Scale-up Lambda lacks ec2:TerminateInstances permission for JIT error cleanup #5146

@edersonbrilhante

Description

Problem

The scale-up Lambda has an error-handling path that attempts to terminate an EC2 runner instance when JIT configuration fails, but the Lambda IAM policy does not allow ec2:TerminateInstances.

This causes the cleanup path itself to fail with an authorization error.

Error

You are not authorized to perform this operation. User: arn:aws:sts::<account-id>:assumed-role/<scale-up-lambda-role>/<scale-up-lambda-session> is not authorized to perform: ec2:TerminateInstances on resource: arn:aws:ec2:<region>:<account-id>:instance/<instance-id> because no identity-based policy allows the ec2:TerminateInstances action.

Relevant code path

try {
  // Cleanup path: the instance was already created, so try to terminate it.
  await terminateRunner(instanceId);
} catch (error) {
  // The failure is only logged; the instance is left running if this throws.
  logger.error('Failed to terminate instance', {
    instanceId,
    error: error instanceof Error ? error.message : String(error),
  });
}

Expected behavior

If scale-up creates an instance and then fails during JIT setup, the Lambda should be able to terminate that instance as part of cleanup.

Actual behavior

The Lambda attempts to terminate the instance but fails because its IAM role does not include ec2:TerminateInstances.

Suggested fix

Add ec2:TerminateInstances to the scale-up Lambda IAM policy, scoped to the runner instances/resources managed by the module where possible.
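As an added illustration (not from the issue or the module itself), an IAM statement for the scale-up Lambda role that grants only the missing action and restricts it to instances carrying a tag the module is assumed to set on its runners; the tag key `ghr:environment` and the `<...>` placeholders are assumptions to be replaced with the module's actual values. Granting the action with `"Resource": "*"` and no condition would also clear the authorization error, but it would let the role terminate any instance in the account rather than just the runners it created.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TerminateOnlyModuleManagedRunners",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:<region>:<account-id>:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/ghr:environment": "<environment-tag-value>"
        }
      }
    }
  ]
}
```

Because the catch block above only logs the failure, it is worth alerting on the `Failed to terminate instance` log message so a leaked runner is noticed even after the permission is added.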

Impact

Failed JIT setup can leave runner EC2 instances running when cleanup is expected to terminate them.
