Environment

List of all available properties for an 'Environment' manifest.
To learn more about Copilot environments, see the Environments concept page.

Sample environment manifests
name: prod
type: Environment
observability:
  container_insights: true

name: imported
type: Environment
network:
  vpc:
    id: 'vpc-12345'
    subnets:
      public:
        - id: 'subnet-11111'
        - id: 'subnet-22222'
      private:
        - id: 'subnet-33333'
        - id: 'subnet-44444'

name: qa
type: Environment
network:
  vpc:
    cidr: '10.0.0.0/16'
    subnets:
      public:
        - cidr: '10.0.0.0/24'
          az: 'us-east-2a'
        - cidr: '10.0.1.0/24'
          az: 'us-east-2b'
      private:
        - cidr: '10.0.3.0/24'
          az: 'us-east-2a'
        - cidr: '10.0.4.0/24'
          az: 'us-east-2b'

name: prod-pdx
type: Environment
http:
  public: # Apply an existing certificate to your public load balancer.
    certificates:
      - arn:aws:acm:${AWS_REGION}:${AWS_ACCOUNT_ID}:certificate/13245665-cv8f-adf3-j7gd-adf876af95

name: onprem
type: Environment
network:
  vpc:
    id: 'vpc-12345'
    subnets:
      private:
        - id: 'subnet-11111'
        - id: 'subnet-22222'
        - id: 'subnet-33333'
        - id: 'subnet-44444'
http:
  private: # Apply an existing certificate to your private load balancer.
    certificates:
      - arn:aws:acm:${AWS_REGION}:${AWS_ACCOUNT_ID}:certificate/13245665-cv8f-adf3-j7gd-adf876af95
    subnets: ['subnet-11111', 'subnet-22222']

name: cloudfront
type: Environment
cdn: true
http:
  public:
    security_groups:
      ingress:
        restrict_to:
          cdn: true

name String
The name of your environment.

type String
Must be set to 'Environment'.

network Map
The network section contains parameters for importing an existing VPC or configuring the Copilot-generated VPC.

network.vpc Map
The vpc section contains parameters to configure CIDR settings and subnets.

network.vpc.id String
The ID of the VPC to import. This field is mutually exclusive with cidr.

network.vpc.cidr String
An IPv4 CIDR block to associate with the Copilot-generated VPC. This field is mutually exclusive with id.

network.vpc.subnets Map
Configure public and private subnets in a VPC.

For example, if you're importing an existing VPC:

network:
  vpc:
    id: 'vpc-12345'
    subnets:
      public:
        - id: 'subnet-11111'
        - id: 'subnet-22222'

Alternatively, if you're configuring a Copilot-generated VPC:

network:
  vpc:
    cidr: '10.0.0.0/16'
    subnets:
      public:
        - cidr: '10.0.0.0/24'
          az: 'us-east-2a'
        - cidr: '10.0.1.0/24'
          az: 'us-east-2b'

network.vpc.subnets.public Array of Subnets
A list of public subnets configuration.

network.vpc.subnets.private Array of Subnets
A list of private subnets configuration.

network.vpc.subnets.<type>.id String
The ID of the subnet to import. This field is mutually exclusive with cidr and az.

network.vpc.subnets.<type>.cidr String
An IPv4 CIDR block assigned to the subnet. This field is mutually exclusive with id.

network.vpc.subnets.<type>.az String
The Availability Zone name assigned to the subnet. The az field is optional; by default, Availability Zones are assigned in alphabetical order. This field is mutually exclusive with id.

network.vpc.security_group Map
Rules for the environment's security group.

network:
  vpc:
    security_group:
      ingress:
        - ip_protocol: tcp
          ports: 80
          cidr: 0.0.0.0/0

network.vpc.security_group.ingress Array of Security Group Rules
A list of inbound security group rules.

network.vpc.security_group.egress Array of Security Group Rules
A list of outbound security group rules.

network.vpc.security_group.<type>.ip_protocol String
The IP protocol name or number.

network.vpc.security_group.<type>.ports String or Integer
The port range or number for the security group rule.

ports: 0-65535

or

ports: 80

network.vpc.security_group.<type>.cidr String
The IPv4 address range, in CIDR format.
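
The mutual-exclusion rules and security group fields above can be checked before an environment is deployed. The following is an added example, not part of the Copilot documentation or code base: a hypothetical `lint_network` helper that takes the manifest as an already-parsed dict (for instance from PyYAML's `yaml.safe_load`) and, as an assumption beyond this page, also checks that generated subnet ranges fall inside the VPC range.

```python
import ipaddress

def lint_network(manifest):
    """Return findings for the network.vpc section of a parsed manifest."""
    findings = []
    vpc = (manifest.get("network") or {}).get("vpc") or {}
    # network.vpc.id and network.vpc.cidr are mutually exclusive.
    if "id" in vpc and "cidr" in vpc:
        findings.append("network.vpc: id and cidr are mutually exclusive")
    vpc_net = ipaddress.ip_network(vpc["cidr"]) if "cidr" in vpc else None
    for kind in ("public", "private"):
        for i, subnet in enumerate((vpc.get("subnets") or {}).get(kind) or []):
            where = f"network.vpc.subnets.{kind}[{i}]"
            # A subnet is either imported (id) or generated (cidr, optional az).
            if "id" in subnet and ("cidr" in subnet or "az" in subnet):
                findings.append(f"{where}: id is mutually exclusive with cidr and az")
            # Assumption beyond the page: a subnet range must lie inside the VPC range.
            if vpc_net and "cidr" in subnet:
                if not ipaddress.ip_network(subnet["cidr"]).subnet_of(vpc_net):
                    findings.append(f"{where}: {subnet['cidr']} is outside {vpc['cidr']}")
    # Report inbound rules whose source range covers every IPv4 address.
    ingress = (vpc.get("security_group") or {}).get("ingress") or []
    for i, rule in enumerate(ingress):
        if ipaddress.ip_network(rule["cidr"]).prefixlen == 0:
            findings.append(f"network.vpc.security_group.ingress[{i}]: "
                            f"{rule['ip_protocol']}/{rule['ports']} is open to {rule['cidr']}")
    return findings

# Constructed sample (not from the page): a parsed manifest with deliberate mistakes.
SAMPLE = {
    "name": "qa", "type": "Environment",
    "network": {"vpc": {
        "id": "vpc-12345",
        "cidr": "10.0.0.0/16",
        "subnets": {
            "public": [{"cidr": "10.0.0.0/24", "az": "us-east-2a"},
                       {"id": "subnet-22222", "az": "us-east-2b"}],
            "private": [{"cidr": "10.1.3.0/24"}],
        },
        "security_group": {"ingress": [
            {"ip_protocol": "tcp", "ports": 80, "cidr": "0.0.0.0/0"},
            {"ip_protocol": "tcp", "ports": "8080-8090", "cidr": "10.0.0.0/16"},
        ]},
    }},
}

if __name__ == "__main__":
    for finding in lint_network(SAMPLE):
        print(finding)
```
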

cdn Boolean or Map
The cdn section contains parameters related to integrating your service with a CloudFront distribution. To enable the CloudFront distribution, specify cdn: true.

cdn.certificate String
A certificate by which to enable HTTPS traffic on a CloudFront distribution. CloudFront requires imported certificates to be in the us-east-1 region. For example:

cdn:
  certificate: "arn:aws:acm:us-east-1:1234567890:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"

cdn.tls_termination Boolean
Enable TLS termination for CloudFront.

http Map
The http section contains parameters to configure the public load balancer shared by Load Balanced Web Services and the internal load balancer shared by Backend Services.

http.public Map
Configuration for the public load balancer.

http.public.certificates Array of Strings
List of public AWS Certificate Manager certificate ARNs.
By attaching public certificates to your load balancer, you can associate your Load Balanced Web Services with a domain name and reach them with HTTPS. See the Developing/Domains guide to learn more about how to redeploy services using http.alias.

http.public.access_logs Boolean or Map
Enable Elastic Load Balancing access logs.
If you specify true, Copilot will create an S3 bucket where the Public Load Balancer will store access logs.

http:
  public:
    access_logs: true

You can customize the log prefix:

http:
  public:
    access_logs:
      prefix: access-logs

It is also possible to use your own S3 bucket instead of letting Copilot create one for you:

http:
  public:
    access_logs:
      bucket_name: my-bucket
      prefix: access-logs

http.public.access_logs.bucket_name String
The name of an existing S3 bucket in which to store the access logs.

http.public.access_logs.prefix String
The prefix for the log objects.

http.public.security_groups Map
Configure security groups to add to the public load balancer.

http.public.security_groups.ingress Map
Ingress rules to allow for the public load balancer.

http:
  public:
    security_groups:
      ingress:
        restrict_to:
          cdn: true

http.public.security_groups.ingress.restrict_to Map
Ingress rules to restrict the Public Load Balancer's traffic.

http.public.security_groups.ingress.restrict_to.cdn Boolean
Restrict ingress traffic for the public load balancer to come from a CloudFront distribution.
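
The cdn and http.public settings interact: a CloudFront distribution in front of a load balancer that still accepts traffic from anywhere can be bypassed, and a load balancer without access logs leaves no request record to review. The following is an added example, not part of the Copilot documentation or code base: a hypothetical `lint_edge` helper over an already-parsed manifest dict, which assumes that a non-empty map for a Boolean-or-Map field counts as enabled.

```python
def _enabled(value):
    """Boolean-or-Map fields count as enabled when true or a non-empty map (assumption)."""
    return value is True or (isinstance(value, dict) and bool(value))

def lint_edge(manifest):
    """Return findings for the cdn and http.public sections of a parsed manifest."""
    findings = []
    cdn = manifest.get("cdn")
    public = (manifest.get("http") or {}).get("public") or {}

    if _enabled(cdn):
        # With a CDN in front, the load balancer should only accept CloudFront traffic.
        ingress = (public.get("security_groups") or {}).get("ingress") or {}
        if (ingress.get("restrict_to") or {}).get("cdn") is not True:
            findings.append("cdn is enabled but http.public.security_groups."
                            "ingress.restrict_to.cdn is not true")
        # CloudFront requires imported certificates to be in us-east-1.
        cert = cdn.get("certificate") if isinstance(cdn, dict) else None
        if cert:
            parts = cert.split(":")  # arn:aws:acm:<region>:<account>:certificate/<id>
            region = parts[3] if len(parts) > 3 else ""
            if region != "us-east-1":
                findings.append(
                    f"cdn.certificate is in {region or 'an unknown region'}, not us-east-1")

    # Access logs are the request record an investigation of the load balancer relies on.
    if not _enabled(public.get("access_logs")):
        findings.append("http.public.access_logs is not enabled")
    return findings

# Constructed sample (not from the page); the ARN is a placeholder, not a real certificate.
SAMPLE = {
    "name": "cloudfront", "type": "Environment",
    "cdn": {"certificate": "arn:aws:acm:us-west-2:111111111111:certificate/EXAMPLE"},
    "http": {"public": {"access_logs": {"prefix": "access-logs"}}},
}

if __name__ == "__main__":
    for finding in lint_edge(SAMPLE):
        print(finding)
```
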

http.private Map
Configuration for the internal load balancer.

http.private.certificates Array of Strings
List of AWS Certificate Manager certificate ARNs.
By attaching public or private certificates to your load balancer, you can associate your Backend Services with a domain name and reach them with HTTPS. See the Developing/Domains guide to learn more about how to redeploy services using http.alias.

http.private.subnets Array of Strings
The subnet IDs to place the internal load balancer in.

http.private.security_groups Map
Configure security groups to add to the internal load balancer.

http.private.security_groups.ingress Map
Ingress rules to allow for the internal load balancer.

http:
  private:
    security_groups:
      ingress: # Enable incoming traffic within the VPC to the internal load balancer.
        from_vpc: true

http.private.security_groups.ingress.from_vpc Boolean
Enable traffic from within the VPC to the internal load balancer.

observability Map
The observability section lets you configure ways to collect data about the services and jobs deployed in your environment.

observability.container_insights Boolean
Whether to enable CloudWatch container insights in your environment's ECS cluster.