fix(batch): windows does not support readonlyRootFilesystem

[msambol]

Here's from the k8s docs:

securityContext.readOnlyRootFilesystem - not possible on Windows; write access is required for registry & system processes to run inside the container

Closes #29140.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[msambol]

Exemption request: I don't believe an integration test is needed for this fix.

[juantula]

@msambol I'm not sure this actually fixes #29140, because the generated CF template includes the readOnlyRootFilesystem even when the attribute is not present in the code, so looks like it's setting a default value when it's present. I think a change is also needed somewhere else to prevent the attribute to be generated.

[msambol]

@juantula Correct, it doesn't fix the root problem. Those files are generated from the CFN spec, AFAIK, so the change will need to be over there. I'm hoping @pahud can assist.

[juantula]

@msambol BTW, thanks a lot for your help on this issue! :)

[pahud]

I probably would modify here

aws-cdk/packages/aws-cdk-lib/aws-batch/lib/ecs-container-definition.ts

Line 616 in eca1bcf

this.readonlyRootFilesystem = props.readonlyRootFilesystem ?? false;

to

this.readonlyRootFilesystem =  is_windows() ? undefined : props.readonlyRootFilesystem ?? false; 

This will make sure readonlyRootFilesystem would always be undefined when OS is windows.

Plus add a check here - if os is windows and props.readonlyRootFilesystem is defined, throw an error.

[msambol]

@pahud operatingSystemFamily isn't available in the constructor so I had to remove it here from the final rendering.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[jfuss]

Nothing major just a couple comments/thoughts.

[jfuss]

Can we do this as a ternary operation in the above containerDef? Or do we need things to render first before we can apply this?

[msambol]

I think I could change this line to use undefined instead of false ?

this.readonlyRootFilesystem = props.readonlyRootFilesystem ?? undefined; <– was false

That would change the default value but that shouldn't matter because the default was false ? Then I can remove quite a bit of this code.

[jfuss]

@msambol If we set this.readonlyRootFilesystem from false to undefined, I am unsure what the consequences of that might be. I assume undefined will omit the value vs false setting this directly.

Now I think about it, I like the default being undefined but only if the service defaults to false when the property is not provided. Let me poke someone from the team that might know more to see what you suggest here will have wider side affects we might want to avoid.

[jfuss]

@msambol So one thing I missed, we can't update the this.readonlyRootFilesystem because that may break customers you expected the default value to be false. So I think we have to do it in the way you have it. If we can simplify it with a ternary in the containerDef I think that is helpful but not strictly required.

[msambol]

makes sense... I updated the PR.

Pull request has been modified.

[msambol]

@jfuss changed this to a ternary

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 677090f
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).