xdr-terraform-modules/thirdparty/terraform-aws-github-runner/modules/runners/pool/policies/lambda-pool.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:RunInstances",
                "ec2:CreateFleet",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "${arn_runner_instance_role}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "${github_app_key_base64_arn}",
                "${github_app_id_arn}"
            ]
%{ if kms_key_arn != "" ~}
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "${kms_key_arn}"
%{ endif ~}
        }
    ]
}