[ELI-619] - adding depends and extending boundry

Author: TOEL2

infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf

@@ -53,6 +53,7 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
       # Kinesis Firehose - Lambda writing audit data
       "firehose:PutRecord",
       "firehose:PutRecordBatch",
+      "kinesis:*",
 
       # X-Ray - Lambda tracing
       "xray:PutTraceSegments",

infrastructure/stacks/api-layer/iam_policies.tf

@@ -224,15 +224,15 @@ resource "aws_iam_role_policy" "kinesis_firehose_logs_policy" {
           "logs:CreateLogStream",
           "logs:PutLogEvents"
         ],
-        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${module.eligibility_audit_firehose_delivery_stream.firehose_stream_name}:log-stream:*"
+        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${local.firehose_stream_name}:log-stream:*"
       },
       {
         Effect = "Allow",
         Action = [
           "logs:DescribeLogGroups",
           "logs:DescribeLogStreams"
         ],
-        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${module.eligibility_audit_firehose_delivery_stream.firehose_stream_name}"
+        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${local.firehose_stream_name}"
       }
     ]
   })

infrastructure/stacks/api-layer/kinesis_firehose.tf

@@ -11,4 +11,11 @@ module "eligibility_audit_firehose_delivery_stream" {
   firehose_cloud_watch_log_stream       = aws_cloudwatch_log_stream.firehose_audit_stream.name
   eligibility_lambda_role_arn           = aws_iam_role.eligibility_lambda_role.arn
   kinesis_source_stream_arn             = aws_kinesis_stream.kinesis_source_stream.arn
+
+  depends_on = [
+    aws_iam_role_policy.kinesis_firehose_read_policy,
+    aws_iam_role_policy.firehose_kinesis_source_kms_policy,
+    aws_iam_role_policy.kinesis_firehose_s3_write_policy,
+    aws_iam_role_policy.kinesis_firehose_logs_policy,
+  ]
 }

infrastructure/stacks/api-layer/locals.tf

@@ -10,6 +10,8 @@ locals {
     data.aws_ssm_parameter.mtls_api_ca_cert.value
   ])
 
+  firehose_stream_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-audit_stream_to_s3"
+
   # Toggle for deploying WAF resources in the current environment
   # True when var.environment is contained in var.waf_enabled_environments
   waf_enabled = contains(var.waf_enabled_environments, var.environment)