CCM-18334: Firehose Delivery Stream Permissions Update

jamesthompson26-nhs · jamesthompson26-nhs · commit c19fb5774777 · 2026-06-22T14:55:01.000+01:00
diff --git a/infrastructure/terraform/modules/eventpub/iam_role_sns.tf b/infrastructure/terraform/modules/eventpub/iam_role_sns.tf
@@ -49,4 +49,18 @@ data "aws_iam_policy_document" "firehose_delivery" {
       "${aws_kinesis_firehose_delivery_stream.main[0].arn}",
     ]
   }
+
+  statement {
+    sid    = "AllowKmsAccessForFirehoseDelivery"
+    effect = "Allow"
+
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      var.kms_key_arn,
+    ]
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -49,4 +49,18 @@ data "aws_iam_policy_document" "firehose_delivery" {`
`49`	`49`	`"${aws_kinesis_firehose_delivery_stream.main[0].arn}",`
`50`	`50`	`]`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ statement {`
	`54`	`+ sid = "AllowKmsAccessForFirehoseDelivery"`
	`55`	`+ effect = "Allow"`
	`56`	`+`
	`57`	`+ actions = [`
	`58`	`+ "kms:GenerateDataKey",`
	`59`	`+ "kms:Decrypt",`
	`60`	`+ ]`
	`61`	`+`
	`62`	`+ resources = [`
	`63`	`+ var.kms_key_arn,`
	`64`	`+ ]`
	`65`	`+ }`
`52`	`66`	`}`