From caaee9eccbaa97783f0d86136322e9ce6df84df5 Mon Sep 17 00:00:00 2001
From: Mate GABRI
Date: Thu, 4 Jul 2019 10:27:46 +1000
Subject: [PATCH] fix(ecs): ECS drain hook can't change instance state to draining (#3190)
The UpdateContainerInstancesState permission was scoped to the ECS cluster while it should be scoped to the container instance.
fixes #3190
---
 .../aws-ecs/lib/drain-hook/instance-drain-hook.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
index 8553aefe6de0e..e938b7d68bb15 100644
--- a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
@@ -97,11 +97,17 @@ export class InstanceDrainHook extends cdk.Construct {
 actions: [
 'ecs:ListContainerInstances',
 'ecs:SubmitContainerStateChange',
- 'ecs:SubmitTaskStateChange',
+ 'ecs:SubmitTaskStateChange'
+ ],
+ resources: [props.cluster.clusterArn]
+ }));
+
+ fn.addToRolePolicy(new iam.PolicyStatement({
+ actions: [
 'ecs:UpdateContainerInstancesState',
 'ecs:ListTasks'
 ],
- resources: [props.cluster.clusterArn]
+ resources: [`arn:aws:ecs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:container-instance/*`]
 }));
 }
 }
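Review bot: The new `container-instance/*` resource grants `ecs:UpdateContainerInstancesState` and `ecs:ListTasks` on every container instance in the account and region, not only those belonging to `props.cluster`, so the second statement is wider than the cluster-scoped one just above it; a condition on the ECS `ecs:cluster` key keeps it to this cluster, e.g. `conditions: { ArnEquals: { 'ecs:cluster': props.cluster.clusterArn } }` on the second `iam.PolicyStatement` (assuming the PolicyStatement props in this version accept `conditions`). The same line hard-codes the `aws` partition, so in any other partition the ARN never matches a real instance and the drain silently loses the very permission this commit restores; `arn:${cdk.Aws.PARTITION}:ecs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:container-instance/*` avoids that. The constructor these statements belong to begins before the hunk.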