The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
⬆️ Updates
🐛 Bug Fixes
ListStacks permission to EnvManagerRole (#5761)🐛 Bug Fixes
copilot job package --diff and prevent output of full template (#5685)🐛 Bug Fixes
copilot svc package command for a request-driven web service when image.build is used. (#5638)❤️ Contributions
Thank you, contributors 🥰!
run local --use-task-role: Elevate your local testing experience with the ECS Task Role using the new --use-task-role flag (#5529)
The
copilot run localcommand now includes a--use-task-roleflag. When activated, Copilot will fetch IAM permissions from your deployed service and seamlessly inject them into the containers created byrun local. This ensures that your containers mirror the same permissions as they would in the cloud, facilitating more accurate testing.
If you prefer not to utilize the
TaskRolepermissions or if Copilot encounters issues retrieving them, you can disable this feature by setting--use-task-role=false.
run local depends_on support: Local run containers now respect depends_on in your service manifests (#5509)
Enhancing the run local feature! Previously, copilot run local initiated the startup and removal of all containers without a specific order. With this improvement, container actions are aligned with your
depends_onconfiguration in your service manifests.
Allow variable escaping in manifest: Escape interpolated variables in your manifests with the latest update (#5516)
Now, you have the flexibility to escape interpolated variables in your manifests. Use the following syntax to prevent Copilot from resolving
${name}using the local environment:command: echo hello \${name} variable: name: world
run local --watch skips files specified by .dockerignore: --watch flag now respects .dockerignore and Copilot will not watch these files (#5565)
Upgrade Lambda Node.js version to 20.x: as Node.js 16 has been End-of-Life since Sep. 2023 (#5583)
v1.32.1, a security patch restricted kms:Decrypt to ECS Execution Role and AppRunner Instance Role. This affected users with managed KMS keys. Now, any KMS key with correct copilot-application and copilot-environment tags is allowed for seamless deployment.response_time should respect imported ALB (#5564)run local --proxy should work when Service Connect is disabled (#5604)Thank you, contributors 🥰!
image.location URI for containers. (#5555)run local --proxy: Proxy outbound requests from your local containers to the environment VPC using --proxy! (#5412)
We are enhancing the
run localfeature released in v1.30.0: the--proxyflag proxies outbound requests to your environment VPC. This feature gives you higher fidelity for your local testing usingrun local– the containers on your local machine can now talk to the other services in the VPC and talk to your RDS database through the cluster or instance endpoints.
run local --watch: Listen to changes to your workspace and automatically restart the containers (#5413)
Another enhancement to the
run localfeature! Test your services usingrun localwhile making changes to your code, and Copilot will automatically restart the local containers. You can test your service with the new changes without having to kill the original process and runrun localagain. The flag--watchis great by itself, but extremely useful if you use--proxy: it saves you quite a bit of the overhead time to set up the proxy.
Import an application load balancer: Place an existing ALB in front of your service (#5438)
Bring your own application load balancer if you don't like the default shared application load balancer of your environment! Just specify the name or the ARN of the application load balancer in the
http.albfield, and Copilot will figure out whether it has an HTTP listener, an HTTPS listener, or both. Copilot will then create listener rules on the listeners it finds, and optionally upserts A records for your alias to the respective hosted zones if any are specified!http: alb: myALB # Or arn:aws:elasticloadbalancing:us-west-2:1234567890:loadbalancer/app/myALB/12345abcde path: '/' alias: - name: example.com hosted_zone: Z08230443CW11KE6JBNUA allowed_source_ips: ["192.0.2.0/24", "198.51.100.10/32", "67.170.82.49/32"]
Support addons for Static Site (#5384): you can now use addons to add additional resources to your Static Site workload, the same way as you would for any other services!
Support docker build args in task run --build-args (#5377)
Pass additional build args to build the image using
--build-args!$ copilot task run --build-args GO_VERSION=1.19
Enforce KMS encryption on the pipeline artifact buckets (#5329): Any new applications will start using the KMS key managed by Copilot as the default encryption key – instead of the S3-managed key – for your pipeline artifact buckets. It also rejects any s3:PutObject actions that disable server-side encryption. This change should not affect any existing applications, and can be optionally applied to your existing application by running copilot app upgrade to meet compliance requirements.
Enforce HTTPS on the pipeline artifact buckets (#5393): Reject any access to pipeline artifact buckets that are not secure. Any new applications will come with this configuration. For existing applications, run copilot app upgrade to get the extra protection.
sts:AssumeRole permission for the ECS task roles or the App Runner instance roles (#5423): Previously, there was a bug where the ECS tasks roles were given permission to assume roles that are tagged with the application name and the environment name. We are removing this permission for better security posture. We recommend that you redeploy your Load-Balanced Web Services, Backend Services, Worker Services, Request-Driven Web Service, and Scheduled Job to apply this fix.Thank you, contributors 🥰!
NLB enhancements: You can now add security groups to Copilot-managed NLBs. NLBs also support the UDP protocol. (#5284)
Previously, the
nlbfield in a Load-Balanced Web Service supported onlytcportlstraffic. Now, you can listen toudptraffic as well!nlb: port: 8080/udp healthcheck: port: 80 # This needs to be a tcp port additional_listeners: - port: 8081/udp healthcheck: port: 80 # This needs to be a tcp portNote that you will need to specify a health check port on your container that accepts TCP traffic, as health check using udp protocol isn't supported today.
Better task failure logs: Copilot will show more descriptive information during deployments when tasks fail, allowing for better troubleshooting. (#5249)
copilot [noun] deploywill now display the ECS task stopped reasons within your CloudFormation deployment progress tracker:- An ECS service to run and maintain your tasks in the environment cluster Deployments Revision Rollout Desired Running Failed Pending PRIMARY 11 [in progress] 1 0 1 0 ACTIVE 8 [completed] 1 1 0 0 Latest 2 stopped tasks TaskId CurrentStatus DesiredStatus 6b1d6e32 DEPROVISIONING STOPPED 9802d212 STOPPED STOPPED ✘ Latest 2 tasks stopped reason - [6b1d6e32,9802d212]: Essential container in task exited Troubleshoot task stopped reason 1. You can run `copilot svc logs --previous` to see the logs of the last stopped task. 2. You can visit this article: https://repost.aws/knowledge-center/ecs-task-stopped.
copilot deploy enhancements: You can now deploy multiple workloads at once, or deploy all local workloads, with --all. (#5324)
copilot deploynow supports deploying multiple workloads with one command, with optional ordering. You can specify multiple workloads with the--nameflag, use the new--allflag in conjunction with--init-wkldto initialize and deploy all local workloads, and you can now provide a "deployment order" tag when specifying service names.$ copilot deploy --all -n fe/1 -n worker/2 # Deploy "fe" first, and then "worker".
Import an ACM certificate for your Static Site: You can now bring your own ACM certificate for your Static Site service. (#5285 )
To import an ACM certificate for your static site, simply specify the below fields in your static site manifest:
http: alias: example.com certificate: "arn:aws:acm:us-east-1:1234567890:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"
copilot [env/svc] init improvements: these init commands no longer complain if you are initiating an existing service/job/environment already managed by the same workspace. In addition, copilot env init will no longer ask you to select an AWS profile if you have not configured one. (#5242 and #5202)
Enable versioning on S3 buckets: Copilot now enables versioning on all of the S3 buckets created by Copilot. (#5289)
copilot svc status against a service that is already stopped. (#5336)Thank you, contributors 🥰!
copilot run local to run your services locally (#5049, #5201, #5182)
You can use
copilot run localto test Copilot services on your local machine! To get started, deploy your service withcopilot svc deploy. Once your service is deployed, you can test changes to your code without waiting for a deployment by runningcopilot run local. Copilot will build or pull your service's images, inject secrets and environment variables defined in your manifest, grab your current IAM session credentials, and run Docker containers on your machine with that data. See the blogpost for more info.
In pipelines, you can now use
pre_deploymentsandpost_deploymentsto define actions for your pipeline to run before or after your services or environments are deployed. This is helpful for running database migrations from within your pipeline!
While waiting for
copilot [noun] deployto finish, if you hit Ctrl-C, Copilot will roll back the current CloudFormation deployment. This is especially helpful if your Service is failing and you're stuck waiting for a CloudFormation deployment to fail!
copilot deploy to init-alize and deploy services and environments (#5168, #5215)
You can now use
copilot deployto deploy environments and initialize services and environments with local manifests. The guided workflow now includes uninitialized local workloads and environments. Getting started with Copilot is now as easy asgit clone . && copilot deploy!
copilot [noun] deploy to 0 if there are no changes (#5179)from_cfn for importing an EFS ID (#5156)copilot env init (#5202)copilot deploy (#5183)copilot env delete (#5184)http validation if it's disabled (#5198)Filter out non-active ECS services (#5152)
The
GetResourcesAPI for ECS recently changed to return non-active ECS services, causing an error when running Copilot commands after recently recreating a service. Copilot now validates that the service ARNs returned byGetResourcesare active.
Prevent app upgrade followed by downgrade from removing ECR Repos (#5141)
Copilot apps upgraded to v1.28 or v1.29 and subsequently downgraded to versions prior were running into an issue where ECR repos were getting removed from the app stack. After this fix, upgrading your app with v1.29.1+ and then downgrading will cause the older Copilot version to print out an error instead of removing any ECR repos.
Explicitly block S3 public access (#5141)
Though objects uploaded to Copilot-created S3 buckets have never been public, Copilot-created S3 buckets now explicitly block public access at the bucket level.
Fix copilot init when app name is not set via flags (#5126)
Validate sidecar image configuration (#5122)