fix(scale-up): Add ec2:TerminateInstances permission to scale-up Lambda IAM policy (#5152)

Copilot · github-aws-runners-pr|bot · web-flow · commit 94c4e1237af8 · 2026-06-11T07:29:41.000Z
## Description

The scale-up Lambda calls `terminateRunner(instanceId)` when JIT
configuration fails, but lacks the `ec2:TerminateInstances` IAM
permission. This leaves orphaned EC2 instances running when JIT setup
errors occur.

Adds `ec2:TerminateInstances` to
`modules/runners/policies/lambda-scale-up.json`, scoped with two
condition statements matching the pattern used in the scale-down Lambda
policy:

1. Scoped by `ghr:Application` tag (hardcoded value applied at instance
creation):
```json
{
    "Effect": "Allow",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {
        "StringEquals": {
            "ec2:ResourceTag/ghr:Application": "github-action-runner"
        }
    }
}
```

2. Scoped by `gh:environment` tag (environment-specific):
```json
{
    "Effect": "Allow",
    "Action": ["ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {
        "StringEquals": {
            "ec2:ResourceTag/gh:environment": "${environment}"
        }
    }
}
```

Also passes the `environment` variable (`var.prefix`) to the policy
template in `scale-up.tf`.

## Test Plan

- Verified the policy JSON is valid and follows the existing conditional
scoping pattern from `lambda-scale-down.json`
- Both tag-based conditions (`ghr:Application` and `gh:environment`)
match the scale-down policy exactly
- The `environment` template variable is passed as `var.prefix`,
consistent with how scale-down passes it

## Related Issues

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: github-aws-runners-pr|bot &lt;github-aws-runners-pr[bot]@users.noreply.github.com&gt;
diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json
@@ -14,6 +14,34 @@
                 "*"
             ]
         },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:TerminateInstances"
+            ],
+            "Resource": [
+                "*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "ec2:ResourceTag/ghr:Application": "github-action-runner"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:TerminateInstances"
+            ],
+            "Resource": [
+                "*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "ec2:ResourceTag/gh:environment": "${environment}"
+                }
+            }
+        },
         {
             "Effect": "Allow",
             "Action": "iam:PassRole",
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
@@ -121,6 +121,7 @@ resource "aws_iam_role_policy" "scale_up" {
   role = aws_iam_role.scale_up.name
   policy = templatefile("${path.module}/policies/lambda-scale-up.json", {
     arn_runner_instance_role  = var.iam_overrides["override_runner_role"] ? var.iam_overrides["runner_role_arn"] : aws_iam_role.runner[0].arn
+    environment               = var.prefix
     sqs_arn                   = var.sqs_build_queue.arn
     github_app_id_arn         = var.github_app_parameters.id.arn
     github_app_key_base64_arn = var.github_app_parameters.key_base64.arn
