Fix: [AEA-4386] - add permissions to delete cnames to dev (#434)

## Summary - Routine Change ### Details - add permissions to delete CNAMES in dev
NHSDigital · Aug 28, 2024 · c49a617 · c49a617
1 parent b125d09
commit c49a617
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 5 deletions.
diff --git a/cloudformation/ci_resources.yml b/cloudformation/ci_resources.yml
@@ -35,6 +35,14 @@ Parameters:
     Description: >
       Subject claim filter for valid tokens for the proxygen prod role.
     Default: ""
+  EnableDeleteCNAME:
+    Type: String
+    Description: Whether to allow delete CNAME permissions
+    Default: false
+    AllowedValues: [true, false]
+
+Conditions:
+  ShouldCreateDeleteCNAMEpermissions: !Equals [true, !Ref EnableDeleteCNAME]
 
 Resources:
   ##################################################
@@ -171,6 +179,22 @@ Resources:
               - ecr:GetAuthorizationToken
             Resource: "*"
 
+  RemoveOldCNAMERecordsPolicy:
+    Condition: ShouldCreateDeleteCNAMEpermissions
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Roles:
+        - Ref: CloudFormationDeployRole
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - route53:ChangeResourceRecordSets
+              - route53:ListHostedZonesByName
+              - route53:ListResourceRecordSets
+            Resource: !Sub "arn:aws::${AWS::Region}:${AWS::AccountId}:*"
+
   ##################################################
   # Cloudformation Execution Role
   ##################################################

diff --git a/cloudformation/env/dev.json b/cloudformation/env/dev.json
@@ -44,7 +44,8 @@
       ],
       "ProxygenProdClaimFilters": [
         "NONE"
-      ]
+      ],
+      "EnableDeleteCNAME": "true"
     },
     "account-resources": {},
     "lambda-resources": {

diff --git a/cloudformation/env/int.json b/cloudformation/env/int.json
@@ -36,7 +36,8 @@
       ],
       "ProxygenProdClaimFilters": [
         "NONE"
-      ]
+      ],
+      "EnableDeleteCNAME": "false"
     },
     "account-resources": {},
     "lambda-resources": {

diff --git a/cloudformation/env/prod.json b/cloudformation/env/prod.json
@@ -37,7 +37,8 @@
       "ProxygenProdClaimFilters": [
         "repo:NHSDigital/eps-prescription-status-update-api:environment:int",
         "repo:NHSDigital/eps-prescription-status-update-api:environment:prod"
-      ]
+      ],
+      "EnableDeleteCNAME": "false"
     },
     "account-resources": {},
     "lambda-resources": {

diff --git a/cloudformation/env/qa.json b/cloudformation/env/qa.json
@@ -35,7 +35,8 @@
       ],
       "ProxygenProdClaimFilters": [
         "NONE"
-      ]
+      ],
+      "EnableDeleteCNAME": "false"
     },
     "account-resources": {},
     "lambda-resources": {

diff --git a/cloudformation/env/ref.json b/cloudformation/env/ref.json
@@ -38,7 +38,8 @@
       ],
       "ProxygenProdClaimFilters": [
         "NONE"
-      ]
+      ],
+      "EnableDeleteCNAME": "false"
     },
     "account-resources": {},
     "lambda-resources": {