@@ -275,12 +275,35 @@ export class WebServer extends pulumi.ComponentResource {
275275 { parent : this } ,
276276 ) ;
277277
278+ const execCmdInlinePolicy = {
279+ name : 'ecs-exec' ,
280+ policy : JSON . stringify ( {
281+ Version : '2012-10-17' ,
282+ Statement : [
283+ {
284+ Sid : 'AllowContainerToCreateECSExecSSMChannel' ,
285+ Effect : 'Allow' ,
286+ Action : [
287+ 'ssmmessages:CreateControlChannel' ,
288+ 'ssmmessages:CreateDataChannel' ,
289+ 'ssmmessages:OpenControlChannel' ,
290+ 'ssmmessages:OpenDataChannel' ,
291+ ] ,
292+ Resource : '*' ,
293+ } ,
294+ ] ,
295+ } ) ,
296+ } ;
297+
278298 const taskRole = new aws . iam . Role (
279299 `${ name } -ecs-task-role` ,
280300 {
281301 name : `${ name } -ecs-task-role` ,
282302 assumeRolePolicy,
283- inlinePolicies : argsWithDefaults . taskRoleInlinePolicies ,
303+ inlinePolicies : [
304+ execCmdInlinePolicy ,
305+ ...argsWithDefaults . taskRoleInlinePolicies ,
306+ ] ,
284307 } ,
285308 { parent : this } ,
286309 ) ;
@@ -322,6 +345,7 @@ export class WebServer extends pulumi.ComponentResource {
322345 ( [ containerName , image , port , environment , logGroup , region ] ) => {
323346 return JSON . stringify ( [
324347 {
348+ readonlyRootFilesystem : true ,
325349 name : containerName ,
326350 image,
327351 essential : true ,
@@ -380,6 +404,7 @@ export class WebServer extends pulumi.ComponentResource {
380404 launchType : 'FARGATE' ,
381405 desiredCount : argsWithDefaults . desiredCount ,
382406 taskDefinition : this . taskDefinition . arn ,
407+ enableExecuteCommand : true ,
383408 loadBalancers : [
384409 {
385410 containerName : name ,
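Review bot: `enableExecuteCommand: true` (new line 407) turns on ECS Exec for every WebServer unconditionally, which grants an interactive session into production tasks to any principal allowed `ecs:ExecuteCommand`; it should be opt-in, e.g. `enableExecuteCommand: argsWithDefaults.enableExecuteCommand ?? false,` with the `ecs-exec` inline policy (new lines 278–296) spread into `inlinePolicies` only when that flag is set. The `Resource: '*'` on the ssmmessages statement is appropriate because those actions do not support resource-level permissions, but a one-line comment saying so, e.g. `// ssmmessages:* has no resource-level permissions; '*' is required`, would stop a later reader from "tightening" it. Separately, `readonlyRootFilesystem: true` (new line 348) appears to conflict with the exec setting: AWS's ECS Exec considerations state the SSM agent needs a writable container filesystem, so one of the two changes will likely not work as intended and this should be verified before merge. The enclosing constructor starts and ends outside all three hunks.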