diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
index b2d4a0530c..5ca9f0e064 100644
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -32,16 +32,50 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           persist-credentials: true
 
-      # use an app to ensure CI is triggered
       - name: Generate TF docs
         if: github.repository_owner == 'github-aws-runners'
         uses: terraform-docs/gh-actions@6de6da0cefcc6b4b7a5cbea4d79d97060733093c # v1.4.1
         with:
           find-dir: .
-          git-commit-message: "docs: auto update terraform docs"
-          git-push: ${{ github.ref != 'refs/heads/main' || github.repository_owner != 'github-aws-runners' }}
-          git-push-user-name: github-aws-runners-pr|bot
-          git-push-user-email: "github-aws-runners-pr[bot]@users.noreply.github.com"
+          git-push: false
+
+      # commit via the GitHub API so commits are signed by GitHub and show as verified
+      - name: Commit and push docs changes (branches only)
+        if: github.ref != 'refs/heads/main' && github.repository_owner == 'github-aws-runners'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COMMIT_MESSAGE: "docs: auto update terraform docs"
+        run: |
+          set -o pipefail
+          # diff against HEAD because terraform-docs stages the files it updates
+          if git diff --quiet HEAD; then
+            echo "No documentation changes to commit."
+            exit 0
+          fi
+          echo "Committing documentation changes:"
+          git diff --name-only HEAD
+          # pass file contents through a temp file to avoid the kernel's argument size limit
+          additions=$(mktemp)
+          git diff --name-only HEAD | while IFS= read -r file; do
+            jq -n --arg path "$file" --rawfile contents <(base64 -w0 "$file") '{path: $path, contents: $contents}'
+          done | jq -s '.' > "$additions"
+          jq -n \
+            --arg repository "$GITHUB_REPOSITORY" \
+            --arg branch "$GITHUB_REF_NAME" \
+            --arg expectedHeadOid "$(git rev-parse HEAD)" \
+            --arg message "$COMMIT_MESSAGE" \
+            --slurpfile additions "$additions" \
+            '{
+              query: "mutation ($input: CreateCommitOnBranchInput!) { createCommitOnBranch(input: $input) { commit { oid } } }",
+              variables: {
+                input: {
+                  branch: { repositoryNameWithOwner: $repository, branchName: $branch },
+                  expectedHeadOid: $expectedHeadOid,
+                  message: { headline: $message },
+                  fileChanges: { additions: $additions[0] }
+                }
+              }
+            }' | gh api graphql --input -
 
       - name: Generate TF docs (forks)
         if: github.repository_owner != 'github-aws-runners'
@@ -57,6 +91,7 @@ jobs:
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          sign-commits: true
           commit-message: "docs: auto update terraform docs"
           title: "docs: Update Terraform docs"
           branch: update-docs
diff --git a/README.md b/README.md
index fa697d8dcd..cf8546637f 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,7 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh)
 | <a name="input_ghes_ssl_verify"></a> [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
 | <a name="input_ghes_url"></a> [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB. However if you are using GitHub Enterprise Cloud with data-residency (ghe.com), set the endpoint here. Example - https://companyname.ghe.com | `string` | `null` | no |
 | <a name="input_github_app"></a> [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.<br/>  You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.<br/>  If you chose to provide the configuration values directly here,<br/>  please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).<br/>  Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). | <pre>object({<br/>    key_base64 = optional(string)<br/>    key_base64_ssm = optional(object({<br/>      arn  = string<br/>      name = string<br/>    }))<br/>    id = optional(string)<br/>    id_ssm = optional(object({<br/>      arn  = string<br/>      name = string<br/>    }))<br/>    webhook_secret = optional(string)<br/>    webhook_secret_ssm = optional(object({<br/>      arn  = string<br/>      name = string<br/>    }))<br/>  })</pre> | n/a | yes |
+| <a name="input_iam_overrides"></a> [iam\_overrides](#input\_iam\_overrides) | This map provides the possibility to override some IAM defaults. Note that when using this variable, you are responsible for ensuring the role has necessary permissions to access required resources. `override_instance_profile`: When set to true, uses the instance profile name specified in `instance_profile_name` instead of creating a new instance profile. `override_runner_role`: When set to true, uses the role ARN specified in `runner_role_arn` instead of creating a new IAM role. | <pre>object({<br/>    override_instance_profile = optional(bool, null)<br/>    instance_profile_name     = optional(string, null)<br/>    override_runner_role      = optional(bool, null)<br/>    runner_role_arn           = optional(string, null)<br/>  })</pre> | <pre>{<br/>  "instance_profile_name": null,<br/>  "override_instance_profile": false,<br/>  "override_runner_role": false,<br/>  "runner_role_arn": null<br/>}</pre> | no |
 | <a name="input_idle_config"></a> [idle\_config](#input\_idle\_config) | List of time periods, defined as a cron expression, to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | <pre>list(object({<br/>    cron             = string<br/>    timeZone         = string<br/>    idleCount        = number<br/>    evictionStrategy = optional(string, "oldest_first")<br/>  }))</pre> | `[]` | no |
 | <a name="input_instance_allocation_strategy"></a> [instance\_allocation\_strategy](#input\_instance\_allocation\_strategy) | The allocation strategy for spot instances. AWS recommends using `price-capacity-optimized` however the AWS default is `lowest-price`. | `string` | `"lowest-price"` | no |
 | <a name="input_instance_max_spot_price"></a> [instance\_max\_spot\_price](#input\_instance\_max\_spot\_price) | Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet. | `string` | `null` | no |
diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md
index caa7993dee..65cb4e5359 100644
--- a/modules/multi-runner/README.md
+++ b/modules/multi-runner/README.md
@@ -133,6 +133,7 @@ module "multi-runner" {
 | <a name="input_ghes_ssl_verify"></a> [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
 | <a name="input_ghes_url"></a> [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. Example: https://github.internal.co - DO NOT SET IF USING PUBLIC GITHUB. .However if you are using GitHub Enterprise Cloud with data-residency (ghe.com), set the endpoint here. Example - https://companyname.ghe.com\| | `string` | `null` | no |
 | <a name="input_github_app"></a> [github\_app](#input\_github\_app) | GitHub app parameters, see your github app.<br/>  You can optionally create the SSM parameters yourself and provide the ARN and name here, through the `*_ssm` attributes.<br/>  If you chose to provide the configuration values directly here,<br/>  please ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`).<br/>  Note: the provided SSM parameters arn and name have a precedence over the actual value (i.e `key_base64_ssm` has a precedence over `key_base64` etc). | <pre>object({<br/>    key_base64 = optional(string)<br/>    key_base64_ssm = optional(object({<br/>      arn  = string<br/>      name = string<br/>    }))<br/>    id = optional(string)<br/>    id_ssm = optional(object({<br/>      arn  = string<br/>      name = string<br/>    }))<br/>    webhook_secret = optional(string)<br/>    webhook_secret_ssm = optional(object({<br/>      arn  = string<br/>      name = string<br/>    }))<br/>  })</pre> | n/a | yes |
+| <a name="input_iam_overrides"></a> [iam\_overrides](#input\_iam\_overrides) | This map provides the possibility to override some IAM defaults. The following attributes are supported: `instance_profile_name` overrides the instance profile name used in the launch template. `runner_role_arn` overrides the IAM role ARN used for the runner instances. | <pre>object({<br/>    override_instance_profile = optional(bool, null)<br/>    instance_profile_name     = optional(string, null)<br/>    override_runner_role      = optional(bool, null)<br/>    runner_role_arn           = optional(string, null)<br/>  })</pre> | <pre>{<br/>  "instance_profile_name": null,<br/>  "override_instance_profile": false,<br/>  "override_runner_role": false,<br/>  "runner_role_arn": null<br/>}</pre> | no |
 | <a name="input_instance_profile_path"></a> [instance\_profile\_path](#input\_instance\_profile\_path) | The path that will be added to the instance\_profile, if not set the environment name will be used. | `string` | `null` | no |
 | <a name="input_instance_termination_watcher"></a> [instance\_termination\_watcher](#input\_instance\_termination\_watcher) | Configuration for the spot termination watcher lambda function. This feature is Beta, changes will not trigger a major release as long in beta.<br/><br/>`enable`: Enable or disable the spot termination watcher.<br/>`memory_size`: Memory size limit in MB of the lambda.<br/>`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.<br/>`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.<br/>`timeout`: Time out of the lambda in seconds.<br/>`zip`: File location of the lambda zip file. | <pre>object({<br/>    enable = optional(bool, false)<br/>    features = optional(object({<br/>      enable_spot_termination_handler              = optional(bool, true)<br/>      enable_spot_termination_notification_watcher = optional(bool, true)<br/>    }), {})<br/>    memory_size       = optional(number, null)<br/>    s3_key            = optional(string, null)<br/>    s3_object_version = optional(string, null)<br/>    timeout           = optional(number, null)<br/>    zip               = optional(string, null)<br/>  })</pre> | `{}` | no |
 | <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Key pair name | `string` | `null` | no |
@@ -152,7 +153,7 @@ module "multi-runner" {
 | <a name="input_logging_retention_in_days"></a> [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |
 | <a name="input_matcher_config_parameter_store_tier"></a> [matcher\_config\_parameter\_store\_tier](#input\_matcher\_config\_parameter\_store\_tier) | The tier of the parameter store for the matcher configuration. Valid values are `Standard`, and `Advanced`. | `string` | `"Standard"` | no |
 | <a name="input_metrics"></a> [metrics](#input\_metrics) | Configuration for metrics created by the module, by default metrics are disabled to avoid additional costs. When metrics are enable all metrics are created unless explicit configured otherwise. | <pre>object({<br/>    enable    = optional(bool, false)<br/>    namespace = optional(string, "GitHub Runners")<br/>    metric = optional(object({<br/>      enable_github_app_rate_limit    = optional(bool, true)<br/>      enable_job_retry                = optional(bool, true)<br/>      enable_spot_termination_warning = optional(bool, true)<br/>    }), {})<br/>  })</pre> | `{}` | no |
-| <a name="input_multi_runner_config"></a> [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {<br/>      runner\_config: {<br/>        runner\_os: "The EC2 Operating System type to use for action runner instances (linux, osx, windows)."<br/>        runner\_architecture: "The platform architecture of the runner instance\_type."<br/>        runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."<br/>        ami: "(Optional) AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place."<br/>        create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.<br/>        credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.<br/>        delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."<br/>        disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"<br/>        ebs\_optimized: "The EC2 EBS optimized configuration."<br/>        enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."<br/>        enable\_dynamic\_labels: "Experimental! Can be removed / changed without trigger a major release. Enable dynamic labels with 'ghr-' prefix. When enabled, jobs can use 'ghr-ec2-<config>:<value>' labels to dynamically configure EC2 instances (e.g., 'ghr-ec2-instance-type:t3.large') and 'ghr-run-<label>' to add unique labels dynamically to runners."<br/>        enable\_job\_queued\_check: Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT configuration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."<br/>        enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."<br/>        scale\_errors: "List of aws error codes that should trigger retry during scale up. This list will replace the default errors defined in the variable `defaultScaleErrors` in https://github.com/github-aws-runners/terraform-aws-github-runner/blob/main/lambdas/functions/control-plane/src/aws/runners.ts"<br/>        enable\_organization\_runners: "Register runners to organization, instead of repo level"<br/>        enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."<br/>        enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."<br/>        enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."<br/>        instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."<br/>        instance\_max\_spot\_price: "Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet."<br/>        instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."<br/>        instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux, macOS Sequoia for osx, Windows Server Core for win)."<br/>        job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"<br/>        minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."<br/>        pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."<br/>        runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."<br/>        runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."<br/>        runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."<br/>        runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."<br/>        runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."<br/>        runner\_group\_name: "Name of the runner group."<br/>        runner\_name\_prefix: "Prefix for the GitHub runner name."<br/>        runner\_run\_as: "Run the GitHub actions agent as user."<br/>        runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."<br/>        scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."<br/>        scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."<br/>        userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."<br/>        enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is available. In case you are upgrading from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."<br/>        enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."<br/>        enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."<br/>        cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."<br/>        userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"<br/>        userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"<br/>        runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"<br/>        runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"<br/>        runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."<br/>        runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"<br/>        vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."<br/>        subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."<br/>        idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."<br/>        license\_specifications: "Optional EC2 License Manager license configuration ARNs for the runner launch template. Required for macOS dedicated-host runners when the host resource group uses a Mac dedicated host license configuration."<br/>        use\_dedicated\_host: "Experimental! Can be removed / changed without trigger a major release. Whether to use EC2 dedicated hosts for the runners. Needed for macos runners Note that using dedicated hosts can increase cost significantly."<br/>        runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."<br/>        block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."<br/>        job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the instances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the rate limit of the GitHub app."<br/>        pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."<br/>      }<br/>      matcherConfig: {<br/>        labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"<br/>        exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."<br/>        priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."<br/>      }<br/>      redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."<br/>    } | <pre>map(object({<br/>    runner_config = object({<br/>      runner_os           = string<br/>      runner_architecture = string<br/>      runner_metadata_options = optional(map(any), {<br/>        instance_metadata_tags      = "enabled"<br/>        http_endpoint               = "enabled"<br/>        http_tokens                 = "required"<br/>        http_put_response_hop_limit = 1<br/>      })<br/>      ami = optional(object({<br/>        filter               = optional(map(list(string)), { state = ["available"] })<br/>        owners               = optional(list(string), ["amazon"])<br/>        id_ssm_parameter_arn = optional(string, null)<br/>        kms_key_arn          = optional(string, null)<br/>      }), null)<br/>      create_service_linked_role_spot      = optional(bool, false)<br/>      credit_specification                 = optional(string, null)<br/>      delay_webhook_event                  = optional(number, 30)<br/>      disable_runner_autoupdate            = optional(bool, false)<br/>      ebs_optimized                        = optional(bool, false)<br/>      enable_ephemeral_runners             = optional(bool, false)<br/>      enable_job_queued_check              = optional(bool, null)<br/>      enable_on_demand_failover_for_errors = optional(list(string), [])<br/>      scale_errors = optional(list(string), [<br/>        "UnfulfillableCapacity",<br/>        "MaxSpotInstanceCountExceeded",<br/>        "TargetCapacityLimitExceededException",<br/>        "RequestLimitExceeded",<br/>        "ResourceLimitExceeded",<br/>        "MaxSpotInstanceCountExceeded",<br/>        "MaxSpotFleetRequestCountExceeded",<br/>        "InsufficientInstanceCapacity",<br/>        "InsufficientCapacityOnHost",<br/>      ])<br/>      enable_organization_runners             = optional(bool, false)<br/>      enable_runner_binaries_syncer           = optional(bool, true)<br/>      enable_ssm_on_runners                   = optional(bool, false)<br/>      enable_userdata                         = optional(bool, true)<br/>      instance_allocation_strategy            = optional(string, "lowest-price")<br/>      instance_max_spot_price                 = optional(string, null)<br/>      instance_target_capacity_type           = optional(string, "spot")<br/>      instance_types                          = list(string)<br/>      job_queue_retention_in_seconds          = optional(number, 86400)<br/>      minimum_running_time_in_minutes         = optional(number, null)<br/>      pool_runner_owner                       = optional(string, null)<br/>      runner_as_root                          = optional(bool, false)<br/>      runner_boot_time_in_minutes             = optional(number, 5)<br/>      runner_disable_default_labels           = optional(bool, false)<br/>      runner_extra_labels                     = optional(list(string), [])<br/>      runner_group_name                       = optional(string, "Default")<br/>      runner_name_prefix                      = optional(string, "")<br/>      runner_run_as                           = optional(string, "ec2-user")<br/>      runners_maximum_count                   = number<br/>      runner_additional_security_group_ids    = optional(list(string), [])<br/>      scale_down_schedule_expression          = optional(string, "cron(*/5 * * * ? *)")<br/>      scale_up_reserved_concurrent_executions = optional(number, 1)<br/>      userdata_template                       = optional(string, null)<br/>      userdata_content                        = optional(string, null)<br/>      enable_jit_config                       = optional(bool, null)<br/>      enable_runner_detailed_monitoring       = optional(bool, false)<br/>      enable_cloudwatch_agent                 = optional(bool, true)<br/>      cloudwatch_config                       = optional(string, null)<br/>      userdata_pre_install                    = optional(string, "")<br/>      userdata_post_install                   = optional(string, "")<br/>      runner_hook_job_started                 = optional(string, "")<br/>      runner_hook_job_completed               = optional(string, "")<br/>      runner_ec2_tags                         = optional(map(string), {})<br/>      runner_iam_role_managed_policy_arns     = optional(list(string), [])<br/>      vpc_id                                  = optional(string, null)<br/>      subnet_ids                              = optional(list(string), null)<br/>      idle_config = optional(list(object({<br/>        cron             = string<br/>        timeZone         = string<br/>        idleCount        = number<br/>        evictionStrategy = optional(string, "oldest_first")<br/>      })), [])<br/>      cpu_options = optional(object({<br/>        core_count            = optional(number)<br/>        threads_per_core      = optional(number)<br/>        amd_sev_snp           = optional(string)<br/>        nested_virtualization = optional(string)<br/>      }), null)<br/>      placement = optional(object({<br/>        affinity                = optional(string)<br/>        availability_zone       = optional(string)<br/>        group_id                = optional(string)<br/>        group_name              = optional(string)<br/>        host_id                 = optional(string)<br/>        host_resource_group_arn = optional(string)<br/>        spread_domain           = optional(string)<br/>        tenancy                 = optional(string)<br/>        partition_number        = optional(number)<br/>      }), null)<br/>      license_specifications = optional(list(object({<br/>        license_configuration_arn = string<br/>      })), [])<br/>      use_dedicated_host = optional(bool, false)<br/>      runner_log_files = optional(list(object({<br/>        log_group_name   = string<br/>        prefix_log_group = bool<br/>        file_path        = string<br/>        log_stream_name  = string<br/>        log_class        = optional(string, "STANDARD")<br/>      })), null)<br/>      block_device_mappings = optional(list(object({<br/>        delete_on_termination = optional(bool, true)<br/>        device_name           = optional(string, "/dev/xvda")<br/>        encrypted             = optional(bool, true)<br/>        iops                  = optional(number)<br/>        kms_key_id            = optional(string)<br/>        snapshot_id           = optional(string)<br/>        throughput            = optional(number)<br/>        volume_size           = number<br/>        volume_type           = optional(string, "gp3")<br/>        })), [{<br/>        volume_size = 30<br/>      }])<br/>      pool_config = optional(list(object({<br/>        schedule_expression          = string<br/>        schedule_expression_timezone = optional(string)<br/>        size                         = number<br/>      })), [])<br/>      job_retry = optional(object({<br/>        enable             = optional(bool, false)<br/>        delay_in_seconds   = optional(number, 300)<br/>        delay_backoff      = optional(number, 2)<br/>        lambda_memory_size = optional(number, 256)<br/>        lambda_timeout     = optional(number, 30)<br/>        max_attempts       = optional(number, 1)<br/>      }), {})<br/>    })<br/>    matcherConfig = object({<br/>      labelMatchers = list(list(string))<br/>      exactMatch    = optional(bool, false)<br/>      priority      = optional(number, 999)<br/>    })<br/>    redrive_build_queue = optional(object({<br/>      enabled         = bool<br/>      maxReceiveCount = number<br/>      }), {<br/>      enabled         = false<br/>      maxReceiveCount = null<br/>    })<br/>  }))</pre> | n/a | yes |
+| <a name="input_multi_runner_config"></a> [multi\_runner\_config](#input\_multi\_runner\_config) | multi\_runner\_config = {<br/>      runner\_config: {<br/>        runner\_os: "The EC2 Operating System type to use for action runner instances (linux, osx, windows)."<br/>        runner\_architecture: "The platform architecture of the runner instance\_type."<br/>        runner\_metadata\_options: "(Optional) Metadata options for the ec2 runner instances."<br/>        ami: "(Optional) AMI configuration for the action runner instances. This object allows you to specify all AMI-related settings in one place."<br/>        create\_service\_linked\_role\_spot: (Optional) create the serviced linked role for spot instances that is required by the scale-up lambda.<br/>        credit\_specification: "(Optional) The credit specification of the runner instance\_type. Can be unset, `standard` or `unlimited`.<br/>        delay\_webhook\_event: "The number of seconds the event accepted by the webhook is invisible on the queue before the scale up lambda will receive the event."<br/>        disable\_runner\_autoupdate: "Disable the auto update of the github runner agent. Be aware there is a grace period of 30 days, see also the [GitHub article](https://github.blog/changelog/2022-02-01-github-actions-self-hosted-runners-can-now-disable-automatic-updates/)"<br/>        ebs\_optimized: "The EC2 EBS optimized configuration."<br/>        enable\_ephemeral\_runners: "Enable ephemeral runners, runners will only be used once."<br/>        enable\_dynamic\_labels: "Experimental! Can be removed / changed without trigger a major release. Enable dynamic labels with 'ghr-' prefix. When enabled, jobs can use 'ghr-ec2-<config>:<value>' labels to dynamically configure EC2 instances (e.g., 'ghr-ec2-instance-type:t3.large') and 'ghr-run-<label>' to add unique labels dynamically to runners."<br/>        enable\_job\_queued\_check: Enables JIT configuration for creating runners instead of registration token based registraton. JIT configuration will only be applied for ephemeral runners. By default JIT configuration is enabled for ephemeral runners an can be disabled via this override. When running on GHES without support for JIT configuration this variable should be set to true for ephemeral runners."<br/>        enable\_on\_demand\_failover\_for\_errors: "Enable on-demand failover. For example to fall back to on demand when no spot capacity is available the variable can be set to `InsufficientInstanceCapacity`. When not defined the default behavior is to retry later."<br/>        scale\_errors: "List of aws error codes that should trigger retry during scale up. This list will replace the default errors defined in the variable `defaultScaleErrors` in https://github.com/github-aws-runners/terraform-aws-github-runner/blob/main/lambdas/functions/control-plane/src/aws/runners.ts"<br/>        enable\_organization\_runners: "Register runners to organization, instead of repo level"<br/>        enable\_runner\_binaries\_syncer: "Option to disable the lambda to sync GitHub runner distribution, useful when using a pre-build AMI."<br/>        enable\_ssm\_on\_runners: "Enable to allow access the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."<br/>        enable\_userdata: "Should the userdata script be enabled for the runner. Set this to false if you are using your own prebuilt AMI."<br/>        instance\_allocation\_strategy: "The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`."<br/>        instance\_max\_spot\_price: "Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet."<br/>        instance\_target\_capacity\_type: "Default lifecycle used for runner instances, can be either `spot` or `on-demand`."<br/>        instance\_types: "List of instance types for the action runner. Defaults are based on runner\_os (al2023 for linux, macOS Sequoia for osx, Windows Server Core for win)."<br/>        job\_queue\_retention\_in\_seconds: "The number of seconds the job is held in the queue before it is purged"<br/>        minimum\_running\_time\_in\_minutes: "The time an ec2 action runner should be running at minimum before terminated if not busy."<br/>        pool\_runner\_owner: "The pool will deploy runners to the GitHub org ID, set this value to the org to which you want the runners deployed. Repo level is not supported."<br/>        runner\_additional\_security\_group\_ids: "List of additional security groups IDs to apply to the runner. If added outside the multi\_runner\_config block, the additional security group(s) will be applied to all runner configs. If added inside the multi\_runner\_config, the additional security group(s) will be applied to the individual runner."<br/>        runner\_as\_root: "Run the action runner under the root user. Variable `runner_run_as` will be ignored."<br/>        runner\_boot\_time\_in\_minutes: "The minimum time for an EC2 runner to boot and register as a runner."<br/>        runner\_disable\_default\_labels: "Disable default labels for the runners (os, architecture and `self-hosted`). If enabled, the runner will only have the extra labels provided in `runner_extra_labels`. In case you on own start script is used, this configuration parameter needs to be parsed via SSM."<br/>        runner\_extra\_labels: "Extra (custom) labels for the runners (GitHub). Separate each label by a comma. Labels checks on the webhook can be enforced by setting `multi_runner_config.matcherConfig.exactMatch`. GitHub read-only labels should not be provided."<br/>        runner\_group\_name: "Name of the runner group."<br/>        runner\_name\_prefix: "Prefix for the GitHub runner name."<br/>        runner\_run\_as: "Run the GitHub actions agent as user."<br/>        runners\_maximum\_count: "The maximum number of runners that will be created. Setting the variable to `-1` desiables the maximum check."<br/>        scale\_down\_schedule\_expression: "Scheduler expression to check every x for scale down."<br/>        scale\_up\_reserved\_concurrent\_executions: "Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations."<br/>        userdata\_template: "Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored."<br/>        enable\_jit\_config "Overwrite the default behavior for JIT configuration. By default JIT configuration is enabled for ephemeral runners and disabled for non-ephemeral runners. In case of GHES check first if the JIT config API is available. In case you are upgrading from 3.x to 4.x you can set `enable_jit_config` to `false` to avoid a breaking change when having your own AMI."<br/>        enable\_runner\_detailed\_monitoring: "Should detailed monitoring be enabled for the runner. Set this to true if you want to use detailed monitoring. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html for details."<br/>        enable\_cloudwatch\_agent: "Enabling the cloudwatch agent on the ec2 runner instances, the runner contains default config. Configuration can be overridden via `cloudwatch_config`."<br/>        cloudwatch\_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."<br/>        userdata\_pre\_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances"<br/>        userdata\_post\_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances"<br/>        runner\_hook\_job\_started: "Script to be ran in the runner environment at the beginning of every job"<br/>        runner\_hook\_job\_completed: "Script to be ran in the runner environment at the end of every job"<br/>        runner\_ec2\_tags: "Map of tags that will be added to the launch template instance tag specifications."<br/>        runner\_iam\_role\_managed\_policy\_arns: "Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role"<br/>        vpc\_id: "The VPC for security groups of the action runners. If not set uses the value of `var.vpc_id`."<br/>        subnet\_ids: "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. If not set, uses the value of `var.subnet_ids`."<br/>        idle\_config: "List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle."<br/>        license\_specifications: "Optional EC2 License Manager license configuration ARNs for the runner launch template. Required for macOS dedicated-host runners when the host resource group uses a Mac dedicated host license configuration."<br/>        use\_dedicated\_host: "Experimental! Can be removed / changed without trigger a major release. Whether to use EC2 dedicated hosts for the runners. Needed for macos runners Note that using dedicated hosts can increase cost significantly."<br/>        runner\_log\_files: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."<br/>        block\_device\_mappings: "The EC2 instance block device configuration. Takes the following keys: `device_name`, `delete_on_termination`, `volume_type`, `volume_size`, `encrypted`, `iops`, `throughput`, `kms_key_id`, `snapshot_id`."<br/>        job\_retry: "Experimental! Can be removed / changed without trigger a major release. Configure job retries. The configuration enables job retries (for ephemeral runners). After creating the instances a message will be published to a job retry queue. The job retry check lambda is checking after a delay if the job is queued. If not the message will be published again on the scale-up (build queue). Using this feature can impact the rate limit of the GitHub app."<br/>        pool\_config: "The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the `schedule_expression`. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1. Use `schedule_expression_timezone` to override the schedule time zone (defaults to UTC)."<br/>        iam\_overrides: "Allows to (optionally) override the instance profile and runner role created by the module. Set `override_instance_profile` to true and provide the `instance_profile_name` to use an existing instance profile. Set `override_runner_role` to true and provide the `runner_role_arn` to use an existing role for the runner instances."<br/>      }<br/>      matcherConfig: {<br/>        labelMatchers: "The list of list of labels supported by the runner configuration. `[[self-hosted, linux, x64, example]]`"<br/>        exactMatch: "If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ workflow label matches it will trigger the webhook."<br/>        priority: "If set it defines the priority of the matcher, the matcher with the lowest priority will be evaluated first. Default is 999, allowed values 0-999."<br/>      }<br/>      redrive\_build\_queue: "Set options to attach (optional) a dead letter queue to the build queue, the queue between the webhook and the scale up lambda. You have the following options. 1. Disable by setting `enabled` to false. 2. Enable by setting `enabled` to `true`, `maxReceiveCount` to a number of max retries."<br/>    } | <pre>map(object({<br/>    runner_config = object({<br/>      runner_os           = string<br/>      runner_architecture = string<br/>      runner_metadata_options = optional(map(any), {<br/>        instance_metadata_tags      = "enabled"<br/>        http_endpoint               = "enabled"<br/>        http_tokens                 = "required"<br/>        http_put_response_hop_limit = 1<br/>      })<br/>      ami = optional(object({<br/>        filter               = optional(map(list(string)), { state = ["available"] })<br/>        owners               = optional(list(string), ["amazon"])<br/>        id_ssm_parameter_arn = optional(string, null)<br/>        kms_key_arn          = optional(string, null)<br/>      }), null)<br/>      create_service_linked_role_spot      = optional(bool, false)<br/>      credit_specification                 = optional(string, null)<br/>      delay_webhook_event                  = optional(number, 30)<br/>      disable_runner_autoupdate            = optional(bool, false)<br/>      ebs_optimized                        = optional(bool, false)<br/>      enable_ephemeral_runners             = optional(bool, false)<br/>      enable_job_queued_check              = optional(bool, null)<br/>      enable_on_demand_failover_for_errors = optional(list(string), [])<br/>      scale_errors = optional(list(string), [<br/>        "UnfulfillableCapacity",<br/>        "MaxSpotInstanceCountExceeded",<br/>        "TargetCapacityLimitExceededException",<br/>        "RequestLimitExceeded",<br/>        "ResourceLimitExceeded",<br/>        "MaxSpotInstanceCountExceeded",<br/>        "MaxSpotFleetRequestCountExceeded",<br/>        "InsufficientInstanceCapacity",<br/>        "InsufficientCapacityOnHost",<br/>      ])<br/>      enable_organization_runners             = optional(bool, false)<br/>      enable_runner_binaries_syncer           = optional(bool, true)<br/>      enable_ssm_on_runners                   = optional(bool, false)<br/>      enable_userdata                         = optional(bool, true)<br/>      instance_allocation_strategy            = optional(string, "lowest-price")<br/>      instance_max_spot_price                 = optional(string, null)<br/>      instance_target_capacity_type           = optional(string, "spot")<br/>      instance_types                          = list(string)<br/>      job_queue_retention_in_seconds          = optional(number, 86400)<br/>      minimum_running_time_in_minutes         = optional(number, null)<br/>      pool_runner_owner                       = optional(string, null)<br/>      runner_as_root                          = optional(bool, false)<br/>      runner_boot_time_in_minutes             = optional(number, 5)<br/>      runner_disable_default_labels           = optional(bool, false)<br/>      runner_extra_labels                     = optional(list(string), [])<br/>      runner_group_name                       = optional(string, "Default")<br/>      runner_name_prefix                      = optional(string, "")<br/>      runner_run_as                           = optional(string, "ec2-user")<br/>      runners_maximum_count                   = number<br/>      runner_additional_security_group_ids    = optional(list(string), [])<br/>      scale_down_schedule_expression          = optional(string, "cron(*/5 * * * ? *)")<br/>      scale_up_reserved_concurrent_executions = optional(number, 1)<br/>      userdata_template                       = optional(string, null)<br/>      userdata_content                        = optional(string, null)<br/>      enable_jit_config                       = optional(bool, null)<br/>      enable_runner_detailed_monitoring       = optional(bool, false)<br/>      enable_cloudwatch_agent                 = optional(bool, true)<br/>      cloudwatch_config                       = optional(string, null)<br/>      userdata_pre_install                    = optional(string, "")<br/>      userdata_post_install                   = optional(string, "")<br/>      runner_hook_job_started                 = optional(string, "")<br/>      runner_hook_job_completed               = optional(string, "")<br/>      runner_ec2_tags                         = optional(map(string), {})<br/>      runner_iam_role_managed_policy_arns     = optional(list(string), [])<br/>      vpc_id                                  = optional(string, null)<br/>      subnet_ids                              = optional(list(string), null)<br/>      idle_config = optional(list(object({<br/>        cron             = string<br/>        timeZone         = string<br/>        idleCount        = number<br/>        evictionStrategy = optional(string, "oldest_first")<br/>      })), [])<br/>      cpu_options = optional(object({<br/>        core_count            = optional(number)<br/>        threads_per_core      = optional(number)<br/>        amd_sev_snp           = optional(string)<br/>        nested_virtualization = optional(string)<br/>      }), null)<br/>      placement = optional(object({<br/>        affinity                = optional(string)<br/>        availability_zone       = optional(string)<br/>        group_id                = optional(string)<br/>        group_name              = optional(string)<br/>        host_id                 = optional(string)<br/>        host_resource_group_arn = optional(string)<br/>        spread_domain           = optional(string)<br/>        tenancy                 = optional(string)<br/>        partition_number        = optional(number)<br/>      }), null)<br/>      license_specifications = optional(list(object({<br/>        license_configuration_arn = string<br/>      })), [])<br/>      use_dedicated_host = optional(bool, false)<br/>      runner_log_files = optional(list(object({<br/>        log_group_name   = string<br/>        prefix_log_group = bool<br/>        file_path        = string<br/>        log_stream_name  = string<br/>        log_class        = optional(string, "STANDARD")<br/>      })), null)<br/>      block_device_mappings = optional(list(object({<br/>        delete_on_termination = optional(bool, true)<br/>        device_name           = optional(string, "/dev/xvda")<br/>        encrypted             = optional(bool, true)<br/>        iops                  = optional(number)<br/>        kms_key_id            = optional(string)<br/>        snapshot_id           = optional(string)<br/>        throughput            = optional(number)<br/>        volume_size           = number<br/>        volume_type           = optional(string, "gp3")<br/>        })), [{<br/>        volume_size = 30<br/>      }])<br/>      pool_config = optional(list(object({<br/>        schedule_expression          = string<br/>        schedule_expression_timezone = optional(string)<br/>        size                         = number<br/>      })), [])<br/>      job_retry = optional(object({<br/>        enable             = optional(bool, false)<br/>        delay_in_seconds   = optional(number, 300)<br/>        delay_backoff      = optional(number, 2)<br/>        lambda_memory_size = optional(number, 256)<br/>        lambda_timeout     = optional(number, 30)<br/>        max_attempts       = optional(number, 1)<br/>      }), {})<br/>      iam_overrides = optional(object({<br/>        override_instance_profile = optional(bool, null)<br/>        instance_profile_name     = optional(string, null)<br/>        override_runner_role      = optional(bool, null)<br/>        runner_role_arn           = optional(string, null)<br/>        }), {<br/>        override_instance_profile = false<br/>        instance_profile_name     = null<br/>        override_runner_role      = false<br/>        runner_role_arn           = null<br/>      })<br/>    })<br/>    matcherConfig = object({<br/>      labelMatchers = list(list(string))<br/>      exactMatch    = optional(bool, false)<br/>      priority      = optional(number, 999)<br/>    })<br/>    redrive_build_queue = optional(object({<br/>      enabled         = bool<br/>      maxReceiveCount = number<br/>      }), {<br/>      enabled         = false<br/>      maxReceiveCount = null<br/>    })<br/>  }))</pre> | n/a | yes |
 | <a name="input_parameter_store_tags"></a> [parameter\_store\_tags](#input\_parameter\_store\_tags) | Map of tags that will be added to all the SSM Parameter Store parameters created by the Lambda function. | `map(string)` | `{}` | no |
 | <a name="input_pool_lambda_reserved_concurrent_executions"></a> [pool\_lambda\_reserved\_concurrent\_executions](#input\_pool\_lambda\_reserved\_concurrent\_executions) | Amount of reserved concurrent executions for the scale-up lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. | `number` | `1` | no |
 | <a name="input_pool_lambda_timeout"></a> [pool\_lambda\_timeout](#input\_pool\_lambda\_timeout) | Time out for the pool lambda in seconds. | `number` | `60` | no |
diff --git a/modules/runners/README.md b/modules/runners/README.md
index e4e97efc66..54be68f0ab 100644
--- a/modules/runners/README.md
+++ b/modules/runners/README.md
@@ -164,6 +164,7 @@ yarn run dist
 | <a name="input_ghes_ssl_verify"></a> [ghes\_ssl\_verify](#input\_ghes\_ssl\_verify) | GitHub Enterprise SSL verification. Set to 'false' when custom certificate (chains) is used for GitHub Enterprise Server (insecure). | `bool` | `true` | no |
 | <a name="input_ghes_url"></a> [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. DO NOT SET IF USING PUBLIC GITHUB..However if you are using GitHub Enterprise Cloud with data-residency (ghe.com), set the endpoint here. Example - https://companyname.ghe.com\| | `string` | `null` | no |
 | <a name="input_github_app_parameters"></a> [github\_app\_parameters](#input\_github\_app\_parameters) | Parameter Store for GitHub App Parameters. | <pre>object({<br/>    key_base64 = map(string)<br/>    id         = map(string)<br/>  })</pre> | n/a | yes |
+| <a name="input_iam_overrides"></a> [iam\_overrides](#input\_iam\_overrides) | This map provides the possibility to override some IAM defaults. The following attributes are supported: `instance_profile_name` overrides the instance profile name used in the launch template. `runner_role_arn` overrides the IAM role ARN used for the runner instances. | <pre>object({<br/>    override_instance_profile = optional(bool, null)<br/>    instance_profile_name     = optional(string, null)<br/>    override_runner_role      = optional(bool, null)<br/>    runner_role_arn           = optional(string, null)<br/>  })</pre> | <pre>{<br/>  "instance_profile_name": null,<br/>  "override_instance_profile": false,<br/>  "override_runner_role": false,<br/>  "runner_role_arn": null<br/>}</pre> | no |
 | <a name="input_idle_config"></a> [idle\_config](#input\_idle\_config) | List of time period that can be defined as cron expression to keep a minimum amount of runners active instead of scaling down to 0. By defining this list you can ensure that in time periods that match the cron expression within 5 seconds a runner is kept idle. | <pre>list(object({<br/>    cron             = string<br/>    timeZone         = string<br/>    idleCount        = number<br/>    evictionStrategy = optional(string, "oldest_first")<br/>  }))</pre> | `[]` | no |
 | <a name="input_instance_allocation_strategy"></a> [instance\_allocation\_strategy](#input\_instance\_allocation\_strategy) | The allocation strategy for spot instances. AWS recommends to use `capacity-optimized` however the AWS default is `lowest-price`. | `string` | `"lowest-price"` | no |
 | <a name="input_instance_max_spot_price"></a> [instance\_max\_spot\_price](#input\_instance\_max\_spot\_price) | Max price price for spot instances per hour. This variable will be passed to the create fleet as max spot price for the fleet. | `string` | `null` | no |