
AWS Copilot v1.21: CloudFront is here!

Posted On: Aug 17, 2022

The AWS Copilot core team is announcing the Copilot v1.21 release.
Special thanks to @dave-moser, @dclark, and @apopa57 who contributed to this release. Our public community chat is growing and has over 300 people online and over 2.4k stars on GitHub. Thanks to every one of you who shows love and support for AWS Copilot.

Copilot v1.21 brings several new features and improvements:

  • Integrate CloudFront with Application Load Balancer: You can now deploy CloudFront in front of your Load Balanced Web Services! See detailed section to learn more.
  • Configure environment security group: Configure your environment security group rules through environment manifest. See detailed section.
  • ELB access log support: Enable elastic load balancing access logs for your Load Balanced Web Service. See detailed section.
  • job logs improvements: You can now follow logs and view state machine execution logs for your jobs. See detailed section.
  • Package addon CloudFormation templates before deployments: Copilot will now package addon templates on copilot svc deploy. This means Copilot can now deploy AWS Lambda functions alongside your containerized services! Read more about how to get started in Copilot's documentation.

What’s AWS Copilot?

The AWS Copilot CLI is a tool for developers to build, release, and operate production-ready containerized applications on AWS. From getting started, pushing to staging, and releasing to production, Copilot can help manage the entire lifecycle of your application development. At the foundation of Copilot is AWS CloudFormation, which enables you to provision infrastructure as code. Copilot provides pre-defined CloudFormation templates and user-friendly workflows for different types of microservice architectures, enabling you to focus on developing your application instead of writing deployment scripts.

See the section Overview for a more detailed introduction to AWS Copilot.

CloudFront Integration

One of our first major additions to the Copilot environment manifest! CloudFront is an AWS Content Delivery Network (CDN) which helps people deploy their applications across the globe, and now you can enable a distribution by simply setting cdn: true in your environment manifest and running copilot env deploy.

Currently supported features

  • A distribution deployed in front of your public Application Load Balancer (ALB)
  • ALB ingress restricted to the CloudFront distribution to protect against DDoS attacks
  • HTTPS traffic through an imported certificate, or a Copilot-managed certificate

CloudFront with HTTPS

Copilot makes this process easy! If you have an application initialized with a --domain specified during app init, the required certificate will be created for you and no additional actions are required.

If you import your own certificates for your hosted zone, we'll walk you through importing the correct certificate for CloudFront.

Info

CloudFront requires certificates to be in the us-east-1 region. When importing a certificate, make sure to create your certificate in this region.

First, create a certificate in the us-east-1 region for your application with AWS Certificate Manager. You must add each domain associated with your application to this certificate. Once you've validated the certificate, you can add a field to your environment manifest to import the certificate for CloudFront:

cdn:
  certificate: arn:aws:acm:us-east-1:${AWS_ACCOUNT_ID}:certificate/13245665-h74x-4ore-jdnz-avs87dl11jd

Run copilot env deploy, then create an A-record in Route 53 that points to the CloudFront distribution created by Copilot. In the console, select to point the record to an Alias, select to route traffic to a CloudFront distribution resource type, and enter the CloudFront DNS from the deployed distribution.

Restricting traffic to CloudFront

To restrict public traffic to come through the CloudFront distribution, there's a new field in http for your public load balancer:

http:
  public:
    security_groups:
      ingress:
        restrict_to:
          cdn: true

Specifying this will modify the Load Balancer's security group to only accept traffic from CloudFront.

Configure Environment Security Group

You can now configure your environment security group rules through the environment manifest.
A sample set of security group rules in an environment manifest is shown below.

network:
  vpc:
    security_group:
      ingress:
        - ip_protocol: tcp
          ports: 80
          cidr: 0.0.0.0/0
      egress:
        - ip_protocol: tcp
          ports: 0-65535
          cidr: 0.0.0.0/0

For the complete specification, see the environment manifest.
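
The CloudFront and security group settings above can be checked before running copilot env deploy. The following is an added example, not part of Copilot or the original post: `audit_env_manifest`, its finding codes and the two sample manifests are hypothetical, and it assumes the manifest has already been loaded into a dict by a YAML parser.

```python
def _get(node, *keys):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_env_manifest(manifest):
    """Return (code, message) findings for a parsed environment manifest."""
    findings = []
    cdn = manifest.get("cdn")
    # Assumption: `cdn: true` or a `cdn:` mapping both mean a distribution exists.
    cdn_enabled = cdn is True or isinstance(cdn, dict)
    restricted = _get(manifest, "http", "public", "security_groups",
                      "ingress", "restrict_to", "cdn") is True
    if cdn_enabled and not restricted:
        findings.append(("ALB_NOT_RESTRICTED",
                         "cdn is set but restrict_to.cdn is not true on the public ALB"))
    cert = _get(manifest, "cdn", "certificate")
    if cert is not None:
        # ARN layout: arn:partition:service:region:account:resource
        parts = str(cert).split(":")
        if len(parts) < 6 or parts[2] != "acm" or parts[3] != "us-east-1":
            findings.append(("CERT_REGION", "cdn.certificate must be an ACM ARN in us-east-1"))
    rules = _get(manifest, "network", "vpc", "security_group", "ingress") or []
    for rule in rules:
        if rule.get("cidr") in ("0.0.0.0/0", "::/0"):
            findings.append(("SG_OPEN_INGRESS",
                             f"{rule.get('ip_protocol')}/{rule.get('ports')} "
                             f"open to {rule['cidr']}"))
    return findings

# Constructed samples: the dicts a YAML loader would return for two manifests.
WEAK = {
    "cdn": {"certificate": "arn:aws:acm:eu-west-1:111122223333:certificate/EXAMPLE"},
    "network": {"vpc": {"security_group": {"ingress": [
        {"ip_protocol": "tcp", "ports": 80, "cidr": "0.0.0.0/0"}]}}},
}
HARDENED = {
    "cdn": True,
    "http": {"public": {"security_groups": {"ingress": {"restrict_to": {"cdn": True}}}}},
    "network": {"vpc": {"security_group": {"ingress": [
        {"ip_protocol": "tcp", "ports": 80, "cidr": "10.0.0.0/16"}]}}},
}

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_env_manifest(manifest))
```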

ELB Access Logs Support

You can now enable Elastic Load Balancing access logs that capture detailed information about requests sent to your load balancer. There are a few ways to enable access logs:

  1. You can specify access_logs: true in your environment manifest as shown below and Copilot will create an S3 bucket where the Public Load Balancer will store access logs.

    name: qa
    type: Environment
    
    http:
      public:
        access_logs: true 
    
    You can also view the bucket name with the copilot env show --resources command.

  2. You can also bring in your own bucket and prefix. Copilot will use those bucket details to enable access logs. You can do that by specifying the following configuration in your environment manifest.

    name: qa
    type: Environment
    
    http:
      public:
        access_logs:
          bucket_name: my-bucket
          prefix: my-prefix
    
    When importing your own bucket, you need to make sure that the bucket exists and has the required bucket policy for the load balancer to write access logs to it.
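
One way to verify an imported bucket's policy before pointing the load balancer at it, as an added example that is not part of Copilot or the original post. The function names, the account ID 111122223333 and the sample policies are constructed; the load balancer principal shown is the Elastic Load Balancing account for us-east-1 from the AWS documentation, and the check only matches Allow statements.

```python
import json
from fnmatch import fnmatchcase

# Elastic Load Balancing account for us-east-1 per AWS documentation; the value
# is region-specific, and newer regions use a service principal instead.
ELB_PRINCIPAL_US_EAST_1 = "arn:aws:iam::127311923021:root"


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_alb_access_logs(policy_json, bucket, prefix, account_id, elb_principal):
    """True if an Allow statement lets elb_principal write logs under prefix.

    Simplified: Deny statements and Condition blocks are not evaluated.
    """
    # Access logs land under [prefix/]AWSLogs/<account-id>/...; probe one key.
    parts = [bucket, prefix, "AWSLogs", account_id, "elasticloadbalancing", "probe.log.gz"]
    probe = "arn:aws:s3:::" + "/".join(p for p in parts if p)
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        who = _as_list(principal.get("AWS")) + _as_list(principal.get("Service"))
        can_put = any(fnmatchcase("s3:putobject", a.lower())
                      for a in _as_list(stmt.get("Action")))
        covers = any(fnmatchcase(probe, r) for r in _as_list(stmt.get("Resource")))
        if elb_principal in who and can_put and covers:
            return True
    return False


def sample_policy(resource):
    """Constructed bucket policy with one statement for the given resource ARN."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ELB_PRINCIPAL_US_EAST_1},
        "Action": "s3:PutObject",
        "Resource": resource}]})


GOOD = sample_policy("arn:aws:s3:::my-bucket/my-prefix/AWSLogs/111122223333/*")
NO_PREFIX = sample_policy("arn:aws:s3:::my-bucket/AWSLogs/111122223333/*")
```

A policy written without the prefix (NO_PREFIX) does not cover the my-bucket/my-prefix path configured in the manifest, so the function returns False for it.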

job logs

At long last, you can now view and follow logs for executions of your scheduled jobs. You can choose how many invocations of the job to view, filter logs by specific task IDs, and choose whether to view state machine execution logs. For example, you can view logs from the last invocation of the job and all the state machine execution data:

$ copilot job logs --include-state-machine
Which application does your job belong to? [Use arrows to move, type to filter, ? for more help]
> app1
  app2
Which job's logs would you like to show? [Use arrows to move, type to filter, ? for more help]
> emailer (test)
  emailer (prod)
Application: app1
Job: emailer
states/app1-test-emailer {"id":"1","type":"ExecutionStarted","details": ...
states/app1-test-emailer {"id":"2","type":"TaskStateEntered","details": ...
states/app1-test-emailer {"id":"3","type":"TaskScheduled","details": ...
states/app1-test-emailer {"id":"4","type":"TaskStarted","details": ...
states/app1-test-emailer {"id":"5","type":"TaskSubmitted","details": ...
copilot/emailer/d476069 Gathered recipients
copilot/emailer/d476069 Prepared email body 
copilot/emailer/d476069 Attached headers
copilot/emailer/d476069 Sent all emails
states/app1-test-emailer {"id":"6","type":"TaskSucceeded","details": ...
states/app1-test-emailer {"id":"7","type":"TaskStateExited","details": ...
states/app1-test-emailer {"id":"8","type":"ExecutionSucceeded","details": ...

Or follow the logs of a task you've just invoked with copilot job run:

$ copilot job run -n emailer && copilot job logs -n emailer --follow

What’s next?

Download the new Copilot CLI version by following the link below and leave your feedback on GitHub or our Community Chat: