The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
⬆️ Updates
🐛 Bug Fixes
- `ListStacks` permission to `EnvManagerRole` (#5761)
- `copilot job package --diff` and prevent output of full template (#5685)
- `copilot svc package` command for a request-driven web service when `image.build` is used (#5638)
❤️ Contributions
Thank you, contributors 🥰!
`run local --use-task-role`: Elevate your local testing experience with the ECS Task Role using the new `--use-task-role` flag (#5529)
The `copilot run local` command now includes a `--use-task-role` flag. When activated, Copilot fetches the IAM permissions from your deployed service and injects them into the containers created by `run local`. This ensures that your containers run with the same permissions they would have in the cloud, making local testing more accurate.
If you prefer not to use the `TaskRole` permissions, or if Copilot encounters issues retrieving them, you can disable this feature by setting `--use-task-role=false`.
`run local` `depends_on` support: Local run containers now respect `depends_on` in your service manifests (#5509)
Enhancing the `run local` feature! Previously, `copilot run local` started and removed all containers in no particular order. With this improvement, container start-up and removal follow the `depends_on` configuration in your service manifests.
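As an added illustration of the ordering this implies (example code written for these notes, not Copilot's own implementation): given a map of containers to the `depends_on` entries of a manifest, the functions below compute the start order with Kahn's algorithm, derive the tear-down order by reversing it, and reject cycles and references to unknown containers. The container names, the `CONTAINERS` map and the function names are constructed assumptions; the map shape (container name to wait condition) follows the manifest's `depends_on` field.

```python
from typing import Dict, List, Mapping, Tuple

# Constructed example, not Copilot's own code. CONTAINERS imitates the
# depends_on field of a service manifest: each container maps the containers
# it waits for to a condition. Names and conditions are made up.
CONTAINERS: Dict[str, Dict[str, str]] = {
    "api":     {"envoy": "healthy", "migrate": "success"},
    "envoy":   {},
    "migrate": {"envoy": "start"},
}


def start_order(containers: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Kahn's algorithm: every container comes after the containers it depends on.
    Ties are broken alphabetically so the result is deterministic."""
    for name, deps in containers.items():
        unknown = set(deps) - set(containers)
        if unknown:
            raise ValueError(f"{name} depends on unknown container(s): {sorted(unknown)}")
    remaining = {name: set(deps) for name, deps in containers.items()}
    order: List[str] = []
    while remaining:
        # Everything whose dependencies have all been started can go now.
        ready = sorted(name for name, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"depends_on cycle among: {sorted(remaining)}")
        for name in ready:
            order.append(name)
            del remaining[name]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


def stop_order(containers: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Tear down in reverse: a container stops before anything it depended on."""
    return list(reversed(start_order(containers)))


def wait_conditions(containers: Mapping[str, Mapping[str, str]], name: str) -> List[Tuple[str, str]]:
    """What `name` must observe before it starts, e.g. [('envoy', 'healthy'), ...]."""
    return sorted(containers[name].items())


if __name__ == "__main__":
    print("start:", start_order(CONTAINERS))
    print("stop: ", stop_order(CONTAINERS))
    print("api waits for:", wait_conditions(CONTAINERS, "api"))
```

The start order is a single sequence; a real runner could start all containers of one `ready` batch concurrently, then wait on each one's condition before releasing the next batch.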
Allow variable escaping in manifest: Escape interpolated variables in your manifests with the latest update (#5516)
Now you can escape interpolated variables in your manifests. Use the following syntax to prevent Copilot from resolving `${name}` using the local environment:
```yaml
command: echo hello \${name}
variable:
  name: world
```
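To make the escaping rule concrete, here is an added example (not Copilot's own resolver) of a minimal interpolation pass over manifest strings: `${name}` is substituted from the environment, `\${name}` is emitted as the literal `${name}`, and an unescaped reference to an unset variable is reported rather than silently blanked. The `interpolate` and `resolve` names, the `SAMPLE_MANIFEST` fragment and the unset-variable behaviour are assumptions made for this example; it also generalizes to nested manifest structures, which the note above does not discuss.

```python
import os
import re
from typing import Any, Mapping, Optional

# Added example, not Copilot's resolver. `${name}` resolves from `env`
# (default: the process environment); a leading backslash escapes it so the
# literal `${name}` survives into the rendered manifest.
_REF = re.compile(r"(\\?)\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def interpolate(value: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Replace ${var} references in one manifest string."""
    lookup = os.environ if env is None else env

    def _sub(match: "re.Match[str]") -> str:
        escaped, name = match.group(1), match.group(2)
        if escaped:
            return "${" + name + "}"          # \${name} -> literal ${name}
        if name not in lookup:
            # Assumption for this example: fail loudly instead of rendering "".
            raise KeyError(f"manifest references unset variable ${{{name}}}")
        return lookup[name]

    return _REF.sub(_sub, value)


def resolve(node: Any, env: Optional[Mapping[str, str]] = None) -> Any:
    """Walk a parsed manifest (dicts, lists, scalars) and interpolate every string."""
    if isinstance(node, str):
        return interpolate(node, env)
    if isinstance(node, dict):
        return {key: resolve(val, env) for key, val in node.items()}
    if isinstance(node, list):
        return [resolve(item, env) for item in node]
    return node


# Constructed manifest fragment mirroring the snippet above: the command keeps
# the literal `${name}`, while `region` is resolved from the environment.
SAMPLE_MANIFEST = {
    "command": "echo hello \\${name}",
    "variables": {"name": "world", "region": "${AWS_REGION}"},
}

if __name__ == "__main__":
    print(resolve(SAMPLE_MANIFEST, {"AWS_REGION": "us-west-2"}))
```

Passing an explicit `env` mapping instead of `os.environ` is what makes the behaviour testable and keeps a local shell's variables from leaking into a rendered manifest unintentionally.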
`run local --watch` skips files specified by `.dockerignore`: the `--watch` flag now respects `.dockerignore`, and Copilot will not watch these files (#5565)
Upgrade Lambda Node.js version to 20.x: as Node.js 16 has been End-of-Life since Sep. 2023 (#5583)
In v1.32.1, a security patch restricted `kms:Decrypt` to the ECS Execution Role and the App Runner Instance Role. This affected users with managed KMS keys. Now, any KMS key with the correct `copilot-application` and `copilot-environment` tags is allowed for seamless deployment.
- `response_time` should respect imported ALB (#5564)
- `run local --proxy` should work when Service Connect is disabled (#5604)
Thank you, contributors 🥰!
- `image.location` URI for containers (#5555)
`run local --proxy`: Proxy outbound requests from your local containers to the environment VPC using `--proxy`! (#5412)
We are enhancing the `run local` feature released in v1.30.0: the `--proxy` flag proxies outbound requests to your environment VPC. This feature gives you higher fidelity for your local testing using `run local` – the containers on your local machine can now talk to the other services in the VPC and to your RDS database through the cluster or instance endpoints.
`run local --watch`: Listen for changes to your workspace and automatically restart the containers (#5413)
Another enhancement to the `run local` feature! Test your services using `run local` while making changes to your code, and Copilot will automatically restart the local containers. You can test your service with the new changes without having to kill the original process and run `run local` again. The `--watch` flag is great by itself, but extremely useful if you use `--proxy`: it saves you quite a bit of the overhead time to set up the proxy.
Import an application load balancer: Place an existing ALB in front of your service (#5438)
Bring your own application load balancer if you don't like the default shared application load balancer of your environment! Just specify the name or the ARN of the application load balancer in the `http.alb` field, and Copilot will figure out whether it has an HTTP listener, an HTTPS listener, or both. Copilot will then create listener rules on the listeners it finds, and optionally upsert A records for your alias to the respective hosted zones if any are specified!
```yaml
http:
  alb: myALB # Or arn:aws:elasticloadbalancing:us-west-2:1234567890:loadbalancer/app/myALB/12345abcde
  path: '/'
  alias:
    - name: example.com
      hosted_zone: Z08230443CW11KE6JBNUA
  allowed_source_ips: ["192.0.2.0/24", "198.51.100.10/32", "67.170.82.49/32"]
```
Support addons for Static Site (#5384): you can now use addons to add additional resources to your Static Site workload, the same way as you would for any other service!
Support docker build args in `task run --build-args` (#5377)
Pass additional build args to build the image using `--build-args`!
```shell
$ copilot task run --build-args GO_VERSION=1.19
```
Enforce KMS encryption on the pipeline artifact buckets (#5329): Any new applications will start using the KMS key managed by Copilot as the default encryption key – instead of the S3-managed key – for your pipeline artifact buckets. It also rejects any `s3:PutObject` actions that disable server-side encryption. This change should not affect any existing applications, and can be optionally applied to your existing application by running `copilot app upgrade` to meet compliance requirements.
Enforce HTTPS on the pipeline artifact buckets (#5393): Reject any access to pipeline artifact buckets that is not secure. Any new applications will come with this configuration. For existing applications, run `copilot app upgrade` to get the extra protection.
Remove `sts:AssumeRole` permission for the ECS task roles or the App Runner instance roles (#5423): Previously, there was a bug where the ECS task roles were given permission to assume roles that are tagged with the application name and the environment name. We are removing this permission for a better security posture. We recommend that you redeploy your Load-Balanced Web Services, Backend Services, Worker Services, Request-Driven Web Services, and Scheduled Jobs to apply this fix.
Thank you, contributors 🥰!
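The three permission changes above (SSE-KMS enforcement and HTTPS enforcement on the pipeline artifact buckets, and the removal of `sts:AssumeRole` from task roles) can all be checked against the policies actually attached to your resources. As an added example written for these notes (not Copilot's CloudFormation templates or code), the block below builds a bucket policy carrying the two controls described, a deny on `s3:PutObject` unless `s3:x-amz-server-side-encryption` is `aws:kms` and a deny on every request with `aws:SecureTransport` false, plus a before/after pair of task-role policies for the `sts:AssumeRole` removal, and audits them with a small policy checker. The bucket name, the role policy contents, the tag values and the function names are constructed; the exact statements Copilot emits are an assumption, so the useful way to use this is against the real policy document of your own bucket.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# Added example, not Copilot's templates or code. Bucket name, role policy
# contents and tag values are constructed; the exact statements Copilot
# generates are an assumption.
BUCKET = "arn:aws:s3:::example-pipeline-artifacts"

PIPELINE_BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject uploads that are not SSE-KMS encrypted.
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": BUCKET + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Reject every request made over plain HTTP.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Task-role policy before the fix: the task could assume any role carrying the
# application and environment tags. After the fix, that statement is gone.
ASSUME_ROLE_STATEMENT = {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*",
    "Condition": {"StringEquals": {
        "iam:ResourceTag/copilot-application": "example-app",
        "iam:ResourceTag/copilot-environment": "test",
    }},
}
LOGS_STATEMENT = {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}
TASK_ROLE_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [LOGS_STATEMENT, ASSUME_ROLE_STATEMENT]}
TASK_ROLE_POLICY_AFTER = {"Version": "2012-10-17", "Statement": [LOGS_STATEMENT]}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return _as_list(policy.get("Statement", []))


def _covers_action(stmt: Dict[str, Any], action: str) -> bool:
    """Action names are case-insensitive and may use * wildcards (e.g. s3:*)."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))


def _condition(stmt: Dict[str, Any], operator: str, key: str) -> Optional[List[str]]:
    """Values of one condition key, lower-cased, or None if the key is absent."""
    values = stmt.get("Condition", {}).get(operator, {}).get(key)
    return None if values is None else [str(v).lower() for v in _as_list(values)]


def enforces_sse_kms(policy: Dict[str, Any]) -> bool:
    """A Deny on s3:PutObject that fires unless the upload specifies SSE-KMS."""
    return any(stmt.get("Effect") == "Deny" and _covers_action(stmt, "s3:PutObject")
               and _condition(stmt, "StringNotEquals", "s3:x-amz-server-side-encryption") == ["aws:kms"]
               for stmt in _statements(policy))


def enforces_tls(policy: Dict[str, Any]) -> bool:
    """A Deny covering reads and writes that fires when aws:SecureTransport is false."""
    return any(stmt.get("Effect") == "Deny"
               and _covers_action(stmt, "s3:GetObject") and _covers_action(stmt, "s3:PutObject")
               and _condition(stmt, "Bool", "aws:SecureTransport") == ["false"]
               for stmt in _statements(policy))


def grants_assume_role(policy: Dict[str, Any]) -> bool:
    """True if any Allow statement lets the principal call sts:AssumeRole."""
    return any(stmt.get("Effect") == "Allow" and _covers_action(stmt, "sts:AssumeRole")
               for stmt in _statements(policy))


def audit_pipeline_bucket_policy(policy: Dict[str, Any]) -> List[str]:
    """Return the controls that are missing; an empty list means both are present."""
    findings = []
    if not enforces_sse_kms(policy):
        findings.append("uploads without SSE-KMS are not denied")
    if not enforces_tls(policy):
        findings.append("non-TLS access is not denied")
    return findings


if __name__ == "__main__":
    print("pipeline bucket findings:", audit_pipeline_bucket_policy(PIPELINE_BUCKET_POLICY))
    for label, policy in (("before", TASK_ROLE_POLICY_BEFORE), ("after", TASK_ROLE_POLICY_AFTER)):
        print(f"task role ({label}) grants sts:AssumeRole:", grants_assume_role(policy))
```

To run the checker against a real bucket, parse the `Policy` string returned by `aws s3api get-bucket-policy` with `json.loads` and pass the result to `audit_pipeline_bucket_policy`. The checker is deliberately conservative: it only recognises the exact condition keys above, so a policy that enforces the same controls with different keys is reported as a finding for manual review rather than silently accepted.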
NLB enhancements: You can now add security groups to Copilot-managed NLBs. NLBs also support the UDP protocol. (#5284)
Previously, the `nlb` field in a Load-Balanced Web Service supported only `tcp` or `tls` traffic. Now, you can listen to `udp` traffic as well!
```yaml
nlb:
  port: 8080/udp
  healthcheck:
    port: 80 # This needs to be a tcp port
  additional_listeners:
    - port: 8081/udp
      healthcheck:
        port: 80 # This needs to be a tcp port
```
Note that you will need to specify a health check port on your container that accepts TCP traffic, as health checks using the UDP protocol aren't supported today.
Better task failure logs: Copilot will show more descriptive information during deployments when tasks fail, allowing for better troubleshooting. (#5249)
`copilot [noun] deploy` will now display the ECS task stopped reasons within your CloudFormation deployment progress tracker:
```
- An ECS service to run and maintain your tasks in the environment cluster
  Deployments
             Revision  Rollout        Desired  Running  Failed  Pending
    PRIMARY  11        [in progress]  1        0        1       0
    ACTIVE   8         [completed]    1        1        0       0
  Latest 2 stopped tasks
    TaskId    CurrentStatus   DesiredStatus
    6b1d6e32  DEPROVISIONING  STOPPED
    9802d212  STOPPED         STOPPED

  ✘ Latest 2 tasks stopped reason
    - [6b1d6e32,9802d212]: Essential container in task exited

  Troubleshoot task stopped reason
    1. You can run `copilot svc logs --previous` to see the logs of the last stopped task.
    2. You can visit this article: https://repost.aws/knowledge-center/ecs-task-stopped.
```
`copilot deploy` enhancements: You can now deploy multiple workloads at once, or deploy all local workloads, with `--all`. (#5324)
`copilot deploy` now supports deploying multiple workloads with one command, with optional ordering. You can specify multiple workloads with the `--name` flag, use the new `--all` flag in conjunction with `--init-wkld` to initialize and deploy all local workloads, and provide a "deployment order" tag when specifying service names.
```shell
$ copilot deploy --all -n fe/1 -n worker/2 # Deploy "fe" first, and then "worker".
```
Import an ACM certificate for your Static Site: You can now bring your own ACM certificate for your Static Site service. (#5285)
To import an ACM certificate for your static site, specify the following fields in your static site manifest:
```yaml
http:
  alias: example.com
  certificate: "arn:aws:acm:us-east-1:1234567890:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"
```
`copilot [env/svc] init` improvements: these `init` commands no longer complain if you are initializing an existing service/job/environment already managed by the same workspace. In addition, `copilot env init` will no longer ask you to select an AWS profile if you have not configured one. (#5242 and #5202)
Enable versioning on S3 buckets: Copilot now enables versioning on all of the S3 buckets created by Copilot. (#5289)
- `copilot svc status` against a service that is already stopped (#5336)
Thank you, contributors 🥰!
`copilot run local` to run your services locally (#5049, #5201, #5182)
You can use `copilot run local` to test Copilot services on your local machine! To get started, deploy your service with `copilot svc deploy`. Once your service is deployed, you can test changes to your code without waiting for a deployment by running `copilot run local`. Copilot will build or pull your service's images, inject the secrets and environment variables defined in your manifest, grab your current IAM session credentials, and run Docker containers on your machine with that data. See the blog post for more info.
In pipelines, you can now use `pre_deployments` and `post_deployments` to define actions for your pipeline to run before or after your services or environments are deployed. This is helpful for running database migrations from within your pipeline!
While waiting for `copilot [noun] deploy` to finish, if you hit Ctrl-C, Copilot will roll back the current CloudFormation deployment. This is especially helpful if your Service is failing and you're stuck waiting for a CloudFormation deployment to fail!
`copilot deploy` to `init`-ialize and `deploy` services and environments (#5168, #5215)
You can now use `copilot deploy` to deploy environments and initialize services and environments with local manifests. The guided workflow now includes uninitialized local workloads and environments. Getting started with Copilot is now as easy as `git clone . && copilot deploy`!
- `copilot [noun] deploy` to 0 if there are no changes (#5179)
- `from_cfn` for importing an EFS ID (#5156)
- `copilot env init` (#5202)
- `copilot deploy` (#5183)
- `copilot env delete` (#5184)
- `http` validation if it's disabled (#5198)
- Filter out non-active ECS services (#5152)
The `GetResources` API for ECS recently changed to return non-active ECS services, causing an error when running Copilot commands after recently recreating a service. Copilot now validates that the service ARNs returned by `GetResources` are active.
Prevent app upgrade followed by downgrade from removing ECR Repos (#5141)
Copilot apps upgraded to v1.28 or v1.29 and subsequently downgraded to earlier versions ran into an issue where ECR repos were removed from the app stack. After this fix, upgrading your app with v1.29.1+ and then downgrading will cause the older Copilot version to print an error instead of removing any ECR repos.
Explicitly block S3 public access (#5141)
Though objects uploaded to Copilot-created S3 buckets have never been public, Copilot-created S3 buckets now explicitly block public access at the bucket level.
- Fix `copilot init` when app name is not set via flags (#5126)
- Validate sidecar `image` configuration (#5122)