Environment

List of all available properties for an 'Environment' manifest.
To learn more about Copilot environments, see Environments concept page.

Sample environment manifests
name: prod
type: Environment
observability:
  container_insights: true

name: imported
type: Environment
network:
  vpc:
    id: 'vpc-12345'
    subnets:
      public:
        - id: 'subnet-11111'
        - id: 'subnet-22222'
      private:
        - id: 'subnet-33333'
        - id: 'subnet-44444'

name: qa
type: Environment
network:
  vpc:
    cidr: '10.0.0.0/16'
    subnets:
      public:
        - cidr: '10.0.0.0/24'
          az: 'us-east-2a'
        - cidr: '10.0.1.0/24'
          az: 'us-east-2b'
      private:
        - cidr: '10.0.3.0/24'
          az: 'us-east-2a'
        - cidr: '10.0.4.0/24'
          az: 'us-east-2b'

name: prod-pdx
type: Environment
http:
  public: # Apply an existing certificate to your public load balancer.
    certificates:
      - arn:aws:acm:${AWS_REGION}:${AWS_ACCOUNT_ID}:certificate/13245665-cv8f-adf3-j7gd-adf876af95

name: onprem
type: Environment
network:
  vpc:
    id: 'vpc-12345'
    subnets:
      private:
        - id: 'subnet-11111'
        - id: 'subnet-22222'
        - id: 'subnet-33333'
        - id: 'subnet-44444'
http:
  private: # Apply an existing certificate to your private load balancer.
    certificates:
      - arn:aws:acm:${AWS_REGION}:${AWS_ACCOUNT_ID}:certificate/13245665-cv8f-adf3-j7gd-adf876af95
    subnets: ['subnet-11111', 'subnet-22222']

name: cloudfront
type: Environment
cdn: true
http:
  public:
    ingress:
      cdn: true

name String
The name of your environment.

type String
Must be set to 'Environment'.

network Map
The network section contains parameters for importing an existing VPC or configuring the Copilot-generated VPC.

network.vpc Map
The vpc section contains parameters to configure CIDR settings and subnets.

network.vpc.id String
The ID of the VPC to import. This field is mutually exclusive with cidr.

network.vpc.cidr String
An IPv4 CIDR block to associate with the Copilot-generated VPC. This field is mutually exclusive with id.

network.vpc.subnets Map
Configure public and private subnets in a VPC.

For example, if you're importing an existing VPC:

network:
  vpc:
    id: 'vpc-12345'
    subnets:
      public:
        - id: 'subnet-11111'
        - id: 'subnet-22222'

Alternatively, if you're configuring a Copilot-generated VPC:

network:
  vpc:
    cidr: '10.0.0.0/16'
    subnets:
      public:
        - cidr: '10.0.0.0/24'
          az: 'us-east-2a'
        - cidr: '10.0.1.0/24'
          az: 'us-east-2b'

network.vpc.subnets.public Array of Subnets
A list of public subnet configurations.

network.vpc.subnets.private Array of Subnets
A list of private subnet configurations.

network.vpc.subnets.<type>.id String
The ID of the subnet to import. This field is mutually exclusive with cidr and az.

network.vpc.subnets.<type>.cidr String
An IPv4 CIDR block assigned to the subnet. This field is mutually exclusive with id.

network.vpc.subnets.<type>.az String
The Availability Zone name assigned to the subnet. The az field is optional; by default, Availability Zones are assigned in alphabetical order. This field is mutually exclusive with id.

network.vpc.security_group Map
Rules for the environment's security group.

network:
  vpc:
    security_group:
      ingress:
        - ip_protocol: tcp
          ports: 80
          cidr: 0.0.0.0/0

network.vpc.security_group.ingress Array of Security Group Rules
A list of inbound security group rules.

network.vpc.security_group.egress Array of Security Group Rules
A list of outbound security group rules.

network.vpc.security_group.<type>.ip_protocol String
The IP protocol name or number.

network.vpc.security_group.<type>.ports String or Integer
The port range or number for the security group rule.

ports: 0-65535

or

ports: 80

network.vpc.security_group.<type>.cidr String
The IPv4 address range, in CIDR format.

network.vpc.flow_logs Boolean or Map
If you specify 'true', Copilot will enable VPC flow logs to capture information about the IP traffic going in and out of the environment VPC. The default retention period for VPC flow logs is 14 days (2 weeks).

network:
  vpc:
    flow_logs: on

You can customize the number of days for retention:

network:
  vpc:
    flow_logs:
      retention: 30

network.vpc.flow_logs.retention String
The number of days to retain the log events. See this page for all accepted values.

cdn Boolean or Map
The cdn section contains parameters related to integrating your service with a CloudFront distribution. To enable the CloudFront distribution, specify cdn: true.

cdn.certificate String
A certificate by which to enable HTTPS traffic on a CloudFront distribution. CloudFront requires imported certificates to be in the us-east-1 region. For example:

cdn:
  certificate: "arn:aws:acm:us-east-1:1234567890:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"

cdn.static_assets Map
Optional. Configuration for static assets associated with CloudFront.

cdn.static_assets.alias String
Additional HTTPS domain alias to use for static assets.

cdn.static_assets.location String
DNS domain name of the S3 bucket (for example, EXAMPLE-BUCKET.s3.us-west-2.amazonaws.com).

cdn.static_assets.path String
The path pattern (for example, static/*) that specifies which requests should be forwarded to the S3 bucket.

cdn.terminate_tls Boolean
Enable TLS termination for CloudFront.

http Map
The http section contains parameters to configure the public load balancer shared by Load Balanced Web Services and the internal load balancer shared by Backend Services.

http.public Map
Configuration for the public load balancer.

http.public.certificates Array of Strings
List of public AWS Certificate Manager certificate ARNs.
By attaching public certificates to your load balancer, you can associate your Load Balanced Web Services with a domain name and reach them with HTTPS. See the Developing/Domains guide to learn more about how to redeploy services using http.alias.

http.public.access_logs Boolean or Map
Enable Elastic Load Balancing access logs.
If you specify true, Copilot will create an S3 bucket where the Public Load Balancer will store access logs.

http:
  public:
    access_logs: true

You can customize the log prefix:

http:
  public:
    access_logs:
      prefix: access-logs

It is also possible to use your own S3 bucket instead of letting Copilot create one for you:

http:
  public:
    access_logs:
      bucket_name: my-bucket
      prefix: access-logs

http.public.access_logs.bucket_name String
The name of an existing S3 bucket in which to store the access logs.

http.public.access_logs.prefix String
The prefix for the log objects.

http.public.ssl_policy String
Optional. Specify an SSL policy for the HTTPS listener of your Public Load Balancer, when applicable.

http.public.ingress Map (Modified in v1.23.0)
Ingress rules to restrict the Public Load Balancer's traffic.

http:
  public:
    ingress:
      cdn: true

"http.public.ingress" was previously "http.public.security_groups.ingress"

This field was http.public.security_groups.ingress until v1.23.0. This change cascaded to a child field cdn (the only child field at the time), which was previously http.public.security_groups.ingress.restrict_to.cdn. For more, see the blog post for v1.23.0.

http.public.ingress.cdn Boolean (Modified in v1.23.0)
Restrict ingress traffic for the public load balancer to come from a CloudFront distribution.

http.public.ingress.source_ips Array of Strings
Restrict public load balancer ingress traffic to source IPs.

http:
  public:
    ingress:
      source_ips: ["192.0.2.0/24", "198.51.100.10/32"]  

http.private Map
Configuration for the internal load balancer.

http.private.certificates Array of Strings
List of AWS Certificate Manager certificate ARNs.
By attaching public or private certificates to your load balancer, you can associate your Backend Services with a domain name and reach them with HTTPS. See the Developing/Domains guide to learn more about how to redeploy services using http.alias.

http.private.subnets Array of Strings
The subnet IDs to place the internal load balancer in.

http.private.ingress Map (Modified in v1.23.0)
Ingress rules to allow for the internal load balancer.

http:
  private:
    ingress:
      vpc: true  # Enable incoming traffic within the VPC to the internal load balancer.

"http.private.ingress" was previously "http.private.security_groups.ingress"

This field was http.private.security_groups.ingress until v1.23.0. This change cascaded to a child field vpc (the only child field at the time), which was previously http.private.security_groups.ingress.from_vpc. For more, see the blog post for v1.23.0.

http.private.ingress.vpc Boolean (Modified in v1.23.0)
Enable traffic from within the VPC to the internal load balancer.

http.private.ssl_policy String
Optional. Specify an SSL policy for the HTTPS listener of your Internal Load Balancer, when applicable.

observability Map
The observability section lets you configure ways to collect data about the services and jobs deployed in your environment.

observability.container_insights Bool
Whether to enable CloudWatch container insights in your environment's ECS cluster.
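
The following Python check is an added example, not part of Copilot or its documentation. It audits a manifest that has already been parsed into a dict and reports violations of the mutual-exclusivity rules documented for network.vpc and its subnets; the logging and ingress checks encode an assumed team policy, and `audit_environment` and both sample manifests are hypothetical.

```python
def audit_environment(manifest):
    """Audit a parsed environment manifest (a dict from any YAML loader)."""
    findings = []
    vpc = (manifest.get("network") or {}).get("vpc") or {}
    public_lb = (manifest.get("http") or {}).get("public") or {}

    # Documented rule: network.vpc.id and network.vpc.cidr are mutually exclusive.
    if "id" in vpc and "cidr" in vpc:
        findings.append("network.vpc: id and cidr are mutually exclusive")

    # Documented rule: a subnet's id is mutually exclusive with cidr and az.
    for kind in ("public", "private"):
        for i, subnet in enumerate((vpc.get("subnets") or {}).get(kind) or []):
            if "id" in subnet and ("cidr" in subnet or "az" in subnet):
                findings.append(f"subnets.{kind}[{i}]: id set together with cidr/az")

    # Assumed policy: inbound rules open to every IPv4 address need review.
    rules = (vpc.get("security_group") or {}).get("ingress") or []
    for i, rule in enumerate(rules):
        if rule.get("cidr") == "0.0.0.0/0":
            findings.append(f"security_group.ingress[{i}]: ports {rule.get('ports')} open to 0.0.0.0/0")

    # Assumed policy: VPC flow logs and load balancer access logs must be enabled.
    if not vpc.get("flow_logs"):
        findings.append("network.vpc.flow_logs is not enabled")
    if not public_lb.get("access_logs"):
        findings.append("http.public.access_logs is not enabled")

    # Assumed policy: public ingress is limited to CloudFront or to source IPs.
    ingress = public_lb.get("ingress") or {}
    if not ingress.get("cdn") and not ingress.get("source_ips"):
        findings.append("http.public.ingress: neither cdn nor source_ips is set")
    return findings


# Constructed sample manifests, written as the dicts a YAML loader would return.
WEAK = {"name": "qa", "type": "Environment", "network": {"vpc": {
    "id": "vpc-12345", "cidr": "10.0.0.0/16",
    "subnets": {"public": [{"id": "subnet-11111", "az": "us-east-2a"}]},
    "security_group": {"ingress": [{"ip_protocol": "tcp", "ports": 80, "cidr": "0.0.0.0/0"}]},
}}}
HARDENED = {"name": "prod", "type": "Environment", "network": {"vpc": {
    "cidr": "10.0.0.0/16", "flow_logs": {"retention": 30},
    "subnets": {"public": [{"cidr": "10.0.0.0/24", "az": "us-east-2a"}]},
}}, "http": {"public": {"access_logs": True, "ingress": {"source_ips": ["192.0.2.0/24"]}}}}

if __name__ == "__main__":
    for finding in audit_environment(WEAK):
        print(finding)
```

A YAML 1.1 loader such as PyYAML reads `flow_logs: on` as boolean true, so the flow-log check accepts that form as well as the map with `retention`.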