Description
Describe the Bug
The data source for the ELB doesn't work with newer regions:
For AWS Regions opened since Jakarta (ap-southeast-3) in December 2021, AWS documents that a service principal name should be used instead of an AWS account ID in any relevant IAM policy.
Reference:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account
Expected Behavior
Region accepted and policy attached
Steps to Reproduce
Set the following in the provider block for the aws provider:
region = "il-central-1"
Execute the base example to spin up the S3 bucket with ELB
The error would be like this:
│ Error: Unknown region ("il-central-1")
│
│ with module.s3_bucket.data.aws_elb_service_account.default[0],
│ on .terraform/modules/s3_bucket/main.tf line 18, in data "aws_elb_service_account" "default":
│ 18: data "aws_elb_service_account" "default" {
Screenshots
No response
Environment
- OS: Linux
- Terraform version: 1.9.7
- Terraform AWS provider: 5.52.0
terraform version output:
Terraform v1.9.7
on linux_amd64
- provider registry.terraform.io/hashicorp/aws v5.52.0
- provider registry.terraform.io/hashicorp/local v2.5.1
- provider registry.terraform.io/hashicorp/null v3.2.2
- provider registry.terraform.io/hashicorp/random v3.6.2
- provider registry.terraform.io/hashicorp/time v0.11.2
- provider registry.terraform.io/hashicorp/tls v4.0.5
Additional Context
Seems like we need to adjust the conditions to support an updated policy:
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
Open question: how could we detect new (August 2022 or later) regions programmatically?
Possible solution (from another repository) - check the aws_iam_policy_document data block:
https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/blob/master/main.tf
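An added illustration (not code from this module or the linked repository) of the policy selection the AWS docs describe: a region with a documented ELB account ID gets the account-based principal, any other region gets the `logdelivery.elasticloadbalancing.amazonaws.com` service principal, which also answers the open question with a practical rule: treat every region missing from the legacy account table as a new region rather than hard-coding its launch date. The legacy table below uses placeholder account IDs and is an assumption; the real values are in the AWS documentation linked above.

```python
import json

# Service principal AWS documents for regions opened after the account-ID model.
ELB_LOG_DELIVERY_SERVICE_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"

# Constructed sample of the legacy region -> ELB account table. The IDs are
# placeholders (assumption); take the real mapping from the AWS docs, never guess it.
SAMPLE_LEGACY_ACCOUNTS = {
    "us-east-1": "111111111111",
    "eu-west-1": "222222222222",
}


def aws_partition(region: str) -> str:
    """Map a region code to its ARN partition (standard, China, GovCloud)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def uses_service_principal(region: str, legacy_accounts: dict) -> bool:
    """New regions are detected by absence from the documented account table."""
    return region not in legacy_accounts


def elb_log_delivery_policy(region: str, bucket: str, prefix: str,
                            owner_account: str, legacy_accounts: dict) -> dict:
    """Build the S3 bucket policy statement that lets Classic ELB write access logs."""
    key_path = f"{prefix.strip('/')}/AWSLogs" if prefix.strip("/") else "AWSLogs"
    resource = f"arn:{aws_partition(region)}:s3:::{bucket}/{key_path}/{owner_account}/*"
    if uses_service_principal(region, legacy_accounts):
        principal = {"Service": ELB_LOG_DELIVERY_SERVICE_PRINCIPAL}
    else:
        elb_account = legacy_accounts[region]
        principal = {"AWS": f"arn:{aws_partition(region)}:iam::{elb_account}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": principal,
            "Action": "s3:PutObject",
            "Resource": resource,
        }],
    }


if __name__ == "__main__":
    policy = elb_log_delivery_policy("il-central-1", "my-elb-logs", "elb",
                                     "123456789012", SAMPLE_LEGACY_ACCOUNTS)
    print(json.dumps(policy, indent=2))
```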