Researched the actual molecule-controlplane repo rather than guessing:
- Workspaces launch in a shared CP workspace VPC (p.VPCID), not per
tenant
- CP already tags instances with Role=workspace at ec2.go:1126 — my
prior IAM policy used molecule:role, which doesn't match anything
- workspaceIngressRules() currently opens only 8000/tcp — no port 22
Corrected:
- IAM policy Condition now matches existing Role tag (no CP change
needed for the scope to work fleet-wide)
- Added OpenTunnel action so EIC Endpoint path works
- Dropped the "open 22 in SG" recommendation. Cross-VPC topology
makes SG CIDR rules awkward (would need peering + tenant-CIDR
bookkeeping). EIC Endpoint is one VPC resource + no SG changes.
- Simplified rollout to two items: add IAM policy, create EIC Endpoint
Kept direct-SG path as an explicit not-recommended alternative.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
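Added example, not code from the molecule-controlplane repo or this commit: it builds the kind of policy the message describes (SendSSHPublicKey scoped by the existing Role=workspace tag, plus OpenTunnel on an EC2 Instance Connect Endpoint) and evaluates the tag Condition against constructed instance tags the way IAM would, so the "molecule:role matches nothing" problem and the Role fix are both visible. The endpoint id `eice-0123456789abcdef0`, the wildcard region/account in the ARNs, the `ec2-user` OS user and the two tag sets are assumptions for illustration.

```python
"""Workspace SSH-over-EIC-Endpoint IAM policy and a tag-condition check.

Added example; identifiers below are assumptions, not values from the repo.
"""
import json

# Constructed sample tags: the first is what the control plane puts on a
# workspace instance (Role=workspace); the second is a non-workspace host.
WORKSPACE_TAGS = {"Role": "workspace", "Name": "ws-1234"}
OTHER_TAGS = {"Role": "controlplane", "Name": "cp-api-1"}

# Assumed endpoint ARN; the real id comes from create-instance-connect-endpoint.
EICE_ARN = "arn:aws:ec2:*:*:instance-connect-endpoint/eice-0123456789abcdef0"


def workspace_ssh_policy(tag_key="Role", tag_value="workspace",
                         endpoint_arn=EICE_ARN, os_user="ec2-user"):
    """Return an IAM policy document allowing SSH to instances tagged
    tag_key=tag_value, reachable only through the given EIC Endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Push a one-time SSH public key; this is the statement that
                # scopes access to workspace instances via the resource tag.
                "Sid": "PushKeyToWorkspaces",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": "arn:aws:ec2:*:*:instance/*",
                "Condition": {
                    "StringEquals": {
                        f"ec2:ResourceTag/{tag_key}": tag_value,
                        "ec2:osuser": os_user,  # assumed OS user
                    }
                },
            },
            {
                # Open the TCP tunnel through the endpoint, port 22 only.
                "Sid": "TunnelViaEicEndpoint",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "NumericEquals": {"ec2-instance-connect:remotePort": "22"}
                },
            },
            {
                # Read-only lookups the CLI needs to resolve instance/endpoint.
                "Sid": "Describe",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceConnectEndpoints",
                ],
                "Resource": "*",
            },
        ],
    }


def resource_tag_condition_matches(statement, instance_tags):
    """Evaluate the StringEquals ec2:ResourceTag/* keys of one statement
    against an instance's tags. IAM ANDs all keys in a condition block;
    a statement with no tag keys places no tag restriction."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    prefix = "ec2:ResourceTag/"
    checks = {k[len(prefix):]: v for k, v in equals.items() if k.startswith(prefix)}
    return all(instance_tags.get(k) == v for k, v in checks.items())


def send_key_allowed(policy, instance_tags):
    """True if the SendSSHPublicKey statement's tag Condition admits these tags."""
    stmt = next(s for s in policy["Statement"]
                if s["Action"] == "ec2-instance-connect:SendSSHPublicKey")
    return resource_tag_condition_matches(stmt, instance_tags)


if __name__ == "__main__":
    # Old key (molecule:role) is absent from every instance, so it never matches;
    # the Role key matches workspaces and nothing else.
    old = workspace_ssh_policy(tag_key="molecule:role")
    new = workspace_ssh_policy()
    print("old policy admits workspace:", send_key_allowed(old, WORKSPACE_TAGS))
    print("new policy admits workspace:", send_key_allowed(new, WORKSPACE_TAGS))
    print("new policy admits other host:", send_key_allowed(new, OTHER_TAGS))
    print(json.dumps(new, indent=2))
```

The tag check here only models the `ec2:ResourceTag/*` keys of `StringEquals`; the real evaluation also applies `ec2:osuser` and the OpenTunnel `remotePort` condition, which are shown in the document but not simulated.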