From f7094b554a3ee19f6a8631b2a105d4ba49d76c57 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 19 Mar 2026 14:20:31 -0400
Subject: [PATCH] Enable Lambda token refresh to prevent runner recovery deadlocks

- Set enable_lambda_token_refresh = true in default.auto.tfvars
- Add ec2:CreateNetworkInterface/DescribeNetworkInterfaces/DeleteNetworkInterface to Lambda IAM policy (required for VPC-attached Lambda functions)

Lambda refreshes GitHub Actions registration token every 30 minutes. Prevents deadlock when all runners die simultaneously and token expires before ECS can restart tasks.
---
 default.auto.tfvars | 4 ++++
 lambda_token_refresh.tf | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/default.auto.tfvars b/default.auto.tfvars
index f90b566..4770c59 100644
--- a/default.auto.tfvars
+++ b/default.auto.tfvars
@@ -33,3 +33,7 @@ desired_count = 1
 # Monitoring Configuration
 alert_email = "david.j.arnold.jr@census.gov"
+
+# Enable Lambda token refresh to prevent runner recovery deadlocks
+# Runs every 30 minutes to keep Secrets Manager token fresh (tokens expire in 1 hour)
+enable_lambda_token_refresh = true
diff --git a/lambda_token_refresh.tf b/lambda_token_refresh.tf
index a6ddcd8..ed1d4cb 100644
--- a/lambda_token_refresh.tf
+++ b/lambda_token_refresh.tf
@@ -168,6 +168,16 @@ resource "aws_iam_role_policy" "lambda_refresh_policy" {
 "logs:PutLogEvents"
 ]
 Resource = "arn:${data.aws_partition.current.partition}:logs:*:*:log-group:/aws/lambda/${local.lambda_function_name}:*"
+ },
+ {
+ # Required for Lambda functions deployed into a VPC
+ Effect = "Allow"
+ Action = [
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface"
+ ]
+ Resource = "*"
 }
 ]
 })
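Review bot: The new statement in the lambda_token_refresh.tf hunk grants `ec2:CreateNetworkInterface` and `ec2:DeleteNetworkInterface` on `Resource = "*"`, which lets this execution role create and delete ENIs in every subnet of the account rather than only the subnets the function is attached to. Only `ec2:DescribeNetworkInterfaces` has to stay on `"*"` (it does not support resource-level permissions); the create/delete pair can be split into its own statement and constrained with an `ec2:Subnet` condition naming the function's `vpc_config` subnets, as sketched below, and the AWS-managed `AWSLambdaVPCAccessExecutionRole` is the reference for what Lambda needs (it also lists `ec2:DescribeSubnets`, `ec2:AssignPrivateIpAddresses` and `ec2:UnassignPrivateIpAddresses`, so confirm the three actions here are sufficient for this function's configuration). It is also worth a comment tying this statement to the function's `vpc_config` block, which is outside the hunk, so a later change that removes the VPC attachment knows the grant can go too. The enclosing `resource "aws_iam_role_policy" "lambda_refresh_policy"` starts before the hunk and its closing brace lies after it.
```hcl
      },
      {
        # Lambda VPC attachment: DescribeNetworkInterfaces only works on "*"
        Effect   = "Allow"
        Action   = ["ec2:DescribeNetworkInterfaces"]
        Resource = "*"
      },
      {
        # ENI create/delete restricted to the subnets in this function's vpc_config
        Effect = "Allow"
        Action = [
          "ec2:CreateNetworkInterface",
          "ec2:DeleteNetworkInterface"
        ]
        Resource = "*"
        Condition = {
          ArnEquals = {
            # PLACEHOLDER: replace with the ARNs of the subnets listed in the function's vpc_config
            "ec2:Subnet" = ["<SUBNET_ARN_PLACEHOLDER>"]
          }
        }
      }
      # … unchanged: closing of the Statement list and jsonencode …
```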