Update to use an Amazon Linux 2 image - WISCALERTS-2

• In order to increase disk space allocated for Docker container utilize Amazon Linux 2. By default Amazon Linux 2 uses overlay2 storage driver, which gives the base storage size of the space left on the disk.
• Removed SSM agent as it's shipped with all Amazon Linux 2 AMIs.
• Utilized SSM param store for storing IICS user credentials.
• Increased EBS volume size to allocate more disk space.

@JARED.KOSANOVIC @ERIC.SCHOVILLE @jont

terraform/ecs.tf

-locals {
-  informatica_username = format("arn:aws:ssm:%s:%s:parameter/%s", var.aws_region, var.aws_account_id[0], "/iics/cicd_username")
-  informatica_password = format("arn:aws:ssm:%s:%s:parameter/%s", var.aws_region, var.aws_account_id[0], "/iics/cicd_password")
+data "aws_ssm_parameter" "informatica-username" {
+  name = "/iics/cicd_username"
+}
+
+data "aws_ssm_parameter" "informatica-password" {
+  name = "/iics/cicd_password"
 }
 
 data "template_file" "container" {
@@ -13,19 +16,69 @@ data "template_file" "container" {
     app_port1               = var.container_app_port[0]
     app_port2               = var.container_app_port[1]
     app_port3               = var.container_app_port[2]
-    informatica_username    = local.informatica_username
-    informatica_password    = local.informatica_password
+    informatica_username    = data.aws_ssm_parameter.informatica-username.arn
+    informatica_password    = data.aws_ssm_parameter.informatica-password.arn
     secure_agent_mount_path = var.secure_agent_mount_path
   }
 }
 
-data "aws_iam_role" "ecs-task-execution" {
-  name = "ecsTaskExecutionRole"
+resource "aws_iam_role" "ecs-task-execution" {
+  name               = var.ecs_execution_role
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Effect":"Allow"
+    }
+  ]
+}
+EOF
+  tags = {
+    Name = "iics-ecs-execution-role"
+  }
+}
+
+# grant role permission for ECS task execution
+resource "aws_iam_role_policy_attachment" "ecs-task-execution" {
+  role       = aws_iam_role.ecs-task-execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# grant access for SSM for credentails look up
+resource "aws_iam_policy" "iics-ssm-policy" {
+  name   = var.iics_secret_access_policy
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": [
+          "${data.aws_ssm_parameter.informatica-username.arn}",
+          "${data.aws_ssm_parameter.informatica-password.arn}"
+      ]
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "credentails" {
+  role       = aws_iam_role.ecs-task-execution.name
+  policy_arn = aws_iam_policy.iics-ssm-policy.arn
 }
 
 resource "aws_ecs_task_definition" "task" {
   family             = var.ecs_task_name
-  execution_role_arn = data.aws_iam_role.ecs-task-execution.arn
+  execution_role_arn = aws_iam_role.ecs-task-execution.arn
   network_mode       = var.container_network_mode
   requires_compatibilities = [
   "EC2"]