automated terminal push

terraform/main.tf

@@ -57,20 +57,13 @@ resource "aws_route_table_association" "public" {
   route_table_id = aws_route_table.public.id
 }
 
-# Security Group
+# Security Group - Updated for SSM (removed SSH, kept application access)
 resource "aws_security_group" "ecs_sg" {
   name        = "${var.cluster_name}-sg"
-  description = "Allow SSH & HTTP to ECS"
+  description = "Allow HTTP to ECS and HTTPS outbound for SSM/ECR"
   vpc_id      = aws_vpc.main.id
 
-  ingress {
-    description = "SSH from Jenkins"
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = [var.jenkins_ip_cidr]
-  }
-
+  # HTTP access for application
   ingress {
     description = "HTTP from anywhere"
     from_port   = 8080
@@ -79,11 +72,30 @@ resource "aws_security_group" "ecs_sg" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
+  # HTTPS outbound for SSM, ECR, and AWS services
   egress {
-    description = "All outbound traffic"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
+    description = "HTTPS outbound for AWS services"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTP outbound for package updates
+  egress {
+    description = "HTTP outbound for package updates"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # DNS resolution
+  egress {
+    description = "DNS resolution"
+    from_port   = 53
+    to_port     = 53
+    protocol    = "udp"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
@@ -92,7 +104,7 @@ resource "aws_security_group" "ecs_sg" {
   }
 }
 
-# Key Pair
+# Key Pair (keeping for compatibility, but not needed for SSM)
 resource "aws_key_pair" "deployer" {
   key_name   = var.key_pair_name
   public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDDFBAOogBj/GHKXQs6FLROGQfXkZe2uKbRron0We7ZOLgt6e1bI7U8IMe+DIH250CHSi4R5DBYFQF5Bk1TkS5cgMtPIAb87vRUGI3sLs29DQA/kllYiZlQi9ejxcEz2+TRWn10Q/Kltlb6ESNLnnnTsIUUxKUeY3MKFFd+V13FleSVLGYondwPWYwD/XJ6a3VwSTJ1wFKO+lpKknSjDl2ZOgYpWFALPH+EwMlRGVMrUXAB604zqR1XOzYXAAWnhmmC9IGgCzU/5JnEgFyhfZbR3kpEH8SmSXahvdFZERp+3j9d3ROjchqnf0Z0zZ7vzX+G+jvzT/jGOkzH9tx0/OqIO9f47OFF8iUfZgUtJU1QGbepdsmQqognhxfJQfMZbVtKUw7zt+mzJz3A0XcRp7IwVHaqJ2QW2dpXi4UbWtejtZqROg6byWq2FpvFGNIT3eiKTf+EpCoOec6YGSrRQlj73Ob0+FhmsyQ6e8KKncaRYx38PqtnWsI3UnLtdKmEJmDBPI0ipxJzmKJKtb0vtJPVYvFEpgiXSwnDX883rAUQrXR/EhOMmbMwk7JSes6/GXH9rWN10JHh1/i1LLpl+rg6VyktFgVBHzVw++y29QSfFixeTvFkkTS5kl//CpKd1GDQb9ZBH6SPgkgOjmASPUo+p5e/NiN/SIBSpYpMjOKs7Q== jacques@Xochiquetzal"
@@ -140,12 +152,18 @@ resource "aws_iam_role" "ecs_instance_role" {
   }
 }
 
-# IAM Role Policy Attachment
+# IAM Role Policy Attachment for ECS
 resource "aws_iam_role_policy_attachment" "ecs_instance_role_policy" {
   role       = aws_iam_role.ecs_instance_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
 }
 
+# IAM Role Policy Attachment for SSM
+resource "aws_iam_role_policy_attachment" "ecs_instance_ssm_policy" {
+  role       = aws_iam_role.ecs_instance_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
 # IAM Instance Profile
 resource "aws_iam_instance_profile" "ecs_instance_profile" {
   name = "${var.cluster_name}-ecs-instance-profile"
@@ -170,17 +188,11 @@ resource "aws_ecs_cluster" "main" {
   }
 }
 
-# User data script for ECS instance
+# User data script for ECS instance with SSM
 locals {
-  user_data = base64encode(<<-EOF
-    #!/bin/bash
-    yum update -y
-    yum install -y ecs-init
-    echo ECS_CLUSTER=${var.cluster_name} >> /etc/ecs/ecs.config
-    service docker start
-    start ecs
-    EOF
-  )
+  user_data = base64encode(templatefile("${path.module}/user_data.sh", {
+    cluster_name = var.cluster_name
+  }))
 }
 
 # EC2 Instance for ECS
@@ -241,6 +253,11 @@ output "ecs_instance_public_ip" {
   value       = aws_instance.ecs_instance.public_ip
 }
 
+output "ecs_instance_id" {
+  description = "Instance ID for SSM access"
+  value       = aws_instance.ecs_instance.id
+}
+
 output "ecs_cluster_name" {
   description = "Name of the ECS cluster"
   value       = aws_ecs_cluster.main.name