From b667ca5dbc65324bba10f1001f574cc36eb5f7ee Mon Sep 17 00:00:00 2001
From: Brian McMahon
Date: Wed, 20 May 2026 15:09:54 -0700
Subject: [PATCH] feat(iam): grant github-actions-lambda-deploy ssm:SendCommand on dashboard instance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two new statements:
- DashboardDeployViaSSM: ssm:SendCommand scoped to the dashboard instance (i-09b539c844515d549) + the AWS-RunShellScript document.
- DashboardDeployPollCommand: ssm:GetCommandInvocation + ListCommandInvocations on `*` (no resource-level scoping available for these APIs).

Enables alpha-engine-dashboard PR auto-deploy (separate PR opens once this lands). Mirrors the existing lambda-deploy pattern: PR merge → GHA workflow → SSM → instance pulls + restarts streamlit services → health check.

OIDC trust already permits cipher813/alpha-engine-dashboard:main, so no trust-policy edit needed.

Applied via infrastructure/iam/apply.sh pre-merge per the add-grant-PR-needs-apply-first discipline (drift check would block merge otherwise). Live drift check passes.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../iam/github-actions-lambda-deploy.json | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/infrastructure/iam/github-actions-lambda-deploy.json b/infrastructure/iam/github-actions-lambda-deploy.json
index 95f6513..a872f39 100644
--- a/infrastructure/iam/github-actions-lambda-deploy.json
+++ b/infrastructure/iam/github-actions-lambda-deploy.json
@@ -250,6 +250,26 @@
 ]
 }
 }
+ },
+ {
+ "Sid": "DashboardDeployViaSSM",
+ "Effect": "Allow",
+ "Action": [
+ "ssm:SendCommand"
+ ],
+ "Resource": [
+ "arn:aws:ec2:us-east-1:711398986525:instance/i-09b539c844515d549",
+ "arn:aws:ssm:us-east-1::document/AWS-RunShellScript"
+ ]
+ },
+ {
+ "Sid": "DashboardDeployPollCommand",
+ "Effect": "Allow",
+ "Action": [
+ "ssm:GetCommandInvocation",
+ "ssm:ListCommandInvocations"
+ ],
+ "Resource": "*"
 }
 ]
 }
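Review bot: The `DashboardDeployViaSSM` statement pairs `ssm:SendCommand` with the `AWS-RunShellScript` document, which lets the github-actions-lambda-deploy role run any shell content on i-09b539c844515d549 with the SSM agent's privileges (root by default on Linux), so a compromised workflow or third-party action in the trusted repository gets unrestricted execution on the dashboard host rather than only the deploy. If the deploy steps are fixed, a custom SSM document in the account that pins them narrows this to one operation: replace the second Resource entry with `"arn:aws:ssm:us-east-1:711398986525:document/<DEPLOY_DOCUMENT_NAME>"` (placeholder name) and have the workflow invoke that document instead of AWS-RunShellScript. The `"Resource": "*"` in DashboardDeployPollCommand matches what ssm:GetCommandInvocation and ssm:ListCommandInvocations support, as the description notes, so no change is needed there. The enclosing Statement array and the policy object begin outside the hunk.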