AWS Copilot v1.22: Try out IAM Permissions Boundaries and more!
Posted On: Sep 27, 2022
The AWS Copilot core team is announcing the Copilot v1.22 release.
Special thanks to @jterry75, @gabrielcostasilva, @shingos, and @hkford who contributed to this release.
Our public community chat is growing and has over 300 people online, and the project has over 2.4k stars on GitHub.
Thanks to every one of you who shows love and support for AWS Copilot.
Copilot v1.22 brings several new features and improvements:
- IAM Role Permissions Boundary: See detailed section.
- FIFO SNS/SQS: See detailed section.
- CloudFront TLS Termination: You can now use CloudFront to perform faster TLS termination! See detailed section.
- TLS connection between the Application Load Balancer and Fargate tasks: Copilot now sets the target group's protocol and health check protocol to HTTPS if the target container's port is set to 443. See manifest sample.
What’s AWS Copilot?
The AWS Copilot CLI is a tool for developers to build, release, and operate production-ready containerized applications on AWS. From getting started, pushing to staging, and releasing to production, Copilot can help manage the entire lifecycle of your application development. At the foundation of Copilot is AWS CloudFormation, which enables you to provision infrastructure as code. Copilot provides pre-defined CloudFormation templates and user-friendly workflows for different types of microservice architectures, enabling you to focus on developing your application instead of writing deployment scripts.
See the section Overview for a more detailed introduction to AWS Copilot.
IAM Role Permissions Boundary
Whether you have an AWS Organizations Service Control Policy that requires an attached permissions boundary for IAM role creation, or simply want to add some guardrails to your application, Copilot can help. By using the --permissions-boundary flag with the copilot app init command, you can specify an existing IAM policy name. That policy will get attached to any and all IAM roles that Copilot creates (within that application) as a permissions boundary.
If you init your application with the name of a permissions boundary specified:

```
copilot app init --permissions-boundary examplePermissionsBoundaryPolicy
```

then every IAM role Copilot creates in that application carries the policy as its PermissionsBoundary, for example:

```yaml
ExampleIAMRole:
  Type: AWS::IAM::Role
  Properties:
    PermissionsBoundary: 'arn:aws:iam::123456789012:policy/examplePermissionsBoundaryPolicy'
```
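As an added check (this is not Copilot's own code), the Python snippet below lints a CloudFormation template and reports every AWS::IAM::Role that does not carry the boundary policy named at app init. It assumes the template has been converted to JSON (CloudFormation accepts both YAML and JSON) and handles the boundary given either as a literal ARN or as an Fn::Sub intrinsic; the embedded template is a constructed sample, not real Copilot output.

```python
import json

# Constructed sample template: one role with the boundary as an Fn::Sub
# intrinsic, one with a literal ARN, one role that lacks it, and a
# non-role resource that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "TaskRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"PermissionsBoundary": {"Fn::Sub":
        "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/examplePermissionsBoundaryPolicy"}}
    },
    "ExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"PermissionsBoundary":
        "arn:aws:iam::123456789012:policy/examplePermissionsBoundaryPolicy"}
    },
    "LogRetentionRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


def boundary_policy_name(value):
    """Return the policy name from a PermissionsBoundary value, or None.
    Accepts a literal ARN string or an Fn::Sub intrinsic (string form or
    [template, variables] list form) whose template ends in the name."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        value = value["Fn::Sub"]
        if isinstance(value, list):  # Fn::Sub with a variable map
            value = value[0]
    if not isinstance(value, str) or "/" not in value:
        return None
    return value.rsplit("/", 1)[-1]


def roles_missing_boundary(template, expected_policy_name):
    """Logical IDs of every AWS::IAM::Role whose PermissionsBoundary is
    absent or names a policy other than expected_policy_name."""
    bad = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        boundary = res.get("Properties", {}).get("PermissionsBoundary")
        if boundary_policy_name(boundary) != expected_policy_name:
            bad.append(logical_id)
    return sorted(bad)
```

Running this over the rendered template of each service before deploying turns the boundary requirement into a repeatable pre-deploy check rather than a manual console review.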
FIFO SNS/SQS
To have strict message ordering and message deduplication for your publish-subscribe architecture, you can now use SNS FIFO Topics and SQS FIFO Queues.
You can configure your manifest to have SNS FIFO Topics for your services. You can specify fifo: true in your service manifest under publish.topics as shown below, and Copilot will create an SNS FIFO topic for you.
```yaml
publish:
  topics:
    - name: mytopic
      fifo: true
```
Alternatively, you can also specify the advanced SNS FIFO Topic configuration as:
```yaml
publish:
  topics:
    - name: mytopic
      fifo:
        content_based_deduplication: true
```
For the full specification of FIFO topics, see the manifest specification.
SQS FIFO queues for worker services
You can specify fifo: true in your worker service manifest under subscribe.topics.queue or subscribe.queue as shown below, and Copilot will create a FIFO SQS queue and subscriptions for you.
```yaml
subscribe:
  topics:
    - name: mytopic
      service: myservice
      queue:
        fifo: true # topic-specific SQS FIFO queue
  queue:
    fifo: true # Configure the default SQS queue to be FIFO.
```
Alternatively, you can also specify the advanced SQS FIFO queue configuration as:

```yaml
subscribe:
  topics:
    - name: mytopic
      service: myservice
      queue:
        fifo:
          content_based_deduplication: true
          deduplication_scope: messageGroup
          throughput_limit: perMessageGroupId
  queue:
    fifo:
      high_throughput: true
```
CloudFront TLS Termination
You can now configure your env manifest to have CloudFront terminate TLS for your Load Balanced Web Services (LBWS):
```yaml
cdn:
  terminate_tls: true
```
The configuration above uses CloudFront for TLS termination, which means the traffic from CF → ALB → ECS will be HTTP only. This brings faster TLS termination and shorter page loading for viewers, since the CloudFront edges are usually geographically closer to them.
However, if your services have HTTPS enabled (you have either an app domain or imported certificates in the environment), you must turn off the ALB HTTP-to-HTTPS redirect by updating your Load Balanced Web Service manifests, since CloudFront now forwards plain HTTP to the ALB and the redirect would otherwise bounce that traffic back to HTTPS.
```yaml
http:
  redirect_to_https: false
```
Then redeploy the services with svc deploy before running env deploy to enable CloudFront TLS termination.
What’s next?
Download the new Copilot CLI version by following the link below and leave your feedback on GitHub or our Community Chat:
- Download the latest CLI version
- Try our Getting Started Guide
- Read full release notes on GitHub