⚡️ Features and Enhancements
-
run local --proxy: Proxy outbound requests from your local containers to the environment VPC using--proxy! (#5412)We are enhancing the
run localfeature released in v1.30.0: the--proxyflag proxies outbound requests to your environment VPC. This feature gives you higher fidelity for your local testing usingrun local– the containers on your local machine can now talk to the other services in the VPC and talk to your RDS database through the cluster or instance endpoints. -
run local --watch: Listen to changes to your workspace and automatically restart the containers (#5413)Another enhancement to the
run localfeature! Test your services usingrun localwhile making changes to your code, and Copilot will automatically restart the local containers. You can test your service with the new changes without having to kill the original process and runrun localagain.
The flag--watchis great by itself, but extremely useful if you use--proxy: it saves you quite a bit of the overhead time to set up the proxy. -
Import an application load balancer: Place an existing ALB in front of your service (#5438)
Bring your own application load balancer if you don't like the default shared application load balancer of your environment! Just specify the name or the ARN of the application load balancer in the
http.albfield, and Copilot will figure out whether it has an HTTP listener, an HTTPS listener, or both. Copilot will then create listener rules on the listeners it finds, and optionally upserts A records for your alias to the respective hosted zones if any are specified!http: alb: myALB # Or arn:aws:elasticloadbalancing:us-west-2:1234567890:loadbalancer/app/myALB/12345abcde path: '/' alias: - name: example.com hosted_zone: Z08230443CW11KE6JBNUA allowed_source_ips: ["192.0.2.0/24", "198.51.100.10/32", "67.170.82.49/32"]
-
Support addons for Static Site (#5384): you can now use addons to add additional resources to your Static Site workload, the same way as you would for any other services!
-
Support docker build args in
task run --build-args(#5377)Pass additional build args to build the image using
--build-args!$ copilot task run --build-args GO_VERSION=1.19 -
Enforce KMS encryption on the pipeline artifact buckets (#5329): Any new applications will start using the KMS key managed by Copilot as the default encryption key – instead of the S3-managed key – for your pipeline artifact buckets. It also rejects any
s3:PutObjectactions that disable server-side encryption. This change should not affect any existing applications, and can be optionally applied to your existing application by runningcopilot app upgradeto meet compliance requirements. -
Enforce HTTPS on the pipeline artifact buckets (#5393): Reject any access to pipeline artifact buckets that are not secure. Any new applications will come with this configuration. For existing applications, run
copilot app upgradeto get the extra protection.
🐛 Bug Fixes
- Remove
sts:AssumeRolepermission for the ECS task roles or the App Runner instance roles (#5423): Previously, there was a bug where the ECS tasks roles were given permission to assume roles that are tagged with the application name and the environment name. We are removing this permission for better security posture. We recommend that you redeploy your Load-Balanced Web Services, Backend Services, Worker Services, Request-Driven Web Service, and Scheduled Job to apply this fix.
❤️ Contributions
Thank you, contributors 🥰!