runners: make ssm policy an array (#6858)

seemethere · web-flow · commit 0758ff27a1d2 · 2025-06-27T13:05:54.000-07:00
Fixes an issue where the SSM parameter policies were not being set
correctly.

Resulted in errors like:

ValidationException: Invalid policies input:
{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2025-06-27T19:11:55.437Z"}}.

Signed-off-by: Eli Uriegas &lt;eliuriegas@meta.com&gt;
diff --git a/terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/runners.test.ts b/terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/runners.test.ts
@@ -1346,16 +1346,16 @@ describe('createRunner', () => {
       // Verify the Policies parameter contains the correct expiration policy structure
       const putParameterCall = mockSSM.putParameter.mock.calls[0][0];
       const policies = JSON.parse(putParameterCall.Policies);
-      expect(policies).toEqual({
+      expect(policies).toEqual([{
         Type: 'Expiration',
         Version: '1.0',
         Attributes: {
           Timestamp: expect.any(String),
         },
-      });
+      }]);
 
       // Verify the timestamp is approximately 30 minutes in the future
-      const expirationTime = new Date(policies.Attributes.Timestamp);
+      const expirationTime = new Date(policies[0].Attributes.Timestamp);
       const now = Date.now();
       const timeDiff = expirationTime.getTime() - now;
       expect(timeDiff).toBeGreaterThan(25 * 60 * 1000); // at least 25 minutes (allowing for test execution time)
diff --git a/terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/runners.ts b/terraform-aws-github-runner/modules/runners/lambdas/runners/src/scale-runners/runners.ts
@@ -536,13 +536,14 @@ async function addSSMParameterRunnerConfig(
                 Type: 'SecureString',
                 // NOTE: This does need to be a string, check docs at:
                 // https://docs.aws.amazon.com/systems-manager/latest/userguide/example_ssm_PutParameter_section.html
-                Policies: JSON.stringify({
+                // Policies must be an array, even for a single policy
+                Policies: JSON.stringify([{
                   Type: 'Expiration',
                   Version: '1.0',
                   Attributes: {
                     Timestamp: new Date(Date.now() + 30 * 60 * 1000).toISOString(),
                   },
-                }),
+                }]),
               })
               .promise();
             return parameterName;
