From dc9255b6f69899d72a50e25fc601331bcd01178a Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Mon, 7 Jul 2025 11:55:03 +0100
Subject: [PATCH] fix - kms firehose permissions
---
infrastructure/modules/kinesis_firehose/kms.tf | 15 ++++++++++++++-
.../modules/kinesis_firehose/variables.tf | 6 ++++++
.../stacks/api-layer/kinesis_firehose.tf | 1 +
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
index 4294a7960..a725c4fab 100644
--- a/infrastructure/modules/kinesis_firehose/kms.tf
+++ b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -91,11 +91,24 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" { condition { test = "StringEquals" variable = "kms:EncryptionContext:aws:logs:arn" - values = [ + values = [ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit" ] } } + + statement { sid = "AllowLambdaUsage" effect = "Allow" principals { type = "AWS" identifiers = [var.eligibility_lambda_role_arn] } actions = [ "kms:*" ] resources = [aws_kms_key.firehose_cmk.arn] } }
diff --git a/infrastructure/modules/kinesis_firehose/variables.tf b/infrastructure/modules/kinesis_firehose/variables.tf
index 50f25d32a..03d81ebaf 100644
--- a/infrastructure/modules/kinesis_firehose/variables.tf
+++ b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -23,5 +23,11 @@ variable "kinesis_cloud_watch_log_stream" { type = string } +variable "eligibility_lambda_role_arn" { description = "iam role of eligibility lambda" type = any } + +
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
index 9571d9577..850097b96 100644
--- a/infrastructure/stacks/api-layer/kinesis_firehose.tf
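Review bot: The new `AllowLambdaUsage` statement grants `kms:*` on the Firehose CMK to the eligibility Lambda role, and in a key policy that wildcard covers administrative actions such as `kms:PutKeyPolicy`, `kms:ScheduleKeyDeletion`, `kms:DisableKey` and `kms:CreateGrant`, so a compromised or misbehaving function could rewrite who may use the key or make the audit data it protects unrecoverable. The Sid itself says "usage", and the preceding statement visible in this hunk is narrowed with a `kms:EncryptionContext:aws:logs:arn` condition, so this grant is the outlier in the same policy document. Restrict it to the data-plane actions the function actually needs, for example `actions = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]`, dropping any of those the Lambda does not use, and consider a `kms:ViaService` condition if the key is only ever reached through Firehose. The enclosing `firehose_kms_key_policy` data block begins before this hunk.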
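Review bot: `eligibility_lambda_role_arn` is declared `type = any` even though the module interpolates it straight into a key-policy `principals.identifiers` list, so a wrong type passed by a caller is reported deep inside the policy document instead of at the module boundary with a clear message. Declare it as `type = string`, and since the description says "iam role" while the value is an ARN, tighten it to something like `description = "ARN of the eligibility Lambda execution role that may use the Firehose CMK"`. A `validation` block with `condition = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.eligibility_lambda_role_arn))` would also catch miswired inputs at plan time.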
+++ b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -9,4 +9,5 @@ module "eligibility_audit_firehose_delivery_stream" { tags = local.tags kinesis_cloud_watch_log_group_name = aws_cloudwatch_log_group.firehose_audit.name kinesis_cloud_watch_log_stream = aws_cloudwatch_log_stream.firehose_audit_stream.name + eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn }