Feature/skinny eliza/feb10 #18

Open
wants to merge 2,269 commits into
base: feature/tine-devops-variables

jmikedupont2
Member

rebase

@jmikedupont2
Member Author

denied: User: arn:aws:sts::767503528736:assumed-role/github-runner-codebuild-eliza-build/AWSCodeBuild-7648967c-1148-459f-aab8-2f1e5d6915f5 is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-2:767503528736:repository/agent/eliza because no identity-based policy allows the ecr:InitiateLayerUpload action
--
3378 |  
3379 | [Container] 2025/02/12 15:51:29.745949 Command did not exit successfully docker push 767503528736.dkr.ecr.us-east-2.amazonaws.com/agent/eliza:feb10 exit status 1
3380 | [Container] 2025/02/12 15:51:29.751544 Phase complete: POST_BUILD State: FAILED
3381 | [Container] 2025/02/12 15:51:29.751566 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: docker push 767503528736.dkr.ecr.us-east-2.amazonaws.com/agent/eliza:feb10. Reason: exit status 1

@jmikedupont2
Member Author

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
				"ecr:GetDownloadUrlForLayer",
				"ecr:BatchGetImage",
				"ecr:CompleteLayerUpload",
				"ecr:DescribeImages",
				"ecr:DescribeRepositories",
				"ecr:UploadLayerPart",
				"ecr:InitiateLayerUpload",
				"ecr:BatchCheckLayerAvailability",
				"ecr:PutImage"
			],
			"Resource": "arn:aws:ecr:us-east-2:767503528736:repository/agent/eliza"
		}
	]
}

@jmikedupont2
Member Author

image
succeeded

@jmikedupont2
Member Author


> @elizaos/agent@0.1.7 start /app/agent
> node --loader ts-node/esm src/index.ts "--isRoot" "--characters=characters/tine-test.character.json"

(node:173) ExperimentalWarning: `--experimental-loader` may be removed in the future; instead use `register()`:
--import 'data:text/javascript,import { register } from "node:module"; import { pathToFileURL } from "node:url"; register("ts-node/esm", pathToFileURL("./"));'
(Use `node --trace-warnings ...` to show where the warning was created)
(node:173) [DEP0180] DeprecationWarning: fs.Stats constructor is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)

node:internal/modules/run_main:122
    triggerUncaughtException(
    ^
[Object: null prototype] {
  [Symbol(nodejs.util.inspect.custom)]: [Function: [nodejs.util.inspect.custom]]
}

Node.js v23.3.0
/app/agent:
 ERR_PNPM_RECURSIVE_RUN_FIRST_FAIL  @elizaos/agent@0.1.7 start: `node --loader ts-node/esm src/index.ts "--isRoot" "--characters=characters/tine-test.character.json"`
Exit status 1
 ELIFECYCLE  Command failed with exit code 1.

@jmikedupont2 jmikedupont2 force-pushed the feature/skinny_eliza/feb10 branch from 2b31fbe to df0562c Compare February 14, 2025 12:17
@jmikedupont2
Member Author

[2025-02-14 13:22:22] ERROR: Failed to load sqlite-vec extensions:
[2025-02-14 13:22:22] ERROR: Error starting agent for character TINE-CloudAssistent:
[2025-02-14 13:22:22] ERROR:
    err: {
      "type": "Error",
      "message": "Loadble extension for sqlite-vec not found. Was the sqlite-vec-linux-arm64 package installed?",
      "stack":
          Error: Loadble extension for sqlite-vec not found. Was the sqlite-vec-linux-arm64 package installed?
              at getLoadablePath (file:///app/node_modules/sqlite-vec/index.mjs:48:11)
              at Module.load (file:///app/node_modules/sqlite-vec/index.mjs:55:20)
              at loadVecExtensions (file:///app/packages/adapter-sqlite/dist/index.js:140:19)
              at load2 (file:///app/packages/adapter-sqlite/dist/index.js:149:5)
              at new SqliteDatabaseAdapter (file:///app/packages/adapter-sqlite/dist/index.js:187:9)
              at Object.init (file:///app/packages/adapter-sqlite/dist/index.js:798:20)
              at findDatabaseAdapter (file:///app/agent/src/index.ts:518:39)
              at async startAgent (file:///app/agent/src/index.ts:530:14)
              at async startAgents (file:///app/agent/src/index.ts:583:13)
    }
[2025-02-14 13:22:22] ERROR: Error starting agents:
[2025-02-14 13:22:22] INFO: Run `pnpm start:client` to start the client and visit the outputted URL (http://localhost:5173) to chat with your agents. When running multiple agents, use client with different port `SERVER_PORT=3001 pnpm start:client`
root@ip-10-0-4-201:/opt/agent#

easy to fix

@jmikedupont2
Member Author

15 12.75 @elizaos-plugins/adapter-sqlite:build: > @elizaos-plugins/adapter-sqlite@0.25.6-alpha.1 build /app/packages/adapter-sqlite
--
3128 | #15 12.75 @elizaos-plugins/adapter-sqlite:build: > tsup --format esm --dts
3129 | #15 12.75 @elizaos-plugins/adapter-sqlite:build:
3130 | #15 12.89 client:build:
3131 | #15 12.89 client:build: > client@ build /app/client
3132 | #15 12.89 client:build: > pnpm run extract-version && tsc -b && vite build
3133 | #15 12.89 client:build:
3134 | #15 13.18 @elizaos/plugin-bootstrap:build: CLI Building entry: src/index.ts
3135 | #15 13.19 @elizaos/plugin-bootstrap:build: CLI Using tsconfig: tsconfig.json
3136 | #15 13.19 @elizaos/plugin-bootstrap:build: CLI tsup v8.3.5
3137 | #15 13.19 @elizaos/plugin-bootstrap:build: CLI Using tsup config: /app/packages/plugin-bootstrap/tsup.config.ts
3138 | #15 13.20 @elizaos/plugin-bootstrap:build: CLI Target: esnext
3139 | #15 13.21 @elizaos/plugin-bootstrap:build: CLI Cleaning output folder
3140 | #15 13.21 @elizaos/plugin-bootstrap:build: ESM Build start
3141 | #15 13.25 @elizaos/plugin-bootstrap:build: ESM dist/index.js     72.61 KB
3142 | #15 13.25 @elizaos/plugin-bootstrap:build: ESM dist/index.js.map 135.11 KB
3143 | #15 13.26 @elizaos/plugin-bootstrap:build: ESM ⚡️ Build success in 45ms
3144 | #15 13.33 @elizaos-plugins/adapter-sqlite:build: CLI Building entry: src/index.ts
3145 | #15 13.33 @elizaos-plugins/adapter-sqlite:build: CLI Using tsconfig: tsconfig.json
3146 | #15 13.33 @elizaos-plugins/adapter-sqlite:build: CLI tsup v8.3.5
3147 | #15 13.33 @elizaos-plugins/adapter-sqlite:build: CLI Using tsup config: /app/packages/adapter-sqlite/tsup.config.ts
3148 | #15 13.34 @elizaos-plugins/adapter-sqlite:build: CLI Target: esnext
3149 | #15 13.35 @elizaos-plugins/adapter-sqlite:build: CLI Cleaning output folder
3150 | #15 13.35 @elizaos-plugins/adapter-sqlite:build: ESM Build start
3151 | #15 13.37 @elizaos-plugins/adapter-sqlite:build: ✘ [ERROR] Could not resolve "sqlite-vec"
3152 | #15 13.37 @elizaos-plugins/adapter-sqlite:build:
3153 | #15 13.37 @elizaos-plugins/adapter-sqlite:build:     src/sqlite_vec.ts:1:27:
3154 | #15 13.37 @elizaos-plugins/adapter-sqlite:build:       1 │ import * as sqliteVec from "sqlite-vec";
3155 | #15 13.37 @elizaos-plugins/adapter-sqlite:build:         ╵                            ~~~~~~~~~~~~
3156 | #15 13.37 @elizaos-plugins/adapter-sqlite:build:
3157 | #15 13.37 @elizaos-plugins/adapter-sqlite:build:   You can mark the path "sqlite-vec" as external to exclude it from the bundle, which will remove this error and leave the unresolved path in the bundle.
3158 | #15 13.37 @elizaos-plugins/adapter-sqlite:build:
3159 | #15 13.37 @elizaos-plugins/adapter-sqlite:build: ESM Build failed
3160 | #15 13.37 @elizaos-plugins/adapter-sqlite:build: Error: Build failed with 1 error:
3161 | #15 13.38 @elizaos-plugins/adapter-sqlite:build: src/sqlite_vec.ts:1:27: ERROR: Could not resolve "sqlite-vec"
3162 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at failureErrorWithLog (/app/node_modules/esbuild/lib/main.js:1476:15)
3163 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at /app/node_modules/esbuild/lib/main.js:945:25
3164 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at runOnEndCallbacks (/app/node_modules/esbuild/lib/main.js:1316:45)
3165 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at buildResponseToResult (/app/node_modules/esbuild/lib/main.js:943:7)
3166 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at /app/node_modules/esbuild/lib/main.js:970:16
3167 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at responseCallbacks.<computed> (/app/node_modules/esbuild/lib/main.js:622:9)
3168 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at handleIncomingPacket (/app/node_modules/esbuild/lib/main.js:677:12)
3169 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at Socket.readFromStdout (/app/node_modules/esbuild/lib/main.js:600:7)
3170 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at Socket.emit (node:events:507:28)
3171 | #15 13.38 @elizaos-plugins/adapter-sqlite:build:     at addChunk (node:internal/streams/readable:559:12)
3172 | #15 13.64 client:build:
3173 | #15 13.64 client:build: > client@ extract-version /app/client
3174 | #15 13.64 client:build: > bash ./version.sh
3175 | #15 13.64 client:build:
3176 | #15 13.65 @elizaos/plugin-bootstrap:build: DTS Build start
3177 | #15 13.68 client:build: info.json created with version: 0.25.6-alpha.1
3178 | #15 13.85 @elizaos-plugins/adapter-sqlite:build: DTS Build start
3179 | #15 23.00 @elizaos/plugin-bootstrap:build: DTS ⚡️ Build success in 9347ms
3180 | #15 23.00 @elizaos/plugin-bootstrap:build: DTS dist/index.d.ts 3.00 KB
3181 | #15 24.98 @elizaos-plugins/adapter-sqlite:build: src/sqlite_vec.ts(1,28): error TS2307: Cannot find module 'sqlite-vec' or its corresponding type declarations.
3182 | #15 24.98 @elizaos-plugins/adapter-sqlite:build:
3183 | #15 25.04 @elizaos-plugins/adapter-sqlite:build: ·ELIFECYCLE· Command failed with exit code 1.
3184 | #15 25.07 @elizaos-plugins/adapter-sqlite:build: ERROR: command finished with error: command (/app/packages/adapter-sqlite) /app/node_modules/.bin/pnpm run build exited (1)
3185 | #15 25.09 @elizaos-plugins/adapter-sqlite#build: command (/app/packages/adapter-sqlite) /app/node_modules/.bin/pnpm run build exited (1)
3186 | #15 25.09
3187 | #15 25.09  Tasks:    3 successful, 5 total
3188 | #15 25.09 Cached:    0 cached, 5 total
3189 | #15 25.09   Time:    23.985s
3190 | #15 25.09 Failed:    @elizaos-plugins/adapter-sqlite#build
3191 | #15 25.09
3192 | #15 25.10  ERROR  run failed: command  exited (1)
3193 | #15 25.18 ·ELIFECYCLE· Command failed with exit code 1.
3194 | #15 ERROR: process "/bin/sh -c pnpm run build && pnpm prune --prod" did not complete successfully: exit code: 1
3195 | ------

@jmikedupont2
Member Author

[Container] 2025/02/16 17:24:31.738691 Phase context status code: Decrypted Variables Error Message: AccessDeniedException: User: arn:aws:sts::767503528736:assumed-role/github-runner-codebuild-eliza-build/AWSCodeBuild-6b1a8659-f132-4c5c-87d6-0315f3bc2677 is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-east-2:767503528736:parameter/tine_agent_2_agent_image because no identity-based policy allows the ssm:GetParameters action

This response might contain information related to security, a nuanced topic. You should verify the response using informed human judgement. Visit Security in Amazon Q Developer for more details.

Based on the error message you're encountering, it appears that your CodeBuild project is trying to access a parameter in AWS Systems Manager Parameter Store, but the IAM role associated with your build doesn't have the necessary permissions. Let's address this issue step by step:

  1. Identify the problem:
    The error indicates that the CodeBuild role lacks the 'ssm:GetParameters' permission for the specific SSM parameter you're trying to access.

  2. Solution:
    We need to update the IAM role used by your CodeBuild project to include the required SSM permissions. Here's how to do it:

    a. Navigate to the IAM console.
    b. Find the role used by your CodeBuild project. It should be named something like "github-runner-codebuild-eliza-build".
    c. Edit the role's permissions by adding an inline policy or attaching a managed policy.
    d. Add the following permissions, adhering to the principle of least privilege:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ssm:GetParameters",
                "Resource": "arn:aws:ssm:us-east-2:767503528736:parameter/tine_agent_2_agent_image"
            }
        ]
    }

    This policy grants the minimum required permission to access only the specific parameter your build needs.

  3. Implementation steps:
    a. Go to the IAM console.
    b. Select "Roles" from the left navigation pane.
    c. Search for and select the role used by your CodeBuild project.
    d. Click on "Add inline policy" or "Attach policies" depending on your preference.
    e. If adding an inline policy, paste the JSON provided above and give it a descriptive name.
    f. Save the changes.

  4. Verification:
    After updating the role, retry your CodeBuild project. The error should no longer occur, and your build should be able to access the SSM parameter.

  5. Best practices:

    • Always follow the principle of least privilege when granting permissions.
    • Regularly review and audit your IAM roles and policies.
    • Consider using AWS-managed policies where appropriate, but be cautious of overly broad permissions.

  6. Additional considerations:

    • If you need to access multiple SSM parameters, you might want to use a naming convention and grant access using a wildcard in the resource ARN. For example:
      "Resource": "arn:aws:ssm:us-east-2:767503528736:parameter/tine_agent_*"
    • Remember to adjust the region and account ID in the policy if you're working across multiple environments.

If you continue to experience issues after implementing these changes, please review your CodeBuild project configuration and ensure that it's using the correct IAM role. If problems persist, consider checking AWS CloudTrail logs for more detailed information about the access attempts.
Sources
[1] [Unable to extract SSM parameters, AccessDeniedException | AWS re:Post] (https://repost.aws/questions/QUOLCd663ATGuA6WL6lDSprw/unable-to-extract-ssm-parameters-accessdeniedexception)
[3] [Troubleshooting AWS CodeBuild - AWS CodeBuild] (https://docs.aws.amazon.com/codebuild/latest/userguide/troubleshooting.html)
[6] [Using SSM Parameters Directly in CF template | AWS re:Post] (https://repost.aws/questions/QUMCw76YWUSlqDwaoAjT8rqg/using-ssm-parameters-directly-in-cf-template)
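
An added example, not part of the original thread or of the project's code: it turns denial lines of the shape quoted in the ECR and SSM comments above into per-resource IAM statements, then measures how far an exact ARN and a prefix wildcard each reach. The account ID, role, repository and parameter names are constructed placeholders, and the evaluator covers only Allow statements in a single identity policy (no Deny, conditions, SCPs or permission boundaries).

```python
import json
import re

# Denial wording as it appears in the build-log lines quoted in this thread.
DENIAL_RE = re.compile(
    r"User: arn:aws:sts::\d{12}:assumed-role/(?P<role>[^\s/]+)/\S+ "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>arn:aws:\S+)"
)

# Constructed sample log: placeholder account ID, role and resource names.
SAMPLE_LOG = """\
denied: User: arn:aws:sts::111122223333:assumed-role/example-build-role/AWSCodeBuild-0000 is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-2:111122223333:repository/agent/example because no identity-based policy allows the ecr:InitiateLayerUpload action
[Container] 2025/01/01 00:00:00.000000 Phase complete: POST_BUILD State: FAILED
[Container] 2025/01/01 00:00:01.000000 Phase context status code: Decrypted Variables Error Message: AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/example-build-role/AWSCodeBuild-0001 is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-east-2:111122223333:parameter/example_agent_image because no identity-based policy allows the ssm:GetParameters action
[Container] 2025/01/01 00:00:02.000000 retry: User: arn:aws:sts::111122223333:assumed-role/example-build-role/AWSCodeBuild-0002 is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-east-2:111122223333:parameter/example_agent_image because no identity-based policy allows the ssm:GetParameters action
"""

SSM = "arn:aws:ssm:us-east-2:111122223333:parameter/"
# Constructed parameter inventory used to measure how far a Resource pattern reaches.
PARAMS = [SSM + "example_agent_image", SSM + "example_agent_db_password", SSM + "other_service_token"]
# Prefix-wildcard variant of the SSM grant, for comparison with the exact ARN.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": SSM + "example_agent_*"}],
}


def parse_denials(log_text):
    """Return unique {role, action, resource} denials in first-seen order."""
    seen, out = set(), []
    for m in DENIAL_RE.finditer(log_text):
        key = (m["role"], m["action"], m["resource"])
        if key not in seen:  # retried builds repeat the same denial
            seen.add(key)
            out.append({"role": key[0], "action": key[1], "resource": key[2]})
    return out


def build_policy(denials, role):
    """One Allow statement per denied resource, listing only the denied actions."""
    by_resource = {}
    for d in denials:
        if d["role"] == role:
            by_resource.setdefault(d["resource"], set()).add(d["action"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
            for resource, actions in by_resource.items()
        ],
    }


def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Allow-only check: action names are case-insensitive, resource ARNs are not."""
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if any(iam_match(a, action, True) for a in as_list(st["Action"])) and any(
            iam_match(r, resource) for r in as_list(st["Resource"])
        ):
            return True
    return False


def reachable(policy, action, candidates):
    """Subset of candidate ARNs on which the policy allows the action."""
    return [arn for arn in candidates if is_allowed(policy, action, arn)]


if __name__ == "__main__":
    exact = build_policy(parse_denials(SAMPLE_LOG), "example-build-role")
    print(json.dumps(exact, indent=2))
    print("exact ARN reaches:   ", reachable(exact, "ssm:GetParameters", PARAMS))
    print("prefix wildcard adds:", reachable(WILDCARD_POLICY, "ssm:GetParameters", PARAMS))
```

A denial reports only the action that failed first, so expect several rounds: the ECR denial quoted earlier names one action, while the policy posted after it lists nine.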

@jmikedupont2
Member Author

generated from aws for the new role

Metadata:
  AWSToolsMetrics:
    IaC_Generator: arn:aws:cloudformation:us-east-2:767503528736:generatedTemplate/71683111-d977-4a22-85bf-1a72f8d27a64
Resources:
  IAMManagedPolicy00policyserviceroleCodeBuildCodeConnectionsSourceCredentialsPolicygithubrunnercodebuildelizabuilduseast200oolEl:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: CodeBuildCodeConnectionsSourceCredentialsPolicy-github-runner-codebuild-eliza-build-us-east-2
      Path: /service-role/
      Description: Policy used in trust relationship with CodeBuild
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource:
              - arn:aws:codestar-connections:us-east-2:767503528736:connection/3f4c6e77-52d9-4d46-a496-b95d31e2674f
              - arn:aws:codeconnections:us-east-2:767503528736:connection/3f4c6e77-52d9-4d46-a496-b95d31e2674f
            Action:
              - codestar-connections:GetConnectionToken
              - codestar-connections:GetConnection
              - codeconnections:GetConnectionToken
              - codeconnections:GetConnection
              - codeconnections:UseConnection
            Effect: Allow
      Roles:
        - github-runner-codebuild-eliza-build
      Users: []
  IAMRole00github00Fjaie:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::Role
    DeletionPolicy: Retain
    Properties:
      Path: /
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy00policyterraformpike2025011002341548720000000200yi4Z6
        - !Ref IAMManagedPolicy00policyterraformpike2025011002341548660000000100x4KjD
        - !Ref IAMManagedPolicy00policyGitHubSSMPolicy00EjtJg
        - !Ref IAMManagedPolicy00policyterraformpike2025011002341548830000000300WNHBA
        - arn:aws:iam::aws:policy/ReadOnlyAccess
      MaxSessionDuration: 3600
      RoleName: github
      Description: Role assumed by the GitHub OIDC provider.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              StringLike:
                token.actions.githubusercontent.com:sub:
                  - repo:jmikedupont2/ai-agent-terraform:*
                  - repo:jmikedupont2/terraform-aws-oidc-github:*
                  - repo:meta-introspector/cloud-deployment-eliza:*
                  - repo:meta-introspector/eliza-fastify:*
                  - repo:meta-introspector/eliza-starter:*
                  - repo:meta-introspector/fastembed-js:*
                  - repo:meta-introspector/arm64-tokenizers:*
            Action: sts:AssumeRoleWithWebIdentity
            Effect: Allow
            Principal:
              Federated: arn:aws:iam::767503528736:oidc-provider/token.actions.githubusercontent.com
  IAMManagedPolicy00policyserviceroleCodeBuildCloudWatchLogsPolicygithubrunnercodebuildelizabuilduseast200bxyYg:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: CodeBuildCloudWatchLogsPolicy-github-runner-codebuild-eliza-build-us-east-2
      Path: /service-role/
      Description: Policy used in trust relationship with CodeBuild
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource:
              - arn:aws:logs:us-east-2:767503528736:log-group:/aws/codebuild/github-runner-codebuild-eliza-build
              - arn:aws:logs:us-east-2:767503528736:log-group:/aws/codebuild/github-runner-codebuild-eliza-build:*
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
      Roles:
        - github-runner-codebuild-eliza-build
      Users: []
  IAMManagedPolicy00policyterraformpike2025011002341548830000000300WNHBA:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: terraform_pike20250110023415488300000003
      Path: /
      Description: Pike Autogenerated policy from IAC
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource:
              - '*'
            Action:
              - iam:AddRoleToInstanceProfile
              - iam:AttachRolePolicy
              - iam:CreateInstanceProfile
              - iam:CreatePolicy
              - iam:CreateRole
              - iam:CreateServiceLinkedRole
              - iam:DeleteInstanceProfile
              - iam:DeletePolicy
              - iam:DeleteRole
              - iam:DeleteRolePermissionsBoundary
              - iam:DetachRolePolicy
              - iam:GetInstanceProfile
              - iam:GetPolicy
              - iam:GetPolicyVersion
              - iam:GetRole
              - iam:ListAttachedRolePolicies
              - iam:ListInstanceProfilesForRole
              - iam:ListPolicyVersions
              - iam:ListRolePolicies
              - iam:PassRole
              - iam:PutRolePermissionsBoundary
              - iam:RemoveRoleFromInstanceProfile
              - iam:TagInstanceProfile
              - iam:TagPolicy
              - iam:TagRole
              - iam:UntagInstanceProfile
              - iam:UntagPolicy
              - iam:UntagRole
              - iam:UpdateRoleDescription
            Effect: Allow
            Sid: VisualEditor0010
          - Resource:
              - '*'
            Action:
              - lambda:AddPermission
              - lambda:GetPolicy
              - lambda:RemovePermission
            Effect: Allow
            Sid: VisualEditor0011
          - Resource:
              - '*'
            Action:
              - logs:AssociateKmsKey
              - logs:CreateLogDelivery
              - logs:CreateLogGroup
              - logs:DeleteLogGroup
              - logs:DeleteRetentionPolicy
              - logs:DescribeLogGroups
              - logs:DisassociateKmsKey
              - logs:ListTagsLogGroup
              - logs:PutRetentionPolicy
              - logs:TagLogGroup
              - logs:UntagLogGroup
            Effect: Allow
            Sid: VisualEditor0012
          - Resource:
              - '*'
            Action:
              - managed-fleets:DeleteAutoScalingGroup
              - managed-fleets:DeregisterAutoScalingGroup
              - managed-fleets:Get*
              - managed-fleets:RegisterAutoScalingGroup
              - managed-fleets:UpdateAutoScalingGroup
            Effect: Allow
            Sid: VisualEditor0013
          - Resource:
              - '*'
            Action:
              - rds:AddTagsToResource
              - rds:CreateDBSubnetGroup
              - rds:DeleteDBSubnetGroup
              - rds:DescribeDBSubnetGroups
              - rds:ListTagsForResource
              - rds:ModifyDBSubnetGroup
              - rds:RemoveTagsFromResource
            Effect: Allow
            Sid: VisualEditor0014
          - Resource:
              - '*'
            Action:
              - redshift:CreateClusterSubnetGroup
              - redshift:CreateTags
              - redshift:DeleteClusterSubnetGroup
              - redshift:DeleteTags
              - redshift:DescribeClusterSubnetGroups
              - redshift:ModifyClusterSubnetGroup
            Effect: Allow
            Sid: VisualEditor0015
          - Resource:
              - '*'
            Action:
              - route53:ChangeResourceRecordSets
              - route53:GetChange
              - route53:GetHostedZone
              - route53:ListResourceRecordSets
            Effect: Allow
            Sid: VisualEditor0016
          - Resource:
              - '*'
            Action:
              - ssm:Get*
            Effect: Allow
            Sid: VisualEditor0017
          - Resource:
              - '*'
            Action:
              - wafv2:AssociateWebACL
              - wafv2:DisassociateWebACL
              - wafv2:GetWebACLForResource
            Effect: Allow
            Sid: VisualEditor0018
          - Resource:
              - '*'
            Action:
              - ec2:CreateKeyPair
              - ec2:CreateLaunchTemplate
              - ec2:CreateLaunchTemplateVersion
              - ec2:DeleteKeyPair
              - ec2:DeleteLaunchTemplate
              - ec2:DescribeInstanceTypes
              - ec2:DescribeKeyPairs
              - ec2:DescribeLaunchTemplateVersions
              - ec2:DescribeLaunchTemplates
              - ec2:ImportKeyPair
            Effect: Allow
            Sid: VisualEditor0000
          - Resource:
              - '*'
            Action:
              - iam:AddRoleToInstanceProfile
              - iam:AttachRolePolicy
              - iam:CreateInstanceProfile
              - iam:CreatePolicy
              - iam:CreateRole
              - iam:DeleteInstanceProfile
              - iam:DeletePolicy
              - iam:DeleteRole
              - iam:DetachRolePolicy
              - iam:GetInstanceProfile
              - iam:GetPolicy
              - iam:GetPolicyVersion
              - iam:GetRole
              - iam:ListAttachedRolePolicies
              - iam:ListInstanceProfilesForRole
              - iam:ListPolicies
              - iam:ListPolicyVersions
              - iam:ListRolePolicies
              - iam:PassRole
              - iam:RemoveRoleFromInstanceProfile
              - iam:TagInstanceProfile
              - iam:TagRole
              - iam:UntagInstanceProfile
              - iam:UntagRole
            Effect: Allow
            Sid: VisualEditor001
          - Resource:
              - '*'
            Action:
              - ssm:DeleteParameter
              - ssm:PutParameter
            Effect: Allow
            Sid: VisualEditor002
      Roles:
        - github
      Users: []
  IAMManagedPolicy00policyserviceroleCodeBuildBasePolicygithubrunnercodebuildelizabuilduseast200VUUiL:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: CodeBuildBasePolicy-github-runner-codebuild-eliza-build-us-east-2
      Path: /service-role/
      Description: ''
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource:
              - arn:aws:logs:us-east-2:767503528736:log-group:/aws/codebuild/github-runner-codebuild-eliza-build
              - arn:aws:logs:us-east-2:767503528736:log-group:/aws/codebuild/github-runner-codebuild-eliza-build:*
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
          - Resource:
              - arn:aws:s3:::codepipeline-us-east-2-*
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:GetBucketAcl
              - s3:GetBucketLocation
            Effect: Allow
          - Resource:
              - arn:aws:codebuild:us-east-2:767503528736:report-group/github-runner-codebuild-eliza-build-*
            Action:
              - codebuild:CreateReportGroup
              - codebuild:CreateReport
              - codebuild:UpdateReport
              - codebuild:BatchPutTestCases
              - codebuild:BatchPutCodeCoverages
            Effect: Allow
      Roles:
        - github-runner-codebuild-eliza-build
      Users: []
  IAMManagedPolicy00policyterraformpike2025011002341548660000000100x4KjD:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: terraform_pike20250110023415486600000001
      Path: /
      Description: Pike Autogenerated policy from IAC
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource:
              - '*'
            Action:
              - acm:AddTagsToCertificate
              - acm:DeleteCertificate
              - acm:DescribeCertificate
              - acm:ListTagsForCertificate
              - acm:RemoveTagsFromCertificate
              - acm:RequestCertificate
            Effect: Allow
            Sid: VisualEditor0
          - Resource:
              - '*'
            Action:
              - apigateway:SetWebACL
            Effect: Allow
            Sid: VisualEditor100
          - Resource:
              - '*'
            Action:
              - apprunner:AssociateWebAcl
              - apprunner:DescribeWebAclForService
              - apprunner:DisassociateWebAcl
              - apprunner:ListAssociatedServicesForWebAcl
            Effect: Allow
            Sid: VisualEditor200
          - Resource:
              - '*'
            Action:
              - appsync:SetWebACL
            Effect: Allow
            Sid: VisualEditor003
          - Resource:
              - '*'
            Action:
              - autoscaling:AttachTrafficSources
              - autoscaling:CreateAutoScalingGroup
              - autoscaling:CreateOrUpdateTags
              - autoscaling:DeleteAutoScalingGroup
              - autoscaling:DeleteLifecycleHook
              - autoscaling:DeletePolicy
              - autoscaling:DeleteScheduledAction
              - autoscaling:DeleteTags
              - autoscaling:Describe*
              - autoscaling:DescribeAdjustmentTypes
              - autoscaling:DescribeAutoScalingGroups
              - autoscaling:DescribePolicies
              - autoscaling:DescribeScalingActivities
              - autoscaling:DescribeScheduledActions
              - autoscaling:DescribeTerminationPolicyTypes
              - autoscaling:DescribeTrafficSources
              - autoscaling:DetachTrafficSources
              - autoscaling:DisableMetricsCollection
              - autoscaling:EnableMetricsCollection
              - autoscaling:ExecutePolicy
              - autoscaling:PutLifecycleHook
              - autoscaling:PutScalingPolicy
              - autoscaling:PutScheduledUpdateGroupAction
              - autoscaling:UpdateAutoScalingGroup
            Effect: Allow
            Sid: VisualEditor004
          - Resource:
              - '*'
            Action:
              - cloudwatch:GetMetricData
            Effect: Allow
            Sid: VisualEditor005
          - Resource:
              - arn:aws:ecr:us-east-2:767503528736:repository/*
            Action:
              - ecr:CompleteLayerUpload
              - ecr:UploadLayerPart
              - ecr:InitiateLayerUpload
              - ecr:BatchCheckLayerAvailability
              - ecr:PutImage
              - ecr:BatchGetImage
              - ecr:CreateRepository
            Effect: Allow
          - Resource: '*'
            Action: ecr:GetAuthorizationToken
            Effect: Allow
      Roles:
        - github
      Users: []
  IAMManagedPolicy00policyGitHubSSMPolicy00EjtJg:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: GitHubSSMPolicy
      Path: /
      Description: Policy to allow SSM commands for GitHub role
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource: '*'
            Action:
              - ssm:SendCommand
              - ssm:ListCommands
              - ssm:GetCommandInvocation
            Effect: Allow
          - Resource: '*'
            Action:
              - ec2:DescribeInstances
            Effect: Allow
      Roles:
        - github
      Users: []
  IAMManagedPolicy00policyserviceroleCodeBuildAutoRetryPolicygithubrunnercodebuildelizabuilduseast200Tjoa5:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: CodeBuildAutoRetryPolicy-github-runner-codebuild-eliza-build-us-east-2
      Path: /service-role/
      Description: Policy used in trust relationship with CodeBuild
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource:
              - arn:aws:codebuild:us-east-2:767503528736:project/github-runner-codebuild-eliza-build
            Action:
              - codebuild:RetryBuild
            Effect: Allow
      Roles:
        - github-runner-codebuild-eliza-build
      Users: []
  IAMManagedPolicy00policyterraformpike2025011002341548720000000200yi4Z6:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::ManagedPolicy
    DeletionPolicy: Retain
    Properties:
      ManagedPolicyName: terraform_pike20250110023415487200000002
      Path: /
      Description: Pike Autogenerated policy from IAC
      Groups: []
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Resource:
              - '*'
            Action:
              - cognito-idp:AssociateWebACL
              - cognito-idp:DisassociateWebACL
              - cognito-idp:GetWebACLForResource
              - cognito-idp:ListResourcesForWebACL
            Effect: Allow
            Sid: VisualEditor006
          - Resource:
              - '*'
            Action:
              - ec2:AllocateAddress
              - ec2:AssignPrivateNatGatewayAddress
              - ec2:AssociateAddress
              - ec2:AssociateDhcpOptions
              - ec2:AssociateNatGatewayAddress
              - ec2:AssociateRouteTable
              - ec2:AssociateSubnetCidrBlock
              - ec2:AssociateVpcCidrBlock
              - ec2:AttachInternetGateway
              - ec2:AttachVpnGateway
              - ec2:AuthorizeSecurityGroupEgress
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateCustomerGateway
              - ec2:CreateDefaultVpc
              - ec2:CreateDhcpOptions
              - ec2:CreateEgressOnlyInternetGateway
              - ec2:CreateFlowLogs
              - ec2:CreateInternetGateway
              - ec2:CreateLaunchTemplate
              - ec2:CreateLaunchTemplateVersion
              - ec2:CreateNatGateway
              - ec2:CreateNetworkAcl
              - ec2:CreateNetworkAclEntry
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSecurityGroup
              - ec2:CreateSubnet
              - ec2:CreateTags
              - ec2:CreateVPC
              - ec2:CreateVpnGateway
              - ec2:DeleteCustomerGateway
              - ec2:DeleteDhcpOptions
              - ec2:DeleteEgressOnlyInternetGateway
              - ec2:DeleteFlowLogs
              - ec2:DeleteInternetGateway
              - ec2:DeleteLaunchTemplate
              - ec2:DeleteNatGateway
              - ec2:DeleteNetworkAcl
              - ec2:DeleteNetworkAclEntry
              - ec2:DeleteNetworkInterface
              - ec2:DeleteRoute
              - ec2:DeleteRouteTable
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSubnet
              - ec2:DeleteTags
              - ec2:DeleteVPC
              - ec2:DeleteVpnGateway
              - ec2:Describe*
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeCustomerGateways
              - ec2:DescribeDhcpOptions
              - ec2:DescribeEgressOnlyInternetGateways
              - ec2:DescribeFlowLogs
              - ec2:DescribeImages
              - ec2:DescribeInstanceTypes
              - ec2:DescribeInternetGateways
              - ec2:DescribeLaunchTemplateVersions
              - ec2:DescribeLaunchTemplates
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkAcls
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroupRules
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVpcs
              - ec2:DescribeVpnGateways
              - ec2:DetachInternetGateway
              - ec2:DetachNetworkInterface
              - ec2:DetachVpnGateway
              - ec2:DisableVgwRoutePropagation
              - ec2:DisassociateAddress
              - ec2:DisassociateNatGatewayAddress
              - ec2:DisassociateRouteTable
              - ec2:DisassociateSubnetCidrBlock
              - ec2:DisassociateVpcCidrBlock
              - ec2:EnableVgwRoutePropagation
              - ec2:Get*
              - ec2:ModifySubnetAttribute
              - ec2:ModifyVpcAttribute
              - ec2:ModifyVpcTenancy
              - ec2:ReleaseAddress
              - ec2:ReplaceNetworkAclEntry
              - ec2:ReplaceRoute
              - ec2:ReplaceRouteTableAssociation
              - ec2:RevokeSecurityGroupEgress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:UnassignPrivateNatGatewayAddress
            Effect: Allow
            Sid: VisualEditor007
          - Resource:
              - '*'
            Action:
              - elasticache:AddTagsToResource
              - elasticache:CreateCacheSubnetGroup
              - elasticache:DeleteCacheSubnetGroup
              - elasticache:DescribeCacheSubnetGroups
              - elasticache:ListTagsForResource
              - elasticache:ModifyCacheSubnetGroup
              - elasticache:RemoveTagsFromResource
            Effect: Allow
            Sid: VisualEditor008
          - Resource:
              - '*'
            Action:
              - elasticloadbalancing:AddListenerCertificates
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:AttachLoadBalancerToSubnets
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateLoadBalancerListeners
              - elasticloadbalancing:CreateRule
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeleteListener
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeleteRule
              - elasticloadbalancing:DeleteTargetGroup
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:DescribeListenerCertificates
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeRules
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:DescribeTargetGroupAttributes
              - elasticloadbalancing:DescribeTargetGroups
              - elasticloadbalancing:DescribeTargetHealth
              - elasticloadbalancing:ModifyListener
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:ModifyRule
              - elasticloadbalancing:ModifyTargetGroupAttributes
              - elasticloadbalancing:RegisterTargets
              - elasticloadbalancing:RemoveListenerCertificates
              - elasticloadbalancing:RemoveTags
              - elasticloadbalancing:SetRulePriorities
              - elasticloadbalancing:SetSecurityGroups
              - elasticloadbalancing:SetWebAcl
            Effect: Allow
            Sid: VisualEditor009
      Roles:
        - github
      Users: []
  IAMRole00githubrunnercodebuildelizabuild008pR47:
    UpdateReplacePolicy: Retain
    Type: AWS::IAM::Role
    DeletionPolicy: Retain
    Properties:
      Path: /
      ManagedPolicyArns:
        - !Ref IAMManagedPolicy00policyserviceroleCodeBuildCloudWatchLogsPolicygithubrunnercodebuildelizabuilduseast200bxyYg
        - !Ref IAMManagedPolicy00policyserviceroleCodeBuildCodeConnectionsSourceCredentialsPolicygithubrunnercodebuildelizabuilduseast200oolEl
        - !Ref IAMManagedPolicy00policyserviceroleCodeBuildBasePolicygithubrunnercodebuildelizabuilduseast200VUUiL
        - !Ref IAMManagedPolicy00policyserviceroleCodeBuildAutoRetryPolicygithubrunnercodebuildelizabuilduseast200Tjoa5
      MaxSessionDuration: 3600
      RoleName: github-runner-codebuild-eliza-build
      Policies:
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource: arn:aws:ecr:us-east-2:767503528736:repository/agent/eliza
                Action:
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - ecr:CompleteLayerUpload
                  - ecr:DescribeImages
                  - ecr:DescribeRepositories
                  - ecr:UploadLayerPart
                  - ecr:InitiateLayerUpload
                  - ecr:BatchCheckLayerAvailability
                  - ecr:PutImage
                Effect: Allow
                Sid: VisualEditor0
          PolicyName: ecr
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource: '*'
                Action: ecr:GetAuthorizationToken
                Effect: Allow
                Sid: VisualEditor0
          PolicyName: gettoken
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource: arn:aws:codeconnections:us-east-2:767503528736:connection/3f4c6e77-52d9-4d46-a496-b95d31e2674f
                Action:
                  - codeconnections:GetConnection
                  - codeconnections:GetConnectionToken
                  - codeconnections:ListConnections
                  - codeconnections:UseConnection
                Effect: Allow
                Sid: VisualEditor0
              - Resource: '*'
                Action:
                  - codeconnections:StartOAuthHandshake
                  - codeconnections:GetResourceSyncStatus
                  - codeconnections:GetIndividualAccessToken
                Effect: Allow
                Sid: VisualEditor1
          PolicyName: github
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource: arn:aws:logs:us-east-2:767503528736:log-group:/aws/codebuild/github-runner-codebuild-eliza-build
                Action: logs:CreateLogGroup
                Effect: Allow
                Sid: AllowCreateLogGroup
              - Resource: arn:aws:logs:us-east-2:767503528736:log-group:/aws/codebuild/github-runner-codebuild-eliza-build:log-stream:github-runner-codebuild-eliza-build/*
                Action:
                  - logs:PutLogEvents
                  - logs:CreateLogStream
                Effect: Allow
                Sid: AllowPutLogEvents
          PolicyName: github-runner-codebuild-eliza-build-cloudwatch-logs
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Resource: arn:aws:ssm:us-east-2:767503528736:parameter/tine_agent_2_*
                Action: ssm:GetParameters
                Effect: Allow
          PolicyName: tine
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
