NHSDigital · Karthikeyannhs · Jul 1, 2025 · Jun 30, 2025 · Jun 30, 2025 · Jul 1, 2025
@@ -104,6 +104,8 @@ jobs:
         # just planning for now for safety and until review
         run: |
           mkdir -p ./build
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=iams-developer-roles tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=iams-developer-roles tf-command=apply workspace=$WORKSPACE
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
           make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"

@@ -133,6 +133,8 @@ jobs:
         # just planning for now for safety and until review
         run: |
           mkdir -p ./build
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=iams-developer-roles tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=iams-developer-roles tf-command=apply workspace=$WORKSPACE
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
           make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"

@@ -8,6 +8,9 @@ on:
         required: true
         type: choice
         options: [dev, test, preprod]
+      revision:
+        description: Git revision (commit SHA or tag)
+        required: false
 
 jobs:
   listS3:
@@ -18,8 +21,10 @@ jobs:
       contents: read
 
     steps:
-      - name: Checkout
+      - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.revision || 'main' }}
 
       - name: Set up Python
         uses: actions/setup-python@v5

@@ -364,6 +364,8 @@ resource "aws_iam_policy" "iam_management" {
         Resource = [
           # Lambda role
           "arn:aws:iam::*:role/eligibility_lambda-role*",
+          # Kinesis Role
+          "arn:aws:iam::*:role/eligibility_audit_firehose-role*",
           # API Gateway role
           "arn:aws:iam::*:role/*-api-gateway-*-role",
           # External write role
@@ -374,7 +376,9 @@ resource "aws_iam_policy" "iam_management" {
           # VPC flow logs role
           "arn:aws:iam::*:role/vpc-flow-logs-role",
           # API role
-          "arn:aws:iam::*:role/*eligibility-signposting-api-role"
+          "arn:aws:iam::*:role/*eligibility-signposting-api-role",
+          # Kinesis firehose role
+          "arn:aws:iam::*:role/eligibility_audit_firehose-role*"
         ]
       }
     ]
@@ -410,6 +414,50 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
   }
 }
 
+resource "aws_iam_policy" "cloudwatch_logging" {
+  name        = "cloudwatch-logging-management"
+  description = "Allow access to logging resources"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:ListTagsForResource",
+          "logs:DescribeLogGroups"
+        ],
+        Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "cloudwatch-logging-management" })
+}
+
+resource "aws_iam_policy" "firehose_readonly" {
+  name        = "firehose-describe-access"
+  description = "Allow GitHub Actions to describe Firehose delivery stream"
+  path        = "/service-policies/"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "firehose:DescribeDeliveryStream",
+          "firehose:ListTagsForDeliveryStream"
+        ],
+        Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
+      }
+    ]
+  })
+
+  tags = merge(local.tags, { Name = "firehose-describe-access" })
+}
+
 # Attach the policies to the role
 resource "aws_iam_role_policy_attachment" "terraform_state" {
   role       = aws_iam_role.github_actions.name
@@ -445,3 +493,13 @@ resource "aws_iam_role_policy_attachment" "iam_management" {
   role       = aws_iam_role.github_actions.name
   policy_arn = aws_iam_policy.iam_management.arn
 }
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_logging" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.cloudwatch_logging.arn
+}
+
+resource "aws_iam_role_policy_attachment" "firehose_readonly_attach" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = aws_iam_policy.firehose_readonly.arn
+}
@@ -17,7 +17,7 @@ resource "aws_iam_openid_connect_provider" "github" {
 resource "aws_iam_role" "github_actions" {
   name                 = "github-actions-api-deployment-role"
   description          = "Role for GitHub Actions to deploy infrastructure via Terraform"
-  permissions_boundary =  aws_iam_policy.permissions_boundary.arn
+  permissions_boundary = aws_iam_policy.permissions_boundary.arn
   path                 = "/service-roles/"
 
   # Trust policy allowing GitHub Actions to assume the role

@@ -1,9 +1,9 @@
 resource "aws_iam_role" "terraform_developer" {
-  name               = "terraform-developer-role"
-  description        = "Role for developers to plan and apply Terraform changes"
-  assume_role_policy = data.aws_iam_policy_document.terraform_developer_assume_role.json
-  permissions_boundary = aws_iam_policy.permissions_boundary.arn  # Attach permissions boundary
-  max_session_duration = 14400  # 4 hours
+  name                 = "terraform-developer-role"
+  description          = "Role for developers to plan and apply Terraform changes"
+  assume_role_policy   = data.aws_iam_policy_document.terraform_developer_assume_role.json
+  permissions_boundary = aws_iam_policy.permissions_boundary.arn # Attach permissions boundary
+  max_session_duration = 14400                                   # 4 hours
 
   tags = merge(
     local.tags,