feat: Use ECS task protection instead of EC2 instance protection for auto-scaling

This will let tasks complete and not be force-terminated by ECS

fixes #23

Author: sashasimkin

modules/processing/autoscaling.tf

@@ -101,7 +101,7 @@ resource "aws_ecs_capacity_provider" "worker_lt_gpu_provider" {
 
     auto_scaling_group_provider {
         auto_scaling_group_arn         = aws_autoscaling_group.worker_lt_asg.arn
-        managed_termination_protection = "DISABLED"
+        managed_termination_protection = "ENABLED"
 
         managed_scaling {
             status         = "ENABLED"

modules/processing/ecs_task_roles.tf

@@ -64,16 +64,16 @@ resource "aws_iam_role" "processing_worker_role" {
 
 resource "aws_iam_policy" "processing_worker_policy" {
   name        = "processing-worker-task-policy${var.env}"
-  description = "Policy for ECS tasks to manage instance protection during Auto Scaling scale-in events and get CloudWatch metrics"
+  description = "Policy for ECS tasks to manage ecs task protection during Auto Scaling scale-in events and get CloudWatch metrics"
 
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
       {
         Effect = "Allow"
         Action = [
-          "autoscaling:SetInstanceProtection",
-          "autoscaling:DescribeAutoScalingInstances"
+          "ecs:GetTaskProtection",
+          "ecs:UpdateTaskProtection"
         ]
         Resource = "*"
       },