From 1b68eee213beef442d100734a15b3d8c4c086917 Mon Sep 17 00:00:00 2001
From: Vladimir Andrijevikj
Date: Wed, 16 May 2018 12:39:48 +0200
Subject: [PATCH] =?UTF-8?q?Use=20ARN=20instead=20of=20account=20ID=20in=20?= =?UTF-8?q?S3=20policy=E2=80=99s=20Principal?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Due to a Terraform bug (https://github.com/hashicorp/terraform/issues/4948), if Principal is set to an account id, Terraform always reports the resource as if it needs changing (because the AWS API accepts the value, but turns it into an ARN).

---
 aws/application_load_balancer/__examples__/.planshots.txt | 2 +-
 aws/application_load_balancer/load_balancer/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws/application_load_balancer/__examples__/.planshots.txt b/aws/application_load_balancer/__examples__/.planshots.txt
index 7cfa395..47ea069 100644
--- a/aws/application_load_balancer/__examples__/.planshots.txt
+++ b/aws/application_load_balancer/__examples__/.planshots.txt
@@ -565,6 +565,6 @@ website_endpoint:
 + module.initech_production_load_balancer.module.load_balancer.aws_s3_bucket_policy.load_balancer_access_logs
 id:
 bucket: "${aws_s3_bucket.load_balancer_access_logs.id}"
-policy: "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"s3:PutObject\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n \"Principal\": {\n \"AWS\": [\n \"${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}\"\n ]\n }\n }\n ]\n}\n"
+policy: "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"s3:PutObject\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root\"\n ]\n }\n }\n ]\n}\n"
 Plan: 38 to add, 0 to change, 0 to destroy.
diff --git a/aws/application_load_balancer/load_balancer/main.tf b/aws/application_load_balancer/load_balancer/main.tf
index 2a59571..9bddd1f 100644
--- a/aws/application_load_balancer/load_balancer/main.tf
+++ b/aws/application_load_balancer/load_balancer/main.tf
@@ -77,7 +77,7 @@ resource "aws_s3_bucket_policy" "load_balancer_access_logs" {
 "Resource": "${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*",
 "Principal": {
 "AWS": [
- "${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}"
+ "arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root"
 ]
 }
 }
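Review bot: The new Principal line in main.tf hard-codes the `aws` partition in `arn:aws:iam::…:root`, so in a non-standard partition (GovCloud, China) the interpolated ARN names an account that does not exist there and the bucket policy would be rejected or grant nothing useful; the region-keyed `local.elastic_load_balancing_account_ids` map also has to be hand-maintained for every new region. A simpler fix is to let the provider supply the principal, e.g. `"${data.aws_elb_service_account.current.arn}"` backed by a `data "aws_elb_service_account" "current" {}` block, which resolves the ELB service account ARN for the provider's region; failing that, derive the partition from `data.aws_partition` instead of the literal `aws`. Either way a one-line comment above the `"Principal"` block noting that a full ARN (not a bare account id) is used to avoid the perpetual plan diff from the commit message would save the next maintainer from "simplifying" it back. The `aws_s3_bucket_policy` resource block and the `local.elastic_load_balancing_account_ids` definition begin outside this hunk.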