diff --git a/provider/aws/formation/rack.json b/provider/aws/formation/rack.json
index c71a24063..4946b4db5 100644
--- a/provider/aws/formation/rack.json
+++ b/provider/aws/formation/rack.json
@@ -149,6 +149,7 @@
 "PublicInstanceInclude": { "Fn::Or": [ { "Fn::Equals": [ { "Ref": "InstancesIpToIncludInWhiteListing" }, "Both" ] }, { "Fn::Equals": [ { "Ref": "InstancesIpToIncludInWhiteListing" }, "Workload" ] } ] },
 "PublicInstancesAndWhiteList": { "Fn::And": [ { "Condition": "PublicInstances" }, { "Condition": "WhiteListCIDRs" }, {"Condition": "PublicInstanceInclude"} ] },
 "PublicRouter": { "Fn::Equals": [ { "Ref": "InternalOnly" }, "No" ] },
+ "EnableContainerReadonlyRootFilesystem": { "Fn::Equals": [ { "Ref": "EnableContainerReadonlyRootFilesystem" }, "Yes" ] },
 "RegionHasEFS": { "Fn::Equals": [ { "Fn::FindInMap": [ "RegionConfig", { "Ref": "AWS::Region" }, "EFS" ] }, "Yes"
@@ -692,6 +693,11 @@
 "Default": "1",
 "Description": "How often to poll ECS for service events in seconds. Longer intervals may alleviate rate limiting / throttling from ECS."
 },
+ "EnableContainerReadonlyRootFilesystem": {
+ "Type": "String",
+ "Default": "No",
+ "AllowedValues": [ "Yes", "No" ]
+ },
 "EncryptEbs": {
 "Type": "String",
 "Description": "Enable encryption at rest for EBS volumes",
@@ -3865,6 +3871,7 @@
 "ContainerDefinitions": [
 {
 "Cpu": { "Ref": "BuildCpu" },
+ "EnableContainerReadonlyRootFilesystem": { "Fn::If": [ "EnableContainerReadonlyRootFilesystem", "true", "false" ] },
 "DockerLabels": {
 "convox.release": { "Ref": "Version" },
 "rack.ApiBalancerSecurity": { "Ref": "ApiBalancerSecurity" },
@@ -3965,6 +3972,7 @@
 {
 "Command": [ "/go/bin/monitor" ],
 "Cpu": "64",
+ "EnableContainerReadonlyRootFilesystem": { "Fn::If": [ "EnableContainerReadonlyRootFilesystem", "true", "false" ] },
 "DockerLabels": {
 "convox.release": { "Ref": "Version" },
 "rack.ApiBalancerSecurity": { "Ref": "ApiBalancerSecurity" },
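Review bot: The new `EnableContainerReadonlyRootFilesystem` parameter in the @@ -692 hunk has no `"Description"`, unlike its neighbours such as `EncryptEbs`, so the setting is undocumented wherever rack parameters are listed. I would add a line such as `"Description": "Run the containers defined in this template with a read-only root filesystem (Yes/No)",` between `"Type"` and `"Default"`. It is also worth saying in that description that a container which writes outside a mounted volume will fail at runtime once this is enabled, since the default is `No` and operators will be switching it on deliberately and need to know what to check first.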
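Review bot: The key added to the container definition in the @@ -3865 hunk, `EnableContainerReadonlyRootFilesystem`, is not an ECS container-definition property; the property that actually mounts the root filesystem read-only is `ReadonlyRootFilesystem`, which is what the service and timer templates in this same change use. As written the parameter and condition are wired up but the hardening never reaches the task definition, and CloudFormation is likely to reject the unknown property on the next rack update. The line should read `"ReadonlyRootFilesystem": { "Fn::If": [ "EnableContainerReadonlyRootFilesystem", "true", "false" ] },`, keeping the condition name as it is. The same mistake is repeated in the @@ -3965 hunk and in the @@ -4080 hunk on the following line.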
@@ -4080,6 +4088,7 @@
 {
 "Command": [ "/go/bin/rack" ],
 "Cpu": { "Ref": "ApiCpu" },
+ "EnableContainerReadonlyRootFilesystem": { "Fn::If": [ "EnableContainerReadonlyRootFilesystem", "true", "false" ] },
 "DockerLabels": {
 "convox.release": { "Ref": "Version" },
 "rack.AsgSpot": { "Fn::If": [ "SpotInstances", { "Ref": "SpotInstances" }, { "Ref": "AWS::NoValue" } ] },
diff --git a/provider/aws/formation/service.json.tmpl b/provider/aws/formation/service.json.tmpl
index 89517d109..b6cb8aa4c 100644
--- a/provider/aws/formation/service.json.tmpl
+++ b/provider/aws/formation/service.json.tmpl
@@ -16,6 +16,7 @@
 "IsolateServices": { "Fn::Or": [ { "Condition": "FargateEither" }, { "Condition": "Isolate" } ] },
 "Private": { "Fn::Equals": [ { "Ref": "Private" }, "Yes" ] },
 "RackUrl": { "Fn::Equals": [ { "Ref": "RackUrl" }, "Yes" ] },
+ "ReadonlyRootFilesystem": { "Fn::Equals": [ { "Ref": "ReadonlyRootFilesystem" }, "Yes" ] },
 "RouteHttp": { "Fn::Equals": [ { "Ref": "RedirectHttps" }, "No" ] },
 "TaskTags": { "Fn::Equals": [ { "Ref": "TaskTags" }, "Yes" ] }
 },
@@ -124,6 +125,11 @@
 "Default": "No",
 "AllowedValues": [ "Yes", "No" ]
 },
+ "ReadonlyRootFilesystem": {
+ "Type": "String",
+ "Default": "No",
+ "AllowedValues": [ "Yes", "No" ]
+ },
 "RedirectHttps": {
 "Type": "String",
 "Default": "Yes",
@@ -748,6 +754,7 @@
 }
 ],
 "Cpu": { "Fn::If": [ "FargateEither", { "Ref": "Cpu" }, { "Ref": "AWS::NoValue" } ] },
+ "ReadonlyRootFilesystem": { "Fn::If": [ "ReadonlyRootFilesystem", "true", "false" ] },
 "ExecutionRoleArn": { "Fn::GetAtt": [ "ExecutionRole", "Arn" ] },
 "Family": { "Fn::Sub": "${AWS::StackName}-service-{{.Name}}" },
 "Memory": { "Fn::If": [ "FargateEither", { "Ref": "Memory" }, { "Ref": "AWS::NoValue" } ] },
diff --git a/provider/aws/formation/timer.json.tmpl b/provider/aws/formation/timer.json.tmpl
index f5ead3474..e4acadbfa 100644
--- a/provider/aws/formation/timer.json.tmpl
+++ b/provider/aws/formation/timer.json.tmpl
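Review bot: `ReadonlyRootFilesystem` is inserted in the service template's @@ -748 hunk at the task-definition level — its siblings are `Cpu`, `ExecutionRoleArn`, `Family` and `Memory`, and the `}` / `],` context lines just above it close the `ContainerDefinitions` array — but it is a per-container property, not a task-definition one. Placed here it does not make the service's container read-only and may be rejected as an unsupported property when the service stack is updated. It belongs inside the container definition object, which ends before this hunk, next to that container's `Command`/`Cpu` entries, exactly as the timer template in this change does: `"ReadonlyRootFilesystem": { "Fn::If": [ "ReadonlyRootFilesystem", "true", "false" ] },`.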
@@ -7,7 +7,8 @@
 "FargateEither": { "Fn::Or": [ { "Condition": "FargateBase" }, { "Condition": "FargateSpot" } ] },
 "FargateBase": { "Fn::Equals": [ { "Ref": "Fargate" }, "Yes" ] },
 "FargateSpot": { "Fn::Equals": [ { "Ref": "Fargate" }, "Spot" ] },
- "RackUrl": { "Fn::Equals": [ { "Ref": "RackUrl" }, "Yes" ] }
+ "RackUrl": { "Fn::Equals": [ { "Ref": "RackUrl" }, "Yes" ] },
+ "ReadonlyRootFilesystem": { "Fn::Equals": [ { "Ref": "ReadonlyRootFilesystem" }, "Yes" ] }
 },
 "Outputs": {
 "Fargate": {
@@ -53,6 +54,11 @@
 "Default": "No",
 "AllowedValues": [ "Yes", "No" ]
 },
+ "ReadonlyRootFilesystem": {
+ "Type": "String",
+ "Default": "No",
+ "AllowedValues": [ "Yes", "No" ]
+ },
 "Registry": {
 "Type": "String"
 },
@@ -162,6 +168,7 @@
 {
 "Command": [ "sh", "-c", {{ safe $.Timer.Command }} ],
 "Cpu": { "Ref": "Cpu" },
+ "ReadonlyRootFilesystem": { "Fn::If": [ "ReadonlyRootFilesystem", "true", "false" ] },
 "DockerLabels": { "convox.app": "{{$.App}}", "convox.generation": "2", "convox.process.type": "timer", "convox.release": "{{$.Release.Id}}" },
 "Environment": [
 {{ range $k, $v := .EnvironmentDefaults }}
diff --git a/provider/aws/releases.go b/provider/aws/releases.go
index 9fa74cb80..67b663bc8 100644
--- a/provider/aws/releases.go
+++ b/provider/aws/releases.go
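Review bot: The timer template declares a `ReadonlyRootFilesystem` parameter defaulting to `No` (@@ -53 hunk) and applies it inside the container definition (@@ -162 hunk), which is the right placement, but nothing in this diff shows the timer stack receiving that parameter from the rack setting the way `releases.go` passes it to service stacks. If the timer stack's parameters are assembled elsewhere and were not updated, the new condition always evaluates to false and timers keep a writable root filesystem even when the rack-level option is `Yes`. Worth confirming against the code that creates or updates timer stacks, and adding a short `"Description"` to the parameter so the Yes/No value is explained alongside its neighbours.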
@@ -374,13 +374,19 @@ func (p *Provider) ReleasePromote(app, id string, opts structs.ReleasePromoteOpt
 return err
 }
 
+ readonlyRootFilesystem, err := p.stackParameter(p.Rack, "EnableContainerReadonlyRootFilesystem")
+ if err != nil {
+ return err
+ }
+
 updates := map[string]string{
- "LogBucket": p.LogBucket,
- "LogDriver": p.LogDriver,
- "PlaceLambdaInVpc": lambdaInVpc,
- "Private": private,
- "SyslogDestination": p.SyslogDestination,
- "SyslogFormat": p.SyslogFormat,
+ "LogBucket": p.LogBucket,
+ "LogDriver": p.LogDriver,
+ "PlaceLambdaInVpc": lambdaInVpc,
+ "Private": private,
+ "SyslogDestination": p.SyslogDestination,
+ "SyslogFormat": p.SyslogFormat,
+ "ReadonlyRootFilesystem": readonlyRootFilesystem,
 }
 
 if m.Params != nil {
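Review bot: The new `"ReadonlyRootFilesystem": readonlyRootFilesystem,` entry is appended after `"SyslogFormat"`, breaking the alphabetical ordering the other keys of the `updates` literal keep; placing it between `"Private"` and `"SyslogDestination"` keeps the map sorted and makes future diffs smaller. The value is read from the rack parameter `EnableContainerReadonlyRootFilesystem`, whose `AllowedValues` are the same `Yes`/`No` as the service template's parameter, so no translation is needed here, but a one-line comment above the `stackParameter` call saying the rack-level setting is propagated to every service stack on promote would help the next reader. `ReleasePromote` begins before this hunk and continues past it, so whether `m.Params` can override the new key is not visible from here.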