From 9ea61483c40a9addfffacc986d34af3f56bc074a Mon Sep 17 00:00:00 2001
From: Piradeep Kandasamy
Date: Wed, 12 Jun 2019 05:38:16 -0700
Subject: [PATCH] fix(ecs): downscope permissions required by instance draining hook (#2761)

Minimize the IAM permissions required for the instance draining hook.
---
 .../aws-autoscaling/lib/auto-scaling-group.ts | 24 +++++++++-
 ...integ.scheduled-ecs-task.lit.expected.json | 47 +++++++++++++++++--
 packages/@aws-cdk/aws-ecs/lib/cluster.ts | 8 +---
 .../lib/drain-hook/instance-drain-hook.ts | 29 ++++++++----
 .../test/ec2/integ.lb-awsvpc-nw.expected.json | 47 +++++++++++++++++--
 .../test/ec2/integ.lb-bridge-nw.expected.json | 47 +++++++++++++++++--
 .../test/ec2/integ.sd-awsvpc-nw.expected.json | 47 +++++++++++++++++--
 .../test/ec2/integ.sd-bridge-nw.expected.json | 47 +++++++++++++++++--
 .../integ.event-ec2-task.lit.expected.json | 47 +++++++++++++++++--
 .../test/integ.ec2-task.expected.json | 47 +++++++++++++++++--
 10 files changed, 337 insertions(+), 53 deletions(-)

diff --git a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
index ba8f4363fb12a..9b2c3e84857d1 100644
--- a/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
+++ b/packages/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.ts
@@ -5,7 +5,7 @@
 import elbv2 = require('@aws-cdk/aws-elasticloadbalancingv2');
 import iam = require('@aws-cdk/aws-iam');
 import sns = require('@aws-cdk/aws-sns');
-import { AutoScalingRollingUpdate, Construct, Fn, IResource, Lazy, Resource, Tag } from '@aws-cdk/cdk';
+import { AutoScalingRollingUpdate, Construct, Fn, IResource, Lazy, Resource, Stack, Tag } from '@aws-cdk/cdk';
 import { CfnAutoScalingGroup, CfnAutoScalingGroupProps, CfnLaunchConfiguration } from './autoscaling.generated';
 import { BasicLifecycleHookProps, LifecycleHook } from './lifecycle-hook';
 import { BasicScheduledActionProps, ScheduledAction } from './scheduled-action';
@@ -196,6 +196,7 @@ export interface AutoScalingGroupProps extends CommonAutoScalingGroupProps {
 abstract class AutoScalingGroupBase extends Resource implements IAutoScalingGroup {
 public abstract autoScalingGroupName: string;
+ public abstract autoScalingGroupArn: string;
 protected albTargetGroup?: elbv2.ApplicationTargetGroup;
 /**
@@ -318,6 +319,11 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
 public static fromAutoScalingGroupName(scope: Construct, id: string, autoScalingGroupName: string): IAutoScalingGroup {
 class Import extends AutoScalingGroupBase {
 public autoScalingGroupName = autoScalingGroupName;
+ public autoScalingGroupArn = Stack.of(this).formatArn({
+ service: 'autoscaling',
+ resource: 'autoScalingGroup:*:autoScalingGroupName',
+ resourceName: this.autoScalingGroupName
+ });
 }
 return new Import(scope, id);
@@ -343,6 +349,11 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
 */
 public readonly autoScalingGroupName: string;
+ /**
+ * Arn of the AutoScalingGroup
+ */
+ public readonly autoScalingGroupArn: string;
+
 private readonly userDataLines = new Array();
 private readonly autoScalingGroup: CfnAutoScalingGroup;
 private readonly securityGroup: ec2.ISecurityGroup;
@@ -432,6 +443,11 @@ export class AutoScalingGroup extends AutoScalingGroupBase implements
 this.autoScalingGroup = new CfnAutoScalingGroup(this, 'ASG', asgProps);
 this.osType = machineImage.os.type;
 this.autoScalingGroupName = this.autoScalingGroup.autoScalingGroupName;
+ this.autoScalingGroupArn = Stack.of(this).formatArn({
+ service: 'autoscaling',
+ resource: 'autoScalingGroup:*:autoScalingGroupName',
+ resourceName: this.autoScalingGroupName
+ });
 this.applyUpdatePolicies(props);
 }
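Review bot: The formatArn call with the literal `'autoScalingGroup:*:autoScalingGroupName'` is written out twice, once in the `Import` class inside `fromAutoScalingGroupName` and once in the `AutoScalingGroup` constructor, so the two ARN shapes can drift apart; a single module-level helper used by both call sites keeps the format in one place. Because the drain hook in this commit uses this value as an IAM `Resource`, the `*` in the resource segment deserves a sentence in the doc comment on `autoScalingGroupArn` (here and on the `IAutoScalingGroup` declaration later in this file), e.g. `* ARN of the AutoScalingGroup. The group's UUID segment is a wildcard, because it is only known after creation; group names are unique per account and region, so the ARN still identifies this group only.` Implementors of `IAutoScalingGroup` otherwise have no guidance on what shape to return, and an import returning a differently formatted ARN would silently narrow or widen the hook's policy. The constructor that contains the second assignment begins and ends outside the hunk.
```typescript
/**
 * Builds the ARN of an Auto Scaling group from its name.
 * The UUID segment is wildcarded because it is not known at synthesis time.
 */
function autoScalingGroupArn(scope: Construct, autoScalingGroupName: string): string {
  return Stack.of(scope).formatArn({
    service: 'autoscaling',
    resource: 'autoScalingGroup:*:autoScalingGroupName',
    resourceName: autoScalingGroupName
  });
}
// … unchanged: both call sites become `this.autoScalingGroupArn = autoScalingGroupArn(this, this.autoScalingGroupName);` …
```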
@@ -707,6 +723,12 @@ export interface IAutoScalingGroup extends IResource {
 */
 readonly autoScalingGroupName: string;
+ /**
+ * The arn of the AutoScalingGroup
+ * @attribute
+ */
+ readonly autoScalingGroupArn: string;
+
 /**
 * Send a message to either an SQS queue or SNS topic when instances launch or terminate
 */
diff --git a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json
index 8087e2fd4413c..df6ad15d15295 100644
--- a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json
+++ b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json
@@ -403,7 +403,6 @@
 "Statement": [ { "Action": [ - "autoscaling:CompleteLifecycleAction", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus",
@@ -412,18 +411,56 @@
 "Effect": "Allow", "Resource": "*" }, + { + "Action": "autoscaling:CompleteLifecycleAction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":autoscaling:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":autoScalingGroup:*:autoScalingGroupName/", + { + "Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB" + } + ] + ] + } + }, + { + "Action": [ + "ecs:DescribeContainerInstances", + "ecs:DescribeTasks" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "ecs:ListContainerInstances", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange", - "ecs:DescribeContainerInstances", "ecs:UpdateContainerInstancesState", - "ecs:ListTasks", - "ecs:DescribeTasks" + "ecs:ListTasks" ], "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } } ], "Version": "2012-10-17"
diff --git a/packages/@aws-cdk/aws-ecs/lib/cluster.ts b/packages/@aws-cdk/aws-ecs/lib/cluster.ts
index 37ed20215b144..b32591a7c958d 100644
--- a/packages/@aws-cdk/aws-ecs/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/cluster.ts
@@ -396,13 +396,7 @@ class ImportedCluster extends Resource implements ICluster {
 this.clusterArn = props.clusterArn !== undefined ? props.clusterArn : Stack.of(this).formatArn({
 service: 'ecs',
 resource: 'cluster',
- resourceName: props.clusterName,
- });
-
- this.clusterArn = props.clusterArn !== undefined ? props.clusterArn : Stack.of(this).formatArn({
- service: 'ecs',
- resource: 'cluster',
- resourceName: props.clusterName,
+ resourceName: props.clusterName
 });
 let i = 1;
diff --git a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
index 87fd362a0eccb..4d7fbfc60b1a6 100644
--- a/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
+++ b/packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts
@@ -69,29 +69,38 @@ export class InstanceDrainHook extends cdk.Construct {
 heartbeatTimeoutSec: drainTimeSeconds,
 });
- // FIXME: These should probably be restricted usefully in some way, but I don't exactly
- // know how.
+ // Describe actions cannot be restricted and restrict the CompleteLifecycleAction to the ASG arn
+ // https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html
 fn.addToRolePolicy(new iam.PolicyStatement()
 .addActions(
- 'autoscaling:CompleteLifecycleAction',
 'ec2:DescribeInstances',
 'ec2:DescribeInstanceAttribute',
 'ec2:DescribeInstanceStatus',
- 'ec2:DescribeHosts',
+ 'ec2:DescribeHosts'
 )
 .addAllResources());
- // FIXME: These should be restricted to the ECS cluster probably, but I don't exactly
- // know how.
+ // Restrict to the ASG
+ fn.addToRolePolicy(new iam.PolicyStatement()
+ .addActions(
+ 'autoscaling:CompleteLifecycleAction'
+ )
+ .addResource(props.autoScalingGroup.autoScalingGroupArn));
+
+ fn.addToRolePolicy(new iam.PolicyStatement()
+ .addActions(
+ 'ecs:DescribeContainerInstances',
+ 'ecs:DescribeTasks')
+ .addAllResources());
+
+ // Restrict to the ECS Cluster
 fn.addToRolePolicy(new iam.PolicyStatement()
 .addActions(
 'ecs:ListContainerInstances',
 'ecs:SubmitContainerStateChange',
 'ecs:SubmitTaskStateChange',
- 'ecs:DescribeContainerInstances',
 'ecs:UpdateContainerInstancesState',
- 'ecs:ListTasks',
- 'ecs:DescribeTasks')
- .addAllResources());
+ 'ecs:ListTasks')
+ .addResource(props.cluster.clusterArn));
 }
 }
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
index 742246c78bff2..45625b2d4a15e 100644
--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json
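Review bot: Scoping `ecs:UpdateContainerInstancesState` and `ecs:ListTasks` to `props.cluster.clusterArn` in the last statement is likely to deny those calls at drain time: as I read the ECS IAM reference, both actions are evaluated against container-instance resources rather than the cluster resource, so a cluster ARN in `Resource` never matches and the hook can no longer set the instance to DRAINING. Moving those two actions to their own statement on `*` with an `ArnEquals` condition on the `ecs:cluster` key keeps the least-privilege intent while matching what the service evaluates, and the same condition would also fit the new `ecs:Describe*` statement if the reference confirms those actions accept it. The new comment above the `ec2:Describe*` statement mixes two thoughts; I would replace it with `// ec2:Describe* calls do not support resource-level permissions, so they must be granted on '*'` and move the link down to the `autoscaling:CompleteLifecycleAction` statement it documents. The constructor containing this code starts before the hunk.
```typescript
    // Restrict to the ECS Cluster
    fn.addToRolePolicy(new iam.PolicyStatement()
      .addActions(
        'ecs:ListContainerInstances',
        'ecs:SubmitContainerStateChange',
        'ecs:SubmitTaskStateChange')
      .addResource(props.cluster.clusterArn));

    // These act on container-instance resources, so scope them by cluster via the ecs:cluster condition key
    fn.addToRolePolicy(new iam.PolicyStatement()
      .addActions(
        'ecs:UpdateContainerInstancesState',
        'ecs:ListTasks')
      .addAllResources()
      .addCondition('ArnEquals', { 'ecs:cluster': props.cluster.clusterArn }));
    // … unchanged: closing braces of the constructor and class …
```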
@@ -559,7 +559,6 @@ "Statement": [ { "Action": [ - "autoscaling:CompleteLifecycleAction", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", @@ -568,18 +567,56 @@ "Effect": "Allow", "Resource": "*" }, + { + "Action": "autoscaling:CompleteLifecycleAction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":autoscaling:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":autoScalingGroup:*:autoScalingGroupName/", + { + "Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB" + } + ] + ] + } + }, + { + "Action": [ + "ecs:DescribeContainerInstances", + "ecs:DescribeTasks" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "ecs:ListContainerInstances", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange", - "ecs:DescribeContainerInstances", "ecs:UpdateContainerInstancesState", - "ecs:ListTasks", - "ecs:DescribeTasks" + "ecs:ListTasks" ], "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json index 2b58e6a36f645..4316141bd1952 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json @@ -580,7 +580,6 @@ "Statement": [ { "Action": [ - "autoscaling:CompleteLifecycleAction", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", 
@@ -589,18 +588,56 @@ "Effect": "Allow", "Resource": "*" }, + { + "Action": "autoscaling:CompleteLifecycleAction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":autoscaling:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":autoScalingGroup:*:autoScalingGroupName/", + { + "Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB" + } + ] + ] + } + }, + { + "Action": [ + "ecs:DescribeContainerInstances", + "ecs:DescribeTasks" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "ecs:ListContainerInstances", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange", - "ecs:DescribeContainerInstances", "ecs:UpdateContainerInstancesState", - "ecs:ListTasks", - "ecs:DescribeTasks" + "ecs:ListTasks" ], "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json index 2f7fcd2493f68..82b202d4f6551 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json @@ -559,7 +559,6 @@ "Statement": [ { "Action": [ - "autoscaling:CompleteLifecycleAction", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", 
@@ -568,18 +567,56 @@ "Effect": "Allow", "Resource": "*" }, + { + "Action": "autoscaling:CompleteLifecycleAction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":autoscaling:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":autoScalingGroup:*:autoScalingGroupName/", + { + "Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB" + } + ] + ] + } + }, + { + "Action": [ + "ecs:DescribeContainerInstances", + "ecs:DescribeTasks" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "ecs:ListContainerInstances", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange", - "ecs:DescribeContainerInstances", "ecs:UpdateContainerInstancesState", - "ecs:ListTasks", - "ecs:DescribeTasks" + "ecs:ListTasks" ], "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json index f72fce6092f55..c8770a3740c09 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json @@ -559,7 +559,6 @@ "Statement": [ { "Action": [ - "autoscaling:CompleteLifecycleAction", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", 
@@ -568,18 +567,56 @@ "Effect": "Allow", "Resource": "*" }, + { + "Action": "autoscaling:CompleteLifecycleAction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":autoscaling:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":autoScalingGroup:*:autoScalingGroupName/", + { + "Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB" + } + ] + ] + } + }, + { + "Action": [ + "ecs:DescribeContainerInstances", + "ecs:DescribeTasks" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "ecs:ListContainerInstances", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange", - "ecs:DescribeContainerInstances", "ecs:UpdateContainerInstancesState", - "ecs:ListTasks", - "ecs:DescribeTasks" + "ecs:ListTasks" ], "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json b/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json index c9f77ff04f967..70ec436edefaf 100644 --- a/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json +++ b/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json @@ -403,7 +403,6 @@ "Statement": [ { "Action": [ - "autoscaling:CompleteLifecycleAction", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", 
@@ -412,18 +411,56 @@ "Effect": "Allow", "Resource": "*" }, + { + "Action": "autoscaling:CompleteLifecycleAction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":autoscaling:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":autoScalingGroup:*:autoScalingGroupName/", + { + "Ref": "EcsClusterDefaultAutoScalingGroupASGC1A785DB" + } + ] + ] + } + }, + { + "Action": [ + "ecs:DescribeContainerInstances", + "ecs:DescribeTasks" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "ecs:ListContainerInstances", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange", - "ecs:DescribeContainerInstances", "ecs:UpdateContainerInstancesState", - "ecs:ListTasks", - "ecs:DescribeTasks" + "ecs:ListTasks" ], "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } } ], "Version": "2012-10-17" diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json index 18b32f655f009..f8d6494414d5b 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/integ.ec2-task.expected.json @@ -211,7 +211,6 @@ "Statement": [ { "Action": [ - "autoscaling:CompleteLifecycleAction", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus", 
@@ -220,18 +219,56 @@ "Effect": "Allow", "Resource": "*" }, + { + "Action": "autoscaling:CompleteLifecycleAction", + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":autoscaling:", + { + "Ref": "AWS::Region" + }, + ":", + { + "Ref": "AWS::AccountId" + }, + ":autoScalingGroup:*:autoScalingGroupName/", + { + "Ref": "FargateClusterDefaultAutoScalingGroupASG36A4948F" + } + ] + ] + } + }, + { + "Action": [ + "ecs:DescribeContainerInstances", + "ecs:DescribeTasks" + ], + "Effect": "Allow", + "Resource": "*" + }, { "Action": [ "ecs:ListContainerInstances", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange", - "ecs:DescribeContainerInstances", "ecs:UpdateContainerInstancesState", - "ecs:ListTasks", - "ecs:DescribeTasks" + "ecs:ListTasks" ], "Effect": "Allow", - "Resource": "*" + "Resource": { + "Fn::GetAtt": [ + "FargateCluster7CCD5F93", + "Arn" + ] + } } ], "Version": "2012-10-17"