Add support for ECS Exec for debugging

[rocketnova]

Ticket

Resolves #148

Changes

What was added, updated, or removed in this PR.

• Add ECS Exec support
• Add enable_service_execution config in the app environment configs
• Update the service layer to conditionally enable ECS Exec as a container definition attribute
• Update the service layer to conditionally set root file system to not read-only
  • Required to use the Session Manager plugin
• Update the network layer to conditionally create a VPC endpoint for ssmmessages
  • Required when using interface Amazon VPC endpoints with Amazon ECS
  • Only created for networks that have an environment with enable_service_execution set to true
• Add accompanying documentation

Context for reviewers

Testing instructions, background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.

Sometimes it's really useful to be able to create a shell into the running container as deployed to AWS. This can be critical for debugging, especially debugging third-party containers. It can also be really useful to be able to access the RDS database.

AWS ECS Exec is AWS's equivalent to running docker compose exec or docker run. This PR adds that support to the infrastructure template.

Testing

Provide evidence that the code works as expected. Explain what was done for testing and the results of the test plan. Include screenshots, GIF demos, shell commands or output to help show the changes working as expected. ProTip: you can drag and drop or paste images into this textbox.

Testing that was performed

Tested by deploying this branch to my local version of https://github.com/navapbc/platform-test and then deploying necessary resources (account, network, build repository, service) to my AWS account. Demo here:

Testing steps

You can re-create this test by doing the following setup:

1. Clone the test repo: git clone git@github.com:navapbc/platform-test.git
2. Change to the test repo: cd platform-test
3. Install this branch: make -f platform-test.mak install-infra BRANCH=rocket/add-ecs-exec
4. Configure the infra repo as usual (project-config, app-config). Be sure not to set project_name to platform-test as that will cause S3 bucket name issues. See #520
5. Modify /infra/app-config/dev.tf and set enable_service_execution = true
6. Configure the following resources as usual:
   1. AWS account
   2. Network for NETWORK_NAME=dev
   3. Build repository for APP_NAME=app
   4. Database for APP_NAME=app ENVIRONMENT=dev
   5. Service for APP_NAME=app ENVIRONMENT=dev

Test your deployment by:

1. In AWS Console, verify that VPC > Endpoints includes a VPC endopint for com.amazonaws.us-east-1.ssmmessages
2. In AWS Console, go to ECS > Clusters > app-dev > Services > app-dev > Tasks
3. In your terminal, run

   aws ecs execute-command --cluster <CLUSTER_NAME> \
       --task <TASK_ID> \
       --container <CONTAINER_NAME> \
       --interactive \
       --command "/bin/sh"

You can verify that the VPC endpoint is only created for networks that contain an app with enable_service_execution=true by deploying the prod network and checking in the AWS Console.