20489: Fixes privileges escalation issue on installer's terraform code.

author Lucas Di Pentima <lucas.dipentima@curii.com>

Tue, 9 May 2023 15:03:24 +0000 (12:03 -0300)

committer Lucas Di Pentima <lucas.dipentima@curii.com>

Tue, 9 May 2023 15:03:24 +0000 (12:03 -0300)
author Lucas Di Pentima <lucas.dipentima@curii.com>
Tue, 9 May 2023 15:03:24 +0000 (12:03 -0300)
committer Lucas Di Pentima <lucas.dipentima@curii.com>
Tue, 9 May 2023 15:03:24 +0000 (12:03 -0300)
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf

index 7ec3b954eedd8dd75b14dbb465f402698a507050..68ffaf42de8bcf2e8047723c3e513498e112fc26 100644 (file)
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -82,7 +82,6 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
      Statement: [{
        Effect: "Allow",
        Action: [
-        "iam:PassRole",
          "ec2:DescribeKeyPairs",
          "ec2:ImportKeyPair",
          "ec2:RunInstances",
@@ -91,6 +90,13 @@ resource "aws_iam_policy" "cloud_dispatcher_ec2_access" {
          "ec2:TerminateInstances"
        ],
        Resource: "*"
+    },
+    {
+      Effect: "Allow",
+      Action: [
+        "iam:PassRole",
+      ],
+      Resource: "arn:aws:iam::*:role/${aws_iam_instance_profile.keepstore_instance_profile.name}"
      }]
    })
  }
author	Lucas Di Pentima <lucas.dipentima@curii.com>
	Tue, 9 May 2023 15:03:24 +0000 (12:03 -0300)
committer	Lucas Di Pentima <lucas.dipentima@curii.com>
	Tue, 9 May 2023 15:03:24 +0000 (12:03 -0300)