From cf3ecdf8a0cf0724d488a31d990206cb2743f38e Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Tue, 3 Feb 2026 19:08:59 +0100
Subject: [PATCH 1/2] fix: add SSM AMI parameter permissions and environment-based naming

- Add missing SSM GetParameter and GetParameters permissions for AMI parameter ARN in scale-up lambda policy
- Use environment variable prefix for SSM parameter name to ensure unique naming per environment
---
 examples/multi-runner/main.tf | 2 +-
 modules/runners/policies/lambda-scale-up.json | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf
index acbcdb8081..6fd1e648f0 100644
--- a/examples/multi-runner/main.tf
+++ b/examples/multi-runner/main.tf
@@ -28,7 +28,7 @@ locals {
 aws_region = var.aws_region # create map only with amazon linux 2023 x64 and arm64 to overwrite the default
- al2023_arm64_name = "/examples/multi-runner/aws-github-runners/ami/amazon-linux-2023-arm64"
+ al2023_arm64_name = "/${var.environment}/examples/multi-runner/aws-github-runners/ami/amazon-linux-2023-arm64"
 ssm_ami_arns = { "linux-x64" = data.aws_ssm_parameter.al2023_x64.arn # construct the arn to avoid terraform count errors
diff --git a/modules/runners/policies/lambda-scale-up.json b/modules/runners/policies/lambda-scale-up.json
index 1c6946b945..3b16e710d5 100644
--- a/modules/runners/policies/lambda-scale-up.json
+++ b/modules/runners/policies/lambda-scale-up.json
@@ -35,7 +35,8 @@
 "Resource": [
 "${github_app_key_base64_arn}",
 "${github_app_id_arn}",
- "${ssm_config_path}/*"
+ "${ssm_config_path}/*",
+ "${ssm_ami_id_parameter_arn}"
 ]
 },
 {
From 900278f909713f19565434b05b026b4f35c45064 Mon Sep 17 00:00:00 2001
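Review bot: The new `"${ssm_ami_id_parameter_arn}"` entry in the `Resource` list of `lambda-scale-up.json` is rendered unconditionally, and this patch touches no Terraform file that supplies template variables, so the value has to be already passed in and non-empty for every configuration. If the AMI parameter is optional and the variable can render as an empty string, IAM is likely to reject the whole policy document; if it can render as a wildcard or a path prefix, the scale-up lambda gains read access to more parameters than the single AMI id. I would confirm at the call that renders this template (presumably `templatefile`) that it is always one exact parameter ARN, or move the entry into its own statement that is emitted only when the ARN is set. The statement's `Action` list is outside the hunk, so which actions now apply to this ARN cannot be checked from here.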
From: Niek Palm
Date: Tue, 3 Feb 2026 19:14:03 +0100
Subject: [PATCH 2/2] fix: use local.environment instead of var.environment to avoid null in string template

The tflint validation was failing because var.environment can be null, and null values cannot be included in string templates. Changed to use local.environment which has a fallback value. Fixes the tflint error: Invalid template interpolation value. The expression result is null.
Co-Authored-By: Claude Sonnet 4.5
---
 examples/multi-runner/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf
index 6fd1e648f0..13df82a0bb 100644
--- a/examples/multi-runner/main.tf
+++ b/examples/multi-runner/main.tf
@@ -28,7 +28,7 @@ locals {
 aws_region = var.aws_region # create map only with amazon linux 2023 x64 and arm64 to overwrite the default
- al2023_arm64_name = "/${var.environment}/examples/multi-runner/aws-github-runners/ami/amazon-linux-2023-arm64"
+ al2023_arm64_name = "/${local.environment}/examples/multi-runner/aws-github-runners/ami/amazon-linux-2023-arm64"
 ssm_ami_arns = { "linux-x64" = data.aws_ssm_parameter.al2023_x64.arn # construct the arn to avoid terraform count errors
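Review bot: The changed `al2023_arm64_name` line carries no comment explaining why `local.environment` is used rather than `var.environment`, so a later cleanup could reintroduce the null interpolation error the commit message describes; I would add `# local.environment has a fallback; var.environment may be null and cannot be interpolated` directly above it. The last context line says the ARN is constructed by hand, and that construction is outside the hunk, so it is worth confirming it is derived from `local.al2023_arm64_name`; if it repeats the path as a literal, the ARN passed on to the runner module, and any IAM grant built from it, would still name the old parameter. The `locals` block starts and ends outside the hunk.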