From 2c4132b1935edce5763baeed6fc6d61d803fd898 Mon Sep 17 00:00:00 2001
From: hdavey-gds <129174608+hdavey-gds@users.noreply.github.com>
Date: Fri, 10 May 2024 13:21:49 +0100
Subject: [PATCH] Fix deployment in test (#775)

* Fix deployment in test

Move cloudfront and shield permissions from quicksight stack to main stack

* PR Fixes

Change condition on new policy from IsSecurePipelinesEnvironment to IsQuicksightEnvironment
---
 iac/main/resources/pipeline.yml | 42 ++++++++++++++++++++
 iac/quicksight-access/resources/pipeline.yml | 4 --
 2 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/iac/main/resources/pipeline.yml b/iac/main/resources/pipeline.yml
index d637d2e8e..04d768696 100644
--- a/iac/main/resources/pipeline.yml
+++ b/iac/main/resources/pipeline.yml
@@ -321,3 +321,45 @@ CloudTrailPolicy:
 - IsProduction
 - PL-dap-production-deploy-DeployRole-068116bf8a2e
 - Ref: 'AWS::NoValue'
+
+CDNPolicy:
+ # checkov:skip=CKV_AWS_111: "Allowing write access without constraints"
+ Type: 'AWS::IAM::ManagedPolicy'
+ Condition: IsQuicksightEnvironment
+ Properties:
+ Description: 'Managed policy for CDN'
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: 'Allow'
+ Action:
+ - 'shield:CreateProtection'
+ - 'shield:DeleteProtection'
+ - 'shield:DescribeProtection'
+ - 'cloudfront:CreateOriginAccessControl'
+ Resource: '*'
+ Roles:
+ - Fn::If:
+ - IsDev
+ - PL-secure-pipelines-pipeline-DeployRole-0ac4f1a0d400
+ - Ref: 'AWS::NoValue'
+ - Fn::If:
+ - IsTest
+ - PL-dap-test-deploy-DeployRole-022c55851b0a
+ - Ref: 'AWS::NoValue'
+ - Fn::If:
+ - IsBuild
+ - PL-dap-build-deploy-DeployRole-02569a5d3e58
+ - Ref: 'AWS::NoValue'
+ - Fn::If:
+ - IsIntegration
+ - PL-dap-integration-deploy-DeployRole-023e422e7530
+ - Ref: 'AWS::NoValue'
+ - Fn::If:
+ - IsStaging
+ - PL-dap-staging-deploy-DeployRole-02e7fac29d94
+ - Ref: 'AWS::NoValue'
+ - Fn::If:
+ - IsProduction
+ - PL-dap-production-deploy-DeployRole-068116bf8a2e
+ - Ref: 'AWS::NoValue'
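Review bot: `Resource: '*'` on the new CDNPolicy statement lets every listed deploy role call `shield:DeleteProtection` against any Shield protection in the account, not only the ones this pipeline creates, and the `checkov:skip=CKV_AWS_111` line records no reason for keeping the wildcard. The three Shield actions operate on protection ARNs, so the statement can stay account-bound with `Resource:` / `Fn::Sub: 'arn:${AWS::Partition}:shield::${AWS::AccountId}:protection/*'` (the file already uses the long-form `Ref:`/`Fn::If:` syntax); whether `cloudfront:CreateOriginAccessControl` honours a resource ARN should be confirmed first, otherwise move it into its own statement so the Shield actions can be scoped independently. If a wildcard really is required, the skip comment should say why, e.g. `# checkov:skip=CKV_AWS_111: "Shield protection IDs are only known after CreateProtection, so the ARN cannot be pinned here"`. Since these permissions now live in the main stack rather than the quicksight-access stack, the quicksight deploy presumably depends on this policy being applied first, which is worth confirming against the pipeline ordering rather than assuming.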
diff --git a/iac/quicksight-access/resources/pipeline.yml b/iac/quicksight-access/resources/pipeline.yml
index 92db2a75e..4788994a1 100644
--- a/iac/quicksight-access/resources/pipeline.yml
+++ b/iac/quicksight-access/resources/pipeline.yml
@@ -42,10 +42,6 @@ WAFCognitoPolicy:
 - 'logs:PutResourcePolicy'
 - 'logs:DescribeResourcePolicies'
 - 'logs:DescribeLogGroups'
- - 'shield:CreateProtection'
- - 'shield:DeleteProtection'
- - 'shield:DescribeProtection'
- - 'cloudfront:CreateOriginAccessControl'
 Resource: '*'
 Roles:
 - Fn::If: