diff --git a/terraform/environment/region/admin_ecs.tf b/terraform/environment/region/admin_ecs.tf index 4ece5d84b9..6fe475d5bc 100644 --- a/terraform/environment/region/admin_ecs.tf +++ b/terraform/environment/region/admin_ecs.tf @@ -225,11 +225,12 @@ data "aws_iam_policy_document" "admin_permissions_role" { locals { admin_app = jsonencode( { - cpu = 1, - essential = true, - image = "${data.aws_ecr_repository.use_an_lpa_admin_app.repository_url}:${var.admin_container_version}", - mountPoints = [], - name = "app", + cpu = 1, + essential = true, + image = "${data.aws_ecr_repository.use_an_lpa_admin_app.repository_url}:${var.admin_container_version}", + mountPoints = [], + readonlyRootFilesystem = true, + name = "app", portMappings = [ { containerPort = 8080, @@ -282,5 +283,4 @@ locals { ] } ) - } diff --git a/terraform/environment/region/api_ecs.tf b/terraform/environment/region/api_ecs.tf index 1daadf8f15..03b86f7050 100644 --- a/terraform/environment/region/api_ecs.tf +++ b/terraform/environment/region/api_ecs.tf @@ -353,11 +353,12 @@ locals { api_aws_otel_collector = jsonencode( { - cpu = 0, - essential = true, - image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1", - mountPoints = [], - name = "aws-otel-collector", + cpu = 0, + essential = true, + image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1", + mountPoints = [], + readonlyRootFilesystem = true, + name = "aws-otel-collector", command = [ "--config=/etc/ecs/ecs-default-config.yaml" ], @@ -376,10 +377,11 @@ locals { api_fpm_stats_export = jsonencode( { - cpu = 0, - essential = false, - image = "311462405659.dkr.ecr.eu-west-1.amazonaws.com/shared/php-fpm-stats-exporter:v0.1.3", - name = "fpm-stats-export", + cpu = 0, + essential = false, + image = "311462405659.dkr.ecr.eu-west-1.amazonaws.com/shared/php-fpm-stats-exporter:v0.1.3", + name = "fpm-stats-export", + readonlyRootFilesystem = true, logConfiguration = { logDriver = "awslogs", options = { 
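Review bot: The hardened admin_app container is left with no writable path: `mountPoints = []` stays empty next to the new `readonlyRootFilesystem = true`, and no task volume or tmpfs is introduced here or in the api_app, actor_app, viewer_app, fpm-stats-export and the three aws-otel-collector hunks that make the same change. The app containers expose port 9000 and ship beside a php-fpm stats exporter, which suggests PHP-FPM images; those commonly write a pid file, a socket or session data under /tmp or /var/run and would fail at start or on the first request once the root is read-only, so this should be confirmed against the Dockerfiles and a test deployment before merge. If a scratch path is needed, declare a task-level `volume { name = "tmp" }` on the task definition (outside this hunk) and reference it with `mountPoints = [{ sourceVolume = "tmp", containerPath = "/tmp" }],`; `linuxParameters.tmpfs` is not available on Fargate, if that is the launch type in use. The enclosing locals block continues outside the hunk.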
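Review bot: In the api_fpm_stats_export definition the new `readonlyRootFilesystem = true,` is placed after `name = "fpm-stats-export",`, while every other container in this change puts it before `name`; moving it up one line keeps the five files aligned and makes the hardening easy to audit with a single grep. The definition's remaining keys (`logConfiguration` onwards) continue outside the hunk.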
@@ -411,11 +413,12 @@ locals { api_app = jsonencode( { - cpu = 1, - essential = true, - image = "${data.aws_ecr_repository.use_an_lpa_api_app.repository_url}:${var.container_version}", - mountPoints = [], - name = "app", + cpu = 1, + essential = true, + image = "${data.aws_ecr_repository.use_an_lpa_api_app.repository_url}:${var.container_version}", + mountPoints = [], + readonlyRootFilesystem = true, + name = "app", portMappings = [ { containerPort = 9000, diff --git a/terraform/environment/region/use_ecs.tf b/terraform/environment/region/use_ecs.tf index cfe27d3df9..ff39bea835 100644 --- a/terraform/environment/region/use_ecs.tf +++ b/terraform/environment/region/use_ecs.tf @@ -244,11 +244,12 @@ locals { actor_aws_otel_collector = jsonencode( { - cpu = 0, - essential = true, - image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1", - mountPoints = [], - name = "aws-otel-collector", + cpu = 0, + essential = true, + image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1", + mountPoints = [], + readonlyRootFilesystem = true, + name = "aws-otel-collector", command = [ "--config=/etc/ecs/ecs-default-config.yaml" ], @@ -267,11 +268,12 @@ locals { actor_app = jsonencode( { - cpu = 1, - essential = true, - image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}", - mountPoints = [], - name = "app", + cpu = 1, + essential = true, + image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}", + mountPoints = [], + readonlyRootFilesystem = true, + name = "app", portMappings = [ { containerPort = 9000, diff --git a/terraform/environment/region/viewer_ecs.tf b/terraform/environment/region/viewer_ecs.tf index 4db5d839cc..7228f19dd3 100644 --- a/terraform/environment/region/viewer_ecs.tf +++ b/terraform/environment/region/viewer_ecs.tf 
@@ -217,11 +217,12 @@ locals { viewer_aws_otel_collector = jsonencode( { - cpu = 0, - essential = true, - image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1", - mountPoints = [], - name = "aws-otel-collector", + cpu = 0, + essential = true, + image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1", + mountPoints = [], + readonlyRootFilesystem = true, + name = "aws-otel-collector", command = [ "--config=/etc/ecs/ecs-default-config.yaml" ], @@ -240,11 +241,12 @@ locals { viewer_app = jsonencode( { - cpu = 1, - essential = true, - image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}", - mountPoints = [], - name = "app", + cpu = 1, + essential = true, + image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}", + mountPoints = [], + readonlyRootFilesystem = true, + name = "app", portMappings = [ { containerPort = 9000, @@ -272,7 +274,6 @@ locals { } ) - viewer_app_environment_variables = concat( [ {