copilot-cli
Support for environment-specific app domains
description
We're trying to set up a multi-account, multi-domain deployment where we have a single (global) Application account and then each Copilot Environment (e.g. dev, test, staging, production) is deployed into a separate AWS account with a custom domain registered in that account.
To produce the following environment --> domain map:
dev --> service1.myapp.dev
test --> service1.myapp.net
staging --> service1.myapp.io
production --> service1.myapp.com
Our reasoning behind using a separate domain per environment is for security - to hedge against subdomain takeover attacks and to take advantage of the site isolation protections that are becoming more prevalent in modern browsers.
current behavior
Trying to do a copilot svc deploy with ENV.http.alias set to a custom domain without that domain registered in the application causes the following error and aborts deployment.
✘ To use `http.alias`, your application must be associated with a domain: `copilot app init --domain example.com`.
✘ deploy service <service-name> to environment staging: alias specified when application is not associated with a domain
desired behavior
Ideally what I'd like to do is register all the possible custom domains using copilot app init myapp --domain myapp.dev,myapp.net,myapp.io,myapp.com and then specify the domain for each environment by setting ENV.http.alias in the Copilot Service manifest, or have the ability to toggle off the check for the application/custom domain during copilot svc deploy.
references
- https://canitakeyoursubdomain.name/
- https://www.chromium.org/developers/design-documents/site-isolation/
- https://blog.mozilla.org/security/2021/05/18/introducing-site-isolation-in-firefox/
+1 domain should be by environment not app
@programmablemike: This feature is now possible in v1.18.0: https://github.com/aws/copilot-cli/releases/tag/v1.18.0 🎉 by importing an existing certificate.
We'll keep the issue open to be able to take a domain as environment inputs with #3522
Hi all, I'm really tired of trying to find a way to implement a separate PRD domain from the DEV domain, especially with add-ons; it's totally useless when trying to use some Outputs like HostedZone or Subdomain from the Parent Stack (they're not available in the ENV stack with imported certs).
I believe, if Copilot could support multi-domain, or multi-app in the same repo should be better.
Thank you!
Responding on Gitter. For folks that are interested, feel free to navigate there.
+1 to reopen this. Love copilot, but an option to use at least one domain per environment would really help.
PS: The gitter link above is not working for me.
@fruwe Gitter redid how they locate a message so all of the old links don't work anymore it seems :( But I believe this was the thread that I wanted to share. The question that I posted there was meant to understand the other user's specific use case better, so it probably does not apply to you. But if you have any input on that, I'd appreciate it as well!
Thanks for the quick reply. I am trying to migrate to copilot, first staging, later production.
The two envs are using two distinct domains.
http.alias would have been quite convenient. There was even documentation mentioning multiple aliases and one of them was a completely different TLD.
Anyway, it would be great to be able to specify the domain, but in the meantime I will do it manually〜
Am I understanding correctly that this requires running copilot env init --import-cert-arns arn:aws:acm:us-east-1... which means you have to create a fresh env?
@rmarops nope! You can specify your cert ARN in the environment manifest under http.public.certificates (or http.private.certificates, or cdn.certificates, depending on which ALB / CDN you want to secure).
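As an added illustration of the per-environment setup discussed in this thread (not a manifest from the Copilot project or from any commenter), the two manifests below pair an imported certificate in each environment with an environment-specific alias in the service. The account ID, certificate IDs and the staging/production domains are constructed placeholders; the domain names follow the map in the original issue.

```yaml
# copilot/environments/staging/manifest.yml
# Each environment imports the certificate that was issued in its own account,
# so no application-level domain needs to exist (constructed example ARN).
name: staging
type: Environment
http:
  public:
    certificates:
      - arn:aws:acm:us-east-1:123456789012:certificate/STAGING-CERT-ID-PLACEHOLDER

# copilot/environments/production/manifest.yml
name: production
type: Environment
http:
  public:
    certificates:
      - arn:aws:acm:us-east-1:123456789012:certificate/PRODUCTION-CERT-ID-PLACEHOLDER

# copilot/service1/manifest.yml
# The alias is overridden per environment, giving each one a distinct
# registrable domain (the site-isolation / subdomain-takeover motivation above).
name: service1
type: Load Balanced Web Service
http:
  path: '/'
environments:
  staging:
    http:
      alias: service1.myapp.io
  production:
    http:
      alias: service1.myapp.com
```

With imported certificates Copilot does not manage the hosted zone for you, so each alias must match a name covered by that environment's certificate, and the DNS record pointing the alias at the environment's load balancer is created and kept in sync by the operator; an alias that is no longer backed by a live record is exactly the dangling state the issue's subdomain-takeover reference warns about, so retire the record together with the service.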
hey @Lou1415926, I've tried this but I'm not sure if I am missing a step https://github.com/aws/copilot-cli/discussions/5474