From eb354d05b62dbb09b0663387a19bac419d91b33b Mon Sep 17 00:00:00 2001
From: Matthias Kay
Date: Wed, 6 Oct 2021 22:24:34 +0200
Subject: [PATCH] fix: Limit iam:PassRole to the role passed (#376)

* Limit policy iam:PassRole to the role passed

Co-authored-by: kayma
---
 main.tf                                      |  7 +++++--
 policies/instance-docker-machine-policy.json | 10 ++++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index 3c79e360c..25c3e17ec 100644
--- a/main.tf
+++ b/main.tf
@@ -350,8 +350,11 @@ resource "aws_iam_policy" "instance_docker_machine_policy" {
   name = "${local.name_iam_objects}-docker-machine"
   path = "/"
   description = "Policy for docker machine."
-  policy = templatefile("${path.module}/policies/instance-docker-machine-policy.json", {})
-  tags = local.tags
+  policy = templatefile("${path.module}/policies/instance-docker-machine-policy.json",
+    {
+      docker_machine_role_arn = aws_iam_role.docker_machine.arn
+    })
+  tags = local.tags
 }
 
 resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {
diff --git a/policies/instance-docker-machine-policy.json b/policies/instance-docker-machine-policy.json
index 35e90ee61..1ca44687e 100644
--- a/policies/instance-docker-machine-policy.json
+++ b/policies/instance-docker-machine-policy.json
@@ -17,11 +17,17 @@
         "ec2:RequestSpotInstances",
         "ec2:CancelSpotInstanceRequests",
         "ec2:DescribeSubnets",
-        "ec2:AssociateIamInstanceProfile",
-        "iam:PassRole"
+        "ec2:AssociateIamInstanceProfile"
       ],
       "Effect": "Allow",
       "Resource": "*"
+    },
+    {
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Effect": "Allow",
+      "Resource": "${docker_machine_role_arn}"
     }
   ]
 }
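Review bot: The purpose of the new `docker_machine_role_arn` template variable is not stated in the `aws_iam_policy` resource, so a reader has to open the JSON file to learn that it is the value that scopes `iam:PassRole`; a one-line comment above the `policy` argument would carry that, e.g. `# docker_machine_role_arn scopes iam:PassRole in the policy to the docker-machine role only`. The `tags = local.tags` line is removed and re-added only to change its alignment, which adds noise for anyone auditing the policy change; keeping the original line limits the hunk to the `policy` argument. The `resource "aws_iam_policy"` block opens on the hunk header line and closes inside the hunk.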
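Review bot: The new `iam:PassRole` statement scopes the resource to the docker-machine role but still allows that role to be passed to any service principal that accepts it; since the surrounding actions are all EC2 launch operations, a condition pinning the pass to EC2 closes that gap: `"Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } }` placed alongside the `"Resource"` line of the new statement. The preceding EC2 statement keeps `"Resource": "*"`, which this commit does not touch; whether those actions can be narrowed further depends on resource-level support not visible here. The enclosing `Statement` array begins before line 17 and so starts outside the hunk.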