kinesis permission for github actions

.github/workflows/manual-terraform-apply.yaml

@@ -17,6 +17,8 @@ jobs:
       id-token: write
       contents: read
 
+    timeout-minutes: 30
+
     steps:
       - name: "Setup Terraform"
         uses: hashicorp/setup-terraform@v3

infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf

@@ -3,7 +3,7 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
   destination = "extended_s3"
 
   extended_s3_configuration {
-    role_arn   = var.audit_firehose_role_arn
+    role_arn   = var.audit_firehose_role.arn
     bucket_arn = var.s3_audit_bucket_arn
 
     buffering_size     = 1
@@ -25,5 +25,10 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
     key_type = "CUSTOMER_MANAGED_CMK"
   }
 
+  depends_on = [
+    aws_kms_key.firehose_cmk,
+    var.audit_firehose_role
+  ]
+
   tags = var.tags
 }

infrastructure/modules/kinesis_firehose/kms.tf

@@ -67,7 +67,7 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [var.audit_firehose_role_arn]
+      identifiers = [var.audit_firehose_role.arn]
     }
     actions   = ["kms:*"]
     resources = [aws_kms_key.firehose_cmk.arn]

infrastructure/modules/kinesis_firehose/variables.tf

@@ -3,9 +3,9 @@ variable "audit_firehose_delivery_stream_name" {
   type        = string
 }
 
-variable "audit_firehose_role_arn" {
-  description = "audit firehose role arn"
-  type        = string
+variable "audit_firehose_role" {
+  description = "audit firehose role"
+  type        = any
 }
 
 variable "s3_audit_bucket_arn" {

infrastructure/modules/s3/kms.tf

@@ -3,6 +3,11 @@ resource "aws_kms_key" "storage_bucket_cmk" {
   deletion_window_in_days = 14
   is_enabled              = true
   enable_key_rotation     = true
+
+  depends_on = [
+    aws_s3_bucket.storage_bucket
+  ]
+
 }
 
 resource "aws_kms_alias" "storage_bucket_cmk" {

infrastructure/stacks/api-layer/kinesis_firehose.tf

@@ -1,7 +1,7 @@
 module "eligibility_audit_firehose_delivery_stream" {
   source                              = "../../modules/kinesis_firehose"
   audit_firehose_delivery_stream_name = "audit_stream_to_s3"
-  audit_firehose_role_arn             = aws_iam_role.eligibility_audit_firehose_role.arn
+  audit_firehose_role                 = aws_iam_role.eligibility_audit_firehose_role
   s3_audit_bucket_arn                 = module.s3_audit_bucket.storage_bucket_arn
   environment                         = local.environment
   stack_name                          = local.stack_name

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -456,7 +456,9 @@ resource "aws_iam_policy" "firehose_readonly" {
           "firehose:PutRecordBatch",
           "firehose:TagDeliveryStream",
           "firehose:ListTagsForDeliveryStream",
-          "firehose:UntagDeliveryStream"
+          "firehose:UntagDeliveryStream",
+          "firehose:StartDeliveryStreamEncryption",
+          "firehose:StopDeliveryStreamEncryption"
         ]
         Resource = "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*"
       }