chor: Only allow termination of runner instances (#201)

jpalomaki · web-flow · commit 4c08f9fdc649 · 2020-09-14T22:00:10.000+02:00
diff --git a/modules/runners/policies/lambda-scale-down.json b/modules/runners/policies/lambda-scale-down.json
@@ -5,11 +5,21 @@
       "Effect": "Allow",
       "Action": [
         "ec2:DescribeInstances*",
-        "ec2:DescribeTags",
-        "ec2:DeleteTags",
-        "ec2:TerminateInstances"
+        "ec2:DescribeTags"
       ],
       "Resource": ["*"]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:TerminateInstances"
+      ],
+      "Resource": ["*"],
+      "Condition": {
+        "StringEquals": {
+          "ec2:ResourceTag/Application": "github-action-runner"
+        }
+      }
     }
   ]
 }
diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json
@@ -6,11 +6,22 @@
       "Action": [
         "ec2:DescribeInstances",
         "ec2:DescribeTags",
-        "ec2:CreateTags",
         "ec2:RunInstances"
       ],
       "Resource": ["*"]
     },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateTags"
+      ],
+      "Resource": ["*"],
+      "Condition": {
+        "StringEquals": {
+          "ec2:CreateAction" : "RunInstances"
+        }
+      }
+    },
     {
       "Effect": "Allow",
       "Action": "iam:PassRole",
