NHSDigital · Karthikeyannhs · Oct 8, 2025 · Oct 8, 2025
diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -4,6 +4,11 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
   tags              = var.tags
   kms_key_id        = aws_kms_key.api_gateway.arn
 
+  depends_on = [
+    aws_kms_key.api_gateway,
+    aws_kms_key_policy.api_gateway
+  ]
+
   lifecycle {
     prevent_destroy = false
   }

diff --git a/infrastructure/modules/kinesis_firehose/outputs.tf b/infrastructure/modules/kinesis_firehose/outputs.tf
@@ -5,3 +5,11 @@ output "firehose_stream_name" {
 output "kinesis_firehose_cmk_arn" {
   value = aws_kms_key.firehose_cmk.arn
 }
+
+output "kinesis_firehose_cmk" {
+  value = aws_kms_key.firehose_cmk
+}
+
+output "kinesis_firehose_key_policy" {
+  value = aws_kms_key_policy.firehose_key_policy
+}
diff --git a/infrastructure/stacks/api-layer/cloudwatch.tf b/infrastructure/stacks/api-layer/cloudwatch.tf
@@ -21,7 +21,8 @@ resource "aws_cloudwatch_log_group" "firehose_audit" {
   }
 
   depends_on = [
-    module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn
+    module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk,
+    module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_key_policy,
   ]
 }
 

diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -15,29 +15,29 @@ resource "aws_s3_bucket_policy" "truststore" {
 data "aws_iam_policy_document" "truststore_api_gateway" {
   # Deny non-SSL
   statement {
-    sid     = "AllowSslRequestsOnly"
+    sid    = "AllowSslRequestsOnly"
     actions = ["s3:*"]
-    effect  = "Deny"
+    effect = "Deny"
     resources = [
       module.s3_truststore_bucket.storage_bucket_arn,
       "${module.s3_truststore_bucket.storage_bucket_arn}/*"
     ]
     principals {
-      type        = "*"
+      type = "*"
       identifiers = ["*"]
     }
     condition {
       test     = "Bool"
       variable = "aws:SecureTransport"
-      values   = ["false"]
+      values = ["false"]
     }
   }
   statement {
     sid    = "Enable S3 access permissions for API Gateway"
     effect = "Allow"
 
     principals {
-      type        = "Service"
+      type = "Service"
       identifiers = ["apigateway.amazonaws.com"]
     }
 
@@ -56,6 +56,12 @@ resource "aws_s3_object" "pem_file" {
 
   acl = "private"
 
+  override_provider {
+    default_tags {
+      tags = {}
+    }
+  }
+
   # Explicitly set empty tags to override default_tags due to S3 object 10-tag limit
   tags = {}