From 100f3002761c656fec73e50d37f8ecbe7632d3ca Mon Sep 17 00:00:00 2001
From: nimalank7
Date: Tue, 26 Nov 2024 17:47:41 +0000
Subject: [PATCH] Set `readOnlyRootFileSystem` on Argo Workflow pods

Description: - As part of alphagov/govuk-helm-charts#1883
---
 terraform/deployments/cluster-services/argo.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/terraform/deployments/cluster-services/argo.tf b/terraform/deployments/cluster-services/argo.tf
index 5a2227a66..bcba9ddaa 100644
--- a/terraform/deployments/cluster-services/argo.tf
+++ b/terraform/deployments/cluster-services/argo.tf
@@ -267,6 +267,7 @@ resource "helm_release" "argo_workflows" {
 }
 }
 securityContext = {
+ readOnlyRootFileSystem = true
 allowPrivilegeEscalation = false
 capabilities = {
 drop = ["ALL"]
@@ -276,6 +277,7 @@ resource "helm_release" "argo_workflows" {
 
 mainContainer = {
 securityContext = {
+ readOnlyRootFileSystem = true
 allowPrivilegeEscalation = false
 capabilities = {
 drop = ["ALL"]
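Review bot: The added key is spelled `readOnlyRootFileSystem` in both hunks (the first `securityContext` and the one under `mainContainer`), but the Kubernetes SecurityContext field is `readOnlyRootFilesystem`, and field names are case-sensitive. Depending on how strictly the rendered values are validated downstream, the misspelled key is either rejected at apply time or dropped, and in the second case the root filesystem stays writable while the configuration reads as hardened. Both lines should be `readOnlyRootFilesystem = true`, and it is worth confirming on a running pod that the container spec actually carries the setting. The enclosing `helm_release` block starts and ends outside both hunks, so how these values reach the chart is inferred rather than visible here. Once the setting takes effect, any path the containers write to will presumably need a writable volume such as an `emptyDir`.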