diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml
index 757c27a3c..c4f9fe151 100644
--- a/.github/workflows/manual-terraform-apply.yaml
+++ b/.github/workflows/manual-terraform-apply.yaml
@@ -17,6 +17,8 @@ jobs:
 id-token: write
 contents: read
+ timeout-minutes: 30
+
 steps:
 - name: "Setup Terraform"
 uses: hashicorp/setup-terraform@v3
diff --git a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
index a0937d692..ef6bbba3f 100644
--- a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
+++ b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
@@ -3,7 +3,7 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
 destination = "extended_s3"
 extended_s3_configuration {
- role_arn = var.audit_firehose_role_arn
+ role_arn = var.audit_firehose_role.arn
 bucket_arn = var.s3_audit_bucket_arn
 buffering_size = 1
@@ -25,5 +25,10 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
 key_type = "CUSTOMER_MANAGED_CMK"
 }
+ depends_on = [
+ aws_kms_key.firehose_cmk,
+ var.audit_firehose_role
+ ]
+
 tags = var.tags
 }
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 8ba36b987..4294a7960 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -67,7 +67,7 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 effect = "Allow"
 principals {
 type = "AWS"
- identifiers = [var.audit_firehose_role_arn]
+ identifiers = [var.audit_firehose_role.arn]
 }
 actions = ["kms:*"]
 resources = [aws_kms_key.firehose_cmk.arn]
diff --git a/infrastructure/modules/kinesis_firehose/variables.tf b/infrastructure/modules/kinesis_firehose/variables.tf
index 69740d182..50f25d32a 100644
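Review bot: The new `timeout-minutes: 30` hard-kills the runner in the middle of a `terraform apply` once the limit is reached, and with a locking backend that typically leaves the state lock held and resources half-created; the line gives the next operator no hint of that. A comment above it would set expectations, e.g. `# Hard stop for runaway applies: a killed apply may leave the state lock held — force-unlock before retrying`. If 30 minutes was chosen against a measured apply time, say so there too. The `jobs:` block this sits in starts before the hunk.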
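Review bot: `depends_on = [var.audit_firehose_role]` in the second hunk is, as far as I recall, not something Terraform accepts — `depends_on` takes references to resources and modules, not input variables — and even if it validates it is redundant, because `role_arn = var.audit_firehose_role.arn` already orders the stream after the role. What it cannot express is the dependency that usually bites here: the role's S3/KMS policy attachments live in the calling stack, so the stream can still be created before the role can reach the bucket or key, which Firehose commonly rejects at creation time. I'd drop the `var.` entry, keep `aws_kms_key.firehose_cmk`, and have the caller order `module.eligibility_audit_firehose_delivery_stream` after the attachment with a module-level `depends_on`. The resource block this hunk closes starts before the hunk.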
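Review bot: The statement this hunk edits grants the Firehose delivery role `kms:*` on the CMK (`actions = ["kms:*"]`, two lines below the change), which lets a data-writing role rewrite the key policy, disable the key, or schedule its deletion — a single compromised delivery role could then take the audit trail's key with it. The role only needs to produce and unwrap data keys, so I'd narrow it to `actions = ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"]`, adding only whatever grant-related action the Firehose SSE documentation requires for a customer-managed key, since the stream also uses this key for its own encryption. The `data "aws_iam_policy_document"` block starts before the hunk.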
--- a/infrastructure/modules/kinesis_firehose/variables.tf
+++ b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -3,9 +3,9 @@ variable "audit_firehose_delivery_stream_name" {
 type = string
 }
-variable "audit_firehose_role_arn" {
- description = "audit firehose role arn"
- type = string
+variable "audit_firehose_role" {
+ description = "audit firehose role"
+ type = any
 }
 variable "s3_audit_bucket_arn" {
diff --git a/infrastructure/modules/s3/kms.tf b/infrastructure/modules/s3/kms.tf
index b117093b2..decb78315 100644
--- a/infrastructure/modules/s3/kms.tf
+++ b/infrastructure/modules/s3/kms.tf
@@ -3,6 +3,11 @@ resource "aws_kms_key" "storage_bucket_cmk" {
 deletion_window_in_days = 14
 is_enabled = true
 enable_key_rotation = true
+
+ depends_on = [
+ aws_s3_bucket.storage_bucket
+ ]
+
 }
 resource "aws_kms_alias" "storage_bucket_cmk" {
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
index 90196d0e3..9571d9577 100644
--- a/infrastructure/stacks/api-layer/kinesis_firehose.tf
+++ b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -1,7 +1,7 @@
 module "eligibility_audit_firehose_delivery_stream" {
 source = "../../modules/kinesis_firehose"
 audit_firehose_delivery_stream_name = "audit_stream_to_s3"
- audit_firehose_role_arn = aws_iam_role.eligibility_audit_firehose_role.arn
+ audit_firehose_role = aws_iam_role.eligibility_audit_firehose_role
 s3_audit_bucket_arn = module.s3_audit_bucket.storage_bucket_arn
 environment = local.environment
 stack_name = local.stack_name
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 6ea409dad..2cf94cf87 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
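Review bot: `type = any` removes all validation from the new `audit_firehose_role` input, yet the module only ever reads `.arn` from it (in the delivery stream and the key policy), so the constraint can say exactly that: `type = object({ arn = string })`. Terraform's variable conversion should accept the full `aws_iam_role` object for that constraint and discard the attributes it does not name — worth confirming with `terraform validate` against the caller. The description should also record why a whole resource is passed instead of an ARN, e.g. `description = "Firehose delivery role; the whole resource is passed so the stream and key policy are ordered after it"`, otherwise the next person will "simplify" it back to a string.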
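Review bot: Making the CMK `depends_on` the bucket it encrypts inverts the usual order and nothing in the hunk says why; a comment such as `# Ordered after the bucket: <name the error this works around>` is needed, because the next reader will take it for a mistake and remove it. If the bucket's server-side-encryption configuration references this key, confirm `terraform plan` does not report a cycle. Separately, the visible `deletion_window_in_days = 14` on a key protecting audit data gives a short window to recover from an accidental or malicious `ScheduleKeyDeletion`; 30 days is the maximum and I'd use it here. The `resource "aws_kms_key"` block starts before the hunk.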
@@ -456,7 +456,9 @@ resource "aws_iam_policy" "firehose_readonly" {
 "firehose:PutRecordBatch",
 "firehose:TagDeliveryStream",
 "firehose:ListTagsForDeliveryStream",
- "firehose:UntagDeliveryStream"
+ "firehose:UntagDeliveryStream",
+ "firehose:StartDeliveryStreamEncryption",
+ "firehose:StopDeliveryStreamEncryption"
 ]
 Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
 }
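Review bot: The policy named `firehose_readonly` now grants `firehose:StopDeliveryStreamEncryption`, which switches off server-side encryption on the live audit stream, next to the Put/Tag/Untag actions already in the statement; nothing in it is read-only any more, and the name will mislead anyone auditing what the GitHub Actions role can do. Rename it (e.g. `firehose_manage`) or move the mutating actions into their own policy, and annotate the two new lines: `# Start/Stop needed so terraform can change server_side_encryption on the stream; Stop disables encryption at rest`. Also confirm that the stream name the module derives from `audit_stream_to_s3` really begins with `eligibility-signposting-api`, since the `Resource` pattern only matches that prefix. The `resource "aws_iam_policy"` block starts before the hunk and the policy document continues after it.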