Add ssm:GetParameter to runner-ssm-parameters (#446)

* Add ssm:GetParameter to runner-ssm-parameters

Fixes #445 

Currently, instances are failing to launch, with the error message logged in `/var/log/cloud-init.log`:

```
Fail to fetch/remove json config: AccessDeniedException: User: arn:aws:sts::<account-number>:assumed-role/github-runners-github-action-runners-runner-role/<instance-id> is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-west-2:<account-number>:parameter/github-runners-cloudwatch_agent_config_runner
```

Add the `ssm:GetParameter` to runner-ssm-parameters

* Update CHANGELOG.md

Author: bennettp123

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+- Fix missing permissions for CloudWatch Agent #445 @bennettp123
+
 ## [0.8.1] - 2020-12-08
 ### Changed
 - Policy is missing for streaming logs to cloudwatch #388

modules/runners/policies/instance-ssm-parameters-policy.json

@@ -8,7 +8,10 @@
     },
     {
       "Effect": "Allow",
-      "Action": ["ssm:GetParameters"],
+      "Action": [
+        "ssm:GetParameters",
+        "ssm:GetParameter"
+      ],
       "Resource": "${arn_ssm_parameters}"
     }
   ]