[Design] Copilot CloudFront Integration

[CaptainCarpensir]

This issue is a design proposal to add CloudFront integration into Copilot.

CloudFront is a content delivery network which allows users to deploy their applications globally, and securely. Introducing Copilot support for this eases development, and gives users more use cases for Copilot.

Problem Statement

Currently, Copilot has no internal integration with global content delivery. In order to setup these features, users have to work with AWS APIs or Consoles outside of Copilot. To continue the cycle of build, release, and operate, we want to deliver CloudFront support with Copilot for users who wish to introduce CloudFront into their applications without requiring them to spend time on creating the CloudFront infrastructure manually.

Proposal

Adding cdn: field to environment manifests being introduced in #3522.

Users will configure CloudFront through a field in the environment manifest. All cases and customization will be handled in this field. Copilot will handle all the infrastructure work of setting up a CloudFront deployment for the user. The user will then be able to configure how the CloudFront distribution interacts with the rest of their application via subfields of the cdn.

Initially we plan to create a default CloudFront distribution by specifying cdn.

cdn: true

Then, for further customization, fields which cover http and https support, as well as tls_termination and http/https redirect.

cdn
  http:
    path: "api" # This is part of the subdomain of the CloudFront/Route 53 domain name
    redirect: true

cdn:
  tls_termination: true

Then we also plan to support additional static S3 bucket origins.

cdn:
  static:
    # Must be a bucket regional domain name
    path: "static" # Default is *
    location: cf-s3-ecs-demo-bucket.s3.us-west-2.amazonaws.com

Milestones

• First, CloudFront will be generated as a distribution in front the Application Load Balancers generated by a deployed LBWS.
• Second, we will allow users to hook previously created S3 buckets onto the CloudFront distribution.
• Lastly, we will allow the user to specify using TLS termination at CloudFront.

These features cover the initial design of CloudFront integration with Copilot, which has been requested before in #1313

---

We hope this feature will benefit you, and we're happy to receive any feedback you have!

[afgallo]

Hi @CaptainCarpensir I'd love to see this feature added to Copilot. We currently achieve a similar outcome by creating the CF distribution via an add-on. If I may suggest something else, the ability to lock down the ALB to accept connections from CF only would be amazing too. More info here: #3699

[CaptainCarpensir]

Hello @afgallo! Yes, we do plan to set the ALB security group to only allow ingress from the CloudFront distribution created by Copilot. This is one of the requirements we've set to meet for the project. I'll list them in their entirety so people can see the full detail of what we plan here:

Requirements:

1. Users should be able to use Copilot to integrate CF with LBWS
2. Set proper origin and routing behavior for CF distribution
3. Users should be able to specify an S3 origin for fast content delivery
4. CF distribution requires one and only default behavior (similar to a default target group for an LB listener)
5. TLS termination
6. HTTPS support
7. Users should be able to specify custom domains
8. Users should be able to use existing certificates for the CF distribution
9. Copilot should display the correct URL when CF is enabled
10. Users should be able to enable AWS Shield for extra security
11. ALB shouldn’t be accessible publicly when CF is enabled
12. CF caching should conform to the ALB guideline’s requirements