fix(ecs): ECS drain hook can't change instance state to draining (aws…

…#3190) The UpdateContainerInstancesState permission was scoped to the ECS cluster while it should be scoped to the container instance. fixes aws#3190
ScOut3R · Jul 4, 2019 · caaee9e · caaee9e
1 parent 3a9fa64
commit caaee9e
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
@@ -97,11 +97,17 @@ export class InstanceDrainHook extends cdk.Construct {
       actions: [
         'ecs:ListContainerInstances',
         'ecs:SubmitContainerStateChange',
-        'ecs:SubmitTaskStateChange',
+        'ecs:SubmitTaskStateChange'
+      ],
+      resources: [props.cluster.clusterArn]
+    }));
+
+    fn.addToRolePolicy(new iam.PolicyStatement({
+      actions: [
         'ecs:UpdateContainerInstancesState',
         'ecs:ListTasks'
       ],
-      resources: [props.cluster.clusterArn]
+      resources: [`arn:aws:ecs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:container-instance/*`]
     }));
   }
 }