Skip to content

CCM-18334: Firehose Delivery Stream Permissions Update#220

Open
jamesthompson26-nhs wants to merge 1 commit into
mainfrom
feature/CCM-18334_Firehose_Delivery_Stream_Perms_Update
Open

CCM-18334: Firehose Delivery Stream Permissions Update#220
jamesthompson26-nhs wants to merge 1 commit into
mainfrom
feature/CCM-18334_Firehose_Delivery_Stream_Perms_Update

Conversation

@jamesthompson26-nhs

@jamesthompson26-nhs jamesthompson26-nhs commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Description

Added kms:GenerateDataKey and kms:Decrypt to the IAM policy for the SNS delivery role in infrastructure/terraform/modules/eventpub/iam_role_sns.tf, so the principal that calls Firehose PutRecord/PutRecordBatch can write to the SSE-CMK-encrypted delivery stream.

Context

AWS now requires callers of Firehose PutRecord and PutRecordBatch to have KMS data key and decrypt permissions when the delivery stream uses a customer-managed KMS key. Without this change, the shared eventpub module’s Firehose-backed delivery path would fail for encrypted streams.

image

Will require bumps of the version in the below:

  • nhs-notify-digital-letters/infrastructure/terraform/components/dl/modules_eventpub.tf - 3.0.6
  • nhs-notify-supplier-api/infrastructure/terraform/components/api/modules_eventpub.tf - 3.0.6
  • nhs-notify-web-template-management/infrastructure/terraform/components/sbx/module_eventpub.tf - 3.0.6
  • nhs-notify-web-template-management/infrastructure/terraform/components/app/module_eventpub.tf - 3.0.6
  • comms-mgr/comms/terraform/components/api/module_eventpub.tf - 4.0.0

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

@jamesthompson26-nhs jamesthompson26-nhs requested a review from a team as a code owner June 22, 2026 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aidenvaines-cgi aidenvaines-cgi Awaiting requested review from aidenvaines-cgi

@sidnhs sidnhs Awaiting requested review from sidnhs

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jamesthompson26-nhs