Releases: aws/copilot-cli

copilot-cli: Release v1.22.0

27 Sep 16:57
00263a6

⚡️ Features and Enhancements

  • Enable setting IAM permissions boundaries for all IAM roles in an application (#3969)

    You can now leverage IAM permissions boundaries to comply with your organization’s security requirements and service control policies by passing the --permissions-boundary flag with the copilot app init command.
    See our blog post to learn more!

  • Add FIFO (first in, first out) capabilities for SNS topics and SQS queues of Worker Services (#4014, #4018)

    For applications where the order of operations and events is critical, or where duplicates can't be tolerated, you can now enable fifo: true in your manifests.
    See our blog post for a walkthrough of connecting SNS FIFO topics to the SQS FIFO queue of a Worker Service.
    See the manifest specification for SNS FIFO topics and SQS FIFO queues.

  • Configure the CloudFront CDN to terminate TLS (#4017)

    Your application can now benefit from terminating TLS at a geographically closer endpoint to the end user for faster TLS handshakes:

    cdn:
      tls_termination: true

    See our blog post (https://aws.github.io/copilot-cli/blogs/release-v122/#cloudfront-tls-termination) to learn more!
    See the environment manifest for the specification.

  • Enable TLS connections between the Application Load Balancer and Fargate tasks (#4021)

    If the port of the target container is set to 443, the target group's protocol and health check protocol are now set to HTTPS.
    See the sample end-to-end encryption manifest specification.

  • Add support for Windows Server 2022 (#3968)

    You can now specify windows_server_2022_core and windows_server_2022_full as OS Family options to run Windows 2022 Fargate tasks.
    See platform in the manifest specification.

  • Allow disabling HTTP to HTTPS redirection for Load Balanced Web Services (#4003)

    You can now set http.redirect_to_https as false (by default it's true) for your applications with a domain name.
    This field is particularly useful when enabling CloudFront to terminate TLS.
    See the manifest specification.

  • Display logs for the last stopped task using the new -p, --previous flag (#3983)

    You can now easily view the logs of the last stopped task to help with troubleshooting with copilot svc logs -p.

  • Filter logs to an individual container with the new --container flag (#3985)

    You can now run copilot svc logs --container nginx to filter the logs to an individual container.

🐛 Bug Fixes

  • Allow the creation of an internal hosted zone in the aws-cn and aws-us-gov partitions (#3995)
  • Fix object ownership for pipeline artifacts to be the bucket owner so cross accounts deployments are enabled (#3998)
  • Disable writing health check grace period to CloudFormation by setting http.grace_period: 0s (#4015)

❤️ Contributions

Thank you, contributors 🥰!

copilot-cli: Release v1.21.1

31 Aug 23:25
a830133

🐛 Bug Fixes

  • Preserve existing service discovery endpoint (#3949)

    In the transition from env upgrade to env deploy, we lost the preservation of the ServiceDiscoveryEndpoint parameter and instead assumed the [app].[env].local format. However, environments that predated our v1.9.0 release have [app].local-formatted ServiceDiscoveryEndpoint parameters, and therefore were erroring out when updates were attempted. This fix preserves the existing value when env deploy is run.

  • Trigger EnvControllerAction custom resource whenever Copilot version updated (#3957)

    For users with internal ALBs, their backend service CloudFormation stacks rely on the environment stack for an Output, InternalWorkloadsHostedZone. After upgrading to v1.21.0, svc deploy failed for those users, as this Output was not being generated because nothing within the EnvController's properties had changed to trigger an execution. This fix ensures that the Lambda is triggered whenever the Copilot version is changed.

  • Ensure EnvManagerRole has permission to upload artifacts to S3 (#3956)

    By checking for the appropriate permissions and adding them if they're absent, Copilot makes sure the EnvManagerRole can push objects to S3, whether the environment was deployed in the same account as the application or not.

  • Give EnvManagerRole permission to --generate-cmd (#3942)

    Now that the EnvManagerRole session is executing the command generation when that flag is applied to task run, it needs the states:DescribeStateMachine permission to do so. This fix grants that permission.

copilot-cli: Release v1.21.0

17 Aug 15:29
baa8478

⚡️ Features and Enhancements

  • Enable Amazon CloudFront in your environments to deliver content with low-latency and improved security (#3701)

    By simply setting cdn: true in your environment manifest and running copilot env deploy, you can deploy your application globally and securely!
    Copilot's CloudFront integration supports HTTPS:

    cdn:
      certificate: arn:aws:acm:us-east-1:${AWS_ACCOUNT_ID}:certificate/13245665-h74x-4ore-jdnz-avs87dl11jd

    and you can limit public traffic to your ALB to this distribution:

    http:
      public:
        security_groups:
          ingress:
            restrict_to:
              cdn: true

    See our blog post for more!

  • Package local paths, such as Lambda functions, that your addons/ AWS CloudFormation template references (#3875)

    Copilot can now upload local files referenced in your addons templates to S3, then replace the relevant resource properties with the uploaded S3 location. On copilot svc deploy or copilot svc package --upload-assets, certain fields on supported resources will be updated with an S3 location! To see the full list of resources that are supported, take a look at the AWS CLI documentation.
    See our blog post for more!

  • Run Copilot's new job logs command (#3794)

    View and follow logs for executions of your scheduled jobs by running copilot job logs. You can choose how many invocations of the job to view, filter logs by specific task IDs, and choose whether to view state machine execution logs.
    You might view logs from the last invocation of the job and all the state machine execution data:
    copilot job logs --include-state-machine
    or invoke a task and follow its logs:
    copilot job run -n [jobName] && copilot job logs -n [jobName] --follow
    For more details, see the blog post!

  • Configure security groups via env manifest (#3749, #3810)

    Define ingress and egress for your security groups:

    network:
      vpc:
        security_group:
          ingress:
            - ip_protocol: tcp
              ports: 0-65535
              cidr: 0.0.0.0/0
          egress:
            - ip_protocol: tcp
              ports: 80
              cidr: 0.0.0.0/0

  • Enable access logs for ELBs (#3849)

    Another new field for the environment manifest! Copilot can create an S3 bucket for you and write ELB access logs to it.

    http:
      public:
        access_logs: true 

    Alternatively, you can specify an existing bucket. Read the blog post to find out how!

  • Specify subnets in bulk with tags (#3727)

    In v1.19.0, we introduced the ability to indicate specific subnets in which to launch ECS tasks; now, you may refer to groups of those subnets by their tags:

    network:
      vpc:
        placement:
          subnets:
            from_tags:
              org: bi
              type:
                - public
                - private

    See the docs for more details.

  • Leverage environment files for task run (#3803)

    You can add environment variables in bulk with the task run command. Store your env vars in an environment variable file (with the .env extension), then pass in the path to that file using the new --env-file flag.
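The environment manifest fields introduced in this release (cdn, network.vpc.security_group, http.public.access_logs and http.public.security_groups.ingress.restrict_to.cdn) can be checked before copilot env deploy. The following is an added example, not part of Copilot or these release notes: it audits a manifest that has already been parsed into a dict (for instance with a YAML loader), and its function names, severity labels and WIDE_RANGE threshold are assumptions made for illustration.

```python
import ipaddress

WIDE_RANGE = 16  # assumption: more world-open ports than this is "high"


def dig(node, *keys):
    """Walk nested dicts, returning None as soon as a key is absent."""
    for key in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def parse_ports(ports):
    """Return (low, high) for a `ports` value: 80 (int) or "0-65535" (str)."""
    if isinstance(ports, int):
        return ports, ports
    low, _, high = str(ports).partition("-")
    return int(low), int(high or low)


def audit_env_manifest(manifest):
    """Return (severity, message) findings for one parsed env manifest."""
    findings = []
    for rule in dig(manifest, "network", "vpc", "security_group", "ingress") or []:
        if ipaddress.ip_network(rule["cidr"], strict=False).prefixlen != 0:
            continue  # source is narrower than the whole internet
        low, high = parse_ports(rule["ports"])
        severity = "high" if high - low + 1 > WIDE_RANGE else "medium"
        findings.append((severity, f"ingress {rule['ip_protocol']} {low}-{high} "
                                   f"open to {rule['cidr']}"))
    if manifest.get("cdn") and not dig(
            manifest, "http", "public", "security_groups", "ingress",
            "restrict_to", "cdn"):
        findings.append(("medium", "cdn enabled but public ALB ingress is "
                                   "not restricted to the distribution"))
    if not dig(manifest, "http", "public", "access_logs"):
        findings.append(("low", "http.public.access_logs is not enabled"))
    return findings


# Constructed input: the snippets from the notes above merged into one manifest.
PAGE_EXAMPLE = {
    "cdn": True,
    "network": {"vpc": {"security_group": {
        "ingress": [{"ip_protocol": "tcp", "ports": "0-65535", "cidr": "0.0.0.0/0"}],
        "egress": [{"ip_protocol": "tcp", "ports": 80, "cidr": "0.0.0.0/0"}],
    }}},
}

# Constructed input: same fields, narrower values (CIDR and port are placeholders).
HARDENED = {
    "cdn": True,
    "network": {"vpc": {"security_group": {
        "ingress": [{"ip_protocol": "tcp", "ports": 443, "cidr": "10.0.0.0/16"}],
    }}},
    "http": {"public": {
        "access_logs": True,
        "security_groups": {"ingress": {"restrict_to": {"cdn": True}}},
    }},
}

if __name__ == "__main__":
    for name, m in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(name, audit_env_manifest(m))
```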

🐛 Bug Fixes

  • Network load balanced services can target sidecar ports (#3819)
  • The Environment Manager Role works for partitions besides the AWS public one (#3845)

❤️ Contributions

Thank you, contributors!

copilot-cli: Release v1.20.0

19 Jul 15:55
39a6f80

⚡️ Features and Enhancements

  • Brand-New Env Manifests Allow You to Configure and Modify your Environments (#3522)

    Update environments even after they're deployed, rather than deleting and recreating them! Environment manifests enable modeling and provisioning environments with infrastructure as code.
    Please note that env init no longer automatically deploys an environment and instead generates a manifest file.

     $ cat copilot/environments/prod/manifest.yml
     # The manifest for the "prod" environment.
     # Read the full specification for the "Environment" type at:
     #  https://aws.github.io/copilot-cli/docs/manifest/environment/
    
     # Your environment name will be used in naming your resources like VPC, cluster, etc.
     name: prod
     type: Environment
    
     # Import your own VPC and subnets or configure how they should be created.
     # network:
     #   vpc:
     #     id:
    
     # Configure the load balancers in your environment, once created.
     # http:
     #   public:
     #   private:
    
     # Configure observability for your environment resources.
     observability:
       container_insights: false

    For a detailed explanation and walkthrough, see blog post.

  • A New Type of Pipeline to Manage Environment Deployment (#3751)

    Enjoy continuous delivery of environments by setting up an environment pipeline. Follow the same steps (pipeline init and pipeline deploy) that you've been using to create pipelines for services and jobs. A pipeline manifest and buildspec will be created, which you may configure and push to your source repository between the two commands.
    See blog post for more.

  • --manifest flags for svc show and env show (#3715 & #3597)

    The --manifest flag helps you generate manifest files for your existing environments, for smooth integration into Copilot's new env manifest functionality.

     $ mkdir -p copilot/environments/prod
     $ copilot env show -n prod --manifest > copilot/environments/prod/manifest.yml

    The flag also makes it easy to init new services and envs that are similar to your existing ones (that have been deployed since v1.20.0).

     $ mkdir -p copilot/second-svc
     $ copilot svc show -n first-svc --manifest env-name > copilot/second-svc/manifest.yml
     # Change the value of the `name:` field in the manifest from `first-svc` to `second-svc`
     $ copilot svc init -n second-svc

  • Configuration of Autoscaling Cooldown Periods Allowed (#3629, #3644, #3667)

    For Load Balanced, Backend, and Worker Services, configure their autoscaling fields under count to have custom cooldown periods.
    Previously, each scaling metric such as cpu_percentage had a fixed "in" cooldown of 120 seconds and "out" cooldown of 60 seconds.
    For a detailed explanation and walkthrough, see blog post. For the specifications, see documentation.

  • New copilot env package command (#3731)

    Like the existing svc package command, this new command prints the CloudFormation stack template and configuration used to deploy your environment. You may optionally write the output to a directory or upload assets like container images and Lambda functions. Asset locations are automatically plugged into the template!

  • copilot job run (#3692)

    When you set up a scheduled job, sometimes you want to give it a test run to ensure that it works as expected, or you want to force a one-off run of your job. Now you can!

  • Denial of Default Security Group Ingress Allowed (#3682)

    Indicate in your workload manifest that you don't want to allow ingress of Copilot's default EnvironmentSecurityGroup. Find out how here!

  • You Can Now Add Permissions to Pipeline Build Role (#3709)

    By adding policies to your build role via your pipeline manifest, you'll enjoy greatly increased flexibility. Access Secrets Manager to avoid the Docker Hub pull rate limit, grab parameters from Systems Manager, pull objects down from an S3 bucket, and more!

  • Surface Exit Codes for task run (#3620)

    Copilot now forwards non-zero exit codes when tasks launched by the copilot task run --follow command fail.

  • Predictable Alias for Backend Services (#3668)

    For a backend service with an internal ALB, Copilot will create a hosted zone [env].[app].internal and insert an A record [svc].[env].[app].internal into the hosted zone that points to the internal ALB.

🐛 Bug Fixes

  • Fix Quoting of Env Vars and Secrets in task run --generate-cmd (#3702)
  • Allow Wildcard Character (*) in Aliases (#3739)
  • Don't Require Availability Zones When the VPC is Adjusted (#3745)
  • Don't Require Docker Engine for svc init When Bringing a Built Image (#3671)
  • Don't Require port Specification for Sidecar Config to Render Properly (#3666)

❤️ Contributions

Thank you, contributors!

copilot-cli: Release v1.19.0

13 Jun 19:59
33ee39e
Compare
Choose a tag to compare

⚡️ Features and enhancements

  • Support creating an Internal Application Load Balancer in front of "Backend Services" (#3538)

    You can now enable the http field for Backend Services.
    When http is specified, an internal load balancer is provisioned in your environment stack that gets shared across all your backend services.

    name: api
    type: Backend Service
    http:
      path: '/'

    For a detailed explanation and walkthrough, see blog post. For the specification, see documentation.

  • Support specifying subnet IDs for placing a service (#3592)

    You can now use the new field subnets under vpc.placement to explicitly specify subnet IDs:

     network:
       vpc:
         placement:
           subnets: ['subnet-1EXAMPLE', 'subnet-2EXAMPLE']

  • Add a new hosted_zone field under alias to automatically add A-records (#3608, #3643)

    You no longer have to manage the A-record for environments with imported certificates outside of Copilot. You can now specify:

    http:
      alias:
      - name: example.com
        hosted_zone: 'Z111111QQQQQQQ'

  • Export the private route table IDs so that clients can write VPC Endpoint addons/ templates (#3611)

  • Add http.healthcheck.port field to configure the port used for health checks (#3548)

🐛 Bug Fixes

  • Preserve tags applied by app init --resource-tags when services are deleted from the application (#3582)
  • Fix regression with enabling autoscaling fields for Load Balanced Web Services with only nlb (#3578)
  • Enable copilot svc exec for Fargate Windows tasks (#3566)

❤️ Contributions

Thank you, contributors!

copilot-cli: Release v1.18.1

13 May 00:47
61a05a6

🐛 Bug Fix

  • Allow the EnvManagerRole to upload resources to S3, enabling cross-account env upgrade (#3562 & #3567)

    With v1.18, deployments to environments in accounts different from your application's resulted in an error, due to missing S3 permissions.
    With this fix, the EnvironmentManagerRole is now granted the permissions necessary to upload objects to your application's S3 bucket, allowing environment templates to be updated.

copilot-cli: Release v1.18.0

09 May 15:41
762e6cb

⚡️ Features and enhancements

  • Allow importing existing ACM certificates to your public load balancer while initializing an environment (#3503)

    Use the copilot env init --import-cert-arns flag to import validated ACM certificates if you have domains managed outside of Route 53, or want to enable HTTPS without having a domain associated with your application.
    For a detailed walkthrough, see blog post. For the new flag description, see documentation.

  • Control the order of services or jobs deployed in a pipeline (#3497)

    You can now create dependencies between workloads deployed in a pipeline with the new deployments field in pipeline manifests.
    Furthermore, the deployments field now allows you to specify deploying any custom CloudFormation stack.
    For a detailed walkthrough, see blog post. For the specification, see documentation.

  • Add observability configuration to Load Balanced Web, Backend, and Worker services (#3451, #3481)

    Similar to Request-Driven Web services, now you can specify tracing: awsxray for your ECS services to deploy them with an AWS Distro for OpenTelemetry Collector sidecar.
    For a detailed walkthrough, see blog post. For the specification, see documentation.

  • Add 'recreate' option to rolling deployments for faster deployment cycles in development environments (#3461)

    Under the hood, Copilot sets minimumHealthyPercent and maximumPercent to 0 and 100 respectively (defaults are 100 and 200), so that old tasks are stopped before spinning up any new tasks.
    To learn more, see blog post. For the specification, see documentation.

🐛 Bug Fixes

  • Upload addon templates generated in the build stage of a pipeline with the bucket-owner-full-control ACL (#3485)

    Addon templates that can be shared by multiple environments previously received an AccessDenied error.
    Updating the copilot version in your buildspec to v1.18 should now fix this issue.

  • Wrap key-value pairs generated by copilot task run --generate-cmd with quotation marks (#3514)
  • Use the '/' path separator while generating the pipeline buildspec even on Windows (#3532)

❤️ Contributions

Thank you, contributors!

copilot-cli: Release v1.17.0

12 Apr 16:02
1fdcfc0

⚡️ Features and enhancements

  • Support tracing for Request-Driven Web Services (#3440)

    You can now update the manifest file for Request-Driven Web Services to use AWS X-Ray with your instrumented AWS App Runner workloads for end-to-end analysis, debugging, and diagnosis:

    # Enable tracing for the service.
    observability:
      tracing: awsxray

  • Allow disabling of Scheduled Jobs (#3447)

    Easily toggle your Scheduled Job off by setting your schedule to "none" in your manifest, disabling the event rule.

    on:
      schedule: "none"

  • Increase visibility of progress trackers (#3430 & #3432)

    With more resources surfaced, you have a finer-grained look at which resources Copilot is handling under the hood.

🐛 Bug Fixes

  • Remove color formatting of suggested pipeline names (#3437)

    This allows default pipeline names to pass validation consistently.

❤️ Contributions

Thank you, contributors!

copilot-cli: Release v1.16.0

06 Apr 16:41
5002f11

⚡️ Features and enhancements

  • Support multiple pipelines in a git repository (#3231)

    You can now run copilot pipeline init to create multiple CodePipelines that track separate branches in your repository.
    To learn more, see docs.

  • Add support for SNS subscription filter policies (#3338)

    Worker services can now filter SNS messages for each subscribed topic using the filter_policy field.
    To learn more, see docs.

  • Add a --no-rollback flag to the deploy commands to disable automatic stack rollback in case of a deployment failure (#3341)

  • Add a --upload-assets flag to the package commands to push assets to ECR or S3 before generating CloudFormation templates (#3268)

    Your pipeline buildspec can now be significantly simplified with this flag. If you'd like to regenerate the buildspec, delete the file and run copilot pipeline init again.

  • Allow additional security groups when running task run in an environment (#3365)

  • app show now displays the deployed environments for services and jobs in a table format (#3379)

  • env show now displays the deployed jobs in a table format (#3316)

  • Make Docker progress updates quiet when the environment variable CI=true (#3345)

  • Log warning when deploying an App Runner service in a region where it's not available yet (#3326)

  • Customize buildspec path in the pipeline manifest with build.buildspec (#3403)

🐛 Bug Fixes

  • Assuming a role with MFA enabled now prompts for a token code instead of erroring (#3331)
  • Environment overrides for the network field in service manifests no longer override base value (#3352)
  • The range field uses the FARGATE_SPOT capacity provider only when spot_from is provided (#3367)
  • Public subnets with an implicit internet gateway association are now detected when running env init (#3269)
  • Secrets can now be accessed by ephemeral tasks created with task run, either with the copilot-application and copilot-environment tags, or with the --acknowledge-secrets-access flag (#3256)
  • copilot svc logs --follow used to truncate to 10 logs per task; now all logs are streamed (#3258)

❤️ Contributions

Thank you, contributors!

copilot-cli: Release v1.15.0

08 Feb 18:48
62c9781

⚡️ Features and enhancements

  • Support connecting to a VPC for Request-Driven Web Services (AWS App Runner) (#3195)

    You can now connect to your environment's VPC by updating your manifest file with:

    network:
      vpc:
        placement: 'private'

    Once your App Runner service is connected to the VPC, you can then use existing features such as service discovery to connect to Backend Services or connect to an Amazon Aurora database with copilot storage init.
    For more details, see documentation.

  • Allow injecting AWS Secrets Manager secrets using secret names instead of ARNs (#3223)

    Previously, you could specify AWS Secrets Manager secrets only by their full ARN. You can now inject secrets using their names to keep your manifest files succinct:

     secrets:
       DB:
          secretsmanager: 'demo/test/mysql'
       # You can refer to a specific key in the JSON blob.
       DB_PASSWORD:
          secretsmanager: 'demo/test/mysql:password::'

    For more details, see documentation.

  • Respect the AWS_CONFIG_FILE environment variable to read the config file for your profiles (#3232)

❤️ Contributions

Thank you, contributors!