remove cloudwatch permission from task role (#1999)

Author: Tian-2017

terraform/modules/department/50-aws-iam-policies.tf

@@ -943,27 +943,12 @@ resource "aws_iam_policy" "department_ecs_passrole" {
 
 # Todo: departments should probably have their own log groups
 # but this is equivalent to the existing Glue set up
-data "aws_iam_policy_document" "ecs_cloudwatch" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "logs:PutLogEvents",
-      "logs:CreateLogStream",
-      "logs:CreateLogGroup",
-      "logs:AssociateKmsKey"
-    ]
-    resources = [
-      "arn:aws:logs:*:*:/ecs/*"
-    ]
-  }
-}
 
 data "aws_iam_policy_document" "ecs_department_policy" {
   source_policy_documents = [
     data.aws_iam_policy_document.s3_department_access.json,
     data.aws_iam_policy_document.secrets_manager_read_only.json,
     data.aws_iam_policy_document.read_glue_scripts_and_mwaa_and_athena.json,
-    data.aws_iam_policy_document.ecs_cloudwatch.json,
     data.aws_iam_policy_document.crawler_can_access_jdbc_connection.json
   ]
 }