Merge branch 'master' into nija-at/cognito-test-refactor

Author: mergify[bot]

packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service.expected.json

@@ -658,7 +658,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "ClusterEB0386A7",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json

@@ -474,7 +474,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/lib/drain-hook/instance-drain-hook.ts

@@ -90,6 +90,9 @@ export class InstanceDrainHook extends cdk.Construct {
     fn.addToRolePolicy(new iam.PolicyStatement({
       actions: ['ecs:DescribeContainerInstances', 'ecs:DescribeTasks'],
       resources: ['*'],
+      conditions: {
+        ArnEquals: { 'ecs:cluster': props.cluster.clusterArn },
+      },
     }));
 
     // Restrict to the ECS Cluster

packages/@aws-cdk/aws-ecs/test/ec2/integ.app-mesh-proxy-config.expected.json

@@ -637,7 +637,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/ec2/integ.clb-host-nw.expected.json

@@ -658,7 +658,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/ec2/integ.firelens-s3-config.expected.json

@@ -637,7 +637,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json

@@ -637,7 +637,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json

@@ -658,7 +658,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json

@@ -637,7 +637,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json

@@ -637,7 +637,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/ec2/integ.spot-drain.expected.json

@@ -639,7 +639,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [
@@ -1110,7 +1120,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-ecs/test/test.ecs-cluster.ts

@@ -444,6 +444,16 @@ export = {
               ],
               Effect: 'Allow',
               Resource: '*',
+              Condition: {
+                ArnEquals: {
+                  'ecs:cluster': {
+                    'Fn::GetAtt': [
+                      'EcsCluster97242B84',
+                      'Arn',
+                    ],
+                  },
+                },
+              },
             },
             {
               Action: [

packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json

@@ -475,7 +475,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "EcsCluster97242B84",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.expected.json

@@ -269,7 +269,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "Ec2ClusterEE43E89D",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [

packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-task.expected.json

@@ -269,7 +269,17 @@
                 "ecs:DescribeTasks"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": "*",
+              "Condition": {
+                "ArnEquals": {
+                  "ecs:cluster": {
+                    "Fn::GetAtt": [
+                      "FargateCluster7CCD5F93",
+                      "Arn"
+                    ]
+                  }
+                }
+              }
             },
             {
               "Action": [