From 9f3c537b60bb732b1c7c58abab13e23c45c840ff Mon Sep 17 00:00:00 2001
From: Amir Szekely
Date: Fri, 9 Dec 2022 09:03:04 -0800
Subject: [PATCH] fix: The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances (#183)
Fixes #182
---
 src/providers/ec2.ts | 10 ++++++++++
 .../github-runners-test.assets.json | 4 ++--
 .../github-runners-test.template.json | 10 ++++++++++
 test/default.integ.snapshot/manifest.json | 2 +-
 test/default.integ.snapshot/tree.json | 10 ++++++++++
 5 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/src/providers/ec2.ts b/src/providers/ec2.ts
index 62922425..397cb68a 100644
--- a/src/providers/ec2.ts
+++ b/src/providers/ec2.ts
@@ -383,6 +383,16 @@ export class Ec2Runner extends BaseProvider implements IRunnerProvider {
 resource: '*',
 })],
 }));
+
+ stateMachineRole.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
+ actions: ['iam:CreateServiceLinkedRole'],
+ resources: ['*'],
+ conditions: {
+ StringEquals: {
+ 'iam:AWSServiceName': 'spot.amazonaws.com',
+ },
+ },
+ }));
 }

 status(statusFunctionRole: iam.IGrantable): IRunnerProviderStatus {
diff --git a/test/default.integ.snapshot/github-runners-test.assets.json b/test/default.integ.snapshot/github-runners-test.assets.json
index e5f0182f..4114af27 100644
--- a/test/default.integ.snapshot/github-runners-test.assets.json
+++ b/test/default.integ.snapshot/github-runners-test.assets.json
@@ -222,7 +222,7 @@
 }
 }
 },
- "cb8b028063cbb5d802bc47dc5ba6314eaf9e718d1c9f0f62decd46320644f7a3": {
+ "1a0f45935e02a2424625930ad31932af8f58e40cd46546b8f0a367ae34ee2539": {
 "source": {
 "path": "github-runners-test.template.json",
 "packaging": "file"
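Review bot: The new `iam:CreateServiceLinkedRole` statement carries no comment explaining why a runner state machine needs an IAM role-creation permission, so the next reader will take it for an over-broad grant; a one-line why above `stateMachineRole.grantPrincipal.addToPrincipalPolicy(...)`, such as `// EC2 creates the AWSServiceRoleForEC2Spot service-linked role on an account's first Spot request; without this the Spot launch in #182 fails`, would carry the rationale with the code. The `iam:AWSServiceName` condition already confines the action to that one service, but `resources: ['*']` could be narrowed to the role's documented ARN pattern, `arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot`, with the partition taken from the stack rather than a literal `aws` if the preceding statement (its `resource: '*'` looks like a formatArn component) already does so. If the provider can also launch on-demand instances, the grant could be scoped to the Spot configuration so deployments that never request Spot capacity do not receive it; that option is not visible from this hunk. The enclosing method starts outside the hunk.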
@@ -230,7 +230,7 @@
 "destinations": {
 "current_account-current_region": {
 "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
- "objectKey": "cb8b028063cbb5d802bc47dc5ba6314eaf9e718d1c9f0f62decd46320644f7a3.json",
+ "objectKey": "1a0f45935e02a2424625930ad31932af8f58e40cd46546b8f0a367ae34ee2539.json",
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
 }
 }
diff --git a/test/default.integ.snapshot/github-runners-test.template.json b/test/default.integ.snapshot/github-runners-test.template.json
index dd1df42c..25831c8d 100644
--- a/test/default.integ.snapshot/github-runners-test.template.json
+++ b/test/default.integ.snapshot/github-runners-test.template.json
@@ -11044,6 +11044,16 @@
 ]
 }
 },
+ { "Action": "iam:CreateServiceLinkedRole", "Condition": { "StringEquals": { "iam:AWSServiceName": "spot.amazonaws.com" } }, "Effect": "Allow", "Resource": "*" }, { "Action": "iam:PassRole", "Condition": {
diff --git a/test/default.integ.snapshot/manifest.json b/test/default.integ.snapshot/manifest.json
index 6131004b..b93363eb 100644
--- a/test/default.integ.snapshot/manifest.json
+++ b/test/default.integ.snapshot/manifest.json
@@ -23,7 +23,7 @@
 "validateOnSynth": false,
 "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
 "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
- "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/cb8b028063cbb5d802bc47dc5ba6314eaf9e718d1c9f0f62decd46320644f7a3.json",
+ "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/1a0f45935e02a2424625930ad31932af8f58e40cd46546b8f0a367ae34ee2539.json",
 "requiresBootstrapStackVersion": 6,
 "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
 "additionalDependencies": [
diff --git a/test/default.integ.snapshot/tree.json b/test/default.integ.snapshot/tree.json
index 6c6a1208..1aef4078 100644
--- a/test/default.integ.snapshot/tree.json
+++ b/test/default.integ.snapshot/tree.json
@@ -14904,6 +14904,16 @@
 ]
 }
 },
+ { "Action": "iam:CreateServiceLinkedRole", "Condition": { "StringEquals": { "iam:AWSServiceName": "spot.amazonaws.com" } }, "Effect": "Allow", "Resource": "*" }, { "Action": "iam:PassRole", "Condition": {