From eaa61abae53002aac8914dcf5400c704545ce746 Mon Sep 17 00:00:00 2001
From: Evan Stohlmann
Date: Tue, 12 Nov 2024 15:52:21 -0700
Subject: [PATCH] Update permissions on execution role
---
 lib/models/docker-image-builder.ts | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/models/docker-image-builder.ts b/lib/models/docker-image-builder.ts
index da2174d9..14b186b4 100644
--- a/lib/models/docker-image-builder.ts
+++ b/lib/models/docker-image-builder.ts
@@ -16,7 +16,15 @@
 
 import { Construct } from 'constructs';
 import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
-import { Role, InstanceProfile, ServicePrincipal, ManagedPolicy, Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
+import {
+ Role,
+ InstanceProfile,
+ ServicePrincipal,
+ ManagedPolicy,
+ Policy,
+ PolicyStatement,
+ Effect
+} from 'aws-cdk-lib/aws-iam';
 import { Stack, Duration } from 'aws-cdk-lib';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { BucketDeployment, Source } from 'aws-cdk-lib/aws-s3-deployment';
@@ -91,7 +99,13 @@ export class DockerImageBuilder extends Construct {
 new PolicyStatement({
 actions: [
 'ec2:RunInstances',
- 'ec2:CreateTags'
+ 'ec2:CreateTags',
+ 'ec2:CreateNetworkInterface',
+ 'ec2:DescribeNetworkInterfaces',
+ 'ec2:DescribeSubnets',
+ 'ec2:DeleteNetworkInterface',
+ 'ec2:AssignPrivateIpAddresses',
+ 'ec2:UnassignPrivateIpAddresses'
 ],
 resources: ['*']
 }),
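Review bot: `Effect` is added to the `aws-cdk-lib/aws-iam` import, but nothing in this patch uses it. The diffstat (16 insertions, 2 deletions) is fully accounted for by the two hunks shown, so the import looks unused. Either drop it, or use it where it was presumably intended, for example an explicit `effect: Effect.ALLOW` on the statement extended in the second hunk.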
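Review bot: The four mutating ENI actions added to this statement (`ec2:CreateNetworkInterface`, `ec2:DeleteNetworkInterface`, `ec2:AssignPrivateIpAddresses`, `ec2:UnassignPrivateIpAddresses`) inherit `resources: ['*']` from the existing `ec2:RunInstances` grant, so the role may create and delete network interfaces anywhere in the account. Only the two `ec2:Describe*` actions need the wildcard. The mutating ones would be better in their own `PolicyStatement`, restricted to the builder's subnets or VPC through resource ARNs or a condition. The set matches what a VPC-attached Lambda needs, but the commit message does not say why it was added. If that is the reason, a comment such as `// ENI lifecycle for the VPC-attached Lambda; Describe* cannot be resource-scoped` would record it. The enclosing policy and the statement's construction start and end outside the hunk.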