From dfadeb03f27cff08f18afd11c7fdd8172c5b0ae9 Mon Sep 17 00:00:00 2001
From: Michael Sambol <sambol.michael@gmail.com>
Date: Fri, 16 Feb 2024 19:55:07 -0800
Subject: [PATCH] fix(batch): Windows does not support readonlyRootFilesystem

---
 .../aws-batch/lib/ecs-container-definition.ts          |  5 +++++
 .../aws-batch/test/ecs-container-definition.test.ts    | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/packages/aws-cdk-lib/aws-batch/lib/ecs-container-definition.ts b/packages/aws-cdk-lib/aws-batch/lib/ecs-container-definition.ts
index 8d5369d7c88d9..52a24c5965962 100644
--- a/packages/aws-cdk-lib/aws-batch/lib/ecs-container-definition.ts
+++ b/packages/aws-cdk-lib/aws-batch/lib/ecs-container-definition.ts
@@ -1057,6 +1057,11 @@ export class EcsFargateContainerDefinition extends EcsContainerDefinitionBase im
     this.fargateCpuArchitecture = props.fargateCpuArchitecture;
     this.fargateOperatingSystemFamily = props.fargateOperatingSystemFamily;
 
+    if (this.fargateOperatingSystemFamily?._operatingSystemFamily.toLowerCase().includes('windows') && this.readonlyRootFilesystem) {
+      // see https://kubernetes.io/docs/concepts/windows/intro/
+      throw new Error('Readonly root filesystem is not possible on Windows; write access is required for registry & system processes to run inside the container');
+    }
+
     // validates ephemeralStorageSize is within limits
     if (props.ephemeralStorageSize) {
       if (props.ephemeralStorageSize.toGibibytes() > 200) {
diff --git a/packages/aws-cdk-lib/aws-batch/test/ecs-container-definition.test.ts b/packages/aws-cdk-lib/aws-batch/test/ecs-container-definition.test.ts
index 038ba05965020..caae20862e9a6 100644
--- a/packages/aws-cdk-lib/aws-batch/test/ecs-container-definition.test.ts
+++ b/packages/aws-cdk-lib/aws-batch/test/ecs-container-definition.test.ts
@@ -1067,4 +1067,14 @@ describe('Fargate containers', () => {
       }),
     })).toThrow("ECS Fargate container 'EcsFargateContainer2' specifies 'ephemeralStorageSize' at 201 > 200 GB");
   });
+
+  test('readonlyRootFilesystem can\'t be true with Windows family', () => {
+    expect(() => new EcsJobDefinition(stack, 'ECSJobDefn', {
+      container: new EcsFargateContainerDefinition(stack, 'EcsFargateContainer', {
+        ...defaultContainerProps,
+        readonlyRootFilesystem: true,
+        fargateOperatingSystemFamily: ecs.OperatingSystemFamily.WINDOWS_SERVER_2004_CORE,
+      }),
+    })).toThrow('Readonly root filesystem is not possible on Windows; write access is required for registry & system processes to run inside the container');
+  });
 });