From c4695f92bda4eee0e6c63f2d2fd93185a4120fe3 Mon Sep 17 00:00:00 2001
From: jamesthompson26-nhs
Date: Tue, 23 Jun 2026 14:31:18 +0100
Subject: [PATCH] CCM-18334: Eventsub KMS Perms Addition
---
 .../terraform/modules/eventsub/iam_role_sns.tf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/infrastructure/terraform/modules/eventsub/iam_role_sns.tf b/infrastructure/terraform/modules/eventsub/iam_role_sns.tf
index 97bdc99a..294e392f 100644
--- a/infrastructure/terraform/modules/eventsub/iam_role_sns.tf
+++ b/infrastructure/terraform/modules/eventsub/iam_role_sns.tf
@@ -48,4 +48,17 @@ data "aws_iam_policy_document" "firehose_delivery" {
 "${aws_kinesis_firehose_delivery_stream.main[0].arn}",
 ]
 }
+ statement {
+ sid = "AllowKmsAccessForFirehoseDelivery"
+ effect = "Allow"
+
+ actions = [
+ "kms:GenerateDataKey",
+ "kms:Decrypt",
+ ]
+
+ resources = [
+ var.kms_key_arn,
+ ]
+ }
 }
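Review bot: The new `AllowKmsAccessForFirehoseDelivery` statement grants `kms:Decrypt` as well as `kms:GenerateDataKey` on `var.kms_key_arn` with no `condition` block, so the role may use the key for any purpose and through any calling service, not only for delivery to the Firehose stream named in the preceding statement. If this path only writes records, `"kms:Decrypt",` can probably be dropped; if both actions are needed, a `condition` on `kms:ViaService` or on the encryption context would tie the grant to the delivery path, though which service actually calls KMS here should be confirmed before pinning a value. A one-line comment above the statement naming the encrypted resource that requires these actions would help later policy audits. The `firehose_delivery` policy document begins outside the hunk, so whether `var.kms_key_arn` is shared with other resources in the module cannot be seen from here.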