The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
Filter out non-active ECS services (#5152)
The `GetResources` API for ECS recently changed to return non-active ECS services, causing an error when running Copilot commands after recently recreating a service. Copilot now validates that the service ARNs returned by `GetResources` are active.
Prevent app upgrade followed by downgrade from removing ECR Repos (#5141)
Copilot apps upgraded to v1.28 or v1.29 and subsequently downgraded to an earlier version were running into an issue where ECR repos were removed from the app stack. After this fix, upgrading your app with v1.29.1+ and then downgrading will cause the older Copilot version to print an error instead of removing any ECR repos.
Explicitly block S3 public access (#5141)
Though objects uploaded to Copilot-created S3 buckets have never been public, Copilot-created S3 buckets now explicitly block public access at the bucket level.
Fix `copilot init` when app name is not set via flags (#5126)
Validate sidecar `image` configuration (#5122)
Copilot pipelines are much more nimble and extensible with CDK and YAML patch overrides via `copilot pipeline override`! This feature provides a safe and easy way to modify your pipeline's CloudFormation template. A new `--diff` flag for `copilot pipeline deploy` enables you to preview changes to your CloudFormation template before they are applied. (#4991) See the blog post for more.
- For more dynamic development, Copilot will now invalidate the CloudFront edge cache each time you redeploy a Static Site workload, enabling you to see and deliver your updated content right away. (#5035)
- `copilot svc show` for Static Site workloads includes a tree representation of your S3 bucket's contents. (#4966) Sample output:

```
Service name: static-site
About

  Application  my-app
  Name         static-site
  Type         Static Site

Routes

  Environment  URL
  -----------  ---
  test         https://d399t9j1xbplme.cloudfront.net/

S3 Bucket Objects

  Environment  test
  .
  ├── ReadMe.md
  ├── error.html
  ├── index.html
  ├── Images
  │   ├── SomeImage.PNG
  │   └── AnotherImage.PNG
  ├── css
  │   ├── Style.css
  │   ├── all.min.css
  │   └── bootstrap.min.css
  └── images
      └── bg-masthead.jpg
```
- `copilot svc status` for Static Site workloads includes the S3 bucket's object count and total size. (#4985)
- `--allow-downgrade` flag for `init`, `deploy`, and `package` commands (#5064)
- `copilot app init` (as an alternative to the permissions boundary name) (#4981)
- `copilot svc package` now applies overrides for Static Site workload types (#4952)
- `copilot job logs` by adding policies to each environment (#4979)

Thank you, contributors 🥰!
With the new Static Site service type, you can now deploy and host static websites with Amazon S3. You can specify local files to be uploaded to an S3 bucket with the Static Site service manifest.
```yaml
name: example
type: Static Site

http:
  alias: 'example.com'

files:
  - source: src/someDirectory
    recursive: true
  - source: someFile.html
```
To learn more on how to deploy your static website using the Static Site service, see the manifest specification. For the announcement, check out the blog post.
Add `--diff-yes` flag to `copilot [noun] deploy` (#4832)

`copilot [noun] deploy` now has the new flag `--diff-yes`; you can specify the flag to automatically print the difference between your local changes and the latest deployed template.
Previously, Copilot built and pushed main container and sidecar container images sequentially. You can now build main container and sidecar container images in parallel. With parallel build, you can reduce the overall time it takes to build and push container images to Amazon ECR.
- `copilot app delete` (#4863)
- `CustomDomainFunction` lambda timeout (#4772)
- `grace_period` for ALB and NLB (#4734)
- `deregistration_delay` for ALB and NLB (#4740)

Thank you, contributors 🥰!
Extend Copilot-generated CloudFormation templates with the Cloud Development Kit (CDK) or YAML Patch overrides (#4208, #4209)
With the new `copilot [noun] override` command, you can now fully customize the environment, service, or job AWS CloudFormation templates generated from Copilot manifests. You can override templates using the CDK when you need the expressive power and safety of a programming language; alternatively, you can apply YAML patches when you need only a handful of modifications. To learn more about how to use overrides, check out the CDK guide or the YAML patch guide. For the announcement, check out the blog post.
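To make the YAML patch flavour of overrides concrete, here is an added example (not Copilot's own implementation) that applies a list of JSON-Patch-style operations, the `op`/`path`/`value` shape a `cfn.patches.yml` uses, to a CloudFormation template and returns the patched copy. It assumes the three operations `add`, `remove` and `replace` with RFC 6901 JSON Pointer paths; the template and patch list are constructed stand-ins for the packaged template and the patch file, which in practice would be loaded with a YAML parser.

```python
"""Apply a Copilot-style YAML patch override to a CloudFormation template.

Added example, not Copilot's own code. Copilot's patch files list
JSON-Patch style operations (add, remove, replace) with a JSON Pointer
path into the generated template; this reimplements that subset so the
effect of an override can be checked offline. TEMPLATE and PATCHES are
constructed stand-ins for the packaged template and cfn.patches.yml
(in practice both are loaded with a YAML parser).
"""
import copy
import json

# Constructed: a cut-down, Copilot-like service template.
TEMPLATE = {
    "Resources": {
        "TaskDefinition": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {
                "Cpu": "256",
                "ContainerDefinitions": [
                    {"Name": "api", "Image": "placeholder.example/api:latest"},
                ],
            },
        },
        "Service": {
            "Type": "AWS::ECS::Service",
            "Properties": {"EnableExecuteCommand": True},
        },
    }
}

# Constructed: what a cfn.patches.yml might contain, as parsed data.
PATCHES = [
    # Harden the main container with a read-only root filesystem.
    {"op": "add",
     "path": "/Resources/TaskDefinition/Properties/ContainerDefinitions/0/ReadonlyRootFilesystem",
     "value": True},
    # Append a container: '-' is the JSON Pointer "end of array" index.
    {"op": "add",
     "path": "/Resources/TaskDefinition/Properties/ContainerDefinitions/-",
     "value": {"Name": "sidecar", "Image": "placeholder.example/sidecar:latest"}},
    # Replace an existing scalar.
    {"op": "replace", "path": "/Resources/TaskDefinition/Properties/Cpu", "value": "512"},
    # Remove a property: turn off ECS Exec on the service.
    {"op": "remove", "path": "/Resources/Service/Properties/EnableExecuteCommand"},
]


def _tokens(path):
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if not path.startswith("/"):
        raise ValueError(f"pointer must start with '/': {path!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in path[1:].split("/")]


def _parent_of(doc, tokens):
    """Walk to the container holding the last token; KeyError/IndexError if absent."""
    node = doc
    for tok in tokens[:-1]:
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    return node, tokens[-1]


def apply_patches(template, ops):
    """Return a patched deep copy; the input template is left untouched.

    'add' creates or overwrites a key (or inserts into a list); 'replace'
    and 'remove' require the target to exist, as in RFC 6902.
    """
    doc = copy.deepcopy(template)
    for i, op in enumerate(ops):
        kind, path = op["op"], op["path"]
        parent, key = _parent_of(doc, _tokens(path))
        if isinstance(parent, list):
            if kind == "add":
                if key == "-":
                    parent.append(op["value"])
                else:
                    parent.insert(int(key), op["value"])
            elif kind == "replace":
                parent[int(key)] = op["value"]  # IndexError if out of range
            elif kind == "remove":
                del parent[int(key)]
            else:
                raise ValueError(f"op {i}: unsupported op {kind!r}")
        elif isinstance(parent, dict):
            if kind == "add":
                parent[key] = op["value"]
            elif kind in ("replace", "remove"):
                if key not in parent:
                    raise KeyError(f"op {i}: {path} does not exist in the template")
                if kind == "replace":
                    parent[key] = op["value"]
                else:
                    del parent[key]
            else:
                raise ValueError(f"op {i}: unsupported op {kind!r}")
        else:
            raise TypeError(f"op {i}: {path} points through a scalar value")
    return doc


if __name__ == "__main__":
    print(json.dumps(apply_patches(TEMPLATE, PATCHES), indent=2))
```

Because a patch that targets a path which does not exist fails loudly rather than silently creating it, running the patched output through `copilot [noun] package --diff` (or a checker like this one) before deploying catches a mistyped path instead of shipping an override that changed nothing.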
Add support for multiple listener rules for `http` and listeners for `nlb` for Load Balanced Web and Backend Services (#4170)
You can now define multiple host-based or path listener rules for Application Load Balancers with the new `http.additional_rules` property. Similarly, you can define multiple listeners on different ports and protocols for Network Load Balancers with the `nlb.additional_listeners` field. Sample manifest file:

```yaml
name: 'frontend'
type: 'Load Balanced Web Service'

image:
  build: 'path/to/Dockerfile'
  port: 8080

sidecars:
  docs:
    port: 7000
    build: 'path/to/Dockerfile'

http:
  alias: 'example.com'
  path: '/'
  additional_rules:
    - alias: 'admin.example.com'
      path: '/'
      target_port: 9000
    - path: '/docs'
      target_container: docs
```
To learn more on how to add additional listeners and listener rules, see the manifest specification. For the announcement, check out the blog post.
Preview CloudFormation template changes with the new `--diff` flag (#4259)
You can now run `copilot [noun] package --diff` or `copilot [noun] deploy --diff` to view the difference between your local changes and the latest deployed template.
For the announcement, check out the blog post.
Enable building container images for sidecars (#4254)
Previously, Copilot only supported taking a container image URL for sidecar containers. Now, you can use `image.build` for your sidecars just like your main container to build and push images from local Dockerfiles. To learn more, see the guide for sidecar containers. For the announcement, check out the blog post.
Enable uploading local environment files for sidecar containers (#4447)
Previously, you could only specify an environment file (`env_file`) for your main container. You can now specify an environment file to upload for any sidecar container. To learn more, see the guide for sidecar containers. For the announcement, check out the blog post.
- `!Sub` in environment storage addons causing the addon deployment failure (#4562)

Add support for automating rollbacks for Amazon ECS services with CloudWatch alarms
You can now monitor your ECS deployments with custom CloudWatch alarms! Configure your services to roll back to the last completed deployment if your alarms go into the `In alarm` state during deployment. With the circuit breaker, Copilot has already been rolling back your failed deployments. Now, you can also roll back service deployments that aren't failing, but aren't performing in accordance with the metrics of your choice. For example, in your backend, worker, or load-balanced web service manifest, you may import your own existing CloudWatch alarms:
```yaml
deployment:
  rollback_alarms: ["MyAlarm-ELB-4xx", "MyAlarm-ELB-5xx"]
```
Or have Copilot create a CPU and/or memory utilization alarm for you, with thresholds of your choice:
```yaml
deployment:
  rollback_alarms:
    cpu_utilization: 70    # Percentage value at or above which the alarm is triggered.
    memory_utilization: 50 # Percentage value at or above which the alarm is triggered.
```
Read the blog post for more!
Update `storage init` to support DynamoDB tables, S3 buckets or RDS clusters as environment storage
Now, you can create environment addons for your storage easily with `copilot storage init --lifecycle environment`. The storage is deployed when you run `copilot env deploy`, and isn't deleted until you delete the environment by running `copilot env delete`. Here is an example of the prompts that you might see when you run `copilot storage init` without any flags:

```
$ copilot storage init
What type of storage would you like to create?
  > DynamoDB           (NoSQL)
    S3                 (Objects)
    Aurora Serverless  (SQL)

Which workload needs access to the storage?
  > api
    backend

What would you like to name this DynamoDB Table? movies

Do you want the storage to be created and deleted with the api service?
    Yes, the storage should be created and deleted at the same time as api
  > No, the storage should be created and deleted at the environment level
```
Read the blog post for more!
Support Request-Driven Web Service secrets
You can now add your secrets (from SSM Parameter Store or AWS Secrets Manager) to your App Runner service as environment variables using Copilot.
Similar to other service types such as Load-Balanced Web Service, you need to first add the following tags to your secrets:
| Key | Value |
| --- | --- |
| `copilot-application` | Application name from which you want to access the secret |
| `copilot-environment` | Environment name from which you want to access the secret |

Then simply update your Request-Driven Web Service manifest with:
```yaml
secrets:
  GITHUB_TOKEN: GH_TOKEN_SECRET
```
And deploy! Your service can now access the secret as an environment variable.
Read the blog post for more!
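The tagging step above is where secret lookups usually go wrong: a secret that exists but lacks one of the two tags, or is tagged for another environment, will not resolve for the service. The following added example (not Copilot's code) checks a manifest's `secrets` map against the tags of each referenced secret for a given application and environment. `SECRET_TAGS` is a constructed sample of the `[{Key, Value}]` list that `ssm:ListTagsForResource` or `secretsmanager:DescribeSecret` returns; the app and environment names are illustrative.

```python
"""Check that secrets carry the tags Copilot needs before a service can
read them as environment variables.

Added example, not Copilot's code. A secret referenced from a manifest
(`secrets: GITHUB_TOKEN: GH_TOKEN_SECRET`) must be tagged
copilot-application=<app> and copilot-environment=<env>. SECRET_TAGS is a
constructed sample of what ssm:ListTagsForResource or
secretsmanager:DescribeSecret would return.
"""
APP_TAG = "copilot-application"
ENV_TAG = "copilot-environment"

# Constructed sample: secret name -> AWS-style tag list.
SECRET_TAGS = {
    "GH_TOKEN_SECRET": [
        {"Key": APP_TAG, "Value": "my-app"},
        {"Key": ENV_TAG, "Value": "test"},
    ],
    "DB_PASSWORD": [                      # environment tag missing
        {"Key": APP_TAG, "Value": "my-app"},
    ],
    "PROD_API_KEY": [                     # tagged for a different environment
        {"Key": APP_TAG, "Value": "my-app"},
        {"Key": ENV_TAG, "Value": "prod"},
    ],
    "UNTAGGED": [],
}


def secret_problems(tags, app, env):
    """Return why a secret with these tags would not resolve for app/env.

    An empty list means the secret is correctly scoped to this deployment.
    """
    tagmap = {t["Key"]: t["Value"] for t in tags}
    problems = []
    for key, want in ((APP_TAG, app), (ENV_TAG, env)):
        got = tagmap.get(key)
        if got is None:
            problems.append(f"missing tag {key}")
        elif got != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
    return problems


def audit_secrets(manifest_secrets, secret_tags, app, env):
    """Map each env-var name in the manifest to the problems with its secret."""
    report = {}
    for env_var, secret_name in manifest_secrets.items():
        tags = secret_tags.get(secret_name)
        if tags is None:
            report[env_var] = [f"secret {secret_name!r} not found"]
        else:
            report[env_var] = secret_problems(tags, app, env)
    return report


if __name__ == "__main__":
    # Constructed manifest `secrets:` section.
    manifest = {"GITHUB_TOKEN": "GH_TOKEN_SECRET", "DB_PASS": "DB_PASSWORD",
                "API_KEY": "PROD_API_KEY", "X": "UNTAGGED", "Y": "NOPE"}
    for var, problems in audit_secrets(manifest, SECRET_TAGS, "my-app", "test").items():
        print(var, "OK" if not problems else "; ".join(problems))
```

Running this before `copilot svc deploy` turns a vague "secret not found" at deploy time into a list of exactly which tag is missing or pointed at the wrong environment.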
- `env init` only when needed (#4440)
- `svc delete` should ignore Route53 A-record deletion error if not found (#4409)

Support user-written environment addons
You can now deploy addons associated with your environments. Addons are additional AWS resources that are not integrated in Copilot by default - for example, DynamoDB, RDS, etc. Environment addon resources have their lifecycle managed at the environment level. Hence, resources can be shared across services or jobs and won't be deleted unless the environment is deleted.
If you are already familiar with workload addons, then good news - the experience of managing environment addons is pretty similar.
You just need to store your CFN templates under the `copilot/environments/addons` folder, and then run `copilot env deploy`; your addons will then be deployed along with the environment. For an example walk-through, see our blog post!
Support static content delivery through an existing S3 bucket
You can now bring your own S3 bucket to work with CloudFront for faster static content delivery. You can use CloudFront with an S3 bucket as the origin by configuring the environment manifest as below:

```yaml
cdn:
  static_assets:
    location: cf-s3-ecs-demo-bucket.s3.us-west-2.amazonaws.com
    alias: example.com
    path: static/*
```
Read the blog post for more!
- `SslPolicy` instead of `SSLPolicy` (https://github.com/aws/copilot-cli/pull/4278)

ECS Service Connect Support (#4226)
ECS Service Connect enables a client service to connect to its downstream services in a load-balanced and resilient fashion. To enable Service Connect, you can simply add this configuration to your service manifest:

```yaml
network:
  connect: true
```
Check out our blog post for more! Also, check out the network.connect field in the manifest specification.
Add `--no-rollback` flag to `env deploy` (#4168)
Copilot `env deploy` now has a new flag `--no-rollback`; you can specify the flag to disable automatic env deployment rollback to help with debugging.
Add `AutoScalingConfiguration` to Request-Driven Web Service (RDWS) (#4186)
It is now possible to specify autoscaling configuration for your RDWS. For example, this can be configured in your service manifest:

```yaml
count: high-availability/3
```
Add log retention to VPC flow logs (#4164)
The default retention for VPC flow logs is now 14 days (2 weeks):

```yaml
network:
  vpc:
    flow_logs: on
```
Alternatively, you can customize the number of days for retention:

```yaml
network:
  vpc:
    flow_logs:
      retention: 30
```
- `spot_from` to Fargate Capacity Provider when `min` and `spot_from` are equal (#4187)

Thank you, contributors 🥰!
Restrict the ingress of a Request-Driven Web Service (RDWS) to environment only (#4137)
Previously, a RDWS was always internet-facing. Now, you have the option of toggling the service to be private. Specify `http.private: true` in a RDWS manifest, and the service will accept traffic from within the environment only. See our blog post for more! Also, check out the `http.private` field in the manifest specification.
Support Aurora Serverless v2 in `storage init` (#4075)
`copilot storage init --storage-type Aurora` will now generate an addon template for Aurora Serverless v2 by default. To generate a template for v1, you can run `copilot storage init --storage-type Aurora --serverless-version v1`.
Check out our blog post for more!
Restrict ingress to the public ALB using source IPs (#4103)
It is now possible to limit the ingress to your public ALB to up to 50 source IPs. This can be configured in your environment manifest:

```yaml
http:
  public:
    ingress:
      source_ips:
        - 10.0.0.0/24
        - 10.0.1.0/24
```
Check out our blog post for more, as well as `http.public.ingress.source_ips` in the manifest specification!
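An allow-list is only as good as its entries, so here is an added example (not Copilot's code) that validates a `source_ips` list before it goes into the environment manifest. It enforces the 50-entry limit from the note and goes a little beyond it: it rejects malformed CIDRs and a `/0` that would allow every address, warns about entries with host bits set and about overlapping ranges, and can collapse a list to its minimal form. All inputs are constructed; only Python's standard `ipaddress` module is used.

```python
"""Validate the `http.public.ingress.source_ips` list of an environment
manifest before deploying.

Added example, not Copilot's code. It enforces the limit of 50 entries
from the release note and additionally flags entries that would make the
restriction meaningless (a /0), malformed CIDRs, host bits set, and
overlapping entries. All inputs below are constructed.
"""
import ipaddress

MAX_SOURCE_IPS = 50  # limit stated for the public ALB ingress list


def validate_source_ips(cidrs):
    """Return (ok, findings); findings are (level, message) pairs.

    ok is False on any 'error' finding: the manifest would be rejected or
    the allow-list would not actually restrict anything.
    """
    findings = []
    if len(cidrs) > MAX_SOURCE_IPS:
        findings.append(("error", f"{len(cidrs)} entries exceed the limit of {MAX_SOURCE_IPS}"))
    nets = []
    for raw in cidrs:
        try:
            net = ipaddress.ip_network(raw)  # strict: host bits must be zero
        except ValueError:
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                findings.append(("error", f"{raw!r} is not a valid CIDR"))
                continue
            findings.append(("warn", f"{raw} has host bits set; normalised to {net}"))
        if net.prefixlen == 0:
            findings.append(("error", f"{raw} matches every address; the restriction is a no-op"))
        nets.append(net)
    # Overlaps are not wrong, but they waste entries of a 50-item budget.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(("warn", f"{a} overlaps {b}; one entry is redundant"))
    ok = not any(level == "error" for level, _ in findings)
    return ok, findings


def minimal_source_ips(cidrs):
    """Collapse a valid list to the fewest non-overlapping networks (as strings)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


if __name__ == "__main__":
    # Constructed manifest value: the two ranges from the note plus problem entries.
    sample = ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25", "0.0.0.0/0", "10.0.0.5/24"]
    ok, findings = validate_source_ips(sample)
    print("ok:", ok)
    for level, msg in findings:
        print(f"[{level}] {msg}")
    print("collapsed:", minimal_source_ips(["10.0.0.0/25", "10.0.0.128/25"]))
```

The `/0` check matters because a single over-broad entry silently reopens the listener to the internet while the manifest still looks restricted.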
Configure SSL policy for environment ALBs' HTTPS listener (#4099)
You can now specify the security policy applied on the HTTPS listener for your environment ALB(s) to comply with your organization's security requirements. This can be configured in your environment manifest:

```yaml
http:
  public:
    ssl_policy: ELBSecurityPolicy-FS-1-2-Res-2019-08
  private:
    ssl_policy: ELBSecurityPolicy-FS-1-2-Res-2019-08
```
Check out the `ssl_policy` field in the manifest specification.
Restrict container access to root file system to read-only (#4062)
You can now give your containers read-only access to their root file system to comply with Security Hub's recommendation [ECS.5] "ECS containers should be limited to read-only access to root filesystems". This can be configured in your service's manifest:

```yaml
storage:
  readonly_fs: true
```
See `storage.readonly_fs` in the manifest specification or read the blog post.
Enable VPC flow logs for environments (#4088)
You can now capture information about the IP traffic going in and out of your environment VPC by enabling VPC flow logs in your environment manifest:

```yaml
network:
  vpc:
    flow_logs: on
```
See `network.vpc.flow_logs` in the manifest specification.
Show permissions boundary policy name in `app show` (#4071)
In Copilot v1.22.0, we introduced permissions boundaries for all IAM roles in an application. Now you can see this configuration in `copilot app show`:

```
$ copilot app show --name myapp
About

  Name                  myapp
  Version               v1.1.0
  URI                   N/A
  Permissions Boundary  myPermissionsBoundaries
```
- `http` fields in environment manifest (#4068). See our blog post for more information on this manifest fix!
- `sh`-unfriendly here string from the default buildspec (#4102)

Thank you, contributors 🥰!
Allow `cdn` certificate import without `http` cert import in Environment manifests (#4061)
In v1.22.0, Copilot introduced TLS termination by CloudFront for Load Balanced Web Services. However, enabling the feature required importing a certificate to both the public Application Load Balancer and CloudFront. This requirement has been removed, and you can now enable TLS termination without having a certificate attached to the load balancer.
Fix segfault while running `env package` (#4061)
Escape double-quotes in serialized `parameters.json` values when running `copilot svc package --output-dir` (#4061)
Use the sidecar container's port and protocol if it is the target container for the load balancer (#4047)
Use the `image.location` value if present when running `copilot svc package --output-dir` (#4055)
The manifest generated for a Worker service with `svc init` now takes into consideration whether or not the topics selected are FIFO (#4056)
Enable setting IAM permissions boundaries for all IAM roles in an application (#3969)
You can now leverage IAM permissions boundaries to comply with your organization's security requirements and service control policies by passing the `--permissions-boundary` flag with the `copilot app init` command. See our blog post to learn more!
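Both the read-only root filesystem control (`storage.readonly_fs`, #4062, above) and the permissions boundary introduced here end up as properties in the CloudFormation template Copilot renders, so they can be verified offline on the output of `copilot svc package --output-dir`. The following added example (not Copilot's code) walks such a template and reports every ECS container without `ReadonlyRootFilesystem: true` and every IAM role whose `PermissionsBoundary` is missing or differs from the expected ARN. The template and the boundary ARN are constructed placeholders; a real template would be loaded with a YAML parser.

```python
"""Audit a packaged CloudFormation template for two controls from these
notes: every ECS container has ReadonlyRootFilesystem true (Security Hub
ECS.5, `storage.readonly_fs`) and every IAM role carries the application's
PermissionsBoundary (`copilot app init --permissions-boundary`).

Added example, not Copilot's code. Run it over the template written by
`copilot svc package --output-dir` (parsed with a YAML library); TEMPLATE
below is a constructed stand-in and the ARNs are placeholders.
"""
# Placeholder boundary policy ARN (constructed; 123456789012 is a dummy account id).
BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/PLACEHOLDER-boundary"

# Constructed template fragment shaped like a rendered Copilot service stack.
TEMPLATE = {
    "Resources": {
        "TaskDefinition": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {"ContainerDefinitions": [
                {"Name": "api", "ReadonlyRootFilesystem": True},
                {"Name": "nginx"},                                  # missing -> writable
                {"Name": "envoy", "ReadonlyRootFilesystem": False},
            ]},
        },
        "TaskRole": {"Type": "AWS::IAM::Role",
                     "Properties": {"PermissionsBoundary": BOUNDARY_ARN}},
        "ExecutionRole": {"Type": "AWS::IAM::Role",
                          "Properties": {"PermissionsBoundary": {
                              "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/PLACEHOLDER-boundary"}}},
        "CustomResourceRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "OtherRole": {"Type": "AWS::IAM::Role",
                      "Properties": {"PermissionsBoundary": "arn:aws:iam::123456789012:policy/something-else"}},
    }
}


def resources_of_type(template, rtype):
    """Yield (logical id, properties) for resources of the given CFN type."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == rtype:
            yield name, res.get("Properties") or {}


def writable_root_fs(template):
    """'Resource/Container' for each container not pinned to a read-only root fs."""
    hits = []
    for name, props in resources_of_type(template, "AWS::ECS::TaskDefinition"):
        for cd in props.get("ContainerDefinitions", []):
            if cd.get("ReadonlyRootFilesystem") is not True:
                hits.append(f"{name}/{cd.get('Name', '?')}")
    return hits


def roles_without_boundary(template, expected_arn):
    """Roles with no PermissionsBoundary, or a literal boundary other than expected.

    A boundary given as an intrinsic (Ref / Fn::Sub) cannot be compared
    offline, so it is accepted as present; confirm it in the deployed stack.
    """
    hits = []
    for name, props in resources_of_type(template, "AWS::IAM::Role"):
        pb = props.get("PermissionsBoundary")
        if pb is None:
            hits.append(f"{name}: no PermissionsBoundary")
        elif isinstance(pb, str) and pb != expected_arn:
            hits.append(f"{name}: boundary {pb} is not {expected_arn}")
    return hits


def audit(template, expected_arn):
    """Run both checks; empty lists mean the template passes."""
    return {"writable_root_fs": writable_root_fs(template),
            "roles_without_boundary": roles_without_boundary(template, expected_arn)}


if __name__ == "__main__":
    for check, hits in audit(TEMPLATE, BOUNDARY_ARN).items():
        print(f"{check}: {'PASS' if not hits else hits}")
```

A `ReadonlyRootFilesystem` that is absent is treated the same as `false`, because ECS defaults it to writable; the checker therefore only passes a container when the property is explicitly `true`.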
Add FIFO (first in, first out) capabilities for SNS topics and SQS queues of Worker Services (#4014, #4018)
For applications where the order of operations and events is critical, or where duplicates can't be tolerated, you can now enable `fifo: true` in your manifests. See our blog post for a walkthrough of connecting SNS FIFO topics to the SQS FIFO queue of a Worker Service. See the manifest specification for SNS FIFO topics and SQS FIFO queues.
Configure the CloudFront CDN to terminate TLS (#4017)
Your application can now benefit from terminating TLS at an endpoint geographically closer to the end user, for faster TLS handshakes:

```yaml
cdn:
  tls_termination: true
```
See our [blog post](https://aws.github.io/copilot-cli/blogs/release-v122/#cloudfront-tls-termination) to learn more! See the environment manifest for the specification.
Enable TLS connections between the Application Load Balancer and Fargate tasks (#4021)
If the port of the target container is set to `443`, the target group's protocol and health check protocol are now set to `HTTPS`. See the sample end-to-end encryption manifest specification.
Add support for Windows Server 2022 (#3968)
You can now specify `windows_server_2022_core` and `windows_server_2022_full` as OS Family options to run Windows 2022 Fargate tasks. See `platform` in the manifest specification.
Allow disabling HTTP to HTTPS redirection for Load Balanced Web Services (#4003)
You can now set `http.redirect_to_https` to `false` (by default it's `true`) for your applications with a domain name. This field is particularly useful when enabling CloudFront to terminate TLS. See the manifest specification.
Display logs for the last stopped task using the new `-p`, `--previous` flag (#3983)
You can now easily view the logs of the last stopped task to help with troubleshooting with `copilot svc logs -p`.
Filter logs to an individual container with the new `--container` flag (#3985)
You can now run `copilot svc logs --container nginx` to filter the logs to an individual container.
- `aws-cn` and `aws-us-gov` partitions (#3995)
- `http.grace_period: 0s` (#4015)

Thank you, contributors 🥰!