fix: Limit iam:PassRole to the role passed (#376)

* Limit policy iam:PassRole to the role passed

Co-authored-by: kayma <[email protected]>

Author: kayman-mk

main.tf

@@ -350,8 +350,11 @@ resource "aws_iam_policy" "instance_docker_machine_policy" {
   name        = "${local.name_iam_objects}-docker-machine"
   path        = "/"
   description = "Policy for docker machine."
-  policy      = templatefile("${path.module}/policies/instance-docker-machine-policy.json", {})
-  tags        = local.tags
+  policy = templatefile("${path.module}/policies/instance-docker-machine-policy.json",
+    {
+      docker_machine_role_arn = aws_iam_role.docker_machine.arn
+  })
+  tags = local.tags
 }
 
 resource "aws_iam_role_policy_attachment" "instance_docker_machine_policy" {

policies/instance-docker-machine-policy.json

@@ -17,11 +17,17 @@
           "ec2:RequestSpotInstances",
           "ec2:CancelSpotInstanceRequests",
           "ec2:DescribeSubnets",
-          "ec2:AssociateIamInstanceProfile",
-          "iam:PassRole"
+          "ec2:AssociateIamInstanceProfile"
         ],
         "Effect": "Allow",
         "Resource": "*"
+      },
+      {
+        "Action": [
+          "iam:PassRole"
+        ],
+        "Effect": "Allow",
+        "Resource": "${docker_machine_role_arn}"
       }
     ]
   }