Load Balanced Web Service
List of all available properties for a 'Load Balanced Web Service' manifest. To learn about Copilot services, see the Services concept page.
Sample internet-facing service manifests
name: 'frontend'
type: 'Load Balanced Web Service'
image:
build: './frontend/Dockerfile'
port: 8080
http:
path: '/'
healthcheck: '/_healthcheck'
cpu: 256
memory: 512
count: 3
exec: true
variables:
LOG_LEVEL: info
secrets:
GITHUB_TOKEN: GITHUB_TOKEN
DB_SECRET:
secretsmanager: '${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/mysql'
name: 'frontend'
type: 'Load Balanced Web Service'
image:
build: './frontend/Dockerfile'
port: 8080
http:
path: '/'
alias: 'example.com'
environments:
qa:
http:
alias: # The "qa" environment imported a certificate.
- name: 'qa.example.com'
hosted_zone: Z0873220N255IR3MTNR4
# For example, we might want to warm up our Java service before accepting external traffic.
name: 'frontend'
type: 'Load Balanced Web Service'
image:
build:
dockerfile: './frontend/Dockerfile'
context: './frontend'
port: 80
http:
path: '/'
healthcheck:
path: '/_deephealthcheck'
port: 8080
success_codes: '200,301'
healthy_threshold: 4
unhealthy_threshold: 2
interval: 15s
timeout: 10s
grace_period: 2m
deregistration_delay: 50s
stickiness: true
allowed_source_ips: ["10.24.34.0/23"]
cpu: 2048
memory: 4096
count: 3
storage:
ephemeral: 100
network:
vpc:
placement: 'private'
name: 'frontend'
type: 'Load Balanced Web Service'
http:
path: '/'
image:
location: aws_account_id.dkr.ecr.us-west-2.amazonaws.com/frontend:latest
port: 80
cpu: 512
memory: 1024
count:
range: 1-10
cooldown:
in: 60s
out: 30s
cpu_percentage: 70
requests: 30
response_time: 2s
# See https://aws.github.io/copilot-cli/docs/developing/publish-subscribe/
name: 'orders'
type: 'Load Balanced Web Service'
image:
build: Dockerfile
port: 80
http:
path: '/'
alias: 'orders.example.com'
variables:
DDB_TABLE_NAME: 'orders'
publish:
topics:
- name: 'products'
- name: 'orders'
fifo: true
name: 'frontend'
type: 'Load Balanced Web Service'
image:
build: Dockerfile
port: 8080
http: false
nlb:
alias: 'example.com'
port: 80/tcp
target_container: envoy
network:
vpc:
placement: 'private'
sidecars:
envoy:
port: 80
image: aws_account_id.dkr.ecr.us-west-2.amazonaws.com/envoy:latest
# See http://localhost:8000/copilot-cli/docs/developing/storage/#file-systems
name: 'frontend'
type: 'Load Balanced Web Service'
image:
build: Dockerfile
port: 80
depends_on:
bootstrap: success
http:
path: '/'
storage:
volumes:
wp:
path: /bitnami/wordpress
read_only: false
efs: true
# Hydrate the file system with some content using the bootstrap container.
sidecars:
bootstrap:
image: aws_account_id.dkr.ecr.us-west-2.amazonaws.com/bootstrap:v1.0.0
essential: false
mount_points:
- source_volume: wp
path: /bitnami/wordpress
read_only: false
name: 'frontend'
type: 'Load Balanced Web Service'
image:
build: Dockerfile
port: 8080
http:
alias: 'example.com'
path: '/'
healthcheck:
path: '/_health'
# The envoy container's port is 443 resulting in the protocol and health check protocol to be to "HTTPS"
# so that the load balancer establishes TLS connections with the Fargate tasks using certificates that you
# install on the envoy container. These certificates can be self-signed.
target_container: envoy
sidecars:
envoy:
port: 443
image: aws_account_id.dkr.ecr.us-west-2.amazonaws.com/envoy-proxy-with-selfsigned-certs:v1
network:
vpc:
placement: 'private'
name: 'frontend'
type: 'Load Balanced Web Service'
image:
build: './frontend/Dockerfile'
port: 8080
nlb:
port: 8080/tcp # Traffic on port 8080/tcp is forwarded to the main container, on port 8080.
additional_rules:
- port: 8084/tcp # Traffic on port 8084/tcp is forwarded to the main container, on port 8084.
- port: 8085/tcp # Traffic on port 8085/tcp is forwarded to the sidecar "envoy", on port 3000.
target_port: 3000
target_container: envoy
http:
path: '/'
target_port: 8083 # Traffic on "/" is forwarded to the main container, on port 8083.
additional_rules:
- path: 'customerdb'
target_port: 8081 # Traffic on "/customerdb" is forwarded to the main container, on port 8083.
- path: 'admin'
target_port: 8082 # Traffic on "/admin" is forwarded to the sidecar "envoy", on port 8082.
target_container: envoy
sidecars:
envoy:
port: 80
image: aws_account_id.dkr.ecr.us-west-2.amazonaws.com/envoy-proxy-with-selfsigned-certs:v1
name String
The name of your service.
type String
The architecture type for your service. A Load Balanced Web Service is an internet-facing service that's behind a load balancer, orchestrated by Amazon ECS on AWS Fargate.
http Boolean or Map
The http section contains parameters related to integrating your service with an Application Load Balancer.
To disable the Application Load Balancer, specify http: false. Note that for a Load-Balanced Web Service,
at least one of Application Load Balancer or Network Load Balancer must be enabled.
http.path String
Requests to this path will be forwarded to your service. Each listener rule should listen on a unique path.
http.healthcheck String or Map
If you specify a string, Copilot interprets it as the path exposed in your container to handle target group health check requests. The default is "/".
http:
healthcheck: '/'
http:
healthcheck:
path: '/'
port: 8080
success_codes: '200'
healthy_threshold: 3
unhealthy_threshold: 2
interval: 15s
timeout: 10s
grace_period: 60s
http.healthcheck.path String
The destination that the health check requests are sent to.
http.healthcheck.port Integer
The port that the health check requests are sent to. The default is image.port, or the port exposed by http.target_container, if set.
If the port exposed is 443, then the health check protocol is automatically set to HTTPS.
http.healthcheck.success_codes String
The HTTP status codes that healthy targets must use when responding to an HTTP health check. You can specify values between 200 and 499. You can specify multiple values (for example, "200,202") or a range of values (for example, "200-299"). The default is 200.
http.healthcheck.healthy_threshold Integer
The number of consecutive health check successes required before considering an unhealthy target healthy. The default is 5. Range: 2-10.
http.healthcheck.unhealthy_threshold Integer
The number of consecutive health check failures required before considering a target unhealthy. The default is 2. Range: 2-10.
http.healthcheck.interval Duration
The approximate amount of time, in seconds, between health checks of an individual target. The default is 30s. Range: 5s–300s.
http.healthcheck.timeout Duration
The amount of time, in seconds, during which no response from a target means a failed health check. The default is 5s. Range 5s-300s.
http.healthcheck.grace_period Duration
The amount of time to ignore failing target group healthchecks on container start. The default is 60s. This can be useful to fix deployment issues for containers which take a while to become healthy and begin listening for incoming connections, or to speed up deployment of containers guaranteed to start quickly.
http.deregistration_delay Duration
The amount of time to wait for targets to drain connections during deregistration. The default is 60s. Setting this to a larger value gives targets more time to gracefully drain connections, but increases the time required for new deployments. Range 0s-3600s.
http.target_container String
A sidecar container that requests are routed to instead of the main service container.
If the target container's port is set to 443, then the protocol is set to HTTPS so that the load balancer establishes
TLS connections with the Fargate tasks using certificates that you install on the target container.
http.target_port String
Optional. The container port that receives traffic. By default, this will be image.port if the target container is the main container,
or sidecars.<name>.port if the target container is a sidecar.
http.stickiness Boolean
Indicates whether sticky sessions are enabled.
http.allowed_source_ips Array of Strings
CIDR IP addresses permitted to access your service.
http:
allowed_source_ips: ["192.0.2.0/24", "198.51.100.10/32"]
http.alias String or Array of Strings or Array of Maps
HTTPS domain alias of your service.
# String version.
http:
alias: example.com
# Alternatively, as an array of strings.
http:
alias: ["example.com", "v1.example.com"]
# Alternatively, as an array of maps.
http:
alias:
- name: example.com
hosted_zone: Z0873220N255IR3MTNR4
- name: v1.example.com
hosted_zone: AN0THE9H05TED20NEID
hosted_zone StringID of your existing hosted zone; can only be used with
http.alias. If you have an environment with imported certificates, you can specify the hosted zone into which Copilot should insert the A record once the load balancer is created.
http:
alias: example.com
hosted_zone: Z0873220N255IR3MTNR4
# Also see http.alias array of maps example, above.
redirect_to_https BooleanAutomatically redirect the Application Load Balancer from HTTP to HTTPS. By default it is
true.
http.version String
The HTTP(S) protocol version. Must be one of 'grpc', 'http1', or 'http2'. If omitted, then 'http1' is assumed.
If using gRPC, please note that a domain must be associated with your application.
http.additional_rules Array of Maps
Configure multiple ALB listener rules.
http.additional_rules.path String
Requests to this path will be forwarded to your service. Each listener rule should listen on a unique path.
<span class="parent-field">http.additional_rules.</span><a id="http-additional-rules-healthcheck" href="#http-additional-rules-healthcheck" class="field">`healthcheck`</a> <span class="type">String or Map</span>
If you specify a string, Copilot interprets it as the path exposed in your container to handle target group health check requests. The default is "/".
```yaml
http:
additional_rules:
- healthcheck: '/'
```
You can also specify healthcheck as a map:
```yaml
http:
additional_rules:
- healthcheck:
path: '/'
port: 8080
success_codes: '200'
healthy_threshold: 3
unhealthy_threshold: 2
interval: 15s
timeout: 10s
```
http.additional_rules.healthcheck.path String
The destination that the health check requests are sent to.
http.additional_rules.healthcheck.port Integer
The port that the health check requests are sent to. The default is image.port, or the port exposed by http.target_container, if set.
If the port exposed is 443, then the health check protocol is automatically set to HTTPS.
http.additional_rules.healthcheck.success_codes String
The HTTP status codes that healthy targets must use when responding to an HTTP health check. You can specify values between 200 and 499. You can specify multiple values (for example, "200,202") or a range of values (for example, "200-299"). The default is 200.
http.additional_rules.healthcheck.healthy_threshold Integer
The number of consecutive health check successes required before considering an unhealthy target healthy. The default is 5. Range: 2-10.
http.additional_rules.healthcheck.unhealthy_threshold Integer
The number of consecutive health check failures required before considering a target unhealthy. The default is 2. Range: 2-10.
http.additional_rules.healthcheck.interval Duration
The approximate amount of time, in seconds, between health checks of an individual target. The default is 30s. Range: 5s–300s.
http.additional_rules.healthcheck.timeout Duration
The amount of time, in seconds, during which no response from a target means a failed health check. The default is 5s. Range 5s-300s.
http.additional_rules.deregistration_delay Duration
The amount of time to wait for targets to drain connections during deregistration. The default is 60s. Setting this to a larger value gives targets more time to gracefully drain connections, but increases the time required for new deployments. Range 0s-3600s.
http.additional_rules.target_container String
A sidecar container that requests are routed to instead of the main service container.
If the target container's port is set to 443, then the protocol is set to HTTPS so that the load balancer establishes
TLS connections with the Fargate tasks using certificates that you install on the target container.
http.additional_rules.target_port String
The container port that receives traffic. Specify this field if the container port is different from image.port for the main container or sidecar.port for the sidecar containers.
http.additional_rules.stickiness Boolean
Indicates whether sticky sessions are enabled.
http.additional_rules.allowed_source_ips Array of Strings
CIDR IP addresses permitted to access your service.
http:
additional_rules:
- allowed_source_ips: ["192.0.2.0/24", "198.51.100.10/32"]
http.additional_rules.alias String or Array of Strings or Array of Maps
HTTPS domain alias of your service.
# String version.
http:
additional_rules:
- alias: example.com
# Alternatively, as an array of strings.
http:
additional_rules:
- alias: ["example.com", "v1.example.com"]
# Alternatively, as an array of maps.
http:
additional_rules:
- alias:
- name: example.com
hosted_zone: Z0873220N255IR3MTNR4
- name: v1.example.com
hosted_zone: AN0THE9H05TED20NEID
hosted_zone StringID of your existing hosted zone; can only be used with
http.alias and http.additional_rules.alias. If you have an environment with imported certificates, you can specify the hosted zone into which Copilot should insert the A record once the load balancer is created.
http:
additional_rules:
- alias: example.com
hosted_zone: Z0873220N255IR3MTNR4
# Also see http.alias array of maps example, above.
redirect_to_https BooleanAutomatically redirect the Application Load Balancer from HTTP to HTTPS. By default it is
true.
http.additional_rules.version String
The HTTP(S) protocol version. Must be one of 'grpc', 'http1', or 'http2'. If omitted, then 'http1' is assumed.
If using gRPC, please note that a domain must be associated with your application.
nlb Map
The nlb section contains parameters related to integrating your service with a Network Load Balancer.
The Network Load Balancer is enabled only if you specify the nlb field. Note that for a Load-Balanced Web Service,
at least one of Application Load Balancer and Network Load Balancer must be enabled.
nlb.port String
Required. The port and protocol for the Network Load Balancer to listen on.
Accepted protocols include tcp and tls. If the protocol is not specified, tcp is used by default. For example:
nlb:
port: 80
tcp requests. This is the same as
nlb:
port: 80/tcp
You can easily enable TLS termination. For example:
nlb:
port: 443/tls
nlb.healthcheck Map
Specify the health check configuration for your Network Load Balancer.
nlb:
healthcheck:
port: 80
healthy_threshold: 3
unhealthy_threshold: 2
interval: 15s
timeout: 10s
nlb.healthcheck.port String
The port that the health check requests are sent to. Specify this if your health check should be performed on a different port than the container target port.
nlb.healthcheck.healthy_threshold Integer
The number of consecutive health check successes required before considering an unhealthy target healthy. The default is 3. Range: 2-10.
nlb.healthcheck.unhealthy_threshold Integer
The number of consecutive health check failures required before considering a target unhealthy. The default is 3. Range: 2-10.
nlb.healthcheck.grace_period Duration
The amount of time to ignore failing target group healthchecks on container start. The default is 60s. This can be useful to fix deployment issues for containers which take a while to become healthy and begin listening for incoming connections, or to speed up deployment of containers guaranteed to start quickly.
Info
Per the docs at the time of this writing, 'unhealthy threshold' is required to be equal to 'healthy threshold' for a Network Load Balancer.
nlb.healthcheck.interval Duration
The approximate amount of time, in seconds, between health checks of an individual target. The value can be 10s or 30s. The default is 30s.
nlb.healthcheck.timeout Duration
The amount of time, in seconds, during which no response from a target means a failed health check. The default is 10s.
nlb.target_container String
A sidecar container that takes the place of a service container.
nlb.target_port Integer
The container port that receives traffic. Specify this field if the container port is different from nlb.port, the listener port.
nlb.ssl_policy String
The security policy that defines which protocols and ciphers are supported. To learn more, see this doc.
nlb.stickiness Boolean
Indicates whether sticky sessions are enabled.
nlb.alias String or Array of Strings
Domain aliases for your service.
# String version.
nlb:
alias: example.com
# Alteratively, as an array of strings.
nlb:
alias: ["example.com", "v1.example.com"]
additional_listeners Array of MapsConfigure multiple NLB listeners.
nlb.additional_listeners Map
nlb.additional_listeners.port String
Required. The additional port and protocol for the Network Load Balancer to listen on.
Accepted protocols include tcp and tls. If the protocol is not specified, tcp is used by default.
nlb.additional_listeners.healthcheck Map
Specify the health check configuration for your additional listener on the Network Load Balancer.
nlb:
additional_listeners:
- healthcheck:
port: 80
healthy_threshold: 3
unhealthy_threshold: 2
interval: 15s
timeout: 10s
nlb.additional_listeners.healthcheck.port String
The port that the health check requests are sent to. Specify this if your health check should be performed on a different port than the container target port.
nlb.additional_listeners.healthcheck.healthy_threshold Integer
The number of consecutive health check successes required before considering an unhealthy target healthy. The default is 3. Range: 2-10.
nlb.additional_listeners.healthcheck.unhealthy_threshold Integer
The number of consecutive health check failures required before considering a target unhealthy. The default is 3. Range: 2-10.
nlb.additional_listeners.healthcheck.interval Duration
The approximate amount of time, in seconds, between health checks of an individual target. The value can be 10s or 30s. The default is 30s.
nlb.additional_listeners.healthcheck.timeout Duration
The amount of time, in seconds, during which no response from a target means a failed health check. The default is 10s.
nlb.additional_listeners.target_container String
A sidecar container that takes the place of a service container.
nlb.additional_listeners.target_port Integer
The container port that receives traffic. Specify this field if the container port is different from nlb.port, the listener port.
nlb.additional_listeners.ssl_policy String
The security policy that defines which protocols and ciphers are supported. To learn more, see this doc.
nlb.additional_listeners.stickiness Boolean
Indicates whether sticky sessions are enabled.
image Map
The image section contains parameters relating to the Docker build configuration or referring to an existing container image.
image.build String or Map
Build a container from a Dockerfile with optional arguments. Mutually exclusive with image.location.
If you specify a string, Copilot interprets it as the path to your Dockerfile. It will assume that the dirname of the string you specify should be the build context. The manifest:
image:
build: path/to/dockerfile
$ docker build --file path/to/dockerfile path/to
You can also specify build as a map:
image:
build:
dockerfile: path/to/dockerfile
context: context/dir
target: build-stage
cache_from:
- image:tag
args:
key: value
$ docker build --file path/to/dockerfile --target build-stage --cache-from image:tag --build-arg key=value context/dir.
You can omit fields and Copilot will do its best to understand what you mean. For example, if you specify context but not dockerfile, Copilot will run Docker in the context directory and assume that your Dockerfile is named "Dockerfile." If you specify dockerfile but no context, Copilot assumes you want to run Docker in the directory that contains dockerfile.
All paths are relative to your workspace root.
image.location String
Instead of building a container from a Dockerfile, you can specify an existing image name. Mutually exclusive with image.build.
The location field follows the same definition as the image parameter in the Amazon ECS task definition.
Warning
If you are passing in a Windows image, you must add platform: windows/x86_64 to your manifest.
If you are passing in an ARM architecture-based image, you must add platform: linux/arm64 to your manifest.
image.credentials String
An optional credentials ARN for a private repository. The credentials field follows the same definition as the credentialsParameter in the Amazon ECS task definition.
image.labels Map
An optional key/value map of Docker labels to add to the container.
image.depends_on Map
An optional key/value map of Container Dependencies to add to the container. The key of the map is a container name and the value is the condition to depend on. Valid conditions are: start, healthy, complete, and success. You cannot specify a complete or success dependency on an essential container.
For example:
image:
build: ./Dockerfile
depends_on:
nginx: start
startup: success
nginx sidecar has started and the startup container has completed successfully.
image.port Integer
The port exposed in your Dockerfile. Copilot should parse this value for you from your EXPOSE instruction.
If the port is set to 443, then the protocol is set to HTTPS so that the load balancer establishes
TLS connections with the Fargate tasks using certificates that you install on the container.
image.healthcheck Map
Optional configuration for container health checks.
image.healthcheck.command Array of Strings
The command to run to determine if the container is healthy.
The string array can start with CMD to execute the command arguments directly, or CMD-SHELL to run the command with the container's default shell.
image.healthcheck.interval Duration
Time period between health checks, in seconds. Default is 10s.
image.healthcheck.retries Integer
Number of times to retry before container is deemed unhealthy. Default is 2.
image.healthcheck.timeout Duration
How long to wait before considering the health check failed, in seconds. Default is 5s.
image.healthcheck.start_period Duration
Length of grace period for containers to bootstrap before failed health checks count towards the maximum number of retries. Default is 0s.
cpu Integer
Number of CPU units for the task. See the Amazon ECS docs for valid CPU values.
memory Integer
Amount of memory in MiB used by the task. See the Amazon ECS docs for valid memory values.
platform String or Map
Operating system and architecture (formatted as [os]/[arch]) to pass with docker build --platform. For example, linux/arm64 or windows/x86_64. The default is linux/x86_64.
Override the generated string to build with a different valid osfamily or architecture. For example, Windows users might change the string
platform: windows/x86_64
WINDOWS_SERVER_2019_CORE, using a map:
platform:
osfamily: windows_server_2019_full
architecture: x86_64
platform:
osfamily: windows_server_2022_core
architecture: x86_64
platform:
osfamily: windows_server_2022_full
architecture: x86_64
count Integer or Map
The number of tasks that your service should maintain.
If you specify a number:
count: 5
count.spot Integer
If you want to use Fargate Spot capacity to run your services, you can specify a number under the spot subfield:
count:
spot: 5
Info
Fargate Spot is not supported for containers running on ARM architecture.
Alternatively, you can specify a map for setting up autoscaling:
count:
range: 1-10
cooldown:
in: 30s
out: 60s
cpu_percentage: 70
memory_percentage:
value: 80
cooldown:
in: 80s
out: 160s
requests: 10000
response_time: 2s
count.range String or Map
You can specify a minimum and maximum bound for the number of tasks your service should maintain, based on the values you specify for the metrics.
count:
range: n-m
MinCapacity of n and MaxCapacity of m.
Alternatively, if you wish to scale your service onto Fargate Spot instances, specify min and max under range and then specify spot_from with the desired count you wish to start placing your services onto Spot capacity. For example:
count:
range:
min: 1
max: 10
spot_from: 3
This will set your range as 1-10 as above, but will place the first two copies of your service on dedicated Fargate capacity. If your service scales to 3 or higher, the third and any additional copies will be placed on Spot until the maximum is reached.
count.range.min Integer
The minimum desired count for your service using autoscaling.
count.range.max Integer
The maximum desired count for your service using autoscaling.
count.range.spot_from Integer
The desired count at which you wish to start placing your service using Fargate Spot capacity providers.
count.cooldown Map
Cooldown scaling fields that are used as the default cooldown for all autoscaling fields specified.
count.cooldown.in Duration
The cooldown time for autoscaling fields to scale up the service.
count.cooldown.out Duration
The cooldown time for autoscaling fields to scale down the service.
The following options cpu_percentage, memory_percentage, requests and response_time are autoscaling fields for count which can be defined either as the value of the field, or as a Map containing advanced information about the field's value and cooldown:
value: 50
cooldown:
in: 30s
out: 60s
count.cpu_percentage Integer or Map
Scale up or down based on the average CPU your service should maintain.
count.memory_percentage Integer or Map
Scale up or down based on the average memory your service should maintain.
count.requests Integer or Map
Scale up or down based on the request count handled per task.
count.response_time Duration or Map
Scale up or down based on the service average response time.
exec Boolean
Enable running commands in your container. The default is false. Required for $ copilot svc exec.
deployment Map
The deployment section contains parameters to control how many tasks run during the deployment and the ordering of stopping and starting tasks.
deployment.rolling String
Rolling deployment strategy. Valid values are
"default": Creates new tasks as many as the desired count with the updated task definition, before stopping the old tasks. Under the hood, this translates to setting theminimumHealthyPercentto 100 andmaximumPercentto 200."recreate": Stop all running tasks and then spin up new tasks. Under the hood, this translates to setting theminimumHealthyPercentto 0 andmaximumPercentto 100.
deployment.rollback_alarms Array of Strings or Map
Info
If an alarm is in "In alarm" state at the beginning of a deployment, Amazon ECS will NOT monitor alarms for the duration of that deployment. For more details, read the docs here.
As a list of strings, the names of existing CloudWatch alarms to associate with your service that may trigger a deployment rollback.
deployment:
rollback_alarms: ["MyAlarm-ELB-4xx", "MyAlarm-ELB-5xx"]
deployment:
rollback_alarms:
cpu_utilization: 70 // Percentage value at or above which alarm is triggered.
memory_utilization: 50 // Percentage value at or above which alarm is triggered.
entrypoint String or Array of Strings
Override the default entrypoint in the image.
# String version.
entrypoint: "/bin/entrypoint --p1 --p2"
# Alteratively, as an array of strings.
entrypoint: ["/bin/entrypoint", "--p1", "--p2"]
command String or Array of Strings
Override the default command in the image.
# String version.
command: ps au
# Alteratively, as an array of strings.
command: ["ps", "au"]
network Map
The network section contains parameters for connecting to AWS resources in a VPC.
network.connect Bool or Map
Enable Service Connect for your service, which makes the traffic between services load balanced and more resilient. Defaults to false.
When using it as a map, you can specify which alias to use for this service. Note that the alias must be unique within the environment.
network.connect.alias String
A custom DNS name for this service exposed to Service Connect. Defaults to the service name.
network.vpc Map
Subnets and security groups attached to your tasks.
network.vpc.placement String or Map
When using it as a string, the value must be one of 'public' or 'private'. Defaults to launching your tasks in public subnets.
Info
If you launch tasks in 'private' subnets and use a Copilot-generated VPC, Copilot will automatically add NAT Gateways to your environment for internet connectivity. (See pricing.) Alternatively, when running copilot env init, you can import an existing VPC with NAT Gateways, or one with VPC endpoints for isolated workloads. See our custom environment resources page for more.
When using it as a map, you can specify in which subnets Copilot should launch ECS tasks. For example:
network:
vpc:
placement:
subnets: ["SubnetID1", "SubnetID2"]
network.vpc.placement.subnets Array of Strings or Map
As a list of strings, the subnet IDs where Copilot should launch ECS tasks.
As a map, the name-value pairs by which to filter your subnets. Note that the filters are joined with an AND, and the values for each filter are joined by an OR. For example, both subnets with tag set org: bi and type: public, and subnets with tag set org: bi and type: private will be matched by
network:
vpc:
placement:
subnets:
from_tags:
org: bi
type:
- public
- private
network.vpc.placement.subnetsfrom_tags Map of String and String or Array of Strings
Tag sets by which to filter subnets where Copilot should launch ECS tasks.
network.vpc.security_groups Array of Strings or Map
Additional security group IDs associated with your tasks.
network:
vpc:
security_groups: [sg-0001, sg-0002]
Map form:
network:
vpc:
security_groups:
deny_default: true
groups: [sg-0001, sg-0002]
network.vpc.security_groups.from_cfn String
The name of a CloudFormation stack export.
network.vpc.security_groups.deny_default Boolean
Disable the default security group that allows ingress from all services in your environment.
network.vpc.security_groups.groups Array of Strings
Additional security group IDs associated with your tasks.
network.vpc.security_groups.groupsfrom_cfn String
The name of a CloudFormation stack export.
variables Map
Key-value pairs that represent environment variables that will be passed to your service. Copilot will include a number of environment variables by default for you.
variables.from_cfn String
The name of a CloudFormation stack export.
env_file String
The path to a file from the root of your workspace containing the environment variables to pass to the main container. For more information about the environment variable file, see Considerations for specifying environment variable files.
secrets Map
Key-value pairs that represent secret values from AWS Systems Manager Parameter Store or AWS Secrets Manager that will be securely passed to your service as environment variables.
secrets.from_cfn String
The name of a CloudFormation stack export.
storage Map
The Storage section lets you specify external EFS volumes for your containers and sidecars to mount. This allows you to access persistent storage across availability zones in a region for data processing or CMS workloads. For more detail, see the storage page. You can also specify extensible ephemeral storage at the task level.
storage.ephemeral Int
Specify how much ephemeral task storage to provision in GiB. The default value and minimum is 20 GiB. The maximum size is 200 GiB. Sizes above 20 GiB incur additional charges.
To create a shared filesystem context between an essential container and a sidecar, you can use an empty volume:
storage:
ephemeral: 100
volumes:
scratch:
path: /var/data
read_only: false
sidecars:
mySidecar:
image: public.ecr.aws/my-image:latest
mount_points:
- source_volume: scratch
path: /var/data
read_only: false
storage.readonly_fs Boolean
Specify true to give your container read-only access to its root file system.
storage.volumes Map
Specify the name and configuration of any EFS volumes you would like to attach. The volumes field is specified as a map of the form:
volumes:
<volume name>:
path: "/etc/mountpath"
efs:
...
storage.volumes.<volume> Map
Specify the configuration of a volume.
storage.volumes.<volume>.path String
Required. Specify the location in the container where you would like your volume to be mounted. Must be fewer than 242 characters and must consist only of the characters a-zA-Z0-9.-_/.
storage.volumes.<volume>.read_only Boolean
Optional. Defaults to true. Defines whether the volume is read-only or not. If false, the container is granted elasticfilesystem:ClientWrite permissions to the filesystem and the volume is writable.
storage.volumes.<volume>.efs Boolean or Map
Specify more detailed EFS configuration. If specified as a boolean, or using only the uid and gid subfields, creates a managed EFS filesystem and dedicated Access Point for this workload.
// Simple managed EFS
efs: true
// Managed EFS with custom POSIX info
efs:
uid: 10000
gid: 110000
storage.volumes.<volume>.efs.id String
Required. The ID of the filesystem you would like to mount.
storage.volumes.<volume>.efs.root_dir String
Optional. Defaults to /. Specify the location in the EFS filesystem you would like to use as the root of your volume. Must be fewer than 255 characters and must consist only of the characters a-zA-Z0-9.-_/. If using an access point, root_dir must be either empty or / and auth.iam must be true.
storage.volumes.<volume>.efs.uid Uint32
Optional. Must be specified with gid. Mutually exclusive with root_dir, auth, and id. The POSIX UID to use for the dedicated access point created for the managed EFS filesystem.
storage.volumes.<volume>.efs.gid Uint32
Optional. Must be specified with uid. Mutually exclusive with root_dir, auth, and id. The POSIX GID to use for the dedicated access point created for the managed EFS filesystem.
storage.volumes.<volume>.efs.auth Map
Specify advanced authorization configuration for EFS.
storage.volumes.<volume>.efs.auth.iam Boolean
Optional. Defaults to true. Whether or not to use IAM authorization to determine whether the volume is allowed to connect to EFS.
storage.volumes.<volume>.efs.auth.access_point_id String
Optional. Defaults to "". The ID of the EFS access point to connect to. If using an access point, root_dir must be either empty or / and auth.iam must be true.
publish Map
The publish section allows services to publish messages to one or more SNS topics.
publish:
topics:
- name: orderEvents
In the example above, this manifest declares an SNS topic named orderEvents that other worker services deployed to the Copilot environment can subscribe to. An environment variable named COPILOT_SNS_TOPIC_ARNS is injected into your workload as a JSON string.
In JavaScript, you could write:
const {orderEvents} = JSON.parse(process.env.COPILOT_SNS_TOPIC_ARNS)
publish.topics Array of topics
List of topic objects.
publish.topics.topic Map
Holds configuration for a single SNS topic.
publish.topics.topic.name String
Required. The name of the SNS topic. Must contain only upper and lowercase letters, numbers, hyphens, and underscores.
publish.topics.topic.fifo Boolean or Map
FIFO (first in, first out) SNS topic configuration.
If you specify true, Copilot will create the topic with FIFO ordering.
publish:
topics:
- name: mytopic
fifo: true
Alternatively, you can also configure advanced SNS FIFO topic settings.
publish:
topics:
- name: mytopic
fifo:
content_based_deduplication: true
publish.topics.topic.fifo.content_based_deduplication Boolean
If the message body is guaranteed to be unique for each published message, you can enable content-based deduplication for the SNS FIFO topic.
logging Map
The logging section contains log configuration. You can also configure parameters for your container's FireLens log driver in this section (see examples here).
logging.retention Integer
Optional. The number of days to retain the log events. See this page for all accepted values. If omitted, the default is 30.
logging.image Map
Optional. The Fluent Bit image to use. Defaults to public.ecr.aws/aws-observability/aws-for-fluent-bit:stable.
logging.destination Map
Optional. The configuration options to send to the FireLens log driver.
logging.enableMetadata Map
Optional. Whether to include ECS metadata in logs. Defaults to true.
logging.secretOptions Map
Optional. The secrets to pass to the log configuration.
logging.configFilePath Map
Optional. The full config file path in your custom Fluent Bit image.
logging.env_file String
The path to a file from the root of your workspace containing the environment variables to pass to the logging sidecar container. For more information about the environment variable file, see Considerations for specifying environment variable files.
observability Map
The observability section lets you configure ways to measure your service's current state. Currently, only tracing configuration is supported.
For more details, see the observability page.
observability.tracing String
The vendor to use for tracing. Currently, only awsxray is supported.
taskdef_overrides Array of Rules
The taskdef_overrides section allows users to apply overriding rules to their ECS Task Definitions (see examples here).
taskdef_overrides.path String
Required. Path to the Task Definition field to override.
taskdef_overrides.value Any
Required. Value of the Task Definition field to override.
environments Map
The environment section lets you override any value in your manifest based on the environment you're in. In the example manifest above, we're overriding the count parameter so that we can run 2 copies of our service in our 'prod' environment, and 2 copies using Fargate Spot capacity in our 'staging' environment.