From 915aaa6cbcefb993a3aca2ebce87636a43a002b1 Mon Sep 17 00:00:00 2001
From: Jay Whitwell
Date: Fri, 10 May 2024 11:18:13 +0100
Subject: [PATCH 1/2] add readonly root filesystem
---
 terraform/environment/region/api_ecs.tf | 42 ++++++++++++++-----------
 1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/terraform/environment/region/api_ecs.tf b/terraform/environment/region/api_ecs.tf
index 1daadf8f15..452526fa8b 100644
--- a/terraform/environment/region/api_ecs.tf
+++ b/terraform/environment/region/api_ecs.tf
@@ -307,11 +307,12 @@ data "aws_iam_policy_document" "api_permissions_role" {
 locals {
 api_web = jsonencode(
 {
- cpu = 1,
- essential = true,
- image = "${data.aws_ecr_repository.use_an_lpa_api_web.repository_url}:${var.container_version}",
- mountPoints = [],
- name = "web",
+ cpu = 1,
+ essential = true,
+ image = "${data.aws_ecr_repository.use_an_lpa_api_web.repository_url}:${var.container_version}",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "web",
 portMappings = [
 {
 containerPort = 80,
@@ -353,11 +354,12 @@ locals {
 api_aws_otel_collector = jsonencode(
 {
- cpu = 0,
- essential = true,
- image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1",
- mountPoints = [],
- name = "aws-otel-collector",
+ cpu = 0,
+ essential = true,
+ image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "aws-otel-collector",
 command = [
 "--config=/etc/ecs/ecs-default-config.yaml"
 ],
@@ -376,10 +378,11 @@ locals {
 api_fpm_stats_export = jsonencode(
 {
- cpu = 0,
- essential = false,
- image = "311462405659.dkr.ecr.eu-west-1.amazonaws.com/shared/php-fpm-stats-exporter:v0.1.3",
- name = "fpm-stats-export",
+ cpu = 0,
+ essential = false,
+ image = "311462405659.dkr.ecr.eu-west-1.amazonaws.com/shared/php-fpm-stats-exporter:v0.1.3",
+ name = "fpm-stats-export",
+ readonlyRootFilesystem = true,
 logConfiguration = {
 logDriver = "awslogs",
 options = {
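Review bot: `readonlyRootFilesystem = true` is added to the web container alongside `mountPoints = []` with no `tmpfs` or volume anywhere in the hunk, so any path the process writes at runtime (temp, cache or pid files) will now fail with a read-only filesystem error, and nothing here shows the image was checked for such writes. The same applies to the api_aws_otel_collector, api_fpm_stats_export, api_app, admin_app, actor_aws_otel_collector, actor_app, viewer_aws_otel_collector and viewer_app hunks in this series. Where a container does need scratch space, keeping the read-only root and giving it an explicit writable mount (`linuxParameters = { tmpfs = [...] }` on the EC2 launch type, or a task `volume` plus a `mountPoints` entry, which also works on Fargate) is stronger than dropping the flag, which is what patch 2/2 ends up doing for api_web. A comment on the new line such as `# root filesystem is read-only; any writable path must be mounted explicitly` would record the intent for the next maintainer.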
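Review bot: In the api_fpm_stats_export hunk the new `readonlyRootFilesystem = true,` line is placed after `name`, whereas the api_web and api_aws_otel_collector hunks in the same patch put it immediately before `name`; keeping the key order identical across the container definitions lets an auditor confirm the hardening is present with a single glance down the file. Move the line up so it directly follows `image` and precedes `name = "fpm-stats-export",`.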
@@ -411,11 +414,12 @@ locals {
 api_app = jsonencode(
 {
- cpu = 1,
- essential = true,
- image = "${data.aws_ecr_repository.use_an_lpa_api_app.repository_url}:${var.container_version}",
- mountPoints = [],
- name = "app",
+ cpu = 1,
+ essential = true,
+ image = "${data.aws_ecr_repository.use_an_lpa_api_app.repository_url}:${var.container_version}",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "app",
 portMappings = [
 {
 containerPort = 9000,
From 9ea4ac9416b5830b9222dca6930758f822f0d126 Mon Sep 17 00:00:00 2001
From: Jay Whitwell
Date: Fri, 10 May 2024 13:30:07 +0100
Subject: [PATCH 2/2] add readonly filesystems
---
 terraform/environment/region/admin_ecs.tf | 12 +++++------
 terraform/environment/region/api_ecs.tf | 11 +++++------
 terraform/environment/region/use_ecs.tf | 22 +++++++++++----------
 terraform/environment/region/viewer_ecs.tf | 23 +++++++++++-----------
 4 files changed, 35 insertions(+), 33 deletions(-)
diff --git a/terraform/environment/region/admin_ecs.tf b/terraform/environment/region/admin_ecs.tf
index 4ece5d84b9..6fe475d5bc 100644
--- a/terraform/environment/region/admin_ecs.tf
+++ b/terraform/environment/region/admin_ecs.tf
@@ -225,11 +225,12 @@ data "aws_iam_policy_document" "admin_permissions_role" {
 locals {
 admin_app = jsonencode(
 {
- cpu = 1,
- essential = true,
- image = "${data.aws_ecr_repository.use_an_lpa_admin_app.repository_url}:${var.admin_container_version}",
- mountPoints = [],
- name = "app",
+ cpu = 1,
+ essential = true,
+ image = "${data.aws_ecr_repository.use_an_lpa_admin_app.repository_url}:${var.admin_container_version}",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "app",
 portMappings = [
 {
 containerPort = 8080,
@@ -282,5 +283,4 @@ locals {
 ]
 }
 )
-
 }
diff --git a/terraform/environment/region/api_ecs.tf b/terraform/environment/region/api_ecs.tf
index 452526fa8b..03b86f7050 100644
--- a/terraform/environment/region/api_ecs.tf
+++ b/terraform/environment/region/api_ecs.tf
@@ -307,12 +307,11 @@ data "aws_iam_policy_document" "api_permissions_role" {
 locals {
 api_web = jsonencode(
 {
- cpu = 1,
- essential = true,
- image = "${data.aws_ecr_repository.use_an_lpa_api_web.repository_url}:${var.container_version}",
- mountPoints = [],
- readonlyRootFilesystem = true,
- name = "web",
+ cpu = 1,
+ essential = true,
+ image = "${data.aws_ecr_repository.use_an_lpa_api_web.repository_url}:${var.container_version}",
+ mountPoints = [],
+ name = "web",
 portMappings = [
 {
 containerPort = 80,
diff --git a/terraform/environment/region/use_ecs.tf b/terraform/environment/region/use_ecs.tf
index cfe27d3df9..ff39bea835 100644
--- a/terraform/environment/region/use_ecs.tf
+++ b/terraform/environment/region/use_ecs.tf
@@ -244,11 +244,12 @@ locals {
 actor_aws_otel_collector = jsonencode(
 {
- cpu = 0,
- essential = true,
- image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1",
- mountPoints = [],
- name = "aws-otel-collector",
+ cpu = 0,
+ essential = true,
+ image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "aws-otel-collector",
 command = [
 "--config=/etc/ecs/ecs-default-config.yaml"
 ],
@@ -267,11 +268,12 @@ locals {
 actor_app = jsonencode(
 {
- cpu = 1,
- essential = true,
- image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}",
- mountPoints = [],
- name = "app",
+ cpu = 1,
+ essential = true,
+ image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "app",
 portMappings = [
 {
 containerPort = 9000,
diff --git a/terraform/environment/region/viewer_ecs.tf b/terraform/environment/region/viewer_ecs.tf
index 4db5d839cc..7228f19dd3 100644
--- a/terraform/environment/region/viewer_ecs.tf
+++ b/terraform/environment/region/viewer_ecs.tf
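Review bot: After this hunk the web container is the only definition in the series left without `readonlyRootFilesystem`, and neither the hunk nor the commit message records why the flag added in patch 1/2 is being dropped again. A comment where the key was removed, e.g. `# readonlyRootFilesystem deliberately not set for web — TODO(owner): record which paths it writes and mount them so the flag can be restored`, would stop the next reviewer from re-adding it blind and keeps the exception visible to anyone auditing container hardening. If the reason is a runtime write, a writable `volume`/`mountPoints` entry for just that path is the route back to a read-only root.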
@@ -217,11 +217,12 @@ locals {
 viewer_aws_otel_collector = jsonencode(
 {
- cpu = 0,
- essential = true,
- image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1",
- mountPoints = [],
- name = "aws-otel-collector",
+ cpu = 0,
+ essential = true,
+ image = "public.ecr.aws/aws-observability/aws-otel-collector:v0.14.1",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "aws-otel-collector",
 command = [
 "--config=/etc/ecs/ecs-default-config.yaml"
 ],
@@ -240,11 +241,12 @@ locals {
 viewer_app = jsonencode(
 {
- cpu = 1,
- essential = true,
- image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}",
- mountPoints = [],
- name = "app",
+ cpu = 1,
+ essential = true,
+ image = "${data.aws_ecr_repository.use_an_lpa_front_app.repository_url}:${var.container_version}",
+ mountPoints = [],
+ readonlyRootFilesystem = true,
+ name = "app",
 portMappings = [
 {
 containerPort = 9000,
@@ -272,7 +274,6 @@ locals {
 }
 )
-
 viewer_app_environment_variables = concat(
 [
 {