diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 3eadd10ba..8ba36b987 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -88,6 +88,13 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 "kms:DescribeKey"
 ]
 resources = [aws_kms_key.firehose_cmk.arn]
+ condition {
+ test = "StringEquals"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = [
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
+ ]
+ }
 }
 }
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index c0fd0ed43..6ea409dad 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -426,7 +426,8 @@ resource "aws_iam_policy" "cloudwatch_logging" {
 Effect = "Allow",
 Action = [
 "logs:ListTagsForResource",
- "logs:DescribeLogGroups"
+ "logs:DescribeLogGroups",
+ "logs:PutRetentionPolicy"
 ],
 Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
 }
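Review bot: The `values` entry hardcodes the `arn:aws:` partition and rebuilds the audit log-group name from `var.project_name`/`var.environment`, so the condition silently stops matching if the log group is renamed or the module is used in another partition; if the module declares that log group, `values = [<audit-log-group-resource>.arn]` (placeholder — substitute the module's actual resource) keeps the policy and the resource in lockstep. Because `StringEquals` on `kms:EncryptionContext:aws:logs:arn` matches exactly one log group, any other log group under `/aws/kinesisfirehose/` in this account is now denied use of the CMK by this statement — confirm that narrowing is intended. A comment above `condition`, such as `# Limit the CloudWatch Logs service principal to the audit log group only`, would record why the grant was narrowed. The statement's principal and the rest of its action list begin above the hunk.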
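Review bot: `logs:PutRetentionPolicy` lets this role shorten or remove retention on every log group matching `/aws/kinesisfirehose/*`, including the audit log group, which is a way to lose audit history rather than the metadata-only access the two existing actions give; nothing in the hunk records why the GitHub Actions role needs it. If the reason is that the kinesis_firehose module now manages `retention_in_days` on that log group (inferred — confirm), a comment on the new line, `# needed so the kinesis_firehose module can manage the audit log group's retention`, ties the grant to its consumer. The enclosing `aws_iam_policy.cloudwatch_logging` resource starts and ends outside the hunk.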
@@ -447,14 +448,20 @@ resource "aws_iam_policy" "firehose_readonly" { { Effect = "Allow", Action = [ + "firehose:CreateDeliveryStream", + "firehose:DeleteDeliveryStream", "firehose:DescribeDeliveryStream", - "firehose:ListTagsForDeliveryStream" - ], + "firehose:UpdateDestination", + "firehose:PutRecord", + "firehose:PutRecordBatch", + "firehose:TagDeliveryStream", + "firehose:ListTagsForDeliveryStream", + "firehose:UntagDeliveryStream" + ] Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*" } ] }) - tags = merge(local.tags, { Name = "firehose-describe-access" }) }
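Review bot: `aws_iam_policy.firehose_readonly` is no longer read-only: the new side grants `firehose:CreateDeliveryStream`, `DeleteDeliveryStream`, `UpdateDestination`, `PutRecord` and `PutRecordBatch` on `deliverystream/eligibility-signposting-api*`, so the resource name (and the `Name = "firehose-describe-access"` tag, if that line is indeed deleted rather than a blank line above it) now misdescribe what the role can do. `PutRecord`/`PutRecordBatch` are data-plane writes that let the deployment role inject records into the delivery stream, which the kms.tf hunk suggests carries audit data; a deploy role normally needs only the control-plane actions, so move those two (and ideally `DeleteDeliveryStream`) into a separately named policy or drop them unless a deploy step demonstrably writes records. At minimum rename the policy and keep a `tags` block with an accurate name, e.g. `tags = merge(local.tags, { Name = "firehose-manage-access" })` (constructed example). The new `]` closing `Action` also dropped the trailing comma that `Effect = "Allow",` still carries; HCL accepts both forms, but the mix reads as an accident.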