copilot-cli
Suggestion: Add ability to override settings of CloudFormation resources
While the auto-generated CloudFormation templates work well to get started, there are many scenarios where we want to override settings of the resources.
At the moment, the only override supported is for Task Definition.
Would be great if a similar method to that of Serverless Framework can be implemented for all resources:
You can override the specific CloudFormation resource to apply your own options (place all such extensions at resources.extensions section). For example, if you want to set AWS::Logs::LogGroup retention time to 30 days, override it with above table's Name Template.
```yaml
functions:
  write-post:
    handler: handler.writePost
    events:
      - http:
          method: post
          path: ${self:service}/api/posts/new
          cors: true

resources:
  extensions:
    WriteDashPostLogGroup:
      Properties:
        RetentionInDays: '30'
```
https://www.serverless.com/framework/docs/providers/aws/guide/resources#override-aws-cloudformation-resource
Hi @qtangs! Your request makes sense to me. We wanted to limit the scope of CFN template override, partly because it is easily an unprotected operation that could make it difficult for Copilot to keep the modified resource maintained. May I ask what resources you are looking to modify?
For now, we have these 2 restrictions in our organization that copilot cannot satisfy:
- IAM roles can only be created with a Permissions Boundary. So we need the ability to attach Permissions Boundary policies to all IAM roles created by copilot.
- NAT Gateways cannot be created via IaC; they require approval and manual action by admins. Thus we need to exclude the NAT Gateway from copilot's CFN templates while keeping the attachments and routing rules.
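The first restriction above is normally enforced with a Deny on the deploying principal that refuses any `iam:CreateRole` call not naming the organization's boundary policy, which is exactly why an auto-generated template whose roles carry no `PermissionsBoundary` fails to deploy in such an account. The CloudFormation snippet below is an added illustration written for this page; it is not Copilot's generated template and not something posted in this thread. The policy name, account ID, boundary ARN and the task-role shape are hypothetical.

```yaml
# Added example (not Copilot's own template): an org-style "every role needs a
# permissions boundary" guardrail, plus a role created the way that rule demands.
# All names and ARNs are hypothetical placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Permissions-boundary enforcement and a compliant task role (added example)

Parameters:
  BoundaryArn:
    Type: String
    Default: arn:aws:iam::123456789012:policy/OrgPermissionsBoundary   # hypothetical
    Description: Managed policy that caps the permissions of every role in the account

Resources:
  # Attached to the identity that runs deployments (e.g. a CI role).
  # Any CreateRole / PutRolePermissionsBoundary call that does not name the boundary
  # is refused: the iam:PermissionsBoundary key is absent for a boundary-less request,
  # and StringNotEquals evaluates to true when its key is missing.
  RequireBoundaryPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: RequirePermissionsBoundary   # hypothetical
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyRoleCreationWithoutBoundary
            Effect: Deny
            Action:
              - iam:CreateRole
              - iam:PutRolePermissionsBoundary
            Resource: "*"
            Condition:
              StringNotEquals:
                iam:PermissionsBoundary: !Ref BoundaryArn
          - Sid: DenyDetachingTheBoundaryFromAnyRole
            Effect: Deny
            Action: iam:DeleteRolePermissionsBoundary
            Resource: "*"
          - Sid: DenyEditingOrDeletingTheBoundaryPolicy
            Effect: Deny
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Resource: !Ref BoundaryArn

  # A role shaped like an ECS task role, created the way the guardrail requires.
  # The boundary caps whatever the inline policy grants; a role created without the
  # PermissionsBoundary property would be rejected by the Deny above.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      PermissionsBoundary: !Ref BoundaryArn
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOwnLogs   # hypothetical
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: logs:DescribeLogStreams
                Resource: "*"
```

The two Deny statements that protect the boundary itself matter as much as the one on `iam:CreateRole`: without them a role that can edit or detach the boundary policy can widen its own effective permissions, and the guardrail becomes decorative.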
Gotcha. Thanks for your response!
> IAM roles can only be created with a Permissions Boundary. So we need the ability to attach Permissions Boundary policies to all IAM roles created by copilot.
This could be a feature request for us - it'd be cool if Copilot could support creating IAM roles with Permission Boundary. I've created a feature request at #2986. Would you mind giving it a thumbs up to help us prioritize the task? Also, feel free to leave your comments there if you have anything to add!
> NAT Gateways cannot be created via IaC; they require approval and manual action by admins. Thus we need to exclude the NAT Gateway from copilot's CFN templates while keeping the attachments and routing rules.
I wonder if you could achieve this by importing your own VPC during environment creation?
Thanks @Lou1415926. Have added the thumbs up.
> I wonder if you could achieve this by importing your own VPC during environment creation?
This works, I just tested it. So when using an existing VPC, Copilot doesn't add a NAT gateway even though `network.vpc.placement` is set to `private`. Thanks for the suggestion.
Would the original request still be taken for consideration? I can foresee other instances where ability to override would come in handy. Not everyone needs it, but good for more advanced use cases.
Yes, it will be taken into consideration. We limited the scope of override to task definition, while waiting to gather more information on how people would like to extend the functionality - your request is exactly something we'd like to hear 😄
One of the two requested features (permissions boundaries) is now released in v1.22 🚀 !
Blog post: https://aws.github.io/copilot-cli/blogs/release-v122/
Release notes: https://github.com/aws/copilot-cli/releases/tag/v1.22.0