🐛 Bug Fixes

• Correctly empty ECR repositories when deleting app regional resources. (#5617)
• Allow EFS volumes to have multiple mount points in a single service. (#5631)
• Fix incorrect indentation for runtime secrets in the request-driven service CloudFormation template. (#5635)
• Fix the copilot svc package command for a request-driven web service when image.build is used. (#5638)

❤️ Contributions

Thank you, contributors 🥰!

• @isleys (#5632)

⚡️ Features and Enhancements

• run local --use-task-role: Elevate your local testing experience with the ECS Task Role using the new --use-task-role flag (#5529)

  The copilot run local command now includes a --use-task-role flag. When activated, Copilot will fetch IAM permissions from your deployed service and seamlessly inject them into the containers created by run local. This ensures that your containers mirror the same permissions as they would in the cloud, facilitating more accurate testing.

  If you prefer not to utilize the TaskRole permissions or if Copilot encounters issues retrieving them, you can disable this feature by setting --use-task-role=false.

• run local depends_on support: Local run containers now respect depends_on in your service manifests (#5509)

  Enhancing the run local feature! Previously, copilot run local initiated the startup and removal of all containers without a specific order. With this improvement, container actions are aligned with your depends_on configuration in your service manifests.

• Allow variable escaping in manifest: Escape interpolated variables in your manifests with the latest update (#5516)

  Now, you have the flexibility to escape interpolated variables in your manifests. Use the following syntax to prevent Copilot from resolving ${name} using the local environment:

  command: echo hello \${name}
  variable:
    name: world

• run local --watch skips files specified by .dockerignore: --watch flag now respects .dockerignore and Copilot will not watch these files (#5565)

• Upgrade Lambda Node.js version to 20.x: as Node.js 16 has been End-of-Life since Sep. 2023 (#5583)

🐛 Bug Fixes

• Allow decryption of secrets with CMK (#5576): In v1.32.1, a security patch restricted kms:Decrypt to ECS Execution Role and AppRunner Instance Role. This affected users with managed KMS keys. Now, any KMS key with correct copilot-application and copilot-environment tags is allowed for seamless deployment.
• response_time should respect imported ALB (#5564)
• Check for ubuntu based distro to install SSM Plugin (#5571)
• run local --proxy should work when Service Connect is disabled (#5604)

❤️ Contributions

Thank you, contributors 🥰!

• @bencehornak (#5516, #5514)
• @craigjbass (#5513)
• @otty246 (#5510)

🐛 Bug Fixes

• Refer to correct TargetGroup name for imported ALB. (#5478)
• Add quotes to fix the invalid template for svc package for static site. (#5498)
• Avoid panicking by initializing required client for static site. (#5530)
• Fix KMS access denied errors when downloading the static env file. (#5514)
• Fix the permission error when the pipeline CodeBuild tries to get the public public hosted zone ID for the domain. (#5540)
• Account for TLS termination in exposed port validation. (#5549)
• Respect image.location URI for containers. (#5555)

⚡️ Features and Enhancements

• run local --proxy: Proxy outbound requests from your local containers to the environment VPC using --proxy! (#5412)

  We are enhancing the run local feature released in v1.30.0: the --proxy flag proxies outbound requests to your environment VPC. This feature gives you higher fidelity for your local testing using run local – the containers on your local machine can now talk to the other services in the VPC and talk to your RDS database through the cluster or instance endpoints.

• run local --watch: Listen to changes to your workspace and automatically restart the containers (#5413)

  Another enhancement to the run local feature! Test your services using run local while making changes to your code, and Copilot will automatically restart the local containers. You can test your service with the new changes without having to kill the original process and run run local again.
  The flag --watch is great by itself, but extremely useful if you use --proxy: it saves you quite a bit of the overhead time to set up the proxy.

• Import an application load balancer: Place an existing ALB in front of your service (#5438)

  Bring your own application load balancer if you don't like the default shared application load balancer of your environment! Just specify the name or the ARN of the application load balancer in the http.alb field, and Copilot will figure out whether it has an HTTP listener, an HTTPS listener, or both. Copilot will then create listener rules on the listeners it finds, and optionally upserts A records for your alias to the respective hosted zones if any are specified!

  http:
    alb: myALB # Or arn:aws:elasticloadbalancing:us-west-2:1234567890:loadbalancer/app/myALB/12345abcde
    path: '/'
    alias:
       - name: example.com
         hosted_zone: Z08230443CW11KE6JBNUA
    allowed_source_ips: ["192.0.2.0/24", "198.51.100.10/32", "67.170.82.49/32"]

• Support addons for Static Site (#5384): you can now use addons to add additional resources to your Static Site workload, the same way as you would for any other services!

• Support docker build args in task run --build-args (#5377)

  Pass additional build args to build the image using --build-args!

  $ copilot task run --build-args GO_VERSION=1.19
  

• Enforce KMS encryption on the pipeline artifact buckets (#5329): Any new applications will start using the KMS key managed by Copilot as the default encryption key – instead of the S3-managed key – for your pipeline artifact buckets. It also rejects any s3:PutObject actions that disable server-side encryption. This change should not affect any existing applications, and can be optionally applied to your existing application by running copilot app upgrade to meet compliance requirements.

• Enforce HTTPS on the pipeline artifact buckets (#5393): Reject any access to pipeline artifact buckets that are not secure. Any new applications will come with this configuration. For existing applications, run copilot app upgrade to get the extra protection.

🐛 Bug Fixes

• Remove sts:AssumeRole permission for the ECS task roles or the App Runner instance roles (#5423): Previously, there was a bug where the ECS tasks roles were given permission to assume roles that are tagged with the application name and the environment name. We are removing this permission for better security posture. We recommend that you redeploy your Load-Balanced Web Services, Backend Services, Worker Services, Request-Driven Web Service, and Scheduled Job to apply this fix.

❤️ Contributions

Thank you, contributors 🥰!

• @briercliffe (#5377)
• @FlorianSW (#5329)

⚡️ Features and Enhancements

• NLB enhancements: You can now add security groups to Copilot-managed NLBs. NLBs also support the UDP protocol. (#5284)

  Previously, the nlb field in a Load-Balanced Web Service supported only tcp or tls traffic. Now, you can listen to udp traffic as well!

  nlb:
    port: 8080/udp
    healthcheck:
            port: 80 # This needs to be a tcp port
    additional_listeners:
      - port: 8081/udp
         healthcheck:
            port: 80 # This needs to be a tcp port
  

  Note that you will need to specify a health check port on your container that accepts TCP traffic, as health check using udp protocol isn't supported today.

• Better task failure logs: Copilot will show more descriptive information during deployments when tasks fail, allowing for better troubleshooting. (#5249)

  copilot [noun] deploy will now display the ECS task stopped reasons within your CloudFormation deployment progress tracker:

    - An ECS service to run and maintain your tasks in the environment cluster
      Deployments                                                                                                              
                 Revision  Rollout        Desired  Running  Failed  Pending                                                            
        PRIMARY  11        [in progress]  1        0        1       0                                                                  
        ACTIVE   8         [completed]    1        1        0       0                                                                  
      Latest 2 stopped tasks                                                                                                   
        TaskId    CurrentStatus   DesiredStatus                                                                                        
        6b1d6e32  DEPROVISIONING  STOPPED                                                                                              
        9802d212  STOPPED         STOPPED                                                                                              
  
      ✘ Latest 2 tasks stopped reason                                                                                 
        - [6b1d6e32,9802d212]: Essential container in task exited                                                                      
  
      Troubleshoot task stopped reason                                                                                         
        1. You can run `copilot svc logs --previous` to see the logs of the last stopped task.                                
        2. You can visit this article: https://repost.aws/knowledge-center/ecs-task-stopped.          
  

• copilot deploy enhancements: You can now deploy multiple workloads at once, or deploy all local workloads, with --all. (#5324)

  copilot deploy now supports deploying multiple workloads with one command, with optional ordering. You can specify multiple workloads with the --name flag, use the new --all flag in conjunction with --init-wkld to initialize and deploy all local workloads, and you can now provide a "deployment order" tag when specifying service names.

  $ copilot deploy --all -n fe/1 -n worker/2 # Deploy "fe" first, and then "worker".
  

• Import an ACM certificate for your Static Site: You can now bring your own ACM certificate for your Static Site service. (#5285 )

  To import an ACM certificate for your static site, simply specify the below fields in your static site manifest:

  http:
    alias: example.com
    certificate: "arn:aws:acm:us-east-1:1234567890:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"
  

• copilot [env/svc] init improvements: these init commands no longer complain if you are initiating an existing service/job/environment already managed by the same workspace. In addition, copilot env init will no longer ask you to select an AWS profile if you have not configured one. (#5242 and #5202)

• Enable versioning on S3 buckets: Copilot now enables versioning on all of the S3 buckets created by Copilot. (#5289)

🐛 Bug Fixes

• Panic when running copilot svc status against a service that is already stopped. (#5336)

❤️ Contributions

Thank you, contributors 🥰!

• @tjhorner (#4980)
• @build-with-aws-copilot (#5063)

🐛 Bug Fixes

• Remove the confirmation prompt for environment deployment in copilot deploy. (#5262)
• Make the confirmation prompt in copilot app delete default to false to avoid accidental app deletion (#5267)

⚡️ Features and Enhancements

• copilot run local to run your services locally (#5049, #5201, #5182)

  You can use copilot run local to test Copilot services on your local machine! To get started, deploy your service
  with copilot svc deploy. Once your service is deployed, you can test changes to your code without waiting for a deployment by running copilot run local. Copilot will build or pull your service's images, inject secrets and environment variables defined in your manifest, grab your current IAM session credentials, and run Docker containers on your machine with that data.
  See the blogpost for more info.

• Pipeline Pre- and Post-Deployment Actions (#5209, #5109)

  In pipelines, you can now use pre_deployments and post_deployments to define actions for your pipeline to run before or after your services or environments are deployed. This is helpful for running database migrations from within your pipeline!

• Use Ctrl-C to roll back in-progress deployments (#5213)

  While waiting for copilot [noun] deploy to finish, if you hit Ctrl-C, Copilot will roll back the current CloudFormation deployment. This is especially helpful if your Service is failing and you're stuck waiting for a CloudFormation deployment to fail!

• copilot deploy to init-alize and deploy services and environments (#5168, #5215)

  You can now use copilot deploy to deploy environments and initialize services and environments with local manifests. The guided workflow now includes uninitialized local workloads and environments. Getting started with Copilot is now as easy as git clone . && copilot deploy!

• Update exit code of copilot [noun] deploy to 0 if there are no changes (#5179)
• Support from_cfn for importing an EFS ID (#5156)
• Set default Static Site alias if app has an imported domain (#5191)
• Fall back to default credentials if no AWS config is present on copilot env init (#5202)

🐛 Bug Fixes

• Skip interpolating arrays of strings for nodes with a literal style (#5157)
• Better output when building a single image (#5148)
• Fix initializing jobs with copilot deploy (#5183)
• Empty Copilot-created S3 bucket for ALB Access Logs on copilot env delete (#5184)
• Fix searching for a cluster with the same name as a recently deleted cluster (#5204)
• Skip http validation if it's disabled (#5198)
• Block deleting an environment if it's currently used in a pipeline (#5246)

🐛 Bug Fixes

• Filter out non-active ECS services (#5152)

  The GetResources API for ECS recently changed to return non-active ECS services, causing an error when running Copilot commands after recently recreating a service. Copilot now validates that the service ARNs returned by GetResources are active.

• Prevent app upgrade followed by downgrade from removing ECR Repos (#5141)

  Copilot apps upgraded to v1.28 or v1.29 and subsequently downgraded to versions prior were running into an issue where ECR repos were getting removed from the app stack. After this fix, upgrading your app with v1.29.1+ and then downgrading will cause the older Copilot version to print out an error instead of removing any ECR repos.

• Explicitly block S3 public access (#5141)

  Though objects uploaded to Copilot-created S3 buckets have never been public, Copilot-created S3 buckets now explicitly block public access at the bucket level.

• Fix copilot init when app name is not set via flags (#5126)

• Validate sidecar image configuration (#5122)

⚡️ Features and Enhancements

• Pipeline CloudFormation template overrides (#5034)

  Copilot pipelines are much more nimble and extensible with CDK and YAML path overrides with copilot pipeline override! This feature provides a safe and easy way to modify your pipeline's CloudFormation template.
  A new --diff flag for copilot pipeline deploy enables you to preview changes to your CloudFormation template. (#4991)
  See the blogpost for more.

• Static Site enhancements

  • For more dynamic development, Copilot will now invalidate the CloudFront edge cache each time you redeploy a Static Site workload, enabling you to see and deliver your updated content right away. (#5035)
  • copilot svc show for Static Site workloads includes a tree representation of your S3 bucket's contents. (#4966)

  View sample output

  Service name: static-site
  About
  
    Application  my-app
    Name         static-site
    Type         Static Site
  
  Routes
  
    Environment  URL
    -----------  ---
    test         https://d399t9j1xbplme.cloudfront.net/
  
  S3 Bucket Objects
  
    Environment  test
  .
  ├── ReadMe.md
  ├── error.html
  ├── index.html
  ├── Images
  │   ├── SomeImage.PNG
  │   └── AnotherImage.PNG
  ├── css
  │   ├── Style.css
  │   ├── all.min.css
  │   └── bootstrap.min.css
  └── images
      └── bg-masthead.jpg

  • copilot svc status for Static Site workloads includes the S3 bucket's object count and total size. (#4985)

• Prevent clashes between Copilot versions by disallowing downgrading (unless explicitly enabled with the new --allow-downgrade flag for init, deploy, and package commands) (#5064)
• Support Yarn for CDK overrides (#5076)
• Enable interpolation of lists of strings in Copilot manifests (#4993)
• Allow passing an existing permissions boundary's ARN when running copilot app init (as an alternative to the permissions boundary name (#4981)
• Recommend splitting domains/conditions into different listener rules if the quota (five per rule) is detected. (#4961)

🐛 Bug Fixes


• copilot svc package now applies overrides for Static Site workload types (#4952)
• prevent exceeding CloudWatch Logs Resource Policy size when running copilot job logs by adding policies to each environment (#4979)
• Static Site CloudFormation manifests quote aliases so asterisks render properly in CloudFormation templates (#5003)
• Distinguish between active and non-active ECS clusters to avoid clashes (#5062)

❤️ Contributions

Thank you, contributors 🥰!

• @tjhorner (#4980)
• @build-with-aws-copilot (#5063)

⚡️ Features and Enhancements

• Static Site service type (#4621)

With the new Static Site service type, you can now deploy and host static websites with Amazon S3. You can specify local files to be uploaded to an S3 bucket with the Static Site service manifest.

name: example
type: Static Site
http:
  alias: 'example.com'
files:
  - source: src/someDirectory
    recursive: true
  - source: someFile.html

To learn more on how to deploy your static website using the Static Site service, see the manifest specification.
For the announcement, check out the blog post.

• Add --diff-yes flag to copilot [noun] deploy(#4832)

Copilot [noun] deploy now has the new flag --diff-yes; you can specify the flag to automatically print the difference between your local changes and the latest deployed template.

• Container Images Parallel Build (#4760)

Previously, Copilot built and pushed main container and sidecar container images sequentially.
You can now build main container and sidecar container images in parallel. With parallel build, you can reduce the
overall time it takes to build and push container images to Amazon ECR.

🐛 Bug Fixes


• Use LogicalID-safe name for sidecars env file parameter from the CloudFormation template (#4714)
• Remove CloudWatch alarm-based rollbacks from ECS services in the GovCloud region (#4782)
• Remove Docker runtime version from the buildspec in the pipeline CloudFormation template (#4723)
• Keep parameter descriptions consistent across environment addons in the CloudFormation template (#4813)
• Add Darwin ARM binary for Session Manager plugin installation (#4916)
• Do not require a workspace summary when running copilot app delete (#4863)
• Update custom domain records in parallel to fix the CustomDomainFunction lambda timeout (#4772).
• Fix file not found error for CDK override ON Windows (#4807)
• Use a more portable CDK executable for CDK overrides (#4808)
• Separate out grace_period for ALB and NLB (#4734)
• Separate out deregistration_delay for ALB and NLB (#4740)

❤️ Contributions

Thank you, contributors 🥰!

• @interu (#4816, #4741)
• @0xO0O0 (#4723)
• @andreas-bergstrom (#4873)