(aws-ecs): Give Cluster a grant method for the task protection API #26233

@SamStephens

Describe the feature

In order for ECS tasks to interact with the task protection API, the task role needs permissions on the API.

It would be nice if ECS Cluster used the standard grantX pattern and provided a method similar to grantTaskProtection.

Use Case

To simplify declaring my tasks need permissions on the task protection API.

Proposed Solution

Currently my setup for the permissions is:

        cluster_task_arn = Stack.of(self).format_arn(
            service='ecs',
            resource='task',
            resource_name=f'{fargate_cluster.cluster_name}/*'
        )
        fargate_task_definition.add_to_task_role_policy(
            aws_iam.PolicyStatement(
                actions=["ecs:UpdateTaskProtection"],
                resources=[cluster_task_arn],
            )
        )

With this feature I'd expect to do something like:

        fargate_cluster.grant_task_protection(fargate_task_definition.task_role)

Other Information

See also my request for an arnForTasks method

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.85.0

Environment details (OS name and version, etc.)

Ubuntu (Windows Subsystem for Linux)
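
Added example, not part of the original issue and not CDK code: the statement that the manual setup above resolves to, plus a check of which task ARNs it covers compared with a `Resource: "*"` grant. The region, account ID, cluster names and task IDs are constructed, and `allows` is a simplified model of IAM wildcard matching (a single Allow statement, no conditions or explicit denies).

```python
import re

ACTION = "ecs:UpdateTaskProtection"  # the action named in the issue


def task_protection_statement(region, account, cluster_name, partition="aws"):
    """Statement equivalent to the issue's snippet once CDK tokens resolve."""
    resource = f"arn:{partition}:ecs:{region}:{account}:task/{cluster_name}/*"
    return {"Effect": "Allow", "Action": [ACTION], "Resource": [resource]}


def _wildcard(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(regex, value, flags) is not None


def allows(statement, action, resource):
    """Simplified model: one Allow statement, no conditions or explicit denies."""
    if statement.get("Effect") != "Allow":
        return False
    # Action names match case-insensitively; resource ARNs match case-sensitively.
    action_ok = any(_wildcard(a, action, ignore_case=True) for a in statement["Action"])
    resource_ok = any(_wildcard(r, resource) for r in statement["Resource"])
    return action_ok and resource_ok


# Constructed sample values (not from the issue).
REGION, ACCOUNT = "us-east-1", "111122223333"
TASK_ID = "0123456789abcdef0123456789abcdef"
SCOPED = task_protection_statement(REGION, ACCOUNT, "workers")
BROAD = {"Effect": "Allow", "Action": [ACTION], "Resource": ["*"]}
OWN_TASK = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task/workers/{TASK_ID}"
OTHER_TASK = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task/billing/{TASK_ID}"
# A cluster whose name merely starts with "workers" must not be covered.
PREFIX_TASK = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task/workers-prod/{TASK_ID}"

if __name__ == "__main__":
    for name, stmt in (("scoped", SCOPED), ("broad", BROAD)):
        for arn in (OWN_TASK, OTHER_TASK, PREFIX_TASK):
            print(f"{name:6} allowed={allows(stmt, ACTION, arn)!s:5} {arn}")
```

The `/` before the trailing `*` is what keeps the grant from reaching tasks in a cluster whose name shares the `workers` prefix.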

Labels: @aws-cdk/aws-ecs, effort/small, feature-request, p2
