
Create environments using a VPC in a different AWS account

Open efekarakus opened this issue 2 years ago • 6 comments

See discussion below for details.

Organizations that create VPCs in a central AWS account need to create copilot applications and environments in different AWS accounts. Today, environment creation fails during the service discovery namespace creation because the VPC is in a different account than the namespace.

Discussed in https://github.com/aws/copilot-cli/discussions/3537

Originally posted by kajamhercules May 5, 2022 Hi, trying to use copilot in an environment with a shared VPC. From what I could see, currently copilot does not support shared VPCs. For the environment it is trying to create a service discovery namespace association and it is failing due to the shared VPC (the account has to own the VPC in order to create the association). Am I missing something? Any chance to include support for shared VPCs in future releases?

efekarakus avatar May 06 '22 19:05 efekarakus

We have bumped into this issue, so it has unfortunately ruled out using copilot for now. +1 from us therefore

dacarey avatar Oct 27 '22 10:10 dacarey

Hey @dacarey. What specific problem do you have with this issue btw? Is it because you want to import a VPC from the other account, or is it because you want to share the same VPC across different environments?

iamhopaul123 avatar Oct 31 '22 17:10 iamhopaul123

Hey @efekarakus and @iamhopaul123 ,

I've just discovered Copilot and it looks like a great tool for many of our workloads but due to us using Resource Access Manager to share our VPC it means that it cannot create the Cloud Map namespace in the VPC and our applications will not deploy.

This error message will probably make the issue more clear:

Error CANNOT_CREATE_HOSTED_ZONE: The VPC: vpc-xxxxxx in region ap-southeast-x that you provided is not authorized to make the association. (Service: AmazonRoute53; Status Code: 400; Error Code: InvalidVPCId; Request ID: xxxxxxxxxxxxx; Proxy: null)

Any updates on this feature would be great.

Damon-Work avatar Dec 05 '22 07:12 Damon-Work

Hello @Damon-Work the use case totally makes sense to me. Could you upvote the issue as well?

iamhopaul123 avatar Dec 05 '22 20:12 iamhopaul123

Hello all!

copilot released yaml patch overrides in v1.27 (guide). As a workaround, you can use yaml patch overrides to remove the service discovery. But you need to create a new namespace in the account, with a temporary VPC, in the account where services are deployed.

You can apply the following overrides.

  1. Remove the environment resources for service discovery using copilot env override:

```yaml
- op: remove
  path: /Resources/ServiceDiscoveryNamespace
- op: remove
  path: /Outputs/ServiceDiscoveryNamespaceID
```

  2. Remove the service discovery settings from the workload template using copilot svc override, and also replace the namespace with the newly created namespace. In the YAML patches below, replace mynamespace with the newly created namespace:

```yaml
- op: remove
  path: /Resources/DiscoveryService
- op: remove
  path: /Resources/Service/Properties/ServiceRegistries
- op: remove
  path: /Outputs/DiscoveryServiceARN
- op: replace
  path: /Resources/Service/Properties/ServiceConnectConfiguration/Namespace
  value: mynamespace
- op: replace
  path: /Resources/TaskDefinition/Properties/ContainerDefinitions/0/Environment/1/Value
  value: mynamespace
```

KollaAdithya avatar May 12 '23 20:05 KollaAdithya

KollaAdithya's solution worked for me as well, but it was unclear to me that I had to create the namespace myself:

  • Visit CloudMap
  • Create namespace
  • API calls only is fine
  • use that namespace in the overrides/cfn.patches.yml that was created by copilot svc override instead of 'mynamespace'

trent-abc avatar Jan 24 '24 01:01 trent-abc
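The patches posted by KollaAdithya above, and trent-abc's note that the `mynamespace` placeholder must be swapped for a namespace you created yourself, can be dry-run locally before touching an account. The following is an added example, not code from the copilot-cli project or from anyone in this thread. It assumes that Copilot's `cfn.patches.yml` operations follow JSON Patch (RFC 6902) semantics (`op`, a JSON Pointer `path`, and a `value` for `replace`), and it uses a constructed, trimmed stand-in for the service template that Copilot generates. It applies the service patches, fails loudly when a patch path does not exist in the template (the most common reason a patch is silently wrong, for instance applying the env patches to a service template), and checks that nothing in the patched template still references the removed `DiscoveryService` resource.

```python
"""Dry-run Copilot-style YAML patch overrides against a CloudFormation template.

Added example; assumes RFC 6902 semantics for `remove` and `replace`.
The template and patch values below are constructed sample data.
"""
import copy
import json

# Constructed stand-in for the parts of a Copilot workload template the patches touch.
SERVICE_TEMPLATE = {
    "Resources": {
        "DiscoveryService": {"Type": "AWS::ServiceDiscovery::Service"},
        "Service": {
            "Type": "AWS::ECS::Service",
            "Properties": {
                "ServiceRegistries": [
                    {"RegistryArn": {"Fn::GetAtt": ["DiscoveryService", "Arn"]}}
                ],
                "ServiceConnectConfiguration": {"Enabled": True, "Namespace": "demo.local"},
            },
        },
        "TaskDefinition": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {
                "ContainerDefinitions": [
                    {
                        "Name": "api",
                        "Environment": [
                            {"Name": "COPILOT_APPLICATION_NAME", "Value": "demo"},
                            {"Name": "COPILOT_SERVICE_DISCOVERY_ENDPOINT", "Value": "demo.local"},
                        ],
                    }
                ]
            },
        },
    },
    "Outputs": {"DiscoveryServiceARN": {"Value": {"Fn::GetAtt": ["DiscoveryService", "Arn"]}}},
}

# The service patches from the thread, placeholder left as posted.
SERVICE_PATCHES = [
    {"op": "remove", "path": "/Resources/DiscoveryService"},
    {"op": "remove", "path": "/Resources/Service/Properties/ServiceRegistries"},
    {"op": "remove", "path": "/Outputs/DiscoveryServiceARN"},
    {"op": "replace", "path": "/Resources/Service/Properties/ServiceConnectConfiguration/Namespace",
     "value": "mynamespace"},
    {"op": "replace", "path": "/Resources/TaskDefinition/Properties/ContainerDefinitions/0/Environment/1/Value",
     "value": "mynamespace"},
]


def _step(node, tok, path):
    """Descend one JSON Pointer token; raise KeyError when the step does not exist."""
    if isinstance(node, list):
        if not tok.isdigit() or int(tok) >= len(node):
            raise KeyError(f"{path}: index {tok!r} out of range")
        return node[int(tok)]
    if not isinstance(node, dict) or tok not in node:
        raise KeyError(f"{path}: key {tok!r} not found")
    return node[tok]


def _walk(doc, path):
    """Resolve a JSON Pointer to (parent container, final key), requiring the target to exist."""
    if not path.startswith("/"):
        raise ValueError(f"path must start with '/': {path!r}")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path[1:].split("/")]
    parent = doc
    for tok in tokens[:-1]:
        parent = _step(parent, tok, path)
    last = tokens[-1]
    _step(parent, last, path)  # remove/replace both require an existing target
    return parent, (int(last) if isinstance(parent, list) else last)


def apply_patches(template, patches, namespace):
    """Return a patched deep copy; the 'mynamespace' placeholder becomes `namespace`."""
    doc = copy.deepcopy(template)
    for p in patches:
        parent, key = _walk(doc, p["path"])
        if p["op"] == "remove":
            del parent[key]
        elif p["op"] == "replace":
            parent[key] = namespace if p["value"] == "mynamespace" else p["value"]
        else:
            raise ValueError(f"unsupported op {p['op']!r}")
    return doc


def references(doc, logical_id):
    """True if the serialized template still mentions logical_id (a dangling Ref/GetAtt)."""
    return f'"{logical_id}"' in json.dumps(doc)


if __name__ == "__main__":
    patched = apply_patches(SERVICE_TEMPLATE, SERVICE_PATCHES, "shared-vpc-ns")  # constructed name
    print(json.dumps(patched, indent=2))
    print("dangling DiscoveryService refs:", references(patched, "DiscoveryService"))
```

Run it against your own template by replacing `SERVICE_TEMPLATE` with the output of `copilot svc package`; a `KeyError` means the patch path no longer matches the generated template and should be corrected before deploying, and a `True` from `references` means a `remove` left a dangling reference that CloudFormation will reject.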