Rgjb te eli 422 add kms permissions to external role (#397)

robbailiff2 · web-flow · commit 52d14b521ed3 · 2025-09-29T16:56:39.000+01:00
* Added new kms policy for external write role

* Moved ref checkout to the top of deploy job

* Remove repeated code

* Appended firehouse kms permissions to external write role
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -515,7 +515,8 @@ data "aws_iam_policy_document" "external_role_s3_audit_kms_access_policy" {
       "kms:DescribeKey"
     ]
     resources = [
-      module.s3_audit_bucket.storage_bucket_kms_key_arn
+      module.s3_audit_bucket.storage_bucket_kms_key_arn,
+      module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn
     ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -515,7 +515,8 @@ data "aws_iam_policy_document" "external_role_s3_audit_kms_access_policy" {`
`515`	`515`	`"kms:DescribeKey"`
`516`	`516`	`]`
`517`	`517`	`resources = [`
`518`		`- module.s3_audit_bucket.storage_bucket_kms_key_arn`
	`518`	`+ module.s3_audit_bucket.storage_bucket_kms_key_arn,`
	`519`	`+ module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn`
`519`	`520`	`]`
`520`	`521`	`}`
`521`	`522`	`}`