Downscope permissions required by instance draining hook
piradeepk committed Jun 7, 2019
1 parent e4fb811 commit 0fbb063
Showing 5 changed files with 111 additions and 33 deletions.
28 changes: 19 additions & 9 deletions packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
Expand Up @@ -73,25 +73,35 @@ export class InstanceDrainHook extends cdk.Construct {
// know how.
fn.addToRolePolicy(new iam.PolicyStatement()
.addActions(
'autoscaling:CompleteLifecycleAction',
'ec2:DescribeInstances',
'ec2:DescribeInstanceAttribute',
'ec2:DescribeInstanceStatus',
'ec2:DescribeHosts',
'ec2:DescribeHosts'
)
.addAllResources());

// FIXME: These should be restricted to the ECS cluster probably, but I don't exactly
// know how.
fn.addToRolePolicy(new iam.PolicyStatement()
.addActions(
'autoscaling:CompleteLifecycleAction'
)
.addResource(props.autoScalingGroup.autoScalingGroupName));

fn.addToRolePolicy(new iam.PolicyStatement()
.addActions(
'ecs:DescribeContainerInstances',
'ecs:DescribeTasks'
)
.addAllResources());

// Restricted to use the following ecs actions on the cluster
fn.addToRolePolicy(new iam.PolicyStatement()
.addActions(
'ecs:ListContainerInstances',
'ecs:ListTasks',
'ecs:SubmitContainerStateChange',
'ecs:SubmitTaskStateChange',
'ecs:DescribeContainerInstances',
'ecs:UpdateContainerInstancesState',
'ecs:ListTasks',
'ecs:DescribeTasks')
.addAllResources());
'ecs:UpdateContainerInstancesState'
)
.addResource(props.cluster.clusterArn));
}
}
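Review bot: `.addResource(props.autoScalingGroup.autoScalingGroupName)` feeds an Auto Scaling group name into the policy's Resource element, which IAM accepts only as an ARN or `*`; the snapshot templates in the sections below render it as `"Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB"`, and `Ref` on an `AWS::AutoScaling::AutoScalingGroup` resolves to the group name, so this statement is likely to fail policy validation at deploy time rather than downscope the permission. An ASG ARN also carries a generated UUID segment, so it cannot be assembled from the name inside the template; the statement needs an ARN-valued attribute of the ASG (if the construct exposes one in this version) or should fall back to `.addAllResources()` with a comment explaining why. The `// FIXME: These should be restricted to the ECS cluster probably` comment that now precedes the autoscaling statement is stale since that statement is scoped to the ASG; replace it with `// Restricted to the ASG whose lifecycle hook this function completes`. The copy of the FIXME above the EC2 `Describe*` statement could instead state that those actions do not support resource-level permissions, so `*` is the narrowest scope available there. The enclosing constructor begins above this hunk.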
Expand Up @@ -559,7 +559,6 @@
"Statement": [
{
"Action": [
"autoscaling:CompleteLifecycleAction",
"ec2:DescribeInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
Expand All @@ -568,18 +567,36 @@
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:CompleteLifecycleAction",
"Effect": "Allow",
"Resource": {
"Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB"
}
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:DescribeContainerInstances",
"ecs:UpdateContainerInstancesState",
"ecs:ListTasks",
"ecs:DescribeTasks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:ListTasks",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:UpdateContainerInstancesState"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"EcsCluster97242B84",
"Arn"
]
}
}
],
"Version": "2012-10-17"
Expand Up @@ -580,7 +580,6 @@
"Statement": [
{
"Action": [
"autoscaling:CompleteLifecycleAction",
"ec2:DescribeInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
Expand All @@ -589,18 +588,36 @@
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:CompleteLifecycleAction",
"Effect": "Allow",
"Resource": {
"Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB"
}
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:DescribeContainerInstances",
"ecs:UpdateContainerInstancesState",
"ecs:ListTasks",
"ecs:DescribeTasks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:ListTasks",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:UpdateContainerInstancesState"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"EcsCluster97242B84",
"Arn"
]
}
}
],
"Version": "2012-10-17"
Expand Up @@ -559,7 +559,6 @@
"Statement": [
{
"Action": [
"autoscaling:CompleteLifecycleAction",
"ec2:DescribeInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
Expand All @@ -568,18 +567,36 @@
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:CompleteLifecycleAction",
"Effect": "Allow",
"Resource": {
"Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB"
}
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:DescribeContainerInstances",
"ecs:UpdateContainerInstancesState",
"ecs:ListTasks",
"ecs:DescribeTasks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:ListTasks",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:UpdateContainerInstancesState"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"EcsCluster97242B84",
"Arn"
]
}
}
],
"Version": "2012-10-17"
Expand Up @@ -559,7 +559,6 @@
"Statement": [
{
"Action": [
"autoscaling:CompleteLifecycleAction",
"ec2:DescribeInstances",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceStatus",
Expand All @@ -568,18 +567,36 @@
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "autoscaling:CompleteLifecycleAction",
"Effect": "Allow",
"Resource": {
"Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB"
}
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:DescribeContainerInstances",
"ecs:UpdateContainerInstancesState",
"ecs:ListTasks",
"ecs:DescribeTasks"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ecs:ListContainerInstances",
"ecs:ListTasks",
"ecs:SubmitContainerStateChange",
"ecs:SubmitTaskStateChange",
"ecs:UpdateContainerInstancesState"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"EcsCluster97242B84",
"Arn"
]
}
}
],
"Version": "2012-10-17"
