From e0819f616c3208835afc20187b8c28478cd0c5ff Mon Sep 17 00:00:00 2001
From: Marko Fabry
Date: Fri, 17 Mar 2023 10:07:31 +0100
Subject: [PATCH] fix: add missing IAM permissions for runners from encrypted AMI (#3049)

This should fix missing IAM permissions when running from encrypted AMI. See [this issue](https://github.com/philips-labs/terraform-aws-github-runner/issues/2927)
---
 modules/runners/policies/lambda-scale-up.json | 12 ++++++++++++
 modules/runners/pool/policies/lambda-pool.json | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json
index ee54da6164..d6ec6d8561 100644
--- a/modules/runners/policies/lambda-scale-up.json
+++ b/modules/runners/policies/lambda-scale-up.json
@@ -63,6 +63,18 @@
 "kms:Decrypt"
 ],
 "Resource": "${ami_kms_key_arn}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:CreateGrant"
+ ],
+ "Resource": "${ami_kms_key_arn}",
+ "Condition": {
+ "Bool": {
+ "aws:ViaAWSService": "true"
+ }
+ }
 %{ endif ~}
 }
 ]
diff --git a/modules/runners/pool/policies/lambda-pool.json b/modules/runners/pool/policies/lambda-pool.json
index cf2f056006..3306892f8c 100644
--- a/modules/runners/pool/policies/lambda-pool.json
+++ b/modules/runners/pool/policies/lambda-pool.json
@@ -54,6 +54,18 @@
 "kms:Decrypt"
 ],
 "Resource": "${ami_kms_key_arn}"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:CreateGrant"
+ ],
+ "Resource": "${ami_kms_key_arn}",
+ "Condition": {
+ "Bool": {
+ "aws:ViaAWSService": "true"
+ }
+ }
 %{ endif ~}
 }
 ]
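Review bot: The new `kms:CreateGrant` statement in the lambda-scale-up.json hunk is conditioned only on `aws:ViaAWSService`, which limits the call to an AWS service acting on the Lambda's behalf but does not constrain who the grant is issued to; the KMS-specific key documented for exactly this launch-from-encrypted-volume case can be added alongside it, `"Bool": { "aws:ViaAWSService": "true", "kms:GrantIsForAWSResource": "true" }`, so that grants may only be created for an AWS service principal. The statement is inserted ahead of the `%{ endif ~}` context line, so it appears to be gated by the same template conditional as the existing `kms:Decrypt` statement, though the opening `%{ if … }` directive is outside the hunk and this cannot be confirmed here. Since strict JSON carries no comments, the reason for the grant belongs in the module documentation or the description of the `ami_kms_key_arn` variable, e.g. "kms:CreateGrant is required so EC2 can create the grant it needs to attach the encrypted root volume at instance launch". The identical statement in the lambda-pool.json hunk has the same points.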