AWS Copilot v1.22: Try out IAM Permissions Boundaries and more!
Posted On: Sep 27, 2022
The AWS Copilot core team is announcing the Copilot v1.22 release.
Special thanks to @jterry75, @gabrielcostasilva, @shingos, and @hkford, who contributed to this release. Our public community chat is growing and has over 300 people online, and the project now has over 2.4k stars on GitHub. Thanks to every one of you who shows love and support for AWS Copilot.
Copilot v1.22 brings several new features and improvements:
- IAM Role Permissions Boundary: See detailed section.
- FIFO SNS/SQS: See detailed section.
- CloudFront TLS Termination: You can now use CloudFront to perform faster TLS termination! See detailed section.
- TLS connection between the Application Load Balancer and Fargate tasks: Copilot now sets the target group's protocol and health check protocol to HTTPS if the target container's port is set to 443. See manifest sample.
What’s AWS Copilot?
The AWS Copilot CLI is a tool for developers to build, release, and operate production-ready containerized applications on AWS. From getting started, pushing to staging, and releasing to production, Copilot can help manage the entire lifecycle of your application development. At the foundation of Copilot is AWS CloudFormation, which enables you to provision infrastructure as code. Copilot provides pre-defined CloudFormation templates and user-friendly workflows for different types of microservice architectures, enabling you to focus on developing your application instead of writing deployment scripts.
See the section Overview for a more detailed introduction to AWS Copilot.
IAM Role Permissions Boundary
Whether you have an AWS Organizations Service Control Policy that requires an attached permissions boundary for IAM role creation, or simply want to add some guardrails to your application, Copilot can help. By using the `--permissions-boundary` flag with the `copilot app init` command, you can specify an existing IAM policy name. That policy will get attached to any and all IAM roles that Copilot creates (within that application) as a permissions boundary.
If you init your application with the name of a permissions boundary specified:

```
copilot app init --permissions-boundary examplePermissionsBoundaryPolicy
```

every IAM role that Copilot creates within that application carries the policy as its `PermissionsBoundary`, for example:

```yaml
ExampleIAMRole:
  Type: AWS::IAM::Role
  Properties:
    PermissionsBoundary: 'arn:aws:iam::123456789012:policy/examplePermissionsBoundaryPolicy'
```
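A follow-up check for the boundary, as an added example that is not part of the Copilot release or its code base: it scans `aws iam list-roles` output (here a constructed sample) for application roles whose boundary is missing or points at a different policy. The role names and the `demo-test-` prefix are assumptions about Copilot's `<app>-<env>-...` naming; the account id and policy name are the page's own sample values.

```python
import json

# Boundary the app was initialised with on this page:
#   copilot app init --permissions-boundary examplePermissionsBoundaryPolicy
EXPECTED_BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/examplePermissionsBoundaryPolicy"

# Constructed sample shaped like `aws iam list-roles --output json`.
# Role names are invented; the account id is the page's sample id.
SAMPLE_LIST_ROLES_OUTPUT = json.dumps({"Roles": [
    {   # boundary attached as expected
        "RoleName": "demo-test-api-TaskRole-ABC",
        "Arn": "arn:aws:iam::123456789012:role/demo-test-api-TaskRole-ABC",
        "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                                "PermissionsBoundaryArn": EXPECTED_BOUNDARY_ARN},
    },
    {   # boundary present, but it is a different policy
        "RoleName": "demo-test-api-ExecutionRole-DEF",
        "Arn": "arn:aws:iam::123456789012:role/demo-test-api-ExecutionRole-DEF",
        "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                                "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/OtherPolicy"},
    },
    {   # no boundary at all: IAM omits the key entirely
        "RoleName": "demo-test-EnvManagerRole-GHI",
        "Arn": "arn:aws:iam::123456789012:role/demo-test-EnvManagerRole-GHI",
    },
    {   # unrelated role in the account, outside the audited prefix
        "RoleName": "OrganizationAccountAccessRole",
        "Arn": "arn:aws:iam::123456789012:role/OrganizationAccountAccessRole",
    },
]})

def find_roles_missing_boundary(list_roles_json, expected_arn, prefix=""):
    """Return [(role_name, actual_boundary_arn_or_None), ...] for every role
    whose name starts with `prefix` and whose boundary is not `expected_arn`.
    `prefix` narrows the audit to one app/env (assumed Copilot naming)."""
    findings = []
    for role in json.loads(list_roles_json)["Roles"]:
        if not role["RoleName"].startswith(prefix):
            continue
        # An absent PermissionsBoundary key means no boundary is attached.
        actual = role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
        if actual != expected_arn:
            findings.append((role["RoleName"], actual))
    return findings

if __name__ == "__main__":
    for name, actual in find_roles_missing_boundary(
            SAMPLE_LIST_ROLES_OUTPUT, EXPECTED_BOUNDARY_ARN, prefix="demo-test-"):
        print(f"{name}: boundary {actual or 'NOT SET'} (expected {EXPECTED_BOUNDARY_ARN})")
```

Feed it the real CLI output by replacing the sample with `subprocess.run(["aws", "iam", "list-roles", "--output", "json"], ...).stdout` and set `prefix` to your own application and environment names.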
FIFO SNS/SQS
To have strict message ordering and message deduplication in your publish-subscribe architecture, you can now use SNS FIFO topics and SQS FIFO queues.
You can configure your manifest to have SNS FIFO Topics for your services.
You can specify `fifo: true` in your service manifest under `publish.topics` as shown below, and Copilot will create an SNS FIFO topic for you.

```yaml
publish:
  topics:
    - name: mytopic
      fifo: true
```
Alternatively, you can also specify the advanced SNS FIFO topic configuration as:

```yaml
publish:
  topics:
    - name: mytopic
      fifo:
        content_based_deduplication: true
```
For the full specification of FIFO topics, see the manifest specification.
SQS FIFO queues for worker services
You can specify `fifo: true` in your worker service manifest under `subscribe.queue` as shown below, and Copilot will create a FIFO SQS queue and the subscriptions for you. A topic-specific queue and the worker's default queue can each be made FIFO:

```yaml
subscribe:
  topics:
    - name: mytopic
      service: myservice
      queue:
        fifo: true # topic-specific SQS FIFO queue
  queue:
    fifo: true # Configure the default SQS queue to be FIFO.
```

Alternatively, you can also specify the advanced SQS FIFO queue configuration as:

```yaml
subscribe:
  topics:
    - name: mytopic
      service: myservice
      queue:
        fifo:
          content_based_deduplication: true
          deduplication_scope: messageGroup
          throughput_limit: perMessageGroupId
  queue:
    fifo:
      high_throughput: true
```
CloudFront TLS Termination
You can now configure your env manifest to have CloudFront terminate TLS for your Load Balanced Web Services (LBWS):
```yaml
cdn:
  terminate_tls: true
```
The configuration above uses CloudFront for TLS termination, which means that TLS ends at the CloudFront edge and the traffic on the path CF → ALB → ECS is plain HTTP only. This brings faster TLS termination and shorter page loads for viewers, since the CloudFront edges are usually geographically closer to them.
However, if your services have HTTPS enabled (you have either an app domain or imported certificates in the environment), you must turn off the ALB's HTTP-to-HTTPS redirect by updating your Load Balanced Web Service manifests; otherwise the now plain-HTTP requests arriving from CloudFront would be redirected.
```yaml
http:
  redirect_to_https: false
```
Then redeploy the services with `svc deploy` before running `env deploy` to enable CloudFront TLS termination.