Use this data source to get the Account ID of the AWS Billing and Cost Management Service Account for the purpose of permitting in S3 bucket policy.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const main = aws.getBillingServiceAccount({});
const billingLogs = new aws.s3.Bucket("billing_logs", {bucket: "my-billing-tf-test-bucket"});
const billingLogsAcl = new aws.s3.BucketAcl("billing_logs_acl", {
bucket: billingLogs.id,
acl: "private",
});
const allowBillingLogging = pulumi.all([main, billingLogs.arn, main, billingLogs.arn]).apply(([main, billingLogsArn, main1, billingLogsArn1]) => aws.iam.getPolicyDocumentOutput({
statements: [
{
effect: "Allow",
principals: [{
type: "AWS",
identifiers: [main.arn],
}],
actions: [
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
],
resources: [billingLogsArn],
},
{
effect: "Allow",
principals: [{
type: "AWS",
identifiers: [main1.arn],
}],
actions: ["s3:PutObject"],
resources: [`${billingLogsArn1}/*`],
},
],
}));
const allowBillingLoggingBucketPolicy = new aws.s3.BucketPolicy("allow_billing_logging", {
bucket: billingLogs.id,
policy: allowBillingLogging.apply(allowBillingLogging => allowBillingLogging.json),
});
import pulumi
import pulumi_aws as aws
main = aws.get_billing_service_account()
billing_logs = aws.s3.Bucket("billing_logs", bucket="my-billing-tf-test-bucket")
billing_logs_acl = aws.s3.BucketAcl("billing_logs_acl",
bucket=billing_logs.id,
acl="private")
allow_billing_logging = pulumi.Output.all(
billingLogsArn=billing_logs.arn,
billingLogsArn1=billing_logs.arn
).apply(lambda resolved_outputs: aws.iam.get_policy_document(statements=[
{
"effect": "Allow",
"principals": [{
"type": "AWS",
"identifiers": [main.arn],
}],
"actions": [
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
],
"resources": [resolved_outputs['billingLogsArn']],
},
{
"effect": "Allow",
"principals": [{
"type": "AWS",
"identifiers": [main.arn],
}],
"actions": ["s3:PutObject"],
"resources": [f"{resolved_outputs['billingLogsArn1']}/*"],
},
]))
allow_billing_logging_bucket_policy = aws.s3.BucketPolicy("allow_billing_logging",
bucket=billing_logs.id,
policy=allow_billing_logging.json)
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
main, err := aws.GetBillingServiceAccount(ctx, &aws.GetBillingServiceAccountArgs{
}, nil);
if err != nil {
return err
}
billingLogs, err := s3.NewBucket(ctx, "billing_logs", &s3.BucketArgs{
Bucket: pulumi.String("my-billing-tf-test-bucket"),
})
if err != nil {
return err
}
_, err = s3.NewBucketAcl(ctx, "billing_logs_acl", &s3.BucketAclArgs{
Bucket: billingLogs.ID(),
Acl: pulumi.String("private"),
})
if err != nil {
return err
}
allowBillingLogging := pulumi.All(billingLogs.Arn,billingLogs.Arn).ApplyT(func(_args []interface{}) (iam.GetPolicyDocumentResult, error) {
billingLogsArn := _args[0].(string)
billingLogsArn1 := _args[1].(string)
return iam.GetPolicyDocumentResult(iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef(pulumi.String(pulumi.StringRef("Allow"))),
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "AWS",
Identifiers: interface{}{
main.Arn,
},
},
},
Actions: []string{
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
},
Resources: []string{
billingLogsArn,
},
},
{
Effect: pulumi.StringRef(pulumi.String(pulumi.StringRef("Allow"))),
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "AWS",
Identifiers: interface{}{
main.Arn,
},
},
},
Actions: []string{
"s3:PutObject",
},
Resources: []string{
fmt.Sprintf("%v/*", billingLogsArn1),
},
},
},
}, nil)), nil
}).(iam.GetPolicyDocumentResultOutput)
_, err = s3.NewBucketPolicy(ctx, "allow_billing_logging", &s3.BucketPolicyArgs{
Bucket: billingLogs.ID(),
Policy: pulumi.String(allowBillingLogging.Json),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var main = Aws.GetBillingServiceAccount.Invoke();
var billingLogs = new Aws.S3.Bucket("billing_logs", new()
{
BucketName = "my-billing-tf-test-bucket",
});
var billingLogsAcl = new Aws.S3.BucketAcl("billing_logs_acl", new()
{
Bucket = billingLogs.Id,
Acl = "private",
});
var allowBillingLogging = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
main.Apply(getBillingServiceAccountResult => getBillingServiceAccountResult.Arn),
},
},
},
Actions = new[]
{
"s3:GetBucketAcl",
"s3:GetBucketPolicy",
},
Resources = new[]
{
billingLogs.Arn,
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
main.Apply(getBillingServiceAccountResult => getBillingServiceAccountResult.Arn),
},
},
},
Actions = new[]
{
"s3:PutObject",
},
Resources = new[]
{
$"{billingLogs.Arn}/*",
},
},
},
});
var allowBillingLoggingBucketPolicy = new Aws.S3.BucketPolicy("allow_billing_logging", new()
{
Bucket = billingLogs.Id,
Policy = allowBillingLogging.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetBillingServiceAccountArgs;
import com.pulumi.aws.s3.Bucket;
import com.pulumi.aws.s3.BucketArgs;
import com.pulumi.aws.s3.BucketAcl;
import com.pulumi.aws.s3.BucketAclArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var main = AwsFunctions.getBillingServiceAccount(GetBillingServiceAccountArgs.builder()
.build());
var billingLogs = new Bucket("billingLogs", BucketArgs.builder()
.bucket("my-billing-tf-test-bucket")
.build());
var billingLogsAcl = new BucketAcl("billingLogsAcl", BucketAclArgs.builder()
.bucket(billingLogs.id())
.acl("private")
.build());
final var allowBillingLogging = Output.tuple(billingLogs.arn(), billingLogs.arn()).applyValue(values -> {
var billingLogsArn = values.t1;
var billingLogsArn1 = values.t2;
return IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(
GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers(main.arn())
.build())
.actions(
"s3:GetBucketAcl",
"s3:GetBucketPolicy")
.resources(billingLogsArn)
.build(),
GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers(main.arn())
.build())
.actions("s3:PutObject")
.resources(String.format("%s/*", billingLogsArn1))
.build())
.build());
});
var allowBillingLoggingBucketPolicy = new BucketPolicy("allowBillingLoggingBucketPolicy", BucketPolicyArgs.builder()
.bucket(billingLogs.id())
.policy(allowBillingLogging.json())
.build());
}
}
resources:
billingLogs:
type: aws:s3:Bucket
name: billing_logs
properties:
bucket: my-billing-tf-test-bucket
billingLogsAcl:
type: aws:s3:BucketAcl
name: billing_logs_acl
properties:
bucket: ${billingLogs.id}
acl: private
allowBillingLoggingBucketPolicy:
type: aws:s3:BucketPolicy
name: allow_billing_logging
properties:
bucket: ${billingLogs.id}
policy: ${allowBillingLogging.json}
variables:
main:
fn::invoke:
function: aws:getBillingServiceAccount
arguments: {}
allowBillingLogging:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- effect: Allow
principals:
- type: AWS
identifiers:
- ${main.arn}
actions:
- s3:GetBucketAcl
- s3:GetBucketPolicy
resources:
- ${billingLogs.arn}
- effect: Allow
principals:
- type: AWS
identifiers:
- ${main.arn}
actions:
- s3:PutObject
resources:
- ${billingLogs.arn}/*
Using getBillingServiceAccount
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getBillingServiceAccount(args: GetBillingServiceAccountArgs, opts?: InvokeOptions): Promise<GetBillingServiceAccountResult>
function getBillingServiceAccountOutput(args: GetBillingServiceAccountOutputArgs, opts?: InvokeOptions): Output<GetBillingServiceAccountResult>def get_billing_service_account(id: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetBillingServiceAccountResult
def get_billing_service_account_output(id: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetBillingServiceAccountResult]func GetBillingServiceAccount(ctx *Context, args *GetBillingServiceAccountArgs, opts ...InvokeOption) (*GetBillingServiceAccountResult, error)
func GetBillingServiceAccountOutput(ctx *Context, args *GetBillingServiceAccountOutputArgs, opts ...InvokeOption) GetBillingServiceAccountResultOutput> Note: This function is named GetBillingServiceAccount in the Go SDK.
public static class GetBillingServiceAccount
{
public static Task<GetBillingServiceAccountResult> InvokeAsync(GetBillingServiceAccountArgs args, InvokeOptions? opts = null)
public static Output<GetBillingServiceAccountResult> Invoke(GetBillingServiceAccountInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetBillingServiceAccountResult> getBillingServiceAccount(GetBillingServiceAccountArgs args, InvokeOptions options)
public static Output<GetBillingServiceAccountResult> getBillingServiceAccount(GetBillingServiceAccountArgs args, InvokeOptions options)
fn::invoke:
function: aws:index/getBillingServiceAccount:getBillingServiceAccount
arguments:
# arguments dictionaryThe following arguments are supported:
- Id string
- ID of the AWS billing service account.
- Id string
- ID of the AWS billing service account.
- id String
- ID of the AWS billing service account.
- id string
- ID of the AWS billing service account.
- id str
- ID of the AWS billing service account.
- id String
- ID of the AWS billing service account.
getBillingServiceAccount Result
The following output properties are available:
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.
