I'm trying to set the container definition readonlyRootFilesystem=true but I'm not sure it's exposed in this construct.
A similar question here: Is it possible to create a QueueProcessingFargateService with read-only root filesystem with cdk?
But we're using the ApplicationLoadBalancedFargateService, can't see how we'd do this with Escape hatches.
There's no need for escape hatches. Define the Task Definition with the taskDefinition prop instead of taskImageOptions. You must provide one or the other, but not both.
The taskDefinition prop accepts a FargateTaskDefinition construct, on which you can set readonlyRootFilesystem: true. The taskImageOptions is a convenience prop that creates a FargateTaskDefinition for you under the hood, but with fewer options.
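```typescript
// Import paths assume CDK v2 (aws-cdk-lib)
import * as ecs from "aws-cdk-lib/aws-ecs";
import * as ecs_patterns from "aws-cdk-lib/aws-ecs-patterns";

// Build the task definition explicitly so container-level options are available
const taskDefinition = new ecs.FargateTaskDefinition(this, "TaskDefinition", {});
taskDefinition.addContainer("sample", {
  image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
  readonlyRootFilesystem: true,
});

// Pass the task definition instead of taskImageOptions
new ecs_patterns.ApplicationLoadBalancedFargateService(stack, "Service", {
  // ...
  taskDefinition,
});
```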
In other words, the constraints mentioned in the linked question no longer apply.
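
A check to go with the answer above, added here as an example and not part of the original answer or of the CDK project: it scans a synthesized CloudFormation template (the JSON that `cdk synth` produces) and lists every ECS container whose root filesystem is still writable. The function name, the logical IDs and the template contents are constructed for illustration.

```typescript
// Added example: flag ECS containers that do not set ReadonlyRootFilesystem.
interface ContainerDef {
  Name?: string;
  ReadonlyRootFilesystem?: unknown;
  [key: string]: unknown;
}
interface CfnResource {
  Type: string;
  Properties?: { ContainerDefinitions?: ContainerDef[] };
}
interface CfnTemplate {
  Resources?: { [logicalId: string]: CfnResource };
}

// Returns "<logicalId>/<containerName>" for each container with a writable root.
function findWritableRootContainers(template: CfnTemplate): string[] {
  const findings: string[] = [];
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const resource = resources[logicalId];
    if (resource.Type !== "AWS::ECS::TaskDefinition") continue;
    const containers = resource.Properties?.ContainerDefinitions ?? [];
    containers.forEach((c, i) => {
      // Boolean true or the string "true" passes; a missing property, false,
      // or an unresolved intrinsic (e.g. a Ref) is reported for review.
      const flag = c.ReadonlyRootFilesystem;
      if (flag !== true && flag !== "true") {
        findings.push(`${logicalId}/${c.Name ?? "#" + i}`);
      }
    });
  }
  return findings;
}

// Constructed sample template (hypothetical logical IDs and container names).
const sampleTemplate: CfnTemplate = {
  Resources: {
    HardenedTaskDef: {
      Type: "AWS::ECS::TaskDefinition",
      Properties: { ContainerDefinitions: [{ Name: "sample", ReadonlyRootFilesystem: true }] },
    },
    LegacyTaskDef: {
      Type: "AWS::ECS::TaskDefinition",
      Properties: { ContainerDefinitions: [
        { Name: "web", Image: "amazon/amazon-ecs-sample" },
        { Name: "sidecar", ReadonlyRootFilesystem: "true" }] },
    },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};
console.log(findWritableRootContainers(sampleTemplate)); // ["LegacyTaskDef/web"]
```

Run against the parsed template in CI, a non-empty result can fail the build before a task definition with a writable root filesystem is deployed.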