feat: add rofs configuration option

Author: Mathew-Estafanous

modules/ecs_fargate/README.md

@@ -255,6 +255,7 @@ No modules.
 | <a name="input_dd_is_datadog_dependency_enabled"></a> [dd\_is\_datadog\_dependency\_enabled](#input\_dd\_is\_datadog\_dependency\_enabled) | Whether the Datadog Agent container is a dependency for other containers | `bool` | `false` | no |
 | <a name="input_dd_log_collection"></a> [dd\_log\_collection](#input\_dd\_log\_collection) | Configuration for Datadog Log Collection | <pre>object({<br/>    enabled = optional(bool, false)<br/>    fluentbit_config = optional(object({<br/>      registry                         = optional(string, "public.ecr.aws/aws-observability/aws-for-fluent-bit")<br/>      image_version                    = optional(string, "stable")<br/>      cpu                              = optional(number)<br/>      memory_limit_mib                 = optional(number)<br/>      is_log_router_essential          = optional(bool, false)<br/>      is_log_router_dependency_enabled = optional(bool, false)<br/>      environment = optional(list(object({<br/>        name  = string<br/>        value = string<br/>      })), [])<br/>      log_router_health_check = optional(object({<br/>        command      = optional(list(string))<br/>        interval     = optional(number)<br/>        retries      = optional(number)<br/>        start_period = optional(number)<br/>        timeout      = optional(number)<br/>        }),<br/>        {<br/>          command      = ["CMD-SHELL", "exit 0"]<br/>          interval     = 5<br/>          retries      = 3<br/>          start_period = 15<br/>          timeout      = 5<br/>        }<br/>      )<br/>      firelens_options = optional(object({<br/>        config_file_type  = optional(string)<br/>        config_file_value = optional(string)<br/>      }))<br/>      log_driver_configuration = optional(object({<br/>        host_endpoint = optional(string, "http-intake.logs.datadoghq.com")<br/>        tls           = optional(bool)<br/>        compress      = optional(string)<br/>        service_name  = optional(string)<br/>        source_name   = optional(string)<br/>        message_key   = optional(string)<br/>        }),<br/>        {<br/>          host_endpoint = "http-intake.logs.datadoghq.com"<br/>        }<br/>      )<br/>      mountPoints = optional(list(object({<br/>        sourceVolume : string,<br/>        containerPath : string,<br/>        readOnly : bool<br/>      })), [])<br/>      dependsOn = optional(list(object({<br/>        containerName : string,<br/>        condition : string<br/>      })), [])<br/>      }),<br/>      {<br/>        fluentbit_config = {<br/>          registry      = "public.ecr.aws/aws-observability/aws-for-fluent-bit"<br/>          image_version = "stable"<br/>          log_driver_configuration = {<br/>            host_endpoint = "http-intake.logs.datadoghq.com"<br/>          }<br/>        }<br/>      }<br/>    )<br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "fluentbit_config": {<br/>    "is_log_router_essential": false,<br/>    "log_driver_configuration": {<br/>      "host_endpoint": "http-intake.logs.datadoghq.com"<br/>    }<br/>  }<br/>}</pre> | no |
 | <a name="input_dd_memory_limit_mib"></a> [dd\_memory\_limit\_mib](#input\_dd\_memory\_limit\_mib) | Datadog Agent container memory limit in MiB | `number` | `null` | no |
+| <a name="input_dd_readonly_root_filesystem"></a> [dd\_readonly\_root\_filesystem](#input\_dd\_readonly\_root\_filesystem) | Datadog Agent container runs with read-only root filesystem enabled | `bool` | `true` | no |
 | <a name="input_dd_registry"></a> [dd\_registry](#input\_dd\_registry) | Datadog Agent image registry | `string` | `"public.ecr.aws/datadog/agent"` | no |
 | <a name="input_dd_service"></a> [dd\_service](#input\_dd\_service) | The task service name. Used for tagging (UST) | `string` | `null` | no |
 | <a name="input_dd_site"></a> [dd\_site](#input\_dd\_site) | Datadog Site | `string` | `"datadoghq.com"` | no |

modules/ecs_fargate/datadog.tf

@@ -244,7 +244,7 @@ locals {
     )
   ]
 
-  rofs_volumes = [
+  rofs_volumes = var.dd_readonly_root_filesystem ? [
     {
       name = "agent-config"
     },
@@ -254,7 +254,14 @@ locals {
     {
       name = "agent-run"
     }
-  ]
+  ] : []
+
+  rofs_agent_depends_on = var.dd_readonly_root_filesystem ? [
+    {
+      condition     = "SUCCESS"
+      containerName = "init-volume"
+    }
+  ] : []
 
   # Volume configuration for task
   apm_dsd_volume = local.is_apm_dsd_volume ? [
@@ -347,77 +354,76 @@ locals {
   )
 
   # Datadog Agent container definition
-  dd_agent_container = [
-    {
-      cpu                    = 0
-      memory                 = 128
-      name                   = "init-volume"
-      image                  = "${var.dd_registry}:${var.dd_image_version}"
-      essential              = false
-      readOnlyRootFilesystem = true
-      command                = ["/bin/sh", "-c", "cp -vnR /etc/datadog-agent/* /agent-config/ && exit 0"]
-      mountPoints = [
-        {
-          sourceVolume  = "agent-config"
-          containerPath = "/agent-config"
-          readOnly      = false
-        }
-      ]
-    },
-    merge(
+  dd_agent_container = concat(
+    var.dd_readonly_root_filesystem ? [
       {
-        name         = "datadog-agent"
-        image        = "${var.dd_registry}:${var.dd_image_version}"
-        essential    = var.dd_essential
-        environment  = local.dd_agent_env
-        dockerLabels = var.dd_docker_labels
-        cpu          = var.dd_cpu
-        memory       = var.dd_memory_limit_mib
-
-        readonlyRootFilesystem = true
-        secrets = var.dd_api_key_secret != null ? [
-          {
-            name      = "DD_API_KEY"
-            valueFrom = var.dd_api_key_secret.arn
-          }
-        ] : []
-        portMappings = [
+        cpu                    = 0
+        memory                 = 128
+        name                   = "init-volume"
+        image                  = "${var.dd_registry}:${var.dd_image_version}"
+        essential              = false
+        readOnlyRootFilesystem = true
+        command                = ["/bin/sh", "-c", "cp -vnR /etc/datadog-agent/* /agent-config/ && exit 0"]
+        mountPoints = [
           {
-            containerPort = 8125
-            hostPort      = 8125
-            protocol      = "udp"
-          },
-          {
-            containerPort = 8126
-            hostPort      = 8126
-            protocol      = "tcp"
-          }
-        ],
-
-        dependsOn = [
-          {
-            condition     = "SUCCESS"
-            containerName = "init-volume"
+            sourceVolume  = "agent-config"
+            containerPath = "/agent-config"
+            readOnly      = false
           }
         ]
-
-        mountPoints      = local.dd_agent_mount,
-        logConfiguration = local.dd_firelens_log_configuration,
-        dependsOn        = try(var.dd_log_collection.fluentbit_config.is_log_router_dependency_enabled, false) && local.dd_firelens_log_configuration != null ? local.log_router_dependency : [],
-        systemControls   = []
-        volumesFrom      = []
-      },
-      try(var.dd_health_check.command == null, true) ? {} : {
-        healthCheck = {
-          command     = var.dd_health_check.command
-          interval    = var.dd_health_check.interval
-          timeout     = var.dd_health_check.timeout
-          retries     = var.dd_health_check.retries
-          startPeriod = var.dd_health_check.start_period
-        }
       }
-    )
-  ]
+    ] : [],
+    [
+      merge(
+        {
+          name         = "datadog-agent"
+          image        = "${var.dd_registry}:${var.dd_image_version}"
+          essential    = var.dd_essential
+          environment  = local.dd_agent_env
+          dockerLabels = var.dd_docker_labels
+          cpu          = var.dd_cpu
+          memory       = var.dd_memory_limit_mib
+
+          readonlyRootFilesystem = var.dd_readonly_root_filesystem
+          secrets = var.dd_api_key_secret != null ? [
+            {
+              name      = "DD_API_KEY"
+              valueFrom = var.dd_api_key_secret.arn
+            }
+          ] : []
+          portMappings = [
+            {
+              containerPort = 8125
+              hostPort      = 8125
+              protocol      = "udp"
+            },
+            {
+              containerPort = 8126
+              hostPort      = 8126
+              protocol      = "tcp"
+            }
+          ],
+
+          dependsOn = local.rofs_agent_depends_on,
+
+          mountPoints      = local.dd_agent_mount,
+          logConfiguration = local.dd_firelens_log_configuration,
+          dependsOn        = try(var.dd_log_collection.fluentbit_config.is_log_router_dependency_enabled, false) && local.dd_firelens_log_configuration != null ? local.log_router_dependency : [],
+          systemControls   = []
+          volumesFrom      = []
+        },
+        try(var.dd_health_check.command == null, true) ? {} : {
+          healthCheck = {
+            command     = var.dd_health_check.command
+            interval    = var.dd_health_check.interval
+            timeout     = var.dd_health_check.timeout
+            retries     = var.dd_health_check.retries
+            startPeriod = var.dd_health_check.start_period
+          }
+        }
+      )
+    ]
+  )
 
   dd_log_environment = var.dd_log_collection.fluentbit_config.environment != null ? var.dd_log_collection.fluentbit_config.environment : []
 

modules/ecs_fargate/variables.tf

@@ -65,6 +65,13 @@ variable "dd_is_datadog_dependency_enabled" {
   nullable    = false
 }
 
+variable "dd_readonly_root_filesystem" {
+  description = "Datadog Agent container runs with read-only root filesystem enabled"
+  type        = bool
+  default     = true
+  nullable    = false
+}
+
 variable "dd_health_check" {
   description = "Datadog Agent health check configuration"
   type = object({