Copilot CLI Versions

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.

v1.29.1

10 months ago

🐛 Bug Fixes

  • Filter out non-active ECS services (#5152)

    The GetResources API for ECS recently changed to return non-active ECS services, causing an error when running Copilot commands after recently recreating a service. Copilot now validates that the service ARNs returned by GetResources are active.

  • Prevent app upgrade followed by downgrade from removing ECR Repos (#5141)

    Copilot apps upgraded to v1.28 or v1.29 and subsequently downgraded to versions prior were running into an issue where ECR repos were getting removed from the app stack. After this fix, upgrading your app with v1.29.1+ and then downgrading will cause the older Copilot version to print out an error instead of removing any ECR repos.

  • Explicitly block S3 public access (#5141)

    Though objects uploaded to Copilot-created S3 buckets have never been public, Copilot-created S3 buckets now explicitly block public access at the bucket level.

  • Fix copilot init when app name is not set via flags (#5126)

  • Validate sidecar image configuration (#5122)

v1.29.0

10 months ago

⚡️ Features and Enhancements

  • Pipeline CloudFormation template overrides (#5034)

    Copilot pipelines are much more nimble and extensible with CDK and YAML path overrides with copilot pipeline override! This feature provides a safe and easy way to modify your pipeline's CloudFormation template. A new --diff flag for copilot pipeline deploy enables you to preview changes to your CloudFormation template. (#4991) See the blogpost for more.

  • Static Site enhancements
    • For more dynamic development, Copilot will now invalidate the CloudFront edge cache each time you redeploy a Static Site workload, enabling you to see and deliver your updated content right away. (#5035)
    • copilot svc show for Static Site workloads includes a tree representation of your S3 bucket's contents. (#4966)
    View sample output
    Service name: static-site
    About
    
      Application  my-app
      Name         static-site
      Type         Static Site
    
    Routes
    
      Environment  URL
      -----------  ---
      test         https://d399t9j1xbplme.cloudfront.net/
    
    S3 Bucket Objects
    
      Environment  test
    .
    ├── ReadMe.md
    ├── error.html
    ├── index.html
    ├── Images
    │   ├── SomeImage.PNG
    │   └── AnotherImage.PNG
    ├── css
    │   ├── Style.css
    │   ├── all.min.css
    │   └── bootstrap.min.css
    └── images
        └── bg-masthead.jpg
    
    • copilot svc status for Static Site workloads includes the S3 bucket's object count and total size. (#4985)
  • Prevent clashes between Copilot versions by disallowing downgrading (unless explicitly enabled with the new --allow-downgrade flag for init, deploy, and package commands) (#5064)
  • Support Yarn for CDK overrides (#5076)
  • Enable interpolation of lists of strings in Copilot manifests (#4993)
  • Allow passing an existing permissions boundary's ARN when running copilot app init (as an alternative to the permissions boundary name) (#4981)
  • Recommend splitting domains/conditions into different listener rules if the quota (five per rule) is detected. (#4961)

🐛 Bug Fixes


  • copilot svc package now applies overrides for Static Site workload types (#4952)
  • Prevent exceeding the CloudWatch Logs Resource Policy size when running copilot job logs by adding policies to each environment (#4979)
  • Static Site CloudFormation manifests quote aliases so asterisks render properly in CloudFormation templates (#5003)
  • Distinguish between active and non-active ECS clusters to avoid clashes (#5062)

❀️ Contributions

Thank you, contributors πŸ₯°!

  • @tjhorner (#4980)
  • @build-with-aws-copilot (#5063)

v1.28.0

1 year ago

⚡️ Features and Enhancements

  • Static Site service type (#4621)

With the new Static Site service type, you can now deploy and host static websites with Amazon S3. You can specify local files to be uploaded to an S3 bucket with the Static Site service manifest.

name: example
type: Static Site
http:
  alias: 'example.com'
files:
  - source: src/someDirectory
    recursive: true
  - source: someFile.html

To learn more on how to deploy your static website using the Static Site service, see the manifest specification. For the announcement, check out the blog post.

  • Add --diff-yes flag to copilot [noun] deploy (#4832)

copilot [noun] deploy now has the new flag --diff-yes; you can specify the flag to automatically print the difference between your local changes and the latest deployed template.

  • Container Images Parallel Build (#4760)

Previously, Copilot built and pushed main container and sidecar container images sequentially. You can now build main container and sidecar container images in parallel. With parallel build, you can reduce the overall time it takes to build and push container images to Amazon ECR.

🐛 Bug Fixes


  • Use LogicalID-safe name for sidecars env file parameter from the CloudFormation template (#4714)
  • Remove CloudWatch alarm-based rollbacks from ECS services in the GovCloud region (#4782)
  • Remove Docker runtime version from the buildspec in the pipeline CloudFormation template (#4723)
  • Keep parameter descriptions consistent across environment addons in the CloudFormation template (#4813)
  • Add Darwin ARM binary for Session Manager plugin installation (#4916)
  • Do not require a workspace summary when running copilot app delete (#4863)
  • Update custom domain records in parallel to fix the CustomDomainFunction lambda timeout (#4772)
  • Fix file not found error for CDK override on Windows (#4807)
  • Use a more portable CDK executable for CDK overrides (#4808)
  • Separate out grace_period for ALB and NLB (#4734)
  • Separate out deregistration_delay for ALB and NLB (#4740)

❀️ Contributions

Thank you, contributors πŸ₯°!

  • @interu (#4816, #4741)
  • @0xO0O0 (#4723)
  • @andreas-bergstrom (#4873)

v1.27.0

1 year ago

⚡️ Features and Enhancements

  • Extend Copilot-generated CloudFormation templates with the Cloud Development Kit (CDK) or YAML Patch overrides (#4208, #4209)

    With the new copilot [noun] override command, you can now fully customize your environment, service, or job AWS CloudFormation templates generated from Copilot manifests. You can override templates using the CDK when you need the expressive power and safety of a programming language. Alternatively, you can apply YAML patches when you need only a handful of modifications.

    To learn more about how to use overrides, check out the CDK guide or the YAML patch guide. For the announcement, check out the blog post.

  • Add support for multiple listener rules for http and listeners for nlb for Load Balanced Web and Backend Services (#4170)

    You can now define multiple host-based or path listener rules for Application Load Balancers with the new http.additional_rules property. Similarly, you can define multiple listeners on different ports and protocols for Network Load Balancers with the nlb.additional_listeners field.

    Sample manifest file
    name: 'frontend'
    type: 'Load Balanced Web Service'
    
    image:
      build: 'path/to/Dockerfile'
      port: 8080
    
    sidecars:
       docs:
          port: 7000
          build: 'path/to/Dockerfile'
    
    http:
      alias: 'example.com'
      path: '/'
      additional_rules:
        -  alias: 'admin.example.com'
           path: '/'
           target_port: 9000
        -  path: '/docs'
           target_container: docs
    

    To learn more on how to add additional listeners and listener rules, see the manifest specification. For the announcement, check out the blog post.

  • Preview CloudFormation template changes with the new --diff flag (#4259)

    You can now run copilot [noun] package --diff or copilot [noun] deploy --diff to view the difference between your local changes and the latest deployed template.

    For the announcement, check out the blog post.

  • Enable building container images for sidecars (#4254)

    Previously, Copilot only supported taking a container image URL for sidecar containers. Now, you can use image.build for your sidecars just like your main container to build and push images from local Dockerfiles.

    To learn more see the guide for sidecar containers. For the announcement, check out the blog post.

  • Enable uploading local environment files for sidecar containers (#4447)

    Previously, you could only specify an environment file (env_file) for your main container. You can now specify an environment file to upload for any sidecar container. To learn more see the guide for sidecar containers. For the announcement, check out the blog post.

🐛 Bug Fixes

  • Removing CloudWatch alarm based rollbacks from ECS services now disassociates the alarms (#4565)
  • Remove !Sub in environment storage addons causing the addon deployment failure (#4562)

v1.26.0

1 year ago

⚡️ Features and Enhancements

  • Add support for automating rollbacks for Amazon ECS services with CloudWatch alarms

    You can now monitor your ECS deployments with custom CloudWatch alarms! Configure your services to roll back to the last completed deployment if your alarms go into In alarm state during deployment. With the circuit breaker, Copilot has already been rolling back your failed deployments. Now, you can also roll back service deployments that aren't failing, but aren't performing in accordance with the metrics of your choice.

    For example, in your backend, worker, or load-balanced web service manifest, you may import your own existing CloudWatch alarms:

    deployment:
      rollback_alarms: ["MyAlarm-ELB-4xx", "MyAlarm-ELB-5xx"]
    

    Or have Copilot create a CPU and/or memory utilization alarm for you, with thresholds of your choice:

    deployment:
      rollback_alarms:
        cpu_utilization: 70    # Percentage value at or above which alarm is triggered.
        memory_utilization: 50 # Percentage value at or above which alarm is triggered.
    

    Read the blog post for more!

  • Update storage init to support DynamoDB tables, S3 buckets or RDS clusters as environment storage

    Now, you can create environment addons for your storage easily with copilot storage init --lifecycle environment. The storage is deployed when you run copilot env deploy, and isn't deleted until you delete the environment by running copilot env delete.

    Here is an example of prompts that you might see when you run copilot storage init without any flags.

    $ copilot storage init
    What type of storage would you like to create?
     > DynamoDB            (NoSQL)
       S3                  (Objects)
       Aurora Serverless   (SQL)
    Which workload needs access to the storage? 
     > api
       backend
    What would you like to name this DynamoDB Table? movies
    Do you want the storage to be created and deleted with the api service?
       Yes, the storage should be created and deleted at the same time as api
     > No, the storage should be created and deleted at the environment level
    

    Read the blog post for more!

  • Support Request-Driven Web Service secrets

    You can now add your secrets (from SSM Parameter Store or AWS Secrets Manager) to your App Runner service as environment variables using Copilot.

    Similar to other service types such as Load-Balanced Web Service, you need to first add the following tags to your secrets:

    Key                  Value
    -------------------  -----
    copilot-application  Application name from which you want to access the secret
    copilot-environment  Environment name from which you want to access the secret

    Then simply update your Request-Driven Web Service manifest with:

    secrets:
      GITHUB_TOKEN: GH_TOKEN_SECRET
    

    And deploy! Your service can now access the secret as an environment variable.

    Read the blog post for more!

🐛 Bug Fixes

  • Require aws config file in env init only when needed (#4440)
  • svc delete should ignore Route53 A-record deletion error if not found (#4409)
  • Service Connect shouldn't affect gov cloud deployment (#4390)

v1.25.0

1 year ago

⚡️ Features and Enhancements

  • Support user-written environment addons

    You can now deploy addons associated with your environments. Addons are additional AWS resources that are not integrated in Copilot by default - for example, DynamoDB, RDS, etc. Environment addons resources have their lifecycle managed at the environment level. Hence, resources can be shared across services or jobs and won't be deleted unless the environment is deleted.

    If you are already familiar with workload addons, then good news - the experience of managing environment addons is pretty similar.

    You just need to store your CFN templates under the copilot/environments/addons folder, and then run copilot env deploy - your addons will then be deployed along with the environment.

    For an example walk-through, see our blog post!

  • Support static content delivery through an existing S3 bucket

    You can now bring your own S3 bucket to work with CloudFront for faster static content delivery. You can use CloudFront with an S3 bucket as the origin by configuring the environment manifest as below:

    cdn:
      static_assets:
        location: cf-s3-ecs-demo-bucket.s3.us-west-2.amazonaws.com
        alias: example.com
        path: static/*
    

    Read the blog post for more!

🐛 Bug Fixes

v1.24.0

1 year ago

⚡️ Features and Enhancements

  • ECS Service Connect Support (#4226)

    ECS Service Connect enables a client service to connect to its downstream services in a load-balanced and resilient fashion. To enable Service Connect, you can simply add this configuration to your service manifest:

    network:
      connect: true
    

    Check out our blog post for more! Also, check out the network.connect field in the manifest specification.

  • Add --no-rollback flag to env deploy (#4168)

    Copilot env deploy now has a new flag --no-rollback; you can specify the flag to disable automatic env deployment rollback to help with debugging.

  • Add AutoScalingConfiguration to Request-Driven Web Service (RDWS) (#4186)

    It is now possible to specify autoscaling configuration for your RDWS. For example, this can be configured in your service manifest:

    count: high-availability/3
    
  • Add log retention to VPC flow logs (#4164)

    The default retention for VPC flow logs is now 14 days (2 weeks):

    network:
      vpc:
        flow_logs: on
    

    Alternatively, you can customize the number of days for retention:

    network:
      vpc:
        flow_logs:
          retention: 30
    

🐛 Bug Fixes

  • Access logs bucket policy should be applied after ALB update (#4169)
  • Set tasks fewer than spot_from to Fargate Capacity Provider when min and spot_from equal (#4187)
  • Check if an application exists globally before creating it (#4113)

❀️ Contributions

Thank you, contributors πŸ₯°!

  • @hkford (#4144, #4128)
  • @isleys (#4129)

v1.23.0

1 year ago

⚡️ Features and Enhancements

  • Restrict the ingress of a Request-Driven Web Service (RDWS) to environment only (#4137)

    Previously, a RDWS was always internet-facing. Now, you have the option of toggling the service to be private. Specify http.private: true in a RDWS manifest, and the service will accept traffic from within the environment only.

    See our blog post for more! Also, check out the http.private field in the manifest specification.

  • Support Aurora Serverless v2 in storage init (#4075)

    copilot storage init --storage-type Aurora will now generate an addon template for Aurora Serverless v2 by default. To generate a template for v1, you can run copilot storage init --storage-type Aurora --serverless-version v1

    Check out our blog post for more!

  • Restrict ingress to the public ALB using source IPs (#4103)

    It is now possible to limit the ingress to your public ALB to up to 50 source IPs. This can be configured in your environment manifest:

    http:
     public:
       ingress:
         source_ips:
           - 10.0.0.0/24
           - 10.0.1.0/24
    

    Check out our blog post for more, as well as http.public.ingress.source_ips in the manifest specification!

  • Configure SSL policy for environment ALBs' HTTPS listener (#4099)

    You can now specify the security policy applied on the HTTPS listener for your environment ALB(s) to comply with your organization's security requirements. This can be configured in your environment manifest:

    http:
     public: 
       ssl_policy: ELBSecurityPolicy-FS-1-2-Res-2019-08
    
     private: 
       ssl_policy: ELBSecurityPolicy-FS-1-2-Res-2019-08
    

    Check out the ssl_policy field in the manifest specification.

  • Restrict container access to root file system to read-only (#4062)

    You can now give your containers read-only access to their root file systems to comply with Security Hub's recommendation of [ECS.5] ECS containers should be limited to read-only access to root filesystems. This can be configured in your service's manifest:

    storage:
     readonly_fs: true
    

    See storage.readonly_fs in the manifest specification or read the blog post.

  • Enable VPC flow logs for environments (#4088)

    You can now capture information about the IP traffic going in and out of your environment VPC by enabling VPC flow logs in your environment manifest:

    network:
     vpc:
       flow_logs: on
    

    See network.vpc.flow_logs in the manifest specification.

  • Show permissions boundary policy name in app show (#4071)

    In Copilot v1.22.0, we introduced permissions boundaries for all IAM roles in an application. Now you can see this configuration in copilot app show.

    $ copilot app show --name myapp
    
    About
    
     Name                  myapp
     Version               v1.1.0
     URI                   N/A
     Permissions Boundary  myPermissionsBoundaries
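
An added example, not part of the release notes or the Copilot code base: a pre-deploy check over the environment-manifest settings introduced above (http.public.ingress.source_ips, ssl_policy, network.vpc.flow_logs). It assumes the manifest has already been parsed into a dict; audit_env_manifest, min_retention_days and both sample manifests are constructed for illustration.

```python
import ipaddress

MAX_SOURCE_IPS = 50          # limit stated in the v1.23.0 notes
DEFAULT_RETENTION_DAYS = 14  # flow-log default stated in the v1.24.0 notes


def audit_env_manifest(manifest, min_retention_days=14):
    """Return findings for an environment manifest already parsed into a dict.

    min_retention_days is a hypothetical organisational minimum, not a Copilot setting.
    """
    findings = []
    http = manifest.get("http") or {}

    # http.public.ingress.source_ips: allow-list for the public ALB.
    path = "http.public.ingress.source_ips"
    ips = ((http.get("public") or {}).get("ingress") or {}).get("source_ips") or []
    if not ips:
        findings.append(f"{path}: not set, public ALB ingress is not restricted by source IP")
    if len(ips) > MAX_SOURCE_IPS:
        findings.append(f"{path}: {len(ips)} entries, limit is {MAX_SOURCE_IPS}")
    for entry in ips:
        try:
            net = ipaddress.ip_network(str(entry), strict=True)
        except ValueError:
            findings.append(f"{path}: {entry!r} is not a valid CIDR block (host bits set or malformed)")
            continue
        if net.prefixlen == 0:
            findings.append(f"{path}: {entry} matches every address")

    # http.<listener>.ssl_policy, checked only for listeners the manifest configures.
    for listener in ("public", "private"):
        if listener in http and not (http[listener] or {}).get("ssl_policy"):
            findings.append(f"http.{listener}.ssl_policy: not set, HTTPS listener policy is not pinned")

    # network.vpc.flow_logs is either a switch (`on`) or a mapping with `retention`.
    path = "network.vpc.flow_logs"
    flow = ((manifest.get("network") or {}).get("vpc") or {}).get("flow_logs")
    if isinstance(flow, dict):
        days = flow.get("retention", DEFAULT_RETENTION_DAYS)
        if days < min_retention_days:
            findings.append(f"{path}.retention: {days} days is below the required {min_retention_days}")
    elif flow not in (True, "on"):  # YAML 1.1 loaders turn `on` into True
        findings.append(f"{path}: not enabled")
    return findings


# Constructed sample: broad and malformed CIDRs, no pinned policy, short retention.
WEAK = {
    "http": {"public": {"ingress": {"source_ips": ["10.0.0.0/24", "0.0.0.0/0", "10.0.1.7/24"]}}},
    "network": {"vpc": {"flow_logs": {"retention": 7}}},
}

# Constructed sample built from the values shown in the notes above.
HARDENED = {
    "http": {
        "public": {
            "ingress": {"source_ips": ["10.0.0.0/24", "10.0.1.0/24"]},
            "ssl_policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08",
        },
        "private": {"ssl_policy": "ELBSecurityPolicy-FS-1-2-Res-2019-08"},
    },
    "network": {"vpc": {"flow_logs": True}},
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_env_manifest(sample) or "no findings")
```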
    

🐛 Bug Fixes

  • Fix misplaced http fields in environment manifest (#4068). See our blog post for more information on this manifest fix!
  • TLS termination does not require a certificate or domain for CDN (#4096)
  • Remove sh-unfriendly here string from the default buildspec (#4102)

❀️ Contributions

Thank you, contributors πŸ₯°!

v1.22.1

1 year ago

🐛 Bug Fixes

  • Allow cdn certificate import without http cert import in Environment manifests (#4061)

    In v1.22.0, Copilot introduced TLS termination by CloudFront for Load Balanced Web Services. However, enabling the feature required importing a certificate to both the public Application Load Balancer and CloudFront. This requirement has been removed, and you can now enable TLS termination without having a certificate attached to the load balancer.

  • Fix segfault while running env package (#4061)

  • Escape double-quotes in serialized parameters.json values when running copilot svc package --output-dir (#4061)

  • Use the sidecar container's port and protocol if it is the target container for the load balancer (#4047)

  • Use the image.location value if present when running copilot svc package --output-dir (#4055)

  • The manifest generated for a Worker service with svc init now takes into consideration whether or not the topics selected are FIFO (#4056)

v1.22.0

1 year ago

⚡️ Features and Enhancements

  • Enable setting IAM permissions boundaries for all IAM roles in an application (#3969)

    You can now leverage IAM permissions boundaries to comply with your organization's security requirements and service control policies by passing the --permissions-boundary flag with the copilot app init command. See our blog post to learn more!

  • Add FIFO (first in, first out) capabilities for SNS topics and SQS queues of Worker Services (#4014, #4018)

    For applications where the order of operations and events is critical, or where duplicates can't be tolerated, you can now enable fifo: true in your manifests. See our blog post for a walkthrough of connecting SNS FIFO topics to the SQS FIFO queue of a Worker Service. See the manifest specification for SNS FIFO topics and SQS FIFO queues.

  • Configure the CloudFront CDN to terminate TLS (#4017)

    Your application can now benefit from terminating TLS at a geographically closer endpoint to the end user for faster TLS handshakes:

    cdn:
      tls_termination: true
    

    See our blog post (https://aws.github.io/copilot-cli/blogs/release-v122/#cloudfront-tls-termination) to learn more! See the environment manifest for the specification.

  • Enable TLS connections between the Application Load Balancer and Fargate tasks (#4021)

    If the port of the target container is set to 443, the target group's protocol and health check protocol are now set to HTTPS. See the sample end-to-end encryption manifest specification.

  • Add support for Windows Server 2022 (#3968)

    You can now specify windows_server_2022_core and windows_server_2022_full as OS Family options to run Windows 2022 Fargate tasks. See platform in the manifest specification.

  • Allow disabling HTTP to HTTPS redirection for Load Balanced Web Services (#4003)

    You can now set http.redirect_to_https as false (by default it's true) for your applications with a domain name. This field is particularly useful when enabling CloudFront to terminate TLS. See the manifest specification.

  • Display logs for the last stopped task using the new -p, --previous flag (#3983)

    You can now easily view the logs of the last stopped task to help with troubleshooting with copilot svc logs -p.

  • Filter logs to an individual container with the new --container flag (#3985)

    You can now run copilot svc logs --container nginx to filter the logs to an individual container.

🐛 Bug Fixes

  • Allow the creation of an internal hosted zone in the aws-cn and aws-us-gov partitions (#3995)
  • Fix object ownership for pipeline artifacts to be the bucket owner so cross accounts deployments are enabled (#3998)
  • Disable writing health check grace period to CloudFormation by setting http.grace_period: 0s (#4015)

❀️ Contributions

Thank you, contributors πŸ₯°!

  • @shingos (#3976)
  • @gabrielcostasilva (#3993)
  • @jterry75 (#3968)