From 72f7273cf866bb05dd968af16ffeddc503f1fb1b Mon Sep 17 00:00:00 2001 From: Alexander Amiri Date: Thu, 12 Mar 2026 15:12:04 +0100 Subject: [PATCH] Harden ECS task definition for Security Hub compliance - Add readonlyRootFilesystem=true to container definition (ECS.5 HIGH) - Add ephemeral /tmp volume mount so containers can still write temp files - Add non-root user default "1000" with tostring() for JSON encoding (ECS.20) - Wire container_user through registry for app.yaml override via compute.user --- scripts/registry.py | 1 + terraform/modules/ecs-service/main.tf | 15 +++++++++++++++ terraform/modules/ecs-service/variables.tf | 6 ++++++ 3 files changed, 22 insertions(+) diff --git a/scripts/registry.py b/scripts/registry.py index 5b01788..9f2301a 100644 --- a/scripts/registry.py +++ b/scripts/registry.py @@ -166,6 +166,7 @@ "security_group_ids": "list:ref:platform.ecs_tasks_security_group_id", "target_group_arn": "ref:routing.target_group_arn", "region": "env:AWS_REGION", + "container_user": "yaml:compute.user|default:1000", "environment": "collect:env_vars", "secrets": "collect:secret_vars", }, diff --git a/terraform/modules/ecs-service/main.tf b/terraform/modules/ecs-service/main.tf index faefc5a..604132c 100644 --- a/terraform/modules/ecs-service/main.tf +++ b/terraform/modules/ecs-service/main.tf @@ -20,11 +20,26 @@ resource "aws_ecs_task_definition" "this" { execution_role_arn = var.execution_role_arn task_role_arn = var.task_role_arn + volume { + name = "tmp" + } + container_definitions = jsonencode([ { name = var.name image = var.image essential = true + user = tostring(var.container_user) + + readonlyRootFilesystem = true + + mountPoints = [ + { + sourceVolume = "tmp" + containerPath = "/tmp" + readOnly = false + } + ] portMappings = [ { diff --git a/terraform/modules/ecs-service/variables.tf b/terraform/modules/ecs-service/variables.tf index a06b21f..029b5c9 100644 --- a/terraform/modules/ecs-service/variables.tf 
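Review bot: The new `"container_user": "yaml:compute.user|default:1000"` entry lets any app.yaml set `compute.user` to `0` or `root`, which silently undoes the ECS.20 hardening this commit is for; the spec string carries no constraint on the value, and the `1000` default is declared a second time in variables.tf (`default = "1000"`), so the two can drift unnoticed. If the registry mini-language has a validation or allow-list operator, apply it here; if it does not, at least pin the contract with a comment above the entry: `# non-root UID/user for ECS.20 — "0"/"root" would re-open the finding`. The enclosing spec dict starts outside the hunk, so whether other entries already validate their values cannot be seen from here.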
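Review bot: With `readonlyRootFilesystem = true` the only writable path is the `tmp` bind mount, and the process now runs as `var.container_user`, but a `volume` with no `host`/`docker_volume_configuration` is created by the ECS agent, so whether a non-root UID can write to `/tmp` depends on the image's `/tmp` mode and ownership being carried over at mount time — the task would start and then fail on its first temp-file write. Verify this with a non-root task (and keep `/tmp` at mode 1777 in the image). If the launch type is EC2, a `docker_volume_configuration` with `driver = "local"` and `driver_opts = { type = "tmpfs", device = "tmpfs", o = "size=64m,noexec" }` would also bound the mount and keep it from serving as an executable staging area; Fargate does not offer mount options, so there a size limit via `ephemeral_storage` is the only lever. Separately, `tostring(var.container_user)` is a no-op because the variable is declared `type = string`; `user = var.container_user` reads cleaner. The `aws_ecs_task_definition` resource and the `container_definitions` list both continue outside the hunk.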
+++ b/terraform/modules/ecs-service/variables.tf @@ -84,3 +84,9 @@ variable "region" { description = "AWS region for CloudWatch logs" type = string } + +variable "container_user" { + description = "User to run the container as (non-root for ECS.20 compliance)" + type = string + default = "1000" +}
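Review bot: `container_user` accepts any string, so an override of `0`, `root` or `0:0` passes `terraform plan` and quietly re-creates the ECS.20 finding this variable exists to close; a `validation` block on the variable turns that into a plan-time error. The regex below rejects a root UID or name in the user part of a `user`, `user:group`, `uid` or `uid:gid` value while leaving `description`, `type` and `default` as committed. The `"1000"` default is also declared in the registry spec, so consider owning it in one place only.
```terraform
variable "container_user" {
  # … unchanged: description, type, default …

  validation {
    condition     = !can(regex("^(0|root)(:|$)", var.container_user))
    error_message = "container_user must not be root: use a non-zero UID or non-root user name (ECS.20)."
  }
}
```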