CloudFormation - iam.yaml

Resources:
  Demo:
    Type: 'AWS::IAM::Group'
    Properties:
      GroupName: DemoGroup

Pass Role Policy

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::<account-id>:role/EC2-roles-for-XYZ-*"
    }]
}