From 78a3b1594ce6d3099925cea04e5b7e877b7f42e4 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 1 Jul 2024 16:17:39 -0400
Subject: [PATCH] change to account of elb service account

---
 s3-access-logs/README.md | 1 +
 s3-access-logs/policy_data.tf | 23 +++++++++++++++++------
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/s3-access-logs/README.md b/s3-access-logs/README.md
index df3d552..38fcb39 100644
--- a/s3-access-logs/README.md
+++ b/s3-access-logs/README.md
@@ -167,6 +167,7 @@ No modules.
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_elb_service_account.elb_account_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy_document.logs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
diff --git a/s3-access-logs/policy_data.tf b/s3-access-logs/policy_data.tf
index 367ba98..7174d72 100644
--- a/s3-access-logs/policy_data.tf
+++ b/s3-access-logs/policy_data.tf
@@ -2,6 +2,8 @@
 # * https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
 # * https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
+data "aws_elb_service_account" "elb_account_id" {}
+
 data "aws_iam_policy_document" "logs_s3" {
 statement {
 sid = "AWSLogWrite"
@@ -9,8 +11,11 @@ data "aws_iam_policy_document" "logs_s3" {
 actions = ["s3:PutObject"]
 resources = ["${aws_s3_bucket.logs.arn}/*"]
 principals {
- type = "AWS"
- identifiers = [format("arn:%v:iam::%v:root", data.aws_arn.current.partition, local.account_id)]
+ type = "AWS"
+ identifiers = [
+ format("arn:%v:iam::%v:root", data.aws_arn.current.partition, local.account_id),
+ format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, data.aws_elb_service_account.main.id),
+ ]
 }
 }
 statement {
@@ -35,7 +40,8 @@ data "aws_iam_policy_document" "logs_s3" {
 condition {
 test = "ArnLike"
 variable = "aws:SourceArn"
- values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, local.account_id)]
+ # values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, local.account_id)]
+ values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, data.aws_elb_service_account.main.id)]
 }
 }
 statement {
@@ -55,7 +61,8 @@ data "aws_iam_policy_document" "logs_s3" {
 condition {
 test = "ArnLike"
 variable = "aws:SourceArn"
- values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, local.account_id)]
+ # values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, local.account_id)]
+ values = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, data.aws_elb_service_account.main.id)]
 }
 }
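Review bot: The data source declared here is named `elb_account_id`, but every new reference in this file (the hunks at old lines 9, 35, 55 and 68) reads `data.aws_elb_service_account.main.id`; unless a `main` instance is declared elsewhere in the module, which the README table does not list, `terraform validate` will fail on a reference to an undeclared resource. Pick one name for both sides, e.g. `data.aws_elb_service_account.elb_account_id.id` at each use. A short comment on the declaration would also help readers, since the file otherwise only links the AWS docs: `# Regional ELB service account; the principal that delivers ALB/classic ELB access logs into this bucket.`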
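Review bot: The second entry added to `identifiers` is a `logs:` ARN (`arn:<partition>:logs:<region>:<account>:*`), which is not a valid IAM principal; with `type = "AWS"` the entries must be account IDs or account-root/user/role ARNs, so S3 is likely to reject the bucket policy at apply time with an invalid-principal error. The data source already exports the ELB service account's root ARN, so the intended grant is presumably `data.aws_elb_service_account.elb_account_id.arn` (equivalently `format("arn:%v:iam::%v:root", data.aws_arn.current.partition, data.aws_elb_service_account.elb_account_id.id)`) rather than a logs ARN. The same malformed entry is added in the hunk at old line 68. The `logs_s3` document starts before this hunk and continues after it.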
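Review bot: The `aws:SourceArn` condition now matches `arn:…:logs:<region>:<ELB service account>:*`, but the source ARN AWS documents for log delivery into a bucket (the network load-balancer page linked at the top of this file) lives in the bucket owner's own account, i.e. the `local.account_id` value being replaced; if this statement's principal is the log-delivery service (its `principals` block is outside the hunk), this change will most likely get that delivery denied rather than add the ELB account. The hunk at old line 55 makes the same replacement. Keeping the old value as a commented-out line in both places is dead configuration; drop `# values = [...]` and rely on history instead.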
@@ -68,8 +75,12 @@ data "aws_iam_policy_document" "logs_s3" {
 "${aws_s3_bucket.logs.arn}/nlb-logs/*",
 ]
 principals {
- type = "AWS"
- identifiers = [format("arn:%v:iam::%v:root", data.aws_arn.current.partition, local.logs_alb_account)]
+ type = "AWS"
+ identifiers = [
+ format("arn:%v:iam::%v:root", data.aws_arn.current.partition, local.account_id),
+ format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, local.logs_region, data.aws_elb_service_account.main.id),
+ ]
 }
 }
 }
+
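Review bot: The principal for the `nlb-logs/` prefix changes from `local.logs_alb_account` to the bucket owner's own `local.account_id`, plus a `logs:` ARN that is not a valid IAM principal, so the regional ELB service account that `local.logs_alb_account` presumably held is no longer granted at all, which is the opposite of what the commit subject describes. If the new data source is meant to replace that local, grant its root ARN directly, `identifiers = [data.aws_elb_service_account.elb_account_id.arn]`, and retire `local.logs_alb_account` where it is defined (outside this file) so the two cannot drift. The final `+` adds a trailing blank line at end of file, which `terraform fmt` would likely strip.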