fix - kms firehose permissions (#218)

Karthikeyannhs · web-flow · commit 8e4f73e7113b · 2025-07-07T12:03:44.000+01:00
diff --git a/infrastructure/modules/kinesis_firehose/kms.tf b/infrastructure/modules/kinesis_firehose/kms.tf
@@ -91,11 +91,24 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {
     condition {
       test     = "StringEquals"
       variable = "kms:EncryptionContext:aws:logs:arn"
-      values   = [
+      values = [
         "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
       ]
     }
   }
+
+  statement {
+    sid    = "AllowLambdaUsage"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [var.eligibility_lambda_role_arn]
+    }
+    actions = [
+      "kms:*"
+    ]
+    resources = [aws_kms_key.firehose_cmk.arn]
+  }
 }
 
 
diff --git a/infrastructure/modules/kinesis_firehose/variables.tf b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -23,5 +23,11 @@ variable "kinesis_cloud_watch_log_stream" {
   type        = string
 }
 
+variable "eligibility_lambda_role_arn" {
+  description = "iam role of eligibility lambda"
+  type        = any
+}
+
+
 
 
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -9,4 +9,5 @@ module "eligibility_audit_firehose_delivery_stream" {
   tags                                = local.tags
   kinesis_cloud_watch_log_group_name  = aws_cloudwatch_log_group.firehose_audit.name
   kinesis_cloud_watch_log_stream      = aws_cloudwatch_log_stream.firehose_audit_stream.name
+  eligibility_lambda_role_arn            = aws_iam_role.eligibility_lambda_role.arn
 }

Original file line number	Diff line number	Diff line change
`@@ -91,11 +91,24 @@ data "aws_iam_policy_document" "firehose_kms_key_policy" {`
`91`	`91`	`condition {`
`92`	`92`	`test = "StringEquals"`
`93`	`93`	`variable = "kms:EncryptionContext:aws:logs:arn"`
`94`		`- values = [`
	`94`	`+ values = [`
`95`	`95`	`"arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"`
`96`	`96`	`]`
`97`	`97`	`}`
`98`	`98`	`}`
	`99`	`+`
	`100`	`+ statement {`
	`101`	`+ sid = "AllowLambdaUsage"`
	`102`	`+ effect = "Allow"`
	`103`	`+ principals {`
	`104`	`+ type = "AWS"`
	`105`	`+ identifiers = [var.eligibility_lambda_role_arn]`
	`106`	`+ }`
	`107`	`+ actions = [`
	`108`	`+ "kms:*"`
	`109`	`+ ]`
	`110`	`+ resources = [aws_kms_key.firehose_cmk.arn]`
	`111`	`+ }`
`99`	`112`	`}`
`100`	`113`
`101`	`114`
Original file line number	Diff line number	Diff line change
`@@ -23,5 +23,11 @@ variable "kinesis_cloud_watch_log_stream" {`
`23`	`23`	`type = string`
`24`	`24`	`}`
`25`	`25`
	`26`	`+variable "eligibility_lambda_role_arn" {`
	`27`	`+ description = "iam role of eligibility lambda"`
	`28`	`+ type = any`
	`29`	`+}`
	`30`	`+`
	`31`	`+`
`26`	`32`
`27`	`33`
Original file line number	Diff line number	Diff line change
`@@ -9,4 +9,5 @@ module "eligibility_audit_firehose_delivery_stream" {`
`9`	`9`	`tags = local.tags`
`10`	`10`	`kinesis_cloud_watch_log_group_name = aws_cloudwatch_log_group.firehose_audit.name`
`11`	`11`	`kinesis_cloud_watch_log_stream = aws_cloudwatch_log_stream.firehose_audit_stream.name`
	`12`	`+ eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn`
`12`	`13`	`}`