fix(ecs): wrong ARN generated in Cluster.grantTaskProtection method (#36207)

The `Cluster.grantTaskProtection()` method is delegating to the method in the auto-generated `ClusterGrants` class. This class is generating policies with an incorrect ARN. It's using the cluster ARN (`:cluster/abc/*`) instead of the tasks ARN (`:task/abc/*`).

Since the code generation mechanism doesn't provide any way of specifying a custom logic for the ARN generation, replace the auto-generated `ClusterGrants` with hand-written one, in which the ARN is computed by:

```ts
  private arnForTasks(keyPattern: string): string {
    return Stack.of(this.resource).formatArn({
      service: 'ecs',
      resource: 'task',
      resourceName: `${this.resource.clusterRef.clusterName}/${keyPattern}`,
      arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
    });
  }
```

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: otaviomacedo

packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.assets.json

@@ -423,11 +423,21 @@
         "Fn::Join": [
          "",
          [
+          "arn:",
           {
-           "Fn::GetAtt": [
-            "ClusterEB0386A7",
-            "Arn"
-           ]
+           "Ref": "AWS::Partition"
+          },
+          ":ecs:",
+          {
+           "Ref": "AWS::Region"
+          },
+          ":",
+          {
+           "Ref": "AWS::AccountId"
+          },
+          ":task/",
+          {
+           "Ref": "ClusterEB0386A7"
           },
           "/*"
          ]

packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/aws-ecs-integ.template.json

@@ -0,0 +1,63 @@
+/* eslint-disable @stylistic/max-len, eol-last */
+import * as ecs from './ecs.generated';
+import { Grant, IGrantable } from '../../aws-iam';
+import { ArnFormat, Stack } from '../../core';
+
+/**
+ * Properties for ClusterGrants
+ */
+interface ClusterGrantsProps {
+  /**
+   * The resource on which actions will be allowed
+   */
+  readonly resource: ecs.IClusterRef;
+}
+
+/**
+ * Collection of grant methods for a IClusterRef
+ */
+export class ClusterGrants {
+  /**
+   * Creates grants for ClusterGrants
+   */
+  public static fromCluster(resource: ecs.IClusterRef): ClusterGrants {
+    return new ClusterGrants({
+      resource: resource,
+    });
+  }
+
+  protected readonly resource: ecs.IClusterRef;
+
+  private constructor(props: ClusterGrantsProps) {
+    this.resource = props.resource;
+  }
+
+  /**
+   * Grants an ECS Task Protection API permission to the specified grantee.
+   * This method provides a streamlined way to assign the 'ecs:UpdateTaskProtection'
+   * permission, enabling the grantee to manage task protection in the ECS cluster.
+   */
+  public taskProtection(grantee: IGrantable): Grant {
+    const actions = ['ecs:UpdateTaskProtection'];
+    return Grant.addToPrincipal({
+      actions: actions,
+      grantee: grantee,
+      resourceArns: [this.arnForTasks('*')],
+    });
+  }
+
+  /**
+   * Returns an ARN that represents all tasks within the cluster that match
+   * the task pattern specified. To represent all tasks, specify ``"*"``.
+   *
+   * @param keyPattern Task id pattern
+   */
+  private arnForTasks(keyPattern: string): string {
+    return Stack.of(this.resource).formatArn({
+      service: 'ecs',
+      resource: 'task',
+      resourceName: `${this.resource.clusterRef.clusterName}/${keyPattern}`,
+      arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
+    });
+  }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/manifest.json

@@ -1,8 +1,8 @@
 import { Construct, IConstruct } from 'constructs';
 import { BottleRocketImage, EcsOptimizedAmi } from './amis';
+import { ClusterGrants } from './cluster-grants';
 import { InstanceDrainHook } from './drain-hook/instance-drain-hook';
 import { ECSMetrics } from './ecs-canned-metrics.generated';
-import { ClusterGrants } from './ecs-grants.generated';
 import {
   CfnCluster,
   CfnCapacityProvider,

packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.cluster-grant-task-protection.js.snapshot/tree.json

@@ -8,6 +8,7 @@ export * from './container-definition';
 export * from './container-image';
 export * from './amis';
 export * from './cluster';
+export * from './cluster-grants';
 export * from './environment-file';
 export * from './credential-spec';
 export * from './firelens-log-router';
@@ -53,4 +54,3 @@ export * from './alternate-target-configuration';
 // AWS::ECS CloudFormation Resources:
 //
 export * from './ecs.generated';
-export * from './ecs-grants.generated';

packages/aws-cdk-lib/aws-ecs/grants.json

@@ -1323,12 +1323,14 @@ describe('cluster', () => {
               'Fn::Join': [
                 '',
                 [
-                  {
-                    'Fn::GetAtt': [
-                      'EcsCluster97242B84',
-                      'Arn',
-                    ],
-                  },
+                  'arn:',
+                  { Ref: 'AWS::Partition' },
+                  ':ecs:',
+                  { Ref: 'AWS::Region' },
+                  ':',
+                  { Ref: 'AWS::AccountId' },
+                  ':task/',
+                  { Ref: 'EcsCluster97242B84' },
                   '/*',
                 ],
               ],