Merge pull request #8402 from ministryofjustice/feature/7907-separate…

…-out-passrole Separate out `iam:PassRole` statements
ministryofjustice · Nov 1, 2024 · f9cf4c5 · f9cf4c5
2 parents 972d713 + 1296045
commit f9cf4c5
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/terraform/environments/bootstrap/member-bootstrap/iam.tf b/terraform/environments/bootstrap/member-bootstrap/iam.tf
@@ -522,7 +522,6 @@ data "aws_iam_policy_document" "policy" {
       "iam:listInstanceProfilesForRole",
       "iam:listRolePolicies",
       "iam:ListRoles",
-      "iam:PassRole",
       "kinesis:PutRecord",
       "kms:DescribeKey",
       "kms:Decrypt",
@@ -564,6 +563,13 @@ data "aws_iam_policy_document" "policy" {
     ]
     resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
   }
+
+  statement {
+    actions   = ["iam:PassRole"]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+
   statement {
     effect = "Allow"
     actions = [

diff --git a/terraform/environments/bootstrap/single-sign-on/policies.tf b/terraform/environments/bootstrap/single-sign-on/policies.tf
@@ -328,9 +328,7 @@ data "aws_iam_policy_document" "developer_additional" {
   statement {
     sid    = "iamForECSAllow"
     effect = "Allow"
-    actions = [
-      "iam:PassRole"
-    ]
+    actions = ["iam:PassRole"]
     resources = ["*"]
     condition {
       test     = "StringEquals"
@@ -1166,7 +1164,6 @@ data "aws_iam_policy_document" "reporting-operations" {
       "dynamodb:Get*",
       "dynamodb:Query",
       "dynamodb:Scan",
-      "iam:PassRole",
       "redshift:*",
       "redshift-data:*",
       "redshift-serverless:*",
@@ -1192,6 +1189,13 @@ data "aws_iam_policy_document" "reporting-operations" {
     ]
     resources = ["*"] #tfsec:ignore:AWS099 tfsec:ignore:AWS097
   }
+
+  statement {
+    actions   = ["iam:PassRole"]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+
 }
 
 #tfsec:ignore:aws-iam-no-policy-wildcards