feat(deployment): offer container readonly fix

Author: hannahhoward

app/locals.tf

@@ -26,12 +26,14 @@ locals {
     service_min = 1
     service_max = 10
     httpport = var.httpport
+    readonly = !var.write_to_container
   } : {
     cpu = 256
     memory = 512
     service_min = 1
     service_max = 2
     httpport = var.httpport
+    readonly = !var.write_to_container
   }
   db_username = "${var.environment}_${var.app}"
   db_database = "${var.environment}_${var.app}"

app/variables.tf

@@ -145,4 +145,10 @@ variable "domain_base" {
   description = "base domain of the application"
   type        = string
   default = ""
+}
+
+variable "write_to_container" {
+  description = "whether applications can write to the container file system"
+  type = bool
+  default = false
 }

cmd/storoku/main.go

@@ -289,6 +289,7 @@ type Config struct {
 	Buckets          []Bucket `json:"buckets"`
 	Secrets          []Secret `json:"secrets"`
 	Tables           []Table  `json:"tables"`
+	WriteToContainer bool     `json:"writeToContainer"`
 }
 
 func (c Config) Version() string {

cmd/storoku/template/deploy/app/main.tf

@@ -55,6 +55,7 @@ module "app" {
   did_env_var = "{{.DIDEnvVar}}"{{end}}
   app = var.app
   appState = var.app
+  write_to_container = {{.WriteToContainer}}
   environment = terraform.workspace
   # if there are any env vars you want available only to your container
   # in the vpc as opposed to set in the dockerfile, enter them here

cmd/storoku/writetocontainer.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	"context"
+
+	"github.com/urfave/cli/v3"
+)
+
+var writeToContainerCmd = &cli.Command{
+	Name:  "write-to-container",
+	Usage: "modify write-to-container settings",
+	Commands: []*cli.Command{
+		writeToContainerOnCmd,
+		writeToContainerOffCmd,
+	},
+}
+
+var writeToContainerOnCmd = &cli.Command{
+	Name: "on",
+	Action: modifyAndRegenerate(func(ctx context.Context, cmd *cli.Command, c *Config) error {
+		c.WriteToContainer = true
+		return nil
+	}),
+}
+
+var writeToContainerOffCmd = &cli.Command{
+	Name: "off",
+	Action: modifyAndRegenerate(func(ctx context.Context, cmd *cli.Command, c *Config) error {
+		c.WriteToContainer = false
+		return nil
+	}),
+}

deployment/ecs_task.tf

@@ -20,7 +20,7 @@ resource "aws_ecs_task_definition" "app" {
       cpu                   = var.config.cpu
       memory                 = var.config.memory
       essential              = true
-      readonlyRootFilesystem = true
+      readonlyRootFilesystem = var.config.readonly
       portMappings = [
         {
           containerPort = var.config.httpport

deployment/variables.tf

@@ -83,6 +83,7 @@ variable "config" {
     service_min = number
     service_max = number
     httpport = number
+    readonly = bool
   })
 }
 
@@ -184,4 +185,4 @@ variable "db_config" {
     username = string
     database = string
   }) 
-}
+}