copilot-cli: Release v1.34.1

Upgrades the tool to Go 1.23 to address CVE-2024-24790.

copilot-cli: Release v1.34.0

⚡️ Features and Enhancements

• Import internal ALBs for Backend Services (#5490)

You can now import your existing internal application load balancer (ALB) for a Backend Service if you don't want to use the environment-shared internal ALB that Copilot creates for your Backend Services with http enabled. Just specify the name or ARN of the ALB in the http.alb field,and Copilot will figure out if it has an HTTP listener, an HTTPS listener, or both. Copilot will then create the appropriate listener rules and target group to send traffic to your Backend Service!

❤️ Contributions

Thank you, contributors 🥰!

• @trivikr (#5822, #5828, #5829)
• @mathmul (#5831)
• @ikorecky (#5825)

copilot-cli: Release v1.33.4

🐛 Bug Fixes

• fix: uri root path checking (#5778)
• fix: default aurora-mysql engine version (#5813)

❤️ Contributions

Thank you, contributors 🥰!

• @Folyd (#5778)
• @ruzickap (#5813)

copilot-cli: Release v1.33.3

⬆️ Updates

• chore: update CDK version for CVE compliance (#5777)

🐛 Bug Fixes

• fix: allow EnvManagerRole to access the S3 bucket that holds tasks' env files (#5760)
• fix: add ListStacks permission to EnvManagerRole (#5761)

copilot-cli: Release v1.33.2

🐛 Bug Fixes

• fix: scheduled jobs' custom subnets should be rendered as strings (#5703)
• fix: enable copilot job package --diff and prevent output of full template (#5685)
• fix: check if docker is running for Windows (#5660)

copilot-cli: Release v1.33.1

🐛 Bug Fixes

• Correctly empty ECR repositories when deleting app regional resources. (#5617)
• Allow EFS volumes to have multiple mount points in a single service. (#5631)
• Fix incorrect indentation for runtime secrets in the request-driven service CloudFormation template. (#5635)
• Fix the copilot svc package command for a request-driven web service when image.build is used. (#5638)

❤️ Contributions

Thank you, contributors 🥰!

• @isleys (#5632)

copilot-cli: Release v1.33.0

⚡️ Features and Enhancements

• run local --use-task-role: Elevate your local testing experience with the ECS Task Role using the new --use-task-role flag (#5529)

  The copilot run local command now includes a --use-task-role flag. When activated, Copilot will fetch IAM permissions from your deployed service and seamlessly inject them into the containers created by run local. This ensures that your containers mirror the same permissions as they would in the cloud, facilitating more accurate testing.

  If you prefer not to utilize the TaskRole permissions or if Copilot encounters issues retrieving them, you can disable this feature by setting --use-task-role=false.

• run local depends_on support: Local run containers now respect depends_on in your service manifests (#5509)

  Enhancing the run local feature! Previously, copilot run local initiated the startup and removal of all containers without a specific order. With this improvement, container actions are aligned with your depends_on configuration in your service manifests.

• Allow variable escaping in manifest: Escape interpolated variables in your manifests with the latest update (#5516)

  Now, you have the flexibility to escape interpolated variables in your manifests. Use the following syntax to prevent Copilot from resolving ${name} using the local environment:

  command: echo hello \${name}
  variable:
    name: world

• run local --watch skips files specified by .dockerignore: --watch flag now respects .dockerignore and Copilot will not watch these files (#5565)

• Upgrade Lambda Node.js version to 20.x: as Node.js 16 has been End-of-Life since Sep. 2023 (#5583)

🐛 Bug Fixes

• Allow decryption of secrets with CMK (#5576): In v1.32.1, a security patch restricted kms:Decrypt to ECS Execution Role and AppRunner Instance Role. This affected users with managed KMS keys. Now, any KMS key with correct copilot-application and copilot-environment tags is allowed for seamless deployment.
• response_time should respect imported ALB (#5564)
• Check for ubuntu based distro to install SSM Plugin (#5571)
• run local --proxy should work when Service Connect is disabled (#5604)

❤️ Contributions

Thank you, contributors 🥰!

• @bencehornak (#5516, #5514)
• @craigjbass (#5513)
• @otty246 (#5510)

copilot-cli: Release v1.32.1

🐛 Bug Fixes

• Refer to correct TargetGroup name for imported ALB. (#5478)
• Add quotes to fix the invalid template for svc package for static site. (#5498)
• Avoid panicking by initializing required client for static site. (#5530)
• Fix KMS access denied errors when downloading the static env file. (#5514)
• Fix the permission error when the pipeline CodeBuild tries to get the public public hosted zone ID for the domain. (#5540)
• Account for TLS termination in exposed port validation. (#5549)
• Respect image.location URI for containers. (#5555)

copilot-cli: Release v1.32.0

⚡️ Features and Enhancements

• run local --proxy: Proxy outbound requests from your local containers to the environment VPC using --proxy! (#5412)

  We are enhancing the run local feature released in v1.30.0: the --proxy flag proxies outbound requests to your environment VPC. This feature gives you higher fidelity for your local testing using run local – the containers on your local machine can now talk to the other services in the VPC and talk to your RDS database through the cluster or instance endpoints.

• run local --watch: Listen to changes to your workspace and automatically restart the containers (#5413)

  Another enhancement to the run local feature! Test your services using run local while making changes to your code, and Copilot will automatically restart the local containers. You can test your service with the new changes without having to kill the original process and run run local again.
  The flag --watch is great by itself, but extremely useful if you use --proxy: it saves you quite a bit of the overhead time to set up the proxy.

• Import an application load balancer: Place an existing ALB in front of your service (#5438)

  Bring your own application load balancer if you don't like the default shared application load balancer of your environment! Just specify the name or the ARN of the application load balancer in the http.alb field, and Copilot will figure out whether it has an HTTP listener, an HTTPS listener, or both. Copilot will then create listener rules on the listeners it finds, and optionally upserts A records for your alias to the respective hosted zones if any are specified!

  http:
    alb: myALB # Or arn:aws:elasticloadbalancing:us-west-2:1234567890:loadbalancer/app/myALB/12345abcde
    path: '/'
    alias:
       - name: example.com
         hosted_zone: Z08230443CW11KE6JBNUA
    allowed_source_ips: ["192.0.2.0/24", "198.51.100.10/32", "67.170.82.49/32"]

• Support addons for Static Site (#5384): you can now use addons to add additional resources to your Static Site workload, the same way as you would for any other services!

• Support docker build args in task run --build-args (#5377)

  Pass additional build args to build the image using --build-args!

  $ copilot task run --build-args GO_VERSION=1.19
  

• Enforce KMS encryption on the pipeline artifact buckets (#5329): Any new applications will start using the KMS key managed by Copilot as the default encryption key – instead of the S3-managed key – for your pipeline artifact buckets. It also rejects any s3:PutObject actions that disable server-side encryption. This change should not affect any existing applications, and can be optionally applied to your existing application by running copilot app upgrade to meet compliance requirements.

• Enforce HTTPS on the pipeline artifact buckets (#5393): Reject any access to pipeline artifact buckets that are not secure. Any new applications will come with this configuration. For existing applications, run copilot app upgrade to get the extra protection.

🐛 Bug Fixes

• Remove sts:AssumeRole permission for the ECS task roles or the App Runner instance roles (#5423): Previously, there was a bug where the ECS tasks roles were given permission to assume roles that are tagged with the application name and the environment name. We are removing this permission for better security posture. We recommend that you redeploy your Load-Balanced Web Services, Backend Services, Worker Services, Request-Driven Web Service, and Scheduled Job to apply this fix.

❤️ Contributions

Thank you, contributors 🥰!

• @briercliffe (#5377)
• @FlorianSW (#5329)

copilot-cli: Release v1.31.0

⚡️ Features and Enhancements

• NLB enhancements: You can now add security groups to Copilot-managed NLBs. NLBs also support the UDP protocol. (#5284)

  Previously, the nlb field in a Load-Balanced Web Service supported only tcp or tls traffic. Now, you can listen to udp traffic as well!

  nlb:
    port: 8080/udp
    healthcheck:
            port: 80 # This needs to be a tcp port
    additional_listeners:
      - port: 8081/udp
         healthcheck:
            port: 80 # This needs to be a tcp port
  

  Note that you will need to specify a health check port on your container that accepts TCP traffic, as health check using udp protocol isn't supported today.

• Better task failure logs: Copilot will show more descriptive information during deployments when tasks fail, allowing for better troubleshooting. (#5249)

  copilot [noun] deploy will now display the ECS task stopped reasons within your CloudFormation deployment progress tracker:

    - An ECS service to run and maintain your tasks in the environment cluster
      Deployments                                                                                                              
                 Revision  Rollout        Desired  Running  Failed  Pending                                                            
        PRIMARY  11        [in progress]  1        0        1       0                                                                  
        ACTIVE   8         [completed]    1        1        0       0                                                                  
      Latest 2 stopped tasks                                                                                                   
        TaskId    CurrentStatus   DesiredStatus                                                                                        
        6b1d6e32  DEPROVISIONING  STOPPED                                                                                              
        9802d212  STOPPED         STOPPED                                                                                              
  
      ✘ Latest 2 tasks stopped reason                                                                                 
        - [6b1d6e32,9802d212]: Essential container in task exited                                                                      
  
      Troubleshoot task stopped reason                                                                                         
        1. You can run `copilot svc logs --previous` to see the logs of the last stopped task.                                
        2. You can visit this article: https://repost.aws/knowledge-center/ecs-task-stopped.          
  

• copilot deploy enhancements: You can now deploy multiple workloads at once, or deploy all local workloads, with --all. (#5324)

  copilot deploy now supports deploying multiple workloads with one command, with optional ordering. You can specify multiple workloads with the --name flag, use the new --all flag in conjunction with --init-wkld to initialize and deploy all local workloads, and you can now provide a "deployment order" tag when specifying service names.

  $ copilot deploy --all -n fe/1 -n worker/2 # Deploy "fe" first, and then "worker".
  

• Import an ACM certificate for your Static Site: You can now bring your own ACM certificate for your Static Site service. (#5285 )

  To import an ACM certificate for your static site, simply specify the below fields in your static site manifest:

  http:
    alias: example.com
    certificate: "arn:aws:acm:us-east-1:1234567890:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"
  

• copilot [env/svc] init improvements: these init commands no longer complain if you are initiating an existing service/job/environment already managed by the same workspace. In addition, copilot env init will no longer ask you to select an AWS profile if you have not configured one. (#5242 and #5202)

• Enable versioning on S3 buckets: Copilot now enables versioning on all of the S3 buckets created by Copilot. (#5289)

🐛 Bug Fixes

• Panic when running copilot svc status against a service that is already stopped. (#5336)

❤️ Contributions

Thank you, contributors 🥰!

• @tjhorner (#4980)
• @build-with-aws-copilot (#5063)