From 80b172ae7f820b0ea84bf6d332ae502bd4e9d917 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 7 Oct 2025 11:36:31 +0100
Subject: [PATCH 1/6] fix : added kms resource depends in kinesis cloudwatch
---
 infrastructure/modules/kinesis_firehose/outputs.tf | 5 +++++
 infrastructure/stacks/api-layer/cloudwatch.tf | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/infrastructure/modules/kinesis_firehose/outputs.tf b/infrastructure/modules/kinesis_firehose/outputs.tf
index d457b669a..1b288941a 100644
--- a/infrastructure/modules/kinesis_firehose/outputs.tf
+++ b/infrastructure/modules/kinesis_firehose/outputs.tf
@@ -5,3 +5,8 @@ output "firehose_stream_name" {
 output "kinesis_firehose_cmk_arn" {
 value = aws_kms_key.firehose_cmk.arn
 }
+
+output "kinesis_firehose_cmk" {
+ value = aws_kms_key.firehose_cmk
+}
+
diff --git a/infrastructure/stacks/api-layer/cloudwatch.tf b/infrastructure/stacks/api-layer/cloudwatch.tf
index babe1753f..524e9114c 100644
--- a/infrastructure/stacks/api-layer/cloudwatch.tf
+++ b/infrastructure/stacks/api-layer/cloudwatch.tf
@@ -21,7 +21,7 @@ resource "aws_cloudwatch_log_group" "firehose_audit" {
 }
 depends_on = [
- module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn
+ module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk
 ]
 }
From 48c7570e718d2737b26f13d08583b3b808c81cc3 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 7 Oct 2025 11:48:32 +0100
Subject: [PATCH 2/6] override provide tags
---
 .../stacks/api-layer/truststore_s3_bucket.tf | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
index 48cd73a73..b36f39e68 100644
--- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
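Review bot: The new `kinesis_firehose_cmk` output exports the whole `aws_kms_key.firehose_cmk` object — every attribute, including `policy` — into the calling stack's plan and state, apparently only so the caller can name it in `depends_on`, while the attribute-level `kinesis_firehose_cmk_arn` output above it already covers every value a caller needs. If ordering is the only goal, the caller can write `depends_on = [module.eligibility_audit_firehose_delivery_stream]`, which waits on everything the module creates (including any key policy resource it manages), and this output can be dropped. If the whole-object output is kept, mark its purpose so nobody starts consuming attributes through it: `# Exposed for dependency ordering in the calling stack only; read values via kinesis_firehose_cmk_arn.`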
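Review bot: In the `firehose_audit` hunk the `depends_on` entry still points at a module output attribute rather than a resource or module; Terraform's `depends_on` expects whole-object references, so unless the version in use accepts this form it will be rejected at validate time, and even where it is accepted it only orders the log group behind that one output's upstream, not behind the key policy that has to grant CloudWatch Logs use of the CMK before a log group encrypted with it can be created (the `kms_key_id` argument is outside this hunk, so this is inferred from the dependency the commit is trying to express). The whole-module form `depends_on = [module.eligibility_audit_firehose_delivery_stream]` is both valid and sufficient, and would have removed the need for the sleep introduced in PATCH 3/6. The `aws_cloudwatch_log_group.firehose_audit` resource starts above the hunk.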
+++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -15,21 +15,21 @@ resource "aws_s3_bucket_policy" "truststore" {
 data "aws_iam_policy_document" "truststore_api_gateway" {
 # Deny non-SSL
 statement {
- sid = "AllowSslRequestsOnly"
+ sid = "AllowSslRequestsOnly"
 actions = ["s3:*"]
- effect = "Deny"
+ effect = "Deny"
 resources = [
 module.s3_truststore_bucket.storage_bucket_arn,
 "${module.s3_truststore_bucket.storage_bucket_arn}/*"
 ]
 principals {
- type = "*"
+ type = "*"
 identifiers = ["*"]
 }
 condition {
 test = "Bool"
 variable = "aws:SecureTransport"
- values = ["false"]
+ values = ["false"]
 }
 }
 statement {
@@ -37,7 +37,7 @@ data "aws_iam_policy_document" "truststore_api_gateway" {
 effect = "Allow"
 principals {
- type = "Service"
+ type = "Service"
 identifiers = ["apigateway.amazonaws.com"]
 }
@@ -59,6 +59,13 @@ resource "aws_s3_object" "pem_file" {
 # Explicitly set empty tags to override default_tags due to S3 object 10-tag limit
 tags = {}
+ override_provider {
+ default_tags {
+ tags = {}
+ }
+ }
+
+
 lifecycle {
 ignore_changes = [tags_all]
 }
From 2a876b0c8c65587b58e8098e9e53e0b34149e3ba Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 7 Oct 2025 13:47:44 +0100
Subject: [PATCH 3/6] delay to fix dependency issue
---
 infrastructure/stacks/api-layer/cloudwatch.tf | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/api-layer/cloudwatch.tf b/infrastructure/stacks/api-layer/cloudwatch.tf
index 524e9114c..1e56fb0cd 100644
--- a/infrastructure/stacks/api-layer/cloudwatch.tf
+++ b/infrastructure/stacks/api-layer/cloudwatch.tf
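Review bot: In the `pem_file` hunk, once `override_provider { default_tags { tags = {} } }` stops the provider from injecting default tags, `tags = {}` is the complete tag set and the `lifecycle { ignore_changes = [tags_all] }` kept below it becomes redundant; worse, it keeps suppressing drift detection on the object that holds the API Gateway mTLS truststore, so an out-of-band tag change on it would never show in a plan. Unless that exception is still wanted for another reason, drop the `ignore_changes` and let the empty tag set be enforced. The comment above should also be updated to match the new mechanism, e.g. `# S3 objects allow at most 10 tags; override_provider drops the provider default_tags so tags = {} is the full set.` The `aws_s3_object.pem_file` resource starts above the hunk.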
@@ -10,6 +10,17 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {
 }
 }
+resource "null_resource" "kms_policy_propagation_delay" {
+ depends_on = [
+ module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk,
+ # Add any KMS key policy resource if you manage separately
+ ]
+
+ provisioner "local-exec" {
+ command = "sleep 15" # 15 seconds delay
+ }
+}
+
 resource "aws_cloudwatch_log_group" "firehose_audit" {
 name = "/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
 retention_in_days = 365
@@ -21,7 +32,8 @@ resource "aws_cloudwatch_log_group" "firehose_audit" {
 }
 depends_on = [
- module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk
+ module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk,
+ null_resource.kms_policy_propagation_delay
 ]
 }
From f1ac27b06fd1fcd0a04676982641ef936aa61e13 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 7 Oct 2025 13:58:30 +0100
Subject: [PATCH 4/6] delay to fix dependency issue
---
 infrastructure/modules/api_gateway/cloudwatch.tf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
index 272a1c465..88678d6ac 100644
--- a/infrastructure/modules/api_gateway/cloudwatch.tf
+++ b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -1,3 +1,13 @@
+resource "null_resource" "kms_policy_propagation_delay" {
+ depends_on = [
+ aws_kms_key.api_gateway
+ ]
+
+ provisioner "local-exec" {
+ command = "sleep 15" # 15 seconds delay
+ }
+}
+
 resource "aws_cloudwatch_log_group" "api_gateway" {
 name = "/aws/apigateway/${var.workspace}-${var.api_gateway_name}"
 retention_in_days = 365
@@ -7,4 +17,9 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
 lifecycle {
 prevent_destroy = false
 }
+
+ depends_on = [
+ null_resource.kms_policy_propagation_delay
+ ]
+
 }
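Review bot: `null_resource.kms_policy_propagation_delay` hides the ordering problem behind `sleep 15` instead of stating it: a `null_resource` with no `triggers` runs its `local-exec` once on first creation only, so a later replacement of the CMK gets no wait at all, the 15 s is a guess that will still flake under slower KMS/IAM propagation, and `local-exec` makes every runner that applies this stack execute a shell command during apply. The same construct is repeated in the `api_gateway` module hunk of PATCH 4/6, and the second hunk here lists both the module output and the null_resource in the log group's `depends_on`, which is redundant once the null_resource already depends on that output. Order the log group behind the thing that must actually exist — the key (and its policy granting CloudWatch Logs use of it) — with `depends_on = [module.eligibility_audit_firehose_delivery_stream]` here and the implicit reference through the log group's own key argument in the module; if a propagation wait is genuinely unavoidable, a `time_sleep` resource with `create_duration` and `triggers` keyed on the key ARN states the intent declaratively and re-runs when the key changes (it needs the hashicorp/time provider, as `null_resource` needs hashicorp/null). At minimum replace `# 15 seconds delay` with the reason, e.g. `# KMS key policy propagation is eventually consistent; without this wait log group creation failed with <observed error — fill in>`. `aws_cloudwatch_log_group.firehose_audit` continues past the end of the first hunk.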
From 9f652ee3813ae2cd6f95a2832b6c0e253d189ef0 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 7 Oct 2025 14:06:32 +0100
Subject: [PATCH 5/6] code cleanup
---
 infrastructure/stacks/api-layer/cloudwatch.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/infrastructure/stacks/api-layer/cloudwatch.tf b/infrastructure/stacks/api-layer/cloudwatch.tf
index 1e56fb0cd..1e962c488 100644
--- a/infrastructure/stacks/api-layer/cloudwatch.tf
+++ b/infrastructure/stacks/api-layer/cloudwatch.tf
@@ -13,7 +13,6 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {
 resource "null_resource" "kms_policy_propagation_delay" {
 depends_on = [
 module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk,
- # Add any KMS key policy resource if you manage separately
 ]
 provisioner "local-exec" {
From 65c1d01e66b6763ecc3c9a7adb7390f97a7f6d47 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Tue, 7 Oct 2025 14:10:48 +0100
Subject: [PATCH 6/6] code cleanup
---
 infrastructure/modules/api_gateway/cloudwatch.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
index 88678d6ac..cccb1664e 100644
--- a/infrastructure/modules/api_gateway/cloudwatch.tf
+++ b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -4,7 +4,7 @@ resource "null_resource" "kms_policy_propagation_delay" {
 ]
 provisioner "local-exec" {
- command = "sleep 15" # 15 seconds delay
+ command = "sleep 15" # 15 seconds delay
 }
 }
@@ -18,7 +18,7 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
 prevent_destroy = false
 }
- depends_on = [
+ depends_on = [
 null_resource.kms_policy_propagation_delay
 ]