Merge pull request #2545 from guardian/pm-expose-task-containerdefini…

…tion feat: Expose components of ecs-task, enforce read only root filesystem
guardian · Dec 20, 2024 · d7b778b · d7b778b
2 parents e77eabb + c964005
commit d7b778b
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 11 deletions.
diff --git a/.changeset/wet-pillows-judge.md b/.changeset/wet-pillows-judge.md
@@ -0,0 +1,5 @@
+---
+"@guardian/cdk": minor
+---
+
+Expose taskDefinition, containerDefinition and task in `GuEcsTask`
diff --git a/src/constructs/ecs/__snapshots__/ecs-task.test.ts.snap b/src/constructs/ecs/__snapshots__/ecs-task.test.ts.snap
@@ -480,7 +480,7 @@ exports[`The GuEcsTask pattern should create the correct resources with lots of
             },
             "Memory": 1024,
             "Name": "test-ecs-task-ecs-test-TaskContainer",
-            "ReadonlyRootFilesystem": false,
+            "ReadonlyRootFilesystem": true,
           },
         ],
         "Cpu": "1024",
@@ -1192,7 +1192,7 @@ exports[`The GuEcsTask pattern should support overriding the subnets used by the
             },
             "Memory": 1024,
             "Name": "test-ecs-task-ecs-test-TaskContainer",
-            "ReadonlyRootFilesystem": false,
+            "ReadonlyRootFilesystem": true,
           },
         ],
         "Cpu": "1024",

diff --git a/src/constructs/ecs/ecs-task.ts b/src/constructs/ecs/ecs-task.ts
@@ -3,7 +3,7 @@ import { Alarm, TreatMissingData } from "aws-cdk-lib/aws-cloudwatch";
 import { SnsAction } from "aws-cdk-lib/aws-cloudwatch-actions";
 import type { ISecurityGroup, ISubnet, IVpc } from "aws-cdk-lib/aws-ec2";
 import type { IRepository } from "aws-cdk-lib/aws-ecr";
-import type { RepositoryImageProps } from "aws-cdk-lib/aws-ecs";
+import type { ContainerDefinition, RepositoryImageProps } from "aws-cdk-lib/aws-ecs";
 import {
   Cluster,
   Compatibility,
@@ -128,11 +128,6 @@ export interface GuEcsTaskProps extends AppIdentity {
    * shoud set this value to `false`.
    */
   enableDistributablePolicy?: boolean;
-  /**
-   * When this parameter is true, the container is given read-only access to its root file system.
-   * @default false
-   */
-  readonlyRootFilesystem?: boolean;
   /**
    * If `true`, CloudWatch Container Insights will be enabled for the cluster
    * @default false
@@ -164,7 +159,10 @@ const getContainer = (config: ContainerConfiguration) => {
  *
  */
 export class GuEcsTask extends Construct {
-  stateMachine: StateMachine;
+  public readonly stateMachine: StateMachine;
+  public readonly taskDefinition: TaskDefinition;
+  public readonly containerDefinition: ContainerDefinition;
+  public readonly task: EcsRunTask;
 
   constructor(scope: GuStack, id: string, props: GuEcsTaskProps) {
     super(scope, id);
@@ -186,7 +184,6 @@ export class GuEcsTask extends Construct {
       securityGroups = [],
       environmentOverrides,
       enableDistributablePolicy = true,
-      readonlyRootFilesystem = false,
       containerInsights = false,
     } = props;
 
@@ -216,6 +213,7 @@ export class GuEcsTask extends Construct {
         operatingSystemFamily: OperatingSystemFamily.of("LINUX"),
       },
     });
+    this.taskDefinition = taskDefinition;
 
     const containerDefinition = taskDefinition.addContainer(`${id}-TaskContainer`, {
       image: getContainer(containerConfiguration),
@@ -227,8 +225,9 @@ export class GuEcsTask extends Construct {
         streamPrefix: app,
         logRetention: 14,
       }),
-      readonlyRootFilesystem,
+      readonlyRootFilesystem: true,
     });
+    this.containerDefinition = containerDefinition;
 
     if (enableDistributablePolicy) {
       const distPolicy = new GuGetDistributablePolicyStatement(scope, { app });
@@ -256,6 +255,7 @@ export class GuEcsTask extends Construct {
         },
       ],
     });
+    this.task = task;
 
     this.stateMachine = new StateMachine(scope, `${id}-StateMachine`, {
       definitionBody: DefinitionBody.fromChainable(task),