fix: pre-create EC2 Spot SLR and grant Lambda permission to create it

- Add aws_iam_service_linked_role for spot.amazonaws.com in ec2.tf so the
  AWSServiceRoleForEC2Spot role exists before any Spot launch attempt
- Grant lambda_process iam:CreateServiceLinkedRole as a runtime fallback
- Fix MessageGroupId=None error in submit_build Lambda (non-FIFO queue)

Author: fok666

infrastructure/infra.md

@@ -0,0 +1,11 @@
+```shell
+api_url = "https://9nij0o9osa.execute-api.eu-central-1.amazonaws.com"
+check_status_lambda = "lambda-layer-builder-prod-check-status"
+dynamodb_table_name = "lambda-layer-builder-prod-builds"
+github_pages_config = "API URL: https://9nij0o9osa.execute-api.eu-central-1.amazonaws.com"
+process_build_lambda = "lambda-layer-builder-prod-process-build"
+s3_bucket_name = "lambda-layer-builder-prod-artifacts-4b4dd9b4"
+sqs_queue_url = "https://sqs.eu-central-1.amazonaws.com/511637446646/lambda-layer-builder-prod-build-queue"
+submit_build_lambda = "lambda-layer-builder-prod-submit-build"
+vpc_id = "vpc-06d62836cc88378ad"
+```

infrastructure/terraform/ec2.tf

@@ -6,6 +6,19 @@
 # Each instance self-terminates after build completion or timeout.
 # =============================================================================
 
+# Pre-create the EC2 Spot service-linked role so Lambda doesn't need to create it at runtime.
+# This role is account-global and only needs to exist once.
+# Terraform will silently import it if it already exists.
+resource "aws_iam_service_linked_role" "ec2_spot" {
+  aws_service_name = "spot.amazonaws.com"
+  description      = "Service-linked role for EC2 Spot Instances"
+
+  # Ignore if this role already exists in the account
+  lifecycle {
+    ignore_changes = [description]
+  }
+}
+
 # Latest Amazon Linux 2023 AMI
 data "aws_ami" "al2023" {
   most_recent = true

infrastructure/terraform/iam.tf

@@ -105,6 +105,17 @@ resource "aws_iam_role_policy" "lambda_process" {
         ]
         Resource = "*"
       },
+      {
+        # Required to create AWSServiceRoleForEC2Spot on first Spot usage
+        Effect = "Allow"
+        Action = "iam:CreateServiceLinkedRole"
+        Resource = "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
+        Condition = {
+          StringLike = {
+            "iam:AWSServiceName" = "spot.amazonaws.com"
+          }
+        }
+      },
       {
         Effect   = "Allow"
         Action   = "iam:PassRole"

infrastructure/terraform/prod.tfvars

@@ -0,0 +1,43 @@
+# =============================================================================
+# Lambda Python Layer Builder - Terraform Configuration
+# =============================================================================
+# Copy this file to terraform.tfvars and customize for your environment.
+# =============================================================================
+
+# AWS region for all resources
+aws_region = "eu-central-1"
+
+# Environment name
+environment = "prod"
+
+# Project name (used as prefix for all resources)
+project_name = "lambda-layer-builder"
+
+# Hours to keep build artifacts in S3 (1-168)
+artifact_ttl_hours = 24
+
+# Docker image prefix for pre-built images
+# docker_image_prefix = "ghcr.io/fok666/lambda-python-layer"
+
+# GitHub repo URL (fallback for local Docker builds)
+# github_repo_url = "https://github.com/fok666/lambda-python-layer.git"
+
+# EC2 Spot instance type for builds
+# c5.xlarge  = 4 vCPU, 8GB  (~$0.04/hr spot) - Recommended
+# c5.2xlarge = 8 vCPU, 16GB (~$0.08/hr spot) - Heavy builds
+# m5.large   = 2 vCPU, 8GB  (~$0.02/hr spot) - Light builds
+ec2_instance_type = "c5.xlarge"
+
+# EBS volume size in GB (30-200)
+ec2_volume_size = 50
+
+# Max build time before instance self-terminates (safety net)
+ec2_max_build_time_minutes = 30
+
+# CORS origins - restrict to your GitHub Pages URL in production
+# Example: ["https://yourusername.github.io"]
+allowed_origins = ["*"]
+
+# API request limits
+# api_throttle_rate  = 10
+# api_throttle_burst = 20