From cb793ef5e11edfca95149320d3724cb1b9c6b48d Mon Sep 17 00:00:00 2001
From: Stefano
Date: Wed, 21 May 2025 16:29:34 -0500
Subject: [PATCH] Add SendCommand permissions

---
 .gitea/workflows/aws_deploy_on_push.yml | 1 +
 infrastructure/stack.py | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/.gitea/workflows/aws_deploy_on_push.yml b/.gitea/workflows/aws_deploy_on_push.yml
index 77820bb..cb40cdd 100644
--- a/.gitea/workflows/aws_deploy_on_push.yml
+++ b/.gitea/workflows/aws_deploy_on_push.yml
@@ -65,6 +65,7 @@ jobs:
 for INSTANCE_ID in $INSTANCE_IDS; do
 aws ssm send-command \
+ --region us-east-2 \
 --instance-ids "$INSTANCE_ID" \
 --document-name "AWS-RunShellScript" \
 --parameters 'commands=[
diff --git a/infrastructure/stack.py b/infrastructure/stack.py
index 1238207..c27c36b 100644
--- a/infrastructure/stack.py
+++ b/infrastructure/stack.py
@@ -92,6 +92,15 @@ class IptvUpdaterStack(Stack):
 resources=["*"]
 ))
 
+ # Add SSM SendCommand permissions
+ role.add_to_policy(iam.PolicyStatement(
+ actions=["ssm:SendCommand"],
+ resources=[
+ f"arn:aws:ec2:{self.region}:{self.account}:instance/*", # Allow on all EC2 instances
+ f"arn:aws:ssm:{self.region}:{self.account}:document/AWS-RunShellScript" # Required for the RunShellScript document
+ ]
+ ))
+
 # Add Cognito permissions to instance role
 role.add_managed_policy(
 iam.ManagedPolicy.from_aws_managed_policy_name(
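Review bot: The region is now a hard-coded literal, `--region us-east-2`, on the send-command call, while the stack side of this same patch derives its region from `self.region`; if the stack is ever deployed elsewhere the workflow will query the wrong region and silently find no instances to update. Setting the region once for the job, for example through the `AWS_REGION` environment variable the AWS CLI reads, or a single workflow variable fed to `--region`, keeps the two in agreement and also covers the call that produced `$INSTANCE_IDS`, which is outside this hunk. The enclosing `for` loop starts and ends outside the hunk, and the header counts (6 old, 7 new) admit one more line than is visible here, so part of the step may have been lost in collapsing.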
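Review bot: The document ARN in the new `resources` list embeds `{self.account}`, but `AWS-RunShellScript` is an AWS-owned document whose ARN carries no account ID (`arn:aws:ssm:<region>::document/<name>`), so as written the statement most likely does not match the document and `ssm:SendCommand` still fails on that resource; change it to `f"arn:aws:ssm:{self.region}::document/AWS-RunShellScript"`. Separately, `instance/*` on a statement attached to what the adjacent comment calls the instance role means, if `role` is the EC2 instance profile, that every instance can run shell commands on every other instance in the account — a lateral-movement path that the region/account scoping of the ARN does not really limit. Narrow it with a `conditions` entry on `ssm:resourceTag/<tag-key>` (placeholder tag) so only designated targets are reachable, or grant SendCommand to the principal that actually runs the deploy workflow rather than to the instances themselves. The enclosing constructor starts before the hunk.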