
Commit 7796cd7

piradeepkrix0rrr
authored andcommittedJul 4, 2019
fix(ecs): grant drain-hook policy container-instance permissions (#3199)
The UpdateContainerInstancesState and ListTasks APIs require permissions on a container-instance resource rather than on a cluster resource. This change updates the policy to: 1. remove the cluster as the resource restriction; 2. add the cluster as a resource condition. More info on ECS resource-level permissions can be found here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-supported-iam-actions-resources.html Fixes #3190
1 parent b5997c3 commit 7796cd7


8 files changed

+159
-37
lines changed


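--- a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json
+++ b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json
@@ -449,9 +449,7 @@
 "Action": [
 "ecs:ListContainerInstances",
 "ecs:SubmitContainerStateChange",
-"ecs:SubmitTaskStateChange",
-"ecs:UpdateContainerInstancesState",
-"ecs:ListTasks"
+"ecs:SubmitTaskStateChange"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -460,6 +458,24 @@
 "Arn"
 ]
 }
+},
+{
+"Action": [
+"ecs:UpdateContainerInstancesState",
+"ecs:ListTasks"
+],
+"Condition": {
+"ArnEquals": {
+"ecs:cluster": {
+"Fn::GetAtt": [
+"EcsCluster97242B84",
+"Arn"
+]
+}
+}
+},
+"Effect": "Allow",
+"Resource": "*"
 }
 ],
 "Version": "2012-10-17"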

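--- a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
@@ -97,11 +97,21 @@ export class InstanceDrainHook extends cdk.Construct {
 actions: [
 'ecs:ListContainerInstances',
 'ecs:SubmitContainerStateChange',
-'ecs:SubmitTaskStateChange',
-'ecs:UpdateContainerInstancesState',
-'ecs:ListTasks'
+'ecs:SubmitTaskStateChange'
 ],
 resources: [props.cluster.clusterArn]
 }));
+
+// Restrict the container-instance operations to the ECS Cluster
+fn.addToRolePolicy(new iam.PolicyStatement({
+actions: [
+'ecs:UpdateContainerInstancesState',
+'ecs:ListTasks'
+],
+conditions: {
+ArnEquals: {'ecs:cluster': props.cluster.clusterArn}
+},
+resources: ['*']
+}));
 }
 }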

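--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
@@ -605,9 +605,7 @@
 "Action": [
 "ecs:ListContainerInstances",
 "ecs:SubmitContainerStateChange",
-"ecs:SubmitTaskStateChange",
-"ecs:UpdateContainerInstancesState",
-"ecs:ListTasks"
+"ecs:SubmitTaskStateChange"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -616,6 +614,24 @@
 "Arn"
 ]
 }
+},
+{
+"Action": [
+"ecs:UpdateContainerInstancesState",
+"ecs:ListTasks"
+],
+"Condition": {
+"ArnEquals": {
+"ecs:cluster": {
+"Fn::GetAtt": [
+"EcsCluster97242B84",
+"Arn"
+]
+}
+}
+},
+"Effect": "Allow",
+"Resource": "*"
 }
 ],
 "Version": "2012-10-17"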

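--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json
@@ -626,9 +626,7 @@
 "Action": [
 "ecs:ListContainerInstances",
 "ecs:SubmitContainerStateChange",
-"ecs:SubmitTaskStateChange",
-"ecs:UpdateContainerInstancesState",
-"ecs:ListTasks"
+"ecs:SubmitTaskStateChange"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -637,6 +635,24 @@
 "Arn"
 ]
 }
+},
+{
+"Action": [
+"ecs:UpdateContainerInstancesState",
+"ecs:ListTasks"
+],
+"Condition": {
+"ArnEquals": {
+"ecs:cluster": {
+"Fn::GetAtt": [
+"EcsCluster97242B84",
+"Arn"
+]
+}
+}
+},
+"Effect": "Allow",
+"Resource": "*"
 }
 ],
 "Version": "2012-10-17"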

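--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json
@@ -605,9 +605,7 @@
 "Action": [
 "ecs:ListContainerInstances",
 "ecs:SubmitContainerStateChange",
-"ecs:SubmitTaskStateChange",
-"ecs:UpdateContainerInstancesState",
-"ecs:ListTasks"
+"ecs:SubmitTaskStateChange"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -616,6 +614,24 @@
 "Arn"
 ]
 }
+},
+{
+"Action": [
+"ecs:UpdateContainerInstancesState",
+"ecs:ListTasks"
+],
+"Condition": {
+"ArnEquals": {
+"ecs:cluster": {
+"Fn::GetAtt": [
+"EcsCluster97242B84",
+"Arn"
+]
+}
+}
+},
+"Effect": "Allow",
+"Resource": "*"
 }
 ],
 "Version": "2012-10-17"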

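--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json
@@ -605,9 +605,7 @@
 "Action": [
 "ecs:ListContainerInstances",
 "ecs:SubmitContainerStateChange",
-"ecs:SubmitTaskStateChange",
-"ecs:UpdateContainerInstancesState",
-"ecs:ListTasks"
+"ecs:SubmitTaskStateChange"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -616,6 +614,24 @@
 "Arn"
 ]
 }
+},
+{
+"Action": [
+"ecs:UpdateContainerInstancesState",
+"ecs:ListTasks"
+],
+"Condition": {
+"ArnEquals": {
+"ecs:cluster": {
+"Fn::GetAtt": [
+"EcsCluster97242B84",
+"Arn"
+]
+}
+}
+},
+"Effect": "Allow",
+"Resource": "*"
 }
 ],
 "Version": "2012-10-17"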

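--- a/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json
+++ b/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json
@@ -446,21 +446,37 @@
 "Resource": "*"
 },
 {
-"Action": [
-"ecs:ListContainerInstances",
-"ecs:SubmitContainerStateChange",
-"ecs:SubmitTaskStateChange",
-"ecs:UpdateContainerInstancesState",
-"ecs:ListTasks"
-],
-"Effect": "Allow",
-"Resource": {
-"Fn::GetAtt": [
-"EcsCluster97242B84",
-"Arn"
-]
+"Action": [
+"ecs:ListContainerInstances",
+"ecs:SubmitContainerStateChange",
+"ecs:SubmitTaskStateChange"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::GetAtt": [
+"EcsCluster97242B84",
+"Arn"
+]
+}
+},
+{
+"Action": [
+"ecs:UpdateContainerInstancesState",
+"ecs:ListTasks"
+],
+"Condition": {
+"ArnEquals": {
+"ecs:cluster": {
+"Fn::GetAtt": [
+"EcsCluster97242B84",
+"Arn"
+]
+}
+}
+},
+"Effect": "Allow",
+"Resource": "*"
 }
-}
 ],
 "Version": "2012-10-17"
 },
@@ -1197,4 +1213,4 @@
 "Description": "Artifact hash for asset \"aws-ecs-integ-ecs/AdoptEcrRepositorydbc60defc59544bcaa5c28c95d68f62c/Code\""
 }
 }
-}
+}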

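--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json
@@ -249,9 +249,7 @@
 "Action": [
 "ecs:ListContainerInstances",
 "ecs:SubmitContainerStateChange",
-"ecs:SubmitTaskStateChange",
-"ecs:UpdateContainerInstancesState",
-"ecs:ListTasks"
+"ecs:SubmitTaskStateChange"
 ],
 "Effect": "Allow",
 "Resource": {
@@ -260,6 +258,24 @@
 "Arn"
 ]
 }
+},
+{
+"Action": [
+"ecs:UpdateContainerInstancesState",
+"ecs:ListTasks"
+],
+"Condition": {
+"ArnEquals": {
+"ecs:cluster": {
+"Fn::GetAtt": [
+"FargateCluster7CCD5F93",
+"Arn"
+]
+}
+}
+},
+"Effect": "Allow",
+"Resource": "*"
 }
 ],
 "Version": "2012-10-17"
@@ -978,4 +994,4 @@
 "Description": "Artifact hash for asset \"aws-ecs-integ2/AdoptEcrRepositorydbc60defc59544bcaa5c28c95d68f62c/Code\""
 }
 }
-}
+}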
