次のように書くと、ELB（ALB）のアクセスログを S3 に保存するためのバケットポリシーで Principal として許可する必要がある、リージョンごとの ELB サービスアカウントを `aws_elb_service_account` データソースから参照できる（どのアカウントを許可すべきかをハードコードせずに済む）。
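# Resolve the regional AWS account that Elastic Load Balancing uses when it
# writes access logs to S3. This account is the Principal the log bucket's
# policy must trust; it is per-region, so it follows the provider's region.
# NOTE(review): this data source only covers regions where ELB publishes a
# per-region account. In newer (opt-in) regions ELB delivers logs as the
# service principal "logdelivery.elasticloadbalancing.amazonaws.com" instead,
# which needs a `type = "Service"` principal — check the AWS docs for the
# target region before relying on this account.
data "aws_elb_service_account" "main" {}

# Account ID of the caller; used to pin the allowed key prefix to this
# account's own log path.
data "aws_caller_identity" "current" {}

# Bucket that receives the ELB/ALB access logs.
resource "aws_s3_bucket" "elb_logs" {
  bucket = "my-elb-tf-test-bucket"
}

# Access logs never need to be public; block every public ACL/policy path
# regardless of what the bucket policy below grants.
resource "aws_s3_bucket_public_access_block" "elb_logs" {
  bucket                  = aws_s3_bucket.elb_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy document: allow the ELB service account to put objects under
# this account's AWSLogs/ prefix only.
data "aws_iam_policy_document" "allow_elb_logging" {
  statement {
    sid    = "AllowELBAccessLogDelivery"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }

    actions = ["s3:PutObject"]

    # The regional ELB service account is shared by every AWS customer in the
    # region, so `AWSLogs/*` alone would let any other account point its load
    # balancer at this bucket name and write into it. ELB always writes under
    # AWSLogs/<account-id>/, so scoping the prefix to our own account ID keeps
    # the grant to our own load balancers.
    resources = [
      "${aws_s3_bucket.elb_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

# Attach the policy to the log bucket.
resource "aws_s3_bucket_policy" "allow_elb_logging" {
  bucket = aws_s3_bucket.elb_logs.id
  policy = data.aws_iam_policy_document.allow_elb_logging.json
}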