Add variables to enable readonly root filesystem and run as user

Eugene Dementiev · Eugene Dementiev · commit 6dff0cfc109b · 2020-03-12T14:28:14.000+13:00
diff --git a/main.tf b/main.tf
@@ -8,11 +8,13 @@ resource "aws_ecs_task_definition" "task" {
       essential         = var.essential
       memory            = var.memory
       memoryReservation = var.memory_reservation
-      mountPoints       = []
+      mountPoints       = var.readonlyRootFilesystem ? [{ sourceVolume = "tmp", containerPath = "/tmp" }] : []
       volumesFrom       = []
       linuxParameters = {
         initProcessEnabled = var.init_process_enabled
       }
+      readonlyRootFilesystem = var.readonlyRootFilesystem
+      user                   = var.user
     }
     ], var.additional_container_definitions) : merge(s, {
     environment = [for k in sort(keys(var.environment)) : { "name" : k, "value" : var.environment[k] }]
@@ -28,6 +30,17 @@ resource "aws_ecs_task_definition" "task" {
 
   task_role_arn = var.task_role_arn
 
+  # the /tmp volume is needed if the root fs is readonly
+  # tmpfs takes precious memory, so it's easier to create a volume
+  dynamic "volume" {
+    for_each = var.readonlyRootFilesystem ? [{}] : []
+    content {
+      name = "tmp"
+      docker_volume_configuration {
+        scope = "task"
+      }
+    }
+  }
 }
 
 
diff --git a/variables.tf b/variables.tf
@@ -82,6 +82,12 @@ variable "log_configuration" {
   default = { logDriver = "", options = {} }
 }
 
+variable "readonlyRootFilesystem" {
+  type        = bool
+  description = "Enforce read-only access to the file system inside of the Docker container"
+  default     = false
+}
+
 variable "deployment_minimum_healthy_percent" {
   description = "Minimum number of healty contianers during deployments"
   default     = 50
@@ -93,14 +99,22 @@ variable "deployment_maximum_percent" {
 }
 
 variable "desired_count" {
+  type    = number
   default = 1
 }
 
 variable "init_process_enabled" {
+  type        = bool
   description = "Use embdedded to Docker tini init process that correctly reaps zombie processes"
   default     = true
 }
 
+variable "user" {
+  type        = string
+  description = "Run container as the specified user. Formats are: user, user:group, uid, uid:gid, user:gid, uid:group"
+  default     = ""
+}
+
 
 locals {
   balanced                     = var.container_port > 0
