Add flag to enable readonly root fs for container

provider/aws/formation/rack.json

@@ -149,6 +149,7 @@
     "PublicInstanceInclude": { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "InstancesIpToIncludInWhiteListing" }, "Both" ] }, { "Fn::Equals": [ { "Ref": "InstancesIpToIncludInWhiteListing" }, "Workload" ] } ] },
     "PublicInstancesAndWhiteList": { "Fn::And": [ { "Condition": "PublicInstances" }, { "Condition": "WhiteListCIDRs" }, {"Condition": "PublicInstanceInclude"} ] },
     "PublicRouter": { "Fn::Equals": [ { "Ref": "InternalOnly" }, "No" ] },
+    "EnableContainerReadonlyRootFilesystem": { "Fn::Equals": [ { "Ref": "EnableContainerReadonlyRootFilesystem" }, "Yes" ] },
     "RegionHasEFS": { "Fn::Equals": [
       { "Fn::FindInMap": [ "RegionConfig", { "Ref": "AWS::Region" }, "EFS" ] },
       "Yes"
@@ -692,6 +693,11 @@
       "Default": "1",
       "Description": "How often to poll ECS for service events in seconds. Longer intervals may alleviate rate limiting / throttling from ECS."
     },
+    "EnableContainerReadonlyRootFilesystem": {
+      "Type": "String",
+      "Default": "No",
+      "AllowedValues": [ "Yes", "No" ]
+    },
     "EncryptEbs": {
       "Type": "String",
       "Description": "Enable encryption at rest for EBS volumes",
@@ -3865,6 +3871,7 @@
         "ContainerDefinitions": [
           {
             "Cpu": { "Ref": "BuildCpu" },
+            "EnableContainerReadonlyRootFilesystem": { "Fn::If": [ "EnableContainerReadonlyRootFilesystem", "true", "false" ] },
             "DockerLabels": {
               "convox.release": { "Ref": "Version" },
               "rack.ApiBalancerSecurity": { "Ref": "ApiBalancerSecurity" },
@@ -3965,6 +3972,7 @@
           {
             "Command": [ "/go/bin/monitor" ],
             "Cpu": "64",
+            "EnableContainerReadonlyRootFilesystem": { "Fn::If": [ "EnableContainerReadonlyRootFilesystem", "true", "false" ] },
             "DockerLabels": {
               "convox.release": { "Ref": "Version" },
               "rack.ApiBalancerSecurity": { "Ref": "ApiBalancerSecurity" },
@@ -4080,6 +4088,7 @@
           {
             "Command": [ "/go/bin/rack" ],
             "Cpu": { "Ref": "ApiCpu" },
+            "EnableContainerReadonlyRootFilesystem": { "Fn::If": [ "EnableContainerReadonlyRootFilesystem", "true", "false" ] },
             "DockerLabels": {
               "convox.release": { "Ref": "Version" },
               "rack.AsgSpot": { "Fn::If": [ "SpotInstances", { "Ref": "SpotInstances" }, { "Ref": "AWS::NoValue" } ] },

provider/aws/formation/service.json.tmpl

@@ -16,6 +16,7 @@
       "IsolateServices": { "Fn::Or": [ { "Condition": "FargateEither" }, { "Condition": "Isolate" } ] },
       "Private": { "Fn::Equals": [ { "Ref": "Private" }, "Yes" ] },
       "RackUrl": { "Fn::Equals": [ { "Ref": "RackUrl" }, "Yes" ] },
+      "ReadonlyRootFilesystem": { "Fn::Equals": [ { "Ref": "ReadonlyRootFilesystem" }, "Yes" ] },
       "RouteHttp": { "Fn::Equals": [ { "Ref": "RedirectHttps" }, "No" ] },
       "TaskTags": { "Fn::Equals": [ { "Ref": "TaskTags" }, "Yes" ] }
     },
@@ -124,6 +125,11 @@
         "Default": "No",
         "AllowedValues": [ "Yes", "No" ]
       },
+      "ReadonlyRootFilesystem": {
+        "Type": "String",
+        "Default": "No",
+        "AllowedValues": [ "Yes", "No" ]
+      },
       "RedirectHttps": {
         "Type": "String",
         "Default": "Yes",
@@ -748,6 +754,7 @@
             }
           ],
           "Cpu": { "Fn::If": [ "FargateEither", { "Ref": "Cpu" }, { "Ref": "AWS::NoValue" } ] },
+          "ReadonlyRootFilesystem": { "Fn::If": [ "ReadonlyRootFilesystem", "true", "false" ] },
           "ExecutionRoleArn": { "Fn::GetAtt": [ "ExecutionRole", "Arn" ] },
           "Family": { "Fn::Sub": "${AWS::StackName}-service-{{.Name}}" },
           "Memory": { "Fn::If": [ "FargateEither", { "Ref": "Memory" }, { "Ref": "AWS::NoValue" } ] },

provider/aws/formation/timer.json.tmpl

@@ -7,7 +7,8 @@
       "FargateEither": { "Fn::Or": [ { "Condition": "FargateBase" }, { "Condition": "FargateSpot" } ] },
       "FargateBase": { "Fn::Equals": [ { "Ref": "Fargate" }, "Yes" ] },
       "FargateSpot": { "Fn::Equals": [ { "Ref": "Fargate" }, "Spot" ] },
-      "RackUrl": { "Fn::Equals": [ { "Ref": "RackUrl" }, "Yes" ] }
+      "RackUrl": { "Fn::Equals": [ { "Ref": "RackUrl" }, "Yes" ] },
+      "ReadonlyRootFilesystem": { "Fn::Equals": [ { "Ref": "ReadonlyRootFilesystem" }, "Yes" ] }
     },
     "Outputs": {
       "Fargate": {
@@ -53,6 +54,11 @@
         "Default": "No",
         "AllowedValues": [ "Yes", "No" ]
       },
+      "ReadonlyRootFilesystem": {
+        "Type": "String",
+        "Default": "No",
+        "AllowedValues": [ "Yes", "No" ]
+      },
       "Registry": {
         "Type": "String"
       },
@@ -162,6 +168,7 @@
               {
                 "Command": [ "sh", "-c", {{ safe $.Timer.Command }} ],
                 "Cpu": { "Ref": "Cpu" },
+                "ReadonlyRootFilesystem": { "Fn::If": [ "ReadonlyRootFilesystem", "true", "false" ] },
                 "DockerLabels": { "convox.app": "{{$.App}}", "convox.generation": "2", "convox.process.type": "timer", "convox.release": "{{$.Release.Id}}" },
                 "Environment": [
                   {{ range $k, $v := .EnvironmentDefaults }}

provider/aws/releases.go

@@ -374,13 +374,19 @@ func (p *Provider) ReleasePromote(app, id string, opts structs.ReleasePromoteOpt
 		return err
 	}
 
+	readonlyRootFilesystem, err := p.stackParameter(p.Rack, "EnableContainerReadonlyRootFilesystem")
+	if err != nil {
+		return err
+	}
+
 	updates := map[string]string{
-		"LogBucket":         p.LogBucket,
-		"LogDriver":         p.LogDriver,
-		"PlaceLambdaInVpc":  lambdaInVpc,
-		"Private":           private,
-		"SyslogDestination": p.SyslogDestination,
-		"SyslogFormat":      p.SyslogFormat,
+		"LogBucket":              p.LogBucket,
+		"LogDriver":              p.LogDriver,
+		"PlaceLambdaInVpc":       lambdaInVpc,
+		"Private":                private,
+		"SyslogDestination":      p.SyslogDestination,
+		"SyslogFormat":           p.SyslogFormat,
+		"ReadonlyRootFilesystem": readonlyRootFilesystem,
 	}
 
 	if m.Params != nil {