From f8767eece4b94fe460804938097c74d3830ceec3 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 10:56:16 +0100
Subject: [PATCH 1/5] fix kinesis log permissions
---
 infrastructure/modules/kinesis_firehose/kms.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 3eadd10ba..8ba36b987 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -88,6 +88,13 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 "kms:DescribeKey"
 ]
 resources = [aws_kms_key.firehose_cmk.arn]
+ condition {
+ test = "StringEquals"
+ variable = "kms:EncryptionContext:aws:logs:arn"
+ values = [
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
+ ]
+ }
 }
 }
From c77d0a19686eb777811947e8327f475967f0f8a6 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 11:33:22 +0100
Subject: [PATCH 2/5] fix kinesis log permissions
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index c0fd0ed43..3d3a32b01 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
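Review bot: The new `condition` only fits a statement whose principal is the CloudWatch Logs service, and that principal sits above the hunk; a Firehose service principal or an IAM role in the same statement never presents `aws:logs:arn` in its encryption context and would lose whatever access this statement grants, so confirm the principal before merging. AWS documents this key with `ArnEquals` or `ArnLike`; `StringEquals` is fine for an exact ARN but stops matching the moment a wildcard is introduced. The ARN is also assembled by hand from `var.project_name`/`var.environment` rather than read from a log-group resource, presumably to avoid a key/log-group reference cycle — a comment such as `# Scope the Logs service grant to the Firehose audit log group (ARN built by hand: the log group itself references this key)` would record that for the next maintainer.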
@@ -426,7 +426,8 @@ resource "aws_iam_policy" "cloudwatch_logging" {
 Effect = "Allow",
 Action = [
 "logs:ListTagsForResource",
- "logs:DescribeLogGroups"
+ "logs:DescribeLogGroups",
+ "logs:PutRetentionPolicy"
 ],
 Resource = "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
 }
From 5f57107d460ecb0818062a9c9eb010742e07805e Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 11:47:44 +0100
Subject: [PATCH 3/5] gihubaction role
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 3d3a32b01..3dd754c2e 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -449,7 +449,8 @@ resource "aws_iam_policy" "firehose_readonly" {
 Effect = "Allow",
 Action = [
 "firehose:DescribeDeliveryStream",
- "firehose:ListTagsForDeliveryStream"
+ "firehose:ListTagsForDeliveryStream",
+ "firehose:TagDeliveryStream"
 ],
 Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
 }
From 9b6b18250d28af6cd662332f634f6e25285a1737 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 12:01:04 +0100
Subject: [PATCH 4/5] checkov fixes
---
 .../iams-developer-roles/github_actions_policies.tf | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 3dd754c2e..d7d419469 100644
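Review bot: `firehose:TagDeliveryStream` is a mutating action going into a policy still named `firehose_readonly` (its `Name` tag, visible in the PATCH 5/5 hunk, is `firehose-describe-access`), so the resource name no longer describes what it grants; the PATCH 4/5 hunk widens the same statement to create, delete and update. Rename the resource to something like `firehose_manage` and reserve the read-only name for a genuinely read-only policy, or at least add `# NOTE: despite the name, this policy grants write actions the deploy pipeline needs to manage the delivery stream` above the statement. Renaming the Terraform resource address recreates the IAM policy unless a `moved` block accompanies it, so that belongs in the same change.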
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -447,11 +447,17 @@ resource "aws_iam_policy" "firehose_readonly" {
 Statement = [
 {
 Effect = "Allow",
- Action = [
+ actions = [
+ "firehose:CreateDeliveryStream",
+ "firehose:DeleteDeliveryStream",
 "firehose:DescribeDeliveryStream",
+ "firehose:UpdateDestination",
+ "firehose:PutRecord",
+ "firehose:PutRecordBatch",
+ "firehose:TagDeliveryStream",
 "firehose:ListTagsForDeliveryStream",
- "firehose:TagDeliveryStream"
- ],
+ "firehose:UntagDeliveryStream"
+ ]
 Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
 }
 ]
From e9603816e54746c7e8e90120c8ff8f3d35262ff1 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 1 Jul 2025 12:09:11 +0100
Subject: [PATCH 5/5] checkov fixes
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index d7d419469..6ea409dad 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -447,7 +447,7 @@ resource "aws_iam_policy" "firehose_readonly" {
 Statement = [
 {
 Effect = "Allow",
- actions = [
+ Action = [
 "firehose:CreateDeliveryStream",
 "firehose:DeleteDeliveryStream",
 "firehose:DescribeDeliveryStream",
@@ -462,7 +462,6 @@ resource "aws_iam_policy" "firehose_readonly" {
 }
 ]
 })
- tags = merge(local.tags, { Name = "firehose-describe-access" })
 }
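Review bot: `firehose:PutRecord` and `firehose:PutRecordBatch` in the -447,11 hunk are data-plane writes that Terraform does not need to create, update, delete or tag a delivery stream, so granting them to the GitHub Actions deployment role lets the CI identity inject records into the audit stream. Unless a pipeline step genuinely writes records, drop those two entries and keep the control-plane set (`CreateDeliveryStream`, `DeleteDeliveryStream`, `DescribeDeliveryStream`, `UpdateDestination`, the tag/untag actions). The `Action` → `actions` rename in the same hunk would likely have produced a policy document the IAM API rejects, since `jsonencode` does not validate IAM keys; PATCH 5/5 already reverts it, so nothing further is needed there.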
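Review bot: Removing the whole `tags = merge(local.tags, { Name = "firehose-describe-access" })` line in the -462 hunk drops `local.tags` as well as the stale `Name`, so if `local.tags` carries the shared mandatory tags this policy is now untagged while the other policies in the file presumably keep theirs. Keep the merge and correct only the name, e.g. `tags = merge(local.tags, { Name = "<policy-name-placeholder>" })`, or at minimum `tags = local.tags`. The closing lines of the resource may extend past the hunk's last visible line.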