diff --git a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
index 87fd362a0eccb..ed09fba344368 100644
--- a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
@@ -73,25 +73,35 @@ export class InstanceDrainHook extends cdk.Construct {
     // know how.
     fn.addToRolePolicy(new iam.PolicyStatement()
       .addActions(
-        'autoscaling:CompleteLifecycleAction',
         'ec2:DescribeInstances',
         'ec2:DescribeInstanceAttribute',
         'ec2:DescribeInstanceStatus',
-        'ec2:DescribeHosts',
+        'ec2:DescribeHosts'
       )
       .addAllResources());
 
-    // FIXME: These should be restricted to the ECS cluster probably, but I don't exactly
-    // know how.
     fn.addToRolePolicy(new iam.PolicyStatement()
       .addActions(
-        'ecs:ListContainerInstances',
+        'autoscaling:CompleteLifecycleAction'
+      )
+      .addResource(props.autoScalingGroup.autoScalingGroupName));
+
+    fn.addToRolePolicy(new iam.PolicyStatement()
+      .addActions(
         'ecs:SubmitContainerStateChange',
         'ecs:SubmitTaskStateChange',
         'ecs:DescribeContainerInstances',
-        'ecs:UpdateContainerInstancesState',
-        'ecs:ListTasks',
-        'ecs:DescribeTasks')
+        'ecs:DescribeTasks'
+      )
       .addAllResources());
+
+    // Restricted to use the following ecs actions on the cluster
+    fn.addToRolePolicy(new iam.PolicyStatement()
+      .addActions(
+        'ecs:ListContainerInstances',
+        'ecs:ListTasks',
+        'ecs:UpdateContainerInstancesState'
+      )
+      .addResource(props.cluster.clusterArn));
   }
 }
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
index 742246c78bff2..39914f916ac11 100644
--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
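Review bot: The new `autoscaling:CompleteLifecycleAction` statement passes `props.autoScalingGroup.autoScalingGroupName` to `.addResource(...)`, but an IAM `Resource` element must be an ARN (or `*`); a bare group name will not match the group, so once this restriction lands the hook's CompleteLifecycleAction call is denied (or the policy is rejected at deploy time). It should reference the group's ARN — `.addResource(props.autoScalingGroup.autoScalingGroupArn)` if the IAutoScalingGroup interface in this version exposes one, otherwise an ARN formatted from the name in the `arn:<partition>:autoscaling:<region>:<account>:autoScalingGroup:*:autoScalingGroupName/<name>` shape (placeholders to be filled from the stack). The snapshot hunks below only cover the ecs statements, so this statement is not exercised by them and is worth a dedicated unit assertion. The retained `// know how.` line at the top of the hunk is the tail of a FIXME that starts outside the hunk; since the `ec2:Describe*` actions do not support resource-level permissions, `*` is the correct scope there and the comment could state that instead of staying an open FIXME, e.g. `// ec2:Describe* actions do not support resource-level permissions, so this statement must remain on '*'`. The enclosing constructor begins outside the hunk.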
@@ -570,16 +570,27 @@
           },
           {
             "Action": [
-              "ecs:ListContainerInstances",
               "ecs:SubmitContainerStateChange",
               "ecs:SubmitTaskStateChange",
               "ecs:DescribeContainerInstances",
-              "ecs:UpdateContainerInstancesState",
-              "ecs:ListTasks",
               "ecs:DescribeTasks"
             ],
             "Effect": "Allow",
             "Resource": "*"
+          },
+          {
+            "Action": [
+              "ecs:ListContainerInstances",
+              "ecs:ListTasks",
+              "ecs:UpdateContainerInstancesState"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::GetAtt": [
+                "EcsCluster97242B84",
+                "Arn"
+              ]
+            }
           }
         ],
         "Version": "2012-10-17"
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json
index 2b58e6a36f645..8f9d6811eb989 100644
--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json
@@ -591,16 +591,27 @@
           },
           {
             "Action": [
-              "ecs:ListContainerInstances",
               "ecs:SubmitContainerStateChange",
               "ecs:SubmitTaskStateChange",
               "ecs:DescribeContainerInstances",
-              "ecs:UpdateContainerInstancesState",
-              "ecs:ListTasks",
               "ecs:DescribeTasks"
             ],
             "Effect": "Allow",
             "Resource": "*"
+          },
+          {
+            "Action": [
+              "ecs:ListContainerInstances",
+              "ecs:ListTasks",
+              "ecs:UpdateContainerInstancesState"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::GetAtt": [
+                "EcsCluster97242B84",
+                "Arn"
+              ]
+            }
           }
         ],
         "Version": "2012-10-17"
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json
index 2f7fcd2493f68..e62e11133158f 100644
--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json
@@ -570,16 +570,27 @@
           },
           {
             "Action": [
-              "ecs:ListContainerInstances",
               "ecs:SubmitContainerStateChange",
               "ecs:SubmitTaskStateChange",
               "ecs:DescribeContainerInstances",
-              "ecs:UpdateContainerInstancesState",
-              "ecs:ListTasks",
               "ecs:DescribeTasks"
             ],
             "Effect": "Allow",
             "Resource": "*"
+          },
+          {
+            "Action": [
+              "ecs:ListContainerInstances",
+              "ecs:ListTasks",
+              "ecs:UpdateContainerInstancesState"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::GetAtt": [
+                "EcsCluster97242B84",
+                "Arn"
+              ]
+            }
           }
         ],
         "Version": "2012-10-17"
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json
index f72fce6092f55..e1088eafa285c 100644
--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json
@@ -570,16 +570,27 @@
           },
           {
             "Action": [
-              "ecs:ListContainerInstances",
               "ecs:SubmitContainerStateChange",
               "ecs:SubmitTaskStateChange",
               "ecs:DescribeContainerInstances",
-              "ecs:UpdateContainerInstancesState",
-              "ecs:ListTasks",
               "ecs:DescribeTasks"
             ],
             "Effect": "Allow",
             "Resource": "*"
+          },
+          {
+            "Action": [
+              "ecs:ListContainerInstances",
+              "ecs:ListTasks",
+              "ecs:UpdateContainerInstancesState"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::GetAtt": [
+                "EcsCluster97242B84",
+                "Arn"
+              ]
+            }
           }
         ],
         "Version": "2012-10-17"