Open dudymas opened 3 years ago
@dudymas Couldn't that be done by attaching an SSM IAM policy to the IAM role created by this module?
I use this module and can confirm that SSM can be configured on the cluster nodes, you need to:
In the PR above, I've added a boolean flag to the module that controls the attachment of the SSM IAM policy to the EC2 instance profile role. I successfully tested this with the default EMR AMI, which appears to have the SSM agent already bundled. Per the AWS documentation, the following Linux-based AMIs come with the SSM agent preinstalled...
For anyone using a custom AMI outside of this list, the module supports a custom bootstrap_action that can be used to install the agent (per the AWS document referenced in this issue above).
Describe the Feature
SSM allows folks to connect to an instance without the need for SSH.
This is described here: https://aws.amazon.com/blogs/big-data/securing-access-to-emr-clusters-using-aws-systems-manager/
Expected Behavior
Users and roles with permission to start and attach to SSM sessions should be able to remotely manage EMR clusters.
Use Case
Most EMR clusters need some initial boot operations to set things up.
Describe Ideal Solution
Not only is SSM a possible flag, but also adding more boot actions is supported via S3 objects or even plain text.
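
A Terraform sketch of the two IAM pieces discussed in this thread, added here as an illustration and not taken from the module or the PR: a flag-controlled attachment of the AWS managed policy AmazonSSMManagedInstanceCore to the EC2 instance profile role, and a policy document limiting who can start sessions to tagged cluster nodes. All variable and resource names are hypothetical, and the tag restriction assumes the cluster's tags are present on its EC2 instances and that operators are IAM users.

```hcl
# Added example. Variable and resource names are hypothetical, not the module's inputs.
variable "enable_ssm_access" {
  type    = bool
  default = false
}

variable "ec2_role_name" { type = string }     # role behind the EMR EC2 instance profile
variable "cluster_tag_key" { type = string }   # assumed tag present on the cluster's instances
variable "cluster_tag_value" { type = string }

data "aws_partition" "current" {}

# Node side: lets the SSM agent on each cluster node register with Systems Manager.
resource "aws_iam_role_policy_attachment" "emr_ec2_ssm" {
  count      = var.enable_ssm_access ? 1 : 0
  role       = var.ec2_role_name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# Operator side: sessions may only be started on instances carrying the cluster tag.
data "aws_iam_policy_document" "emr_session_access" {
  statement {
    sid       = "StartSessionOnTaggedNodes"
    actions   = ["ssm:StartSession"]
    resources = ["arn:${data.aws_partition.current.partition}:ec2:*:*:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "ssm:resourceTag/${var.cluster_tag_key}"
      values   = [var.cluster_tag_value]
    }
  }

  # Operators can end or resume only sessions they opened (IAM users assumed).
  statement {
    sid       = "ManageOwnSessions"
    actions   = ["ssm:TerminateSession", "ssm:ResumeSession"]
    resources = ["arn:${data.aws_partition.current.partition}:ssm:*:*:session/&{aws:username}-*"]
  }
}
```

The policy document can be attached to the operators' group or role with `aws_iam_policy`; with the flag left at `false`, no SSM permissions are added to the cluster nodes.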