docs: Add Cross Account S3 Example

README.md

@@ -890,6 +890,7 @@ The destination variable configured in module is mapped to firehose valid destin
 ## Examples
 
 - [Direct Put](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/s3/direct-put-to-s3) - Creates an encrypted Kinesis firehose stream with Direct Put as source and S3 as destination.
+- [Direct Put With Cross Account S3](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/s3/direct-put-to-cross-account-s3) - Creates Kinesis firehose stream with Direct Put as source and Cross Account S3 bucket as destination.
 - [Direct Put With Lambda](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/s3/direct-put-to-s3-with-lambda) - Creates a Kinesis firehose stream with Direct Put as source and S3 as destination with transformation lambda.
 - [Kinesis Data Stream Source](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/s3/kinesis-to-s3-basic) - Creates a basic Kinesis Firehose stream with Kinesis data stream as source and s3 as destination.
 - [WAF Source](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/s3/waf-to-s3) - Creates a Kinesis Firehose Stream with AWS Web WAF as source and S3 as destination.

examples/s3/direct-put-to-cross-account-s3/README.md

@@ -0,0 +1,67 @@
+# Kinesis Firehose: Direct Put To S3
+
+Configuration in this directory creates kinesis firehose stream with Direct Put as source and Cross Account S3 bucket as destination with a basic configuration.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws.account2"></a> [aws.account2](#provider\_aws.account2) | ~> 5.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_firehose"></a> [firehose](#module\_firehose) | ../../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_account_2_role_arn"></a> [aws\_account\_2\_role\_arn](#input\_aws\_account\_2\_role\_arn) | AWS Account 2 ARN Role | `string` | n/a | yes |
+| <a name="input_aws_role_arn"></a> [aws\_role\_arn](#input\_aws\_role\_arn) | AWS Account 1 ARN Role | `string` | n/a | yes |
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix to use in resources | `string` | `"direct-put-to-s3"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_application_role_arn"></a> [application\_role\_arn](#output\_application\_role\_arn) | The ARN of the IAM application role created for Kinesis Firehose Stream Source |
+| <a name="output_application_role_name"></a> [application\_role\_name](#output\_application\_role\_name) | The Name of the IAM application role created for Kinesis Firehose Stream Source |
+| <a name="output_application_role_policy_arn"></a> [application\_role\_policy\_arn](#output\_application\_role\_policy\_arn) | The ARN of the IAM application role created for Kinesis Firehose Stream Source |
+| <a name="output_application_role_policy_name"></a> [application\_role\_policy\_name](#output\_application\_role\_policy\_name) | The Name of the IAM application role created for Kinesis Firehose Stream Source |
+| <a name="output_kinesis_firehose_arn"></a> [kinesis\_firehose\_arn](#output\_kinesis\_firehose\_arn) | The ARN of the Kinesis Firehose Stream |
+| <a name="output_kinesis_firehose_destination_id"></a> [kinesis\_firehose\_destination\_id](#output\_kinesis\_firehose\_destination\_id) | The Destination id of the Kinesis Firehose Stream |
+| <a name="output_kinesis_firehose_role_arn"></a> [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | The ARN of the IAM role created for Kinesis Firehose Stream |
+| <a name="output_kinesis_firehose_version_id"></a> [kinesis\_firehose\_version\_id](#output\_kinesis\_firehose\_version\_id) | The Version id of the Kinesis Firehose Stream |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/s3/direct-put-to-cross-account-s3/main.tf

@@ -0,0 +1,34 @@
+resource "random_pet" "this" {
+  length = 2
+}
+
+resource "aws_s3_bucket" "this" {
+  provider      = aws.account2
+  bucket        = "${var.name_prefix}-destination-bucket-${random_pet.this.id}"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  provider = aws.account2
+  bucket   = aws_s3_bucket.this.id
+  policy   = module.firehose.s3_cross_account_bucket_policy
+}
+
+module "firehose" {
+  source                        = "../../../"
+  name                          = "${var.name_prefix}-delivery-stream"
+  destination                   = "s3"
+  s3_bucket_arn                 = aws_s3_bucket.this.arn
+  s3_cross_account              = true
+  enable_sse                    = false
+  enable_s3_backup              = true
+  s3_backup_bucket_arn          = aws_s3_bucket.this.arn
+  s3_backup_prefix              = "backup/"
+  s3_backup_error_output_prefix = "error/"
+  s3_backup_buffering_interval  = 100
+  s3_backup_buffering_size      = 100
+  s3_backup_compression         = "GZIP"
+  s3_backup_enable_encryption   = false
+  s3_backup_enable_log          = true
+  create_application_role       = false
+}

examples/s3/direct-put-to-cross-account-s3/outputs.tf

@@ -0,0 +1,39 @@
+output "kinesis_firehose_arn" {
+  description = "The ARN of the Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_arn
+}
+
+output "kinesis_firehose_destination_id" {
+  description = "The Destination id of the Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_destination_id
+}
+
+output "kinesis_firehose_version_id" {
+  description = "The Version id of the Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_version_id
+}
+
+output "kinesis_firehose_role_arn" {
+  description = "The ARN of the IAM role created for Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_role_arn
+}
+
+output "application_role_arn" {
+  description = "The ARN of the IAM application role created for Kinesis Firehose Stream Source"
+  value       = module.firehose.application_role_arn
+}
+
+output "application_role_name" {
+  description = "The Name of the IAM application role created for Kinesis Firehose Stream Source"
+  value       = module.firehose.application_role_name
+}
+
+output "application_role_policy_arn" {
+  description = "The ARN of the IAM application role created for Kinesis Firehose Stream Source"
+  value       = module.firehose.application_role_policy_arn
+}
+
+output "application_role_policy_name" {
+  description = "The Name of the IAM application role created for Kinesis Firehose Stream Source"
+  value       = module.firehose.application_role_policy_name
+}

examples/s3/direct-put-to-cross-account-s3/providers.tf

@@ -0,0 +1,18 @@
+provider "aws" {
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  assume_role {
+    role_arn = var.aws_role_arn
+  }
+}
+
+provider "aws" {
+  alias                       = "account2"
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  assume_role {
+    role_arn = var.aws_account_2_role_arn
+  }
+}

examples/s3/direct-put-to-cross-account-s3/variables.tf

@@ -0,0 +1,15 @@
+variable "name_prefix" {
+  description = "Name prefix to use in resources"
+  type        = string
+  default     = "direct-put-to-s3"
+}
+
+variable "aws_role_arn" {
+  description = "AWS Account 1 ARN Role"
+  type        = string
+}
+
+variable "aws_account_2_role_arn" {
+  description = "AWS Account 2 ARN Role"
+  type        = string
+}

examples/s3/direct-put-to-cross-account-s3/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}