chore(pr): address second round of review comments

- Fix malformed sed quoting in AWS_REGION derivation (ec2-strategy.ts)
- Remove unused blueprintConfig destructuring (ec2-strategy.ts)
- Scope EC2/SSM IAM permissions: condition ec2:CreateTags on fleet tag,
  scope ssm:SendCommand to fleet-tagged instances and AWS-RunShellScript
  document, separate DescribeInstances (requires resource '*')

Author: MichaelWalker-git

cdk/src/constructs/task-orchestrator.ts

@@ -281,17 +281,45 @@ export class TaskOrchestrator extends Construct {
 
     // EC2 fleet compute strategy permissions (only when EC2 is configured)
     if (props.ec2Config) {
+      // DescribeInstances does not support resource-level permissions
       this.fn.addToRolePolicy(new iam.PolicyStatement({
-        actions: [
-          'ec2:DescribeInstances',
-          'ec2:CreateTags',
-        ],
+        actions: ['ec2:DescribeInstances'],
+        resources: ['*'],
+      }));
+
+      // CreateTags/DeleteTags scoped to fleet instances only
+      this.fn.addToRolePolicy(new iam.PolicyStatement({
+        actions: ['ec2:CreateTags', 'ec2:DeleteTags'],
         resources: ['*'],
+        conditions: {
+          StringEquals: {
+            [`ec2:ResourceTag/${props.ec2Config.fleetTagKey}`]: props.ec2Config.fleetTagValue,
+          },
+        },
+      }));
+
+      // SSM SendCommand scoped to fleet-tagged instances; Get/Cancel scoped to all commands
+      this.fn.addToRolePolicy(new iam.PolicyStatement({
+        actions: ['ssm:SendCommand'],
+        resources: [
+          `arn:${Aws.PARTITION}:ec2:*:*:instance/*`,
+        ],
+        conditions: {
+          StringEquals: {
+            [`ssm:resourceTag/${props.ec2Config.fleetTagKey}`]: props.ec2Config.fleetTagValue,
+          },
+        },
+      }));
+
+      this.fn.addToRolePolicy(new iam.PolicyStatement({
+        actions: ['ssm:SendCommand'],
+        resources: [
+          `arn:${Aws.PARTITION}:ssm:*::document/AWS-RunShellScript`,
+        ],
       }));
 
       this.fn.addToRolePolicy(new iam.PolicyStatement({
         actions: [
-          'ssm:SendCommand',
           'ssm:GetCommandInvocation',
           'ssm:CancelCommand',
         ],

cdk/src/handlers/shared/strategies/ec2-strategy.ts

@@ -68,7 +68,7 @@ export class Ec2ComputeStrategy implements ComputeStrategy {
       );
     }
 
-    const { taskId, payload, blueprintConfig } = input;
+    const { taskId, payload } = input;
     const payloadJson = JSON.stringify(payload);
 
     // 1. Upload payload to S3
@@ -114,7 +114,7 @@ export class Ec2ComputeStrategy implements ComputeStrategy {
       'set -euo pipefail',
       '',
       '# Derive region from IMDS (SSM does not always set AWS_REGION)',
-      'export AWS_REGION=$(ec2-metadata --availability-zone | cut -d" " -f2 | sed \'s/.$/\'\'/)\'',
+      "export AWS_REGION=$(ec2-metadata --availability-zone | cut -d' ' -f2 | sed 's/.$//')",
       'export AWS_DEFAULT_REGION="$AWS_REGION"',
       '',
       '# Resolve instance ID for tag cleanup',