Add SendCommand permissions

.gitea/workflows/aws_deploy_on_push.yml

@@ -65,6 +65,7 @@ jobs:
           
           for INSTANCE_ID in $INSTANCE_IDS; do
             aws ssm send-command \
+              --region us-east-2 \
               --instance-ids "$INSTANCE_ID" \
               --document-name "AWS-RunShellScript" \
               --parameters 'commands=[

infrastructure/stack.py

@@ -92,6 +92,15 @@ class IptvUpdaterStack(Stack):
             resources=["*"]
         ))
 
+        # Add SSM SendCommand permissions
+        role.add_to_policy(iam.PolicyStatement(
+            actions=["ssm:SendCommand"],
+            resources=[
+                f"arn:aws:ec2:{self.region}:{self.account}:instance/*",  # Allow on all EC2 instances
+                f"arn:aws:ssm:{self.region}:{self.account}:document/AWS-RunShellScript"  # Required for the RunShellScript document
+            ]
+        ))
+
         # Add Cognito permissions to instance role
         role.add_managed_policy(
             iam.ManagedPolicy.from_aws_managed_policy_name(