feat: add readonlyRootFilesystem to ECS task definitions for enhanced…#40

Merged
alismx merged 18 commits into main from alis/rorf on Nov 12, 2025
Conversation

@alismx alismx commented Oct 22, 2025

Changes Proposed

  • Added lifecycle policy for ECR repositories to keep the last 10 images.
  • Enabled container insights for ECS clusters.
  • Set readonlyRootFilesystem to true for all containers except 'trigger-code-reference'.
  • Configured S3 bucket versioning, object lock configuration with compliance mode, and logging for both ecr_viewer and logging buckets.
  • Added SSL-only policies for S3 buckets using IAM policy documents.
  • Introduced new input variables auth_session_duration_min, ecr_viewer_object_retention_days, and logging_object_retention_days to control session duration and object retention days in compliance mode for the ECR viewer and logging buckets.

Additional Information

  • Decisions were made to enhance data protection and compliance by enabling versioning and setting object locks on S3 buckets.
  • The SSL-only policies ensure that all requests to the S3 buckets are encrypted during transit.
  • Default values were chosen based on common best practices, but they can be customized via input variables.

Address report items:

  • ECR.1
  • ECR.2
  • ECR.3
  • ECS.5
  • ECS.12
  • S3.15
  • S3.9
  • S3.5

Note: The DIBBS ECR viewer app team has reviewed this and didn't note any issues.
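Two of the report items listed above, ECS.5 (readonlyRootFilesystem on every container) and S3.5 (bucket policy denying non-TLS requests), expressed as audit checks over the JSON shapes AWS uses for container definitions and bucket policies. This is an added example, not code from this repository; the allowlist entry comes from the PR description, while the other container names and the sample policy are constructed.

```python
"""Audit checks for ECS.5 and S3.5 (added example, not the repo's Terraform)."""
import json

# Containers the PR deliberately leaves writable (named in the PR description).
ALLOWED_WRITABLE = {"trigger-code-reference"}


def writable_root_containers(container_definitions, allowlist=ALLOWED_WRITABLE):
    """Return names of containers whose root filesystem is writable and that
    are not allowlisted. ECS treats a missing readonlyRootFilesystem as False."""
    return sorted(
        c["name"] for c in container_definitions
        if not c.get("readonlyRootFilesystem", False) and c["name"] not in allowlist
    )


def has_ssl_only_deny(policy):
    """True if the policy has a Deny for all principals and all s3 actions,
    conditioned on aws:SecureTransport being false (the SSL-only pattern)."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = st.get("Condition", {}).get("Bool", {})
        if (st.get("Principal") in ("*", {"AWS": "*"}) and "s3:*" in actions
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


# Constructed sample: one compliant, one exempt, one failing (key omitted).
SAMPLE_CONTAINERS = [
    {"name": "ecr-viewer", "readonlyRootFilesystem": True},
    {"name": "trigger-code-reference", "readonlyRootFilesystem": False},
    {"name": "orchestration"},
]

# Constructed sample bucket policy in the SSL-only shape the PR describes.
SAMPLE_POLICY = json.loads("""{
  "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

if __name__ == "__main__":
    print("writable roots:", writable_root_containers(SAMPLE_CONTAINERS))  # ['orchestration']
    print("ssl-only deny present:", has_ssl_only_deny(SAMPLE_POLICY))      # True
```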

@alismx alismx marked this pull request as ready for review October 27, 2025 22:15
@alismx alismx merged commit b6e149a into main Nov 12, 2025
2 checks passed