[ELI-619] - addressing comments

TOEL2 · TOEL2 · commit 7fb7ea1aa4eb · 2026-03-21T10:41:24.000Z
diff --git a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
@@ -23,7 +23,7 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
       log_stream_name = var.firehose_cloud_watch_log_stream
     }
   }
-
+  # Removed server_side_encryption_configuration as it is not supported for kinesis as source
   depends_on = [
     aws_kms_key.firehose_cmk,
     var.kinesis_source_stream_arn,
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
@@ -20,12 +20,12 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
       PERSON_TABLE_NAME            = var.eligibility_status_table_name,
       RULES_BUCKET_NAME            = var.eligibility_rules_bucket_name,
       CONSUMER_MAPPING_BUCKET_NAME = var.eligibility_consumer_mappings_bucket_name,
-      KINESIS_AUDIT_STREAM         = var.kinesis_audit_stream_name
-      ENV                          = var.environment
-      LOG_LEVEL                    = var.log_level
-      ENABLE_XRAY_PATCHING         = var.enable_xray_patching
-      API_DOMAIN_NAME              = var.api_domain_name
-      HASHING_SECRET_NAME          = var.hashing_secret_name
+      KINESIS_AUDIT_STREAM         = var.kinesis_audit_stream_name,
+      ENV                          = var.environment,
+      LOG_LEVEL                    = var.log_level,
+      ENABLE_XRAY_PATCHING         = var.enable_xray_patching,
+      API_DOMAIN_NAME              = var.api_domain_name,
+      HASHING_SECRET_NAME          = var.hashing_secret_name,
     }
   }
 
diff --git a/infrastructure/stacks/api-layer/kinesis_data_stream.tf b/infrastructure/stacks/api-layer/kinesis_data_stream.tf
@@ -74,7 +74,7 @@ data "aws_iam_policy_document" "kinesis_stream_kms_key_policy" {
     condition {
       test     = "StringEquals"
       variable = "kms:ViaService"
-      values   = ["firehose.eu-west-2.amazonaws.com"]
+      values   = ["firehose.${var.default_aws_region}.amazonaws.com"]
     }
   }
 }
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -1,14 +1,14 @@
 module "eligibility_audit_firehose_delivery_stream" {
-  source                              = "../../modules/kinesis_firehose"
-  audit_firehose_delivery_stream_name = "audit_stream_to_s3"
-  audit_firehose_role                 = aws_iam_role.eligibility_audit_firehose_role
-  s3_audit_bucket_arn                 = module.s3_audit_bucket.storage_bucket_arn
-  environment                         = local.environment
-  stack_name                          = local.stack_name
-  workspace                           = local.workspace
-  tags                                = local.tags
-  firehose_cloud_watch_log_group_name  = aws_cloudwatch_log_group.firehose_audit.name
-  firehose_cloud_watch_log_stream      = aws_cloudwatch_log_stream.firehose_audit_stream.name
-  eligibility_lambda_role_arn            = aws_iam_role.eligibility_lambda_role.arn
-  kinesis_source_stream_arn = aws_kinesis_stream.kinesis_source_stream.arn
+  source                                = "../../modules/kinesis_firehose"
+  audit_firehose_delivery_stream_name   = "audit_stream_to_s3"
+  audit_firehose_role                   = aws_iam_role.eligibility_audit_firehose_role
+  s3_audit_bucket_arn                   = module.s3_audit_bucket.storage_bucket_arn
+  environment                           = local.environment
+  stack_name                            = local.stack_name
+  workspace                             = local.workspace
+  tags                                  = local.tags
+  firehose_cloud_watch_log_group_name   = aws_cloudwatch_log_group.firehose_audit.name
+  firehose_cloud_watch_log_stream       = aws_cloudwatch_log_stream.firehose_audit_stream.name
+  eligibility_lambda_role_arn           = aws_iam_role.eligibility_lambda_role.arn
+  kinesis_source_stream_arn             = aws_kinesis_stream.kinesis_source_stream.arn
 }
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -87,20 +87,7 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "firehose:StopDeliveryStreamEncryption",
 
       # Kinesis Stream - audit log streaming
-      "kinesis:CreateStream",
-      "kinesis:DeleteStream",
-      "kinesis:DescribeStream",
-      "kinesis:ListStreams",
-      "kinesis:PutRecord",
-      "kinesis:PutRecords",
-      "kinesis:TagStream",
-      "kinesis:ListTagsForStream",
-      "kinesis:UntagStream",
-      "kinesis:GetShardIterator",
-      "kinesis:GetRecords",
-      "kinesis:ListShards",
-      "kinesis:SubscribeToShard",
-      "kinesis:DescribeStreamSummary",
+      "kinesis:*",
 
       # IAM - specific role and policy management
       "iam:GetRole*",

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli`
`23`	`23`	`log_stream_name = var.firehose_cloud_watch_log_stream`
`24`	`24`	`}`
`25`	`25`	`}`
`26`		`-`
	`26`	`+ # Removed server_side_encryption_configuration as it is not supported for kinesis as source`
`27`	`27`	`depends_on = [`
`28`	`28`	`aws_kms_key.firehose_cmk,`
`29`	`29`	`var.kinesis_source_stream_arn,`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ data "aws_iam_policy_document" "kinesis_stream_kms_key_policy" {`
`74`	`74`	`condition {`
`75`	`75`	`test = "StringEquals"`
`76`	`76`	`variable = "kms:ViaService"`
`77`		`- values = ["firehose.eu-west-2.amazonaws.com"]`
	`77`	`+ values = ["firehose.${var.default_aws_region}.amazonaws.com"]`
`78`	`78`	`}`
`79`	`79`	`}`
`80`	`80`	`}`