From e9cd35e4e747d081799676869810ae491514ba14 Mon Sep 17 00:00:00 2001 From: Kieran Pritchard Date: Wed, 18 Mar 2026 13:44:42 +0000 Subject: [PATCH 1/3] fix: make ECS Docker container non-root --- Dockerfile | 4 ++++ terraform/dashboard/main.tf | 1 + 2 files changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index 7573df4..4dcbc7e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,10 @@ RUN poetry install --only main --no-root # Expose the port the app runs on EXPOSE 8501 +# Run as non-root user for security +RUN useradd -m appuser +USER appuser + # Run the dashboard # Note: ENTRYPOINT cannot be overriden by docker run command ENTRYPOINT ["poetry", "run", "streamlit", "run", "src/app.py", "--server.port=8501", "--server.address=0.0.0.0"] \ No newline at end of file diff --git a/terraform/dashboard/main.tf b/terraform/dashboard/main.tf index 01e8774..3da50b5 100644 --- a/terraform/dashboard/main.tf +++ b/terraform/dashboard/main.tf @@ -33,6 +33,7 @@ resource "aws_ecs_task_definition" "ecs_service_definition" { appProtocol = "http" } ], + readonlyRootFilesystem = true, environment = [ { name = "AWS_ACCESS_KEY_ID" From 082e153c4abe433c208946149582554272ec5cfb Mon Sep 17 00:00:00 2001 From: Kieran Pritchard Date: Wed, 18 Mar 2026 14:29:43 +0000 Subject: [PATCH 2/3] fix: amend dockerfile - Need to install deps after switching user --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4dcbc7e..001f562 100644 --- a/Dockerfile +++ b/Dockerfile 
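Review bot: `readonlyRootFilesystem = true` leaves the container with no writable path at all, and neither this hunk nor the Dockerfile hunk above adds one, so runtime writes to `/tmp`, Streamlit's `~/.streamlit` directory under `/home/appuser`, or Poetry's cache will fail with a read-only filesystem error. Confirm the task actually reaches RUNNING with the flag set, and if the app needs scratch space keep the flag but add an explicit writable mount, e.g. a task-level `volume` plus a `mountPoints` entry for `/tmp` (or `linuxParameters.tmpfs` on the EC2 launch type). Separately, the unchanged context just below (`name = "AWS_ACCESS_KEY_ID"`) shows static AWS credentials being passed as plain environment variables, readable by anyone allowed `ecs:DescribeTaskDefinition`; if those are long-lived keys, the task IAM role (`task_role_arn`) is the intended mechanism and the variables should go. The container definition and the enclosing `aws_ecs_task_definition` resource extend beyond the hunk on both sides.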
@@ -10,16 +10,16 @@ WORKDIR /app # Copy the current directory contents into the container at /app COPY . /app +# Run as non-root user for security +RUN useradd -m appuser +USER appuser + # Run poetry install --without dev RUN poetry install --only main --no-root # Expose the port the app runs on EXPOSE 8501 -# Run as non-root user for security -RUN useradd -m appuser -USER appuser - # Run the dashboard # Note: ENTRYPOINT cannot be overriden by docker run command ENTRYPOINT ["poetry", "run", "streamlit", "run", "src/app.py", "--server.port=8501", "--server.address=0.0.0.0"] \ No newline at end of file From d5e700beb3e56b3afe5896123253eaf993cee21f Mon Sep 17 00:00:00 2001 From: Kieran Pritchard Date: Wed, 18 Mar 2026 14:30:16 +0000 Subject: [PATCH 3/3] chore: remove public IP address - Complies with ONS standards --- terraform/dashboard/main.tf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/terraform/dashboard/main.tf b/terraform/dashboard/main.tf index 3da50b5..8563857 100644 --- a/terraform/dashboard/main.tf +++ b/terraform/dashboard/main.tf @@ -118,10 +118,7 @@ resource "aws_ecs_service" "application" { network_configuration { subnets = data.terraform_remote_state.ecs_infrastructure.outputs.private_subnets security_groups = [aws_security_group.allow_rules_service.id] - - # TODO: The container fails to launch unless a public IP is assigned - # For a private ip, you would need to use a NAT Gateway? - assign_public_ip = true + assign_public_ip = false } }
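Review bot: `RUN useradd -m appuser` takes whatever UID the base image hands out and a default login shell, and `USER appuser` then switches by name; pin both so the result is reproducible and verifiable from outside the image: `RUN useradd -m -u 10001 -s /usr/sbin/nologin appuser` and `USER 10001`. A numeric UID lets the orchestrator (an ECS `user` setting, or an image policy check) prove the container is non-root without resolving `/etc/passwd`, and a fixed value keeps file ownership stable across rebuilds. Because `COPY . /app` still runs as root, `/app` stays root-owned and the `poetry install` after the switch presumably lands the virtualenv under `/home/appuser/.cache/pypoetry` — confirm that, since the Dockerfile's earlier lines are outside the hunk and an existing `POETRY_VIRTUALENVS_CREATE=false` or `virtualenvs.in-project` setting would make this step fail; a comment on the `USER` line recording where the environment lives, e.g. `# Install as appuser so the venv is created under /home/appuser (image root stays read-only at runtime)`, would help the next reader.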
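Review bot: `assign_public_ip = false` reintroduces the launch failure the deleted TODO described unless the private subnets referenced by `subnets = data.terraform_remote_state.ecs_infrastructure.outputs.private_subnets` already have an egress path, and nothing in this commit adds one. Confirm the ecs_infrastructure state provides a NAT gateway or VPC endpoints for ECR (`ecr.api`, `ecr.dkr`), an S3 gateway endpoint for image layers, and CloudWatch Logs (plus Secrets Manager/SSM if the task reads secrets); without them the task will fail on image pull and the service will loop through PROVISIONING. Dropping the public IP is the right direction, but the reason should stay in the file, e.g. `# No public IP: egress to ECR, S3 and Logs relies on the NAT gateway / VPC endpoints owned by ecs_infrastructure`, so the next person does not flip it back when a task stalls. The enclosing `aws_ecs_service` resource starts before the hunk.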