From ca6bc832bf9ef0af75838ad247e538ec33ac5aa5 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Wed, 2 Jul 2025 14:06:17 +0100
Subject: [PATCH 1/6] updated manual-terraform apply
---
 .github/workflows/manual-terraform-apply.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml
index d81d2092e..757c27a3c 100644
--- a/.github/workflows/manual-terraform-apply.yaml
+++ b/.github/workflows/manual-terraform-apply.yaml
@@ -10,7 +10,7 @@ on:
 options: [dev, test, preprod]
 jobs:
- plan-stacks:
+ apply-stacks:
 runs-on: ubuntu-latest
 environment: ${{ inputs.environment }}
 permissions:
@@ -57,7 +57,7 @@ jobs:
 - name: "Terraform Plan Stacks"
 env:
 ENVIRONMENT: ${{ inputs.environment }}
- WORKSPACE: ${{ inputs.environment }}
+ WORKSPACE: "default"
 TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
 TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
 TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
From ed57d59109bcfd653f39b7d29875317f1d4fe306 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Wed, 2 Jul 2025 16:25:04 +0100
Subject: [PATCH 2/6] added kinesis roles to github actions
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 6ea409dad..2cf94cf87 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
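Review bot: Pinning `WORKSPACE: "default"` while `ENVIRONMENT` still follows `inputs.environment` means every environment the workflow_dispatch offers (dev, test, preprod) now runs against the same Terraform workspace; unless the backend key or state path is already selected from `ENVIRONMENT` elsewhere (not visible in this hunk), an apply for one environment would read and write the state of another. If state is partitioned by environment and workspaces are intentionally unused, say so next to the line, e.g. `WORKSPACE: "default"  # state is keyed on ENVIRONMENT; workspaces are not used`. The step is still named "Terraform Plan Stacks" inside a job now called `apply-stacks`; if it runs an apply, the name should say so, since the job and step names are what an approver sees in the environment-protection prompt. The step body continues outside the hunk.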
@@ -456,7 +456,9 @@ resource "aws_iam_policy" "firehose_readonly" {
 "firehose:PutRecordBatch",
 "firehose:TagDeliveryStream",
 "firehose:ListTagsForDeliveryStream",
- "firehose:UntagDeliveryStream"
+ "firehose:UntagDeliveryStream",
+ "firehose:StartDeliveryStreamEncryption",
+ "firehose:StopDeliveryStreamEncryption"
 ]
 Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
 }
From 110dbfc7b280d16e94e9750e81f7016befb548e9 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Wed, 2 Jul 2025 16:58:30 +0100
Subject: [PATCH 3/6] increased timeout minutes
---
 .github/workflows/manual-terraform-apply.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml
index 757c27a3c..c4f9fe151 100644
--- a/.github/workflows/manual-terraform-apply.yaml
+++ b/.github/workflows/manual-terraform-apply.yaml
@@ -17,6 +17,8 @@ jobs:
 id-token: write
 contents: read
+ timeout-minutes: 30
+
 steps:
 - name: "Setup Terraform"
 uses: hashicorp/setup-terraform@v3
From e7217ad098ef1c48c0d4d49d164cba1e69c9750b Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Wed, 2 Jul 2025 17:08:11 +0100
Subject: [PATCH 4/6] dependency for kinesis firehose
---
 .../kinesis_firehose/kinesis_firehose_delivery_stream.tf | 5 +++++
 infrastructure/modules/kinesis_firehose/variables.tf | 5 +++++
 infrastructure/stacks/api-layer/kinesis_firehose.tf | 1 +
 3 files changed, 11 insertions(+)
diff --git a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
index a0937d692..685487c57 100644
--- a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
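Review bot: The two new actions go into a policy named `firehose_readonly`, and `firehose:StopDeliveryStreamEncryption` turns server-side encryption off for the `eligibility-signposting-api*` delivery streams, so the GitHub Actions role carrying this policy can now disable encryption at rest on the audit stream rather than only read it. If CI needs these so Terraform can converge the stream's encryption settings, that is a mutating permission and belongs in a separate, honestly named policy (the statement already mixes in `PutRecordBatch` and tagging actions, so the name is misleading today); at minimum document the reason inline, e.g. `# Start/Stop encryption are required for terraform to change server_side_encryption on the stream`. Worth confirming that `StopDeliveryStreamEncryption` is genuinely exercised, since a pipeline that only ever enables encryption never calls it, and leaving it out keeps a compromised CI credential from weakening the audit stream's protection. The enclosing `aws_iam_policy` resource starts before the hunk.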
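Review bot: `timeout-minutes: 30` is a job-level limit where the hunk shows none before, and GitHub's default job timeout is 360 minutes, so this shortens the job rather than lengthening it, contrary to the subject "increased timeout minutes"; if a longer apply was the goal a larger value is needed, and if 30 is a deliberate cap on hung applies a comment saying so, e.g. `timeout-minutes: 30  # cap runaway applies; raise if apply legitimately takes longer`, would stop the next person from reverting it. Placement between `permissions` and `steps` is fine. The job block starts before the hunk.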
+++ b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
@@ -25,5 +25,10 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
 key_type = "CUSTOMER_MANAGED_CMK"
 }
+ depends_on = [
+ aws_kms_key.firehose_cmk,
+ var.audit_firehose_role
+ ]
+
 tags = var.tags
 }
diff --git a/infrastructure/modules/kinesis_firehose/variables.tf b/infrastructure/modules/kinesis_firehose/variables.tf
index 69740d182..0e9b18396 100644
--- a/infrastructure/modules/kinesis_firehose/variables.tf
+++ b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -3,6 +3,11 @@ variable "audit_firehose_delivery_stream_name" {
 type = string
 }
+variable "audit_firehose_role" {
+ description = "audit firehose role"
+ type = any
+}
+
 variable "audit_firehose_role_arn" {
 description = "audit firehose role arn"
 type = string
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
index 90196d0e3..098469e34 100644
--- a/infrastructure/stacks/api-layer/kinesis_firehose.tf
+++ b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -2,6 +2,7 @@ module "eligibility_audit_firehose_delivery_stream" {
 source = "../../modules/kinesis_firehose"
 audit_firehose_delivery_stream_name = "audit_stream_to_s3"
 audit_firehose_role_arn = aws_iam_role.eligibility_audit_firehose_role.arn
+ audit_firehose_role = aws_iam_role.eligibility_audit_firehose_role
 s3_audit_bucket_arn = module.s3_audit_bucket.storage_bucket_arn
 environment = local.environment
 stack_name = local.stack_name
From 6b6acb50f8c250a9a574b83270b7f4c4a0c83c7c Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Wed, 2 Jul 2025 21:00:43 +0100
Subject: [PATCH 5/6] s3 cmk key depends on bucket
---
 infrastructure/modules/s3/kms.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/infrastructure/modules/s3/kms.tf b/infrastructure/modules/s3/kms.tf
index b117093b2..decb78315 100644
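Review bot: `depends_on = [..., var.audit_firehose_role]` only orders the delivery stream after the `aws_iam_role` itself exists, not after the policy that lets that role write to the bucket and use the CMK is attached, so if the motivation is Firehose rejecting the role at create time (the policy attachment is not visible here, so this is inferred) the dependency should be on the attachment resource, passed in by the caller, rather than on the role. `aws_kms_key.firehose_cmk` is very likely already an implicit dependency through the key reference in the `server_side_encryption` block just above (the `key_type = "CUSTOMER_MANAGED_CMK"` context line suggests so), which would make that entry redundant. A one-line comment stating which ordering problem this fixes, e.g. `# Firehose validates the role at create time; wait for it and its policy to exist`, would keep a future cleanup from removing it. The resource starts before the hunk.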
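Review bot: `type = any` on `audit_firehose_role` accepts whatever the caller passes, so handing in the role's ARN string instead of the role object is not caught at the module boundary and only fails later where the value is dereferenced. Declare the shape the module actually uses, e.g. `type = object({ arn = string })` — Terraform should drop the resource's extra attributes when converting to the narrower object type, so the caller can keep passing `aws_iam_role.eligibility_audit_firehose_role` unchanged — and say in the description that the whole role resource is expected, not its ARN. The same input is dereferenced as `var.audit_firehose_role.arn` in patch 6/6 (kinesis_firehose_delivery_stream.tf and kms.tf), which is where an untyped value would surface as an error.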
--- a/infrastructure/modules/s3/kms.tf
+++ b/infrastructure/modules/s3/kms.tf
@@ -3,6 +3,11 @@ resource "aws_kms_key" "storage_bucket_cmk" {
 deletion_window_in_days = 14
 is_enabled = true
 enable_key_rotation = true
+
+ depends_on = [
+ aws_s3_bucket.storage_bucket
+ ]
+
 }
 resource "aws_kms_alias" "storage_bucket_cmk" {
From 51d147e83fa810a45abe13f53c94363508f0c1fc Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Thu, 3 Jul 2025 09:58:43 +0100
Subject: [PATCH 6/6] redundant variable removed
---
 .../kinesis_firehose/kinesis_firehose_delivery_stream.tf | 2 +-
 infrastructure/modules/kinesis_firehose/kms.tf | 2 +-
 infrastructure/modules/kinesis_firehose/variables.tf | 5 -----
 infrastructure/stacks/api-layer/kinesis_firehose.tf | 1 -
 4 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
index 685487c57..ef6bbba3f 100644
--- a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
+++ b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
@@ -3,7 +3,7 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
 destination = "extended_s3"
 extended_s3_configuration {
- role_arn = var.audit_firehose_role_arn
+ role_arn = var.audit_firehose_role.arn
 bucket_arn = var.s3_audit_bucket_arn
 buffering_size = 1
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 8ba36b987..4294a7960 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
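Review bot: Making the CMK wait for `aws_s3_bucket.storage_bucket` inverts the usual order (bucket encryption settings need the key first), and if the bucket resource, its policy, or an `aws_s3_bucket_server_side_encryption_configuration` in this module references `aws_kms_key.storage_bucket_cmk`, this is a dependency cycle that `terraform validate` will reject; those resources are outside the hunk, so check before merging. If the dependency exists to fix a destroy-ordering problem (key scheduled for deletion before the bucket is emptied), record that next to it, e.g. `# destroyed after the bucket so its objects remain decryptable during bucket deletion`, because an unexplained depends_on on a KMS key is the kind of line a later cleanup removes. The extra blank line before the closing brace is a style nit. The `aws_kms_key` resource starts before the hunk.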
@@ -67,7 +67,7 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
 effect = "Allow"
 principals {
 type = "AWS"
- identifiers = [var.audit_firehose_role_arn]
+ identifiers = [var.audit_firehose_role.arn]
 }
 actions = ["kms:*"]
 resources = [aws_kms_key.firehose_cmk.arn]
diff --git a/infrastructure/modules/kinesis_firehose/variables.tf b/infrastructure/modules/kinesis_firehose/variables.tf
index 0e9b18396..50f25d32a 100644
--- a/infrastructure/modules/kinesis_firehose/variables.tf
+++ b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -8,11 +8,6 @@ variable "audit_firehose_role" {
 type = any
 }
-variable "audit_firehose_role_arn" {
- description = "audit firehose role arn"
- type = string
-}
-
 variable "s3_audit_bucket_arn" {
 description = "s3 audit bucket arn"
 type = string
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
index 098469e34..9571d9577 100644
--- a/infrastructure/stacks/api-layer/kinesis_firehose.tf
+++ b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -1,7 +1,6 @@
 module "eligibility_audit_firehose_delivery_stream" {
 source = "../../modules/kinesis_firehose"
 audit_firehose_delivery_stream_name = "audit_stream_to_s3"
- audit_firehose_role_arn = aws_iam_role.eligibility_audit_firehose_role.arn
 audit_firehose_role = aws_iam_role.eligibility_audit_firehose_role
 s3_audit_bucket_arn = module.s3_audit_bucket.storage_bucket_arn
 environment = local.environment
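Review bot: The principal rewritten here is the only one in a statement granting `actions = ["kms:*"]` on `aws_kms_key.firehose_cmk`, so the Firehose delivery role receives administrative control of the key (policy changes, grants, scheduling deletion) rather than the data-plane actions a delivery stream uses; since this commit is already reworking how the role reaches the key policy, it is the moment to narrow the statement to `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey*` and `kms:DescribeKey`, optionally with a `kms:ViaService` condition for the Firehose service in the stack's region. Whether key administration is covered by a separate statement for the account root or an admin role is outside this hunk and must be confirmed before narrowing, because removing all administrative access from a key policy leaves the key unmanageable. The `data "aws_iam_policy_document"` block starts before the hunk.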