 +1213,7 @@ resource "aws_s3_bucket_policy" "test" {
 "Sid": "Stmt1376526643067",
 "Effect": "Allow",
 "Principal": {
- "AWS": "${data.aws_redshift_service_account.main.arn}"
+ "Service": "redshift.${data.aws_partition.current.dns_suffix}"
 },
 "Action": "s3:PutObject",
 "Resource": "arn:${data.aws_partition.current.partition}:s3:::%[1]s/*"
@@ -1224,7 +1222,7 @@ resource "aws_s3_bucket_policy" "test" {
 "Sid": "Stmt137652664067",
 "Effect": "Allow",
 "Principal": {
- "AWS": "${data.aws_redshift_service_account.main.arn}"
+ "Service": "redshift.${data.aws_partition.current.dns_suffix}"
 },
 "Action": "s3:GetBucketAcl",
 "Resource": "arn:${data.aws_partition.current.partition}:s3:::%[1]s"
diff --git a/internal/service/redshift/service_account_data_source.go b/internal/service/redshift/service_account_data_source.go
index 0874f396d7a..28cc354fbf0 100644
--- a/internal/service/redshift/service_account_data_source.go
+++ b/internal/service/redshift/service_account_data_source.go
@@ -59,6 +59,8 @@ func DataSourceServiceAccount() *schema.Resource {
 Computed: true,
 },
 },
+
+ DeprecationMessage: `The aws_redshift_service_account data source has been deprecated and will be removed in a future version. Use a service principal name instead of AWS account ID in any relevant IAM policy.`,
 }
 }
diff --git a/internal/service/redshift/service_account_data_source_test.go b/internal/service/redshift/service_account_data_source_test.go
deleted file mode 100644
index b19e8e64fa1..00000000000
--- a/internal/service/redshift/service_account_data_source_test.go
+++ /dev/null
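Review bot: The data source remains registered with only a `DeprecationMessage` while its acceptance tests (service_account_data_source_test.go) are deleted in the same commit, so `aws_redshift_service_account` now ships untested until it is actually removed; keeping at least the `_basic` test until the removal release would preserve coverage for the region lookup it still serves. The message itself tells users to switch to "a service principal name" without naming one; suggest ending it with the concrete replacement, e.g. `Use the Redshift service principal (redshift.<partition dns suffix>, e.g. redshift.amazonaws.com) instead of an AWS account ID in any relevant IAM policy.` The changelog entry in .changelog/31006.txt files this note under `data-source/aws_db_security_group`, which does not match the data source being deprecated. DataSourceServiceAccount's body starts outside the hunk.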
@@ -1,66 +0,0 @@
-package redshift_test
-
-import (
- "testing"
-
- "github.com/aws/aws-sdk-go/service/redshift"
- "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
- "github.com/hashicorp/terraform-provider-aws/internal/acctest"
- tfredshift "github.com/hashicorp/terraform-provider-aws/internal/service/redshift"
-)
-
-func TestAccRedshiftServiceAccountDataSource_basic(t *testing.T) {
- ctx := acctest.Context(t)
- expectedAccountID := tfredshift.ServiceAccountPerRegionMap[acctest.Region()]
-
- dataSourceName := "data.aws_redshift_service_account.main"
-
- resource.ParallelTest(t, resource.TestCase{
- PreCheck: func() { acctest.PreCheck(ctx, t) },
- ErrorCheck: acctest.ErrorCheck(t, redshift.EndpointsID),
- ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccServiceAccountDataSourceConfig_basic,
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(dataSourceName, "id", expectedAccountID),
- acctest.CheckResourceAttrGlobalARNAccountID(dataSourceName, "arn", expectedAccountID, "iam", "user/logs"),
- ),
- },
- },
- })
-}
-
-func TestAccRedshiftServiceAccountDataSource_region(t *testing.T) {
- ctx := acctest.Context(t)
- expectedAccountID := tfredshift.ServiceAccountPerRegionMap[acctest.Region()]
-
- dataSourceName := "data.aws_redshift_service_account.regional"
-
- resource.ParallelTest(t, resource.TestCase{
- PreCheck: func() { acctest.PreCheck(ctx, t) },
- ErrorCheck: acctest.ErrorCheck(t, redshift.EndpointsID),
- ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
- Steps: []resource.TestStep{
- {
- Config: testAccServiceAccountDataSourceConfig_explicitRegion,
- Check: resource.ComposeTestCheckFunc(
- resource.TestCheckResourceAttr(dataSourceName, "id", expectedAccountID),
- acctest.CheckResourceAttrGlobalARNAccountID(dataSourceName, "arn", expectedAccountID, "iam", "user/logs"),
- ),
- },
- },
- })
-}
-
-const testAccServiceAccountDataSourceConfig_basic = `
-data 
"aws_redshift_service_account" "main" {}
-`
-
-const testAccServiceAccountDataSourceConfig_explicitRegion = `
-data "aws_region" "current" {}
-
-data "aws_redshift_service_account" "regional" {
- region = data.aws_region.current.name
-}
-`
diff --git a/website/docs/d/redshift_service_account.html.markdown b/website/docs/d/redshift_service_account.html.markdown
index 0fa5cf44556..02c009f7ef9 100644
--- a/website/docs/d/redshift_service_account.html.markdown
+++ b/website/docs/d/redshift_service_account.html.markdown
@@ -12,7 +12,7 @@ Use this data source to get the Account ID of the [AWS Redshift Service Account]
 in a given region for the purpose of allowing Redshift to store audit data in S3.
 ~> **Note:** AWS documentation [states that](https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html#db-auditing-bucket-permissions) a [service principal name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services) should be used instead of an AWS account ID in any relevant IAM policy.
-The `aws_redshift_service_account` data source should now be considered deprecated and will be removed in a future version.
+The `aws_redshift_service_account` data source has been deprecated and will be removed in a future version.
 ## Example Usage