
[Design] Copilot CloudFront Integration

Open CaptainCarpensir opened this issue 3 years ago • 6 comments

This issue is a design proposal to add CloudFront integration into Copilot.

CloudFront is a content delivery network which allows users to deploy their applications globally and securely. Introducing Copilot support for this eases development, and gives users more use cases for Copilot.

Problem Statement

Currently, Copilot has no internal integration with global content delivery. In order to set up these features, users have to work with AWS APIs or Consoles outside of Copilot. To continue the cycle of build, release, and operate, we want to deliver CloudFront support with Copilot for users who wish to introduce CloudFront into their applications without requiring them to spend time on creating the CloudFront infrastructure manually.

Proposal

Adding cdn: field to environment manifests being introduced in #3522.

Users will configure CloudFront through a field in the environment manifest. All cases and customization will be handled in this field. Copilot will handle all the infrastructure work of setting up a CloudFront deployment for the user. The user will then be able to configure how the CloudFront distribution interacts with the rest of their application via subfields of the cdn.

Initially we plan to create a default CloudFront distribution by specifying cdn.

cdn: true

Then, for further customization, fields which cover http and https support, as well as tls_termination and http/https redirect.

cdn:
  http:
    path: "api" # This is part of the subdomain of the CloudFront/Route 53 domain name
    redirect: true

cdn:
  tls_termination: true

Then we also plan to support additional static S3 bucket origins.

cdn:
  static:
    # Must be a bucket regional domain name
    path: "static" # Default is *
    location: cf-s3-ecs-demo-bucket.s3.us-west-2.amazonaws.com

Milestones

  • First, CloudFront will be generated as a distribution in front of the Application Load Balancers generated by a deployed LBWS.
  • Second, we will allow users to hook previously created S3 buckets onto the CloudFront distribution.
  • Lastly, we will allow the user to specify using TLS termination at CloudFront.

These features cover the initial design of CloudFront integration with Copilot, which has been requested before in #1313.


We hope this feature will benefit you, and we're happy to receive any feedback you have!

CaptainCarpensir avatar Jun 28 '22 21:06 CaptainCarpensir

Hi @CaptainCarpensir I'd love to see this feature added to Copilot. We currently achieve a similar outcome by creating the CF distribution via an add-on. If I may suggest something else, the ability to lock down the ALB to accept connections from CF only would be amazing too. More info here: https://github.com/aws/copilot-cli/discussions/3699

afgallo avatar Jun 29 '22 04:06 afgallo

Hello @afgallo! Yes, we do plan to set the ALB security group to only allow ingress from the CloudFront distribution created by Copilot. This is one of the requirements we've set to meet for the project. I'll list them in their entirety so people can see the full detail of what we plan here:

Requirements:

  1. Users should be able to use Copilot to integrate CF with LBWS
  2. Set proper origin and routing behavior for CF distribution
  3. Users should be able to specify an S3 origin for fast content delivery
  4. CF distribution requires one and only one default behavior (similar to a default target group for an LB listener)
  5. TLS termination
  6. HTTPS support
  7. Users should be able to specify custom domains
  8. Users should be able to use existing certificates for the CF distribution
  9. Copilot should display the correct URL when CF is enabled
  10. Users should be able to enable AWS Shield for extra security
  11. ALB shouldn’t be accessible publicly when CF is enabled
  12. CF caching should conform to the ALB guideline’s requirements

CaptainCarpensir avatar Jun 30 '22 17:06 CaptainCarpensir
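The lock-down discussed above (requirement 11, and afgallo's request) is usually implemented by restricting the ALB security group's HTTP/HTTPS ingress to the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing`. The following is an added example, not Copilot's code, of an offline check that a practitioner can run against `aws ec2 describe-security-groups` output to confirm the ALB is reachable only through CloudFront. The two security groups and the prefix-list ID `pl-0123456789abcdef0` are constructed for the demo; the real ID is region-specific and must be looked up.

```python
# Added example (not from the copilot-cli project): audit an ALB security
# group so that ingress on 80/443 is admitted only from CloudFront's managed
# prefix list. Input mirrors the `aws ec2 describe-security-groups` shape.
from typing import Dict, List

# AWS-managed prefix list carrying CloudFront's origin-facing address ranges.
# Its ID (pl-...) differs per region; resolve it with
# `aws ec2 describe-managed-prefix-lists` filtered on this name.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"

# Constructed placeholder for the demo, not a real prefix-list ID.
SAMPLE_PREFIX_LIST_ID = "pl-0123456789abcdef0"

WEB_PORTS = (80, 443)


def _covers_web_port(rule: Dict) -> bool:
    """True if the ingress rule admits traffic on port 80 or 443."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules cover every port
        return True
    if proto != "tcp":
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in WEB_PORTS)


def _ports(rule: Dict) -> str:
    if rule.get("IpProtocol") == "-1":
        return "all ports"
    return f"tcp {rule['FromPort']}-{rule['ToPort']}"


def audit_alb_ingress(group: Dict, cloudfront_prefix_list_id: str) -> List[str]:
    """Return one finding per web-port ingress source that is not the
    CloudFront prefix list. An empty list means only CloudFront can reach
    the ALB on 80/443."""
    findings: List[str] = []
    for rule in group.get("IpPermissions", []):
        if not _covers_web_port(rule):
            continue
        where = _ports(rule)
        for r in rule.get("IpRanges", []):
            findings.append(f"IPv4 {r['CidrIp']} on {where}")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"IPv6 {r['CidrIpv6']} on {where}")
        for g in rule.get("UserIdGroupPairs", []):
            findings.append(f"security group {g['GroupId']} on {where}")
        for pl in rule.get("PrefixListIds", []):
            if pl["PrefixListId"] != cloudfront_prefix_list_id:
                findings.append(f"prefix list {pl['PrefixListId']} on {where}")
    return findings


# Constructed sample: a public ALB open to the whole internet.
OPEN_ALB_SG = {
    "GroupId": "sg-open",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": [], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [], "PrefixListIds": []},
    ],
}

# Constructed sample: the locked-down shape, CloudFront prefix list only.
LOCKED_ALB_SG = {
    "GroupId": "sg-locked",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [],
         "PrefixListIds": [{"PrefixListId": SAMPLE_PREFIX_LIST_ID}]},
        # A port-22 rule is outside the web-port check and is ignored.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [], "PrefixListIds": []},
    ],
}


if __name__ == "__main__":
    for sg in (OPEN_ALB_SG, LOCKED_ALB_SG):
        problems = audit_alb_ingress(sg, SAMPLE_PREFIX_LIST_ID)
        print(f"{sg['GroupId']}: {'OK' if not problems else 'OPEN'}")
        for p in problems:
            print(f"  - {p}")
```

Note the caveat: the managed prefix list admits traffic from every CloudFront distribution, not just yours, so the usual second layer is a secret custom origin header added by the distribution and matched by an ALB listener rule. Whether and how Copilot adds that layer is not stated in this thread.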

The first milestone for CloudFront is now released in v1.21! 🥳

Blog: https://aws.github.io/copilot-cli/blogs/release-v121/#cloudfront-integration Release notes: https://github.com/aws/copilot-cli/releases/tag/v1.21.0

efekarakus avatar Aug 17 '22 17:08 efekarakus

Hi @CaptainCarpensir, could I know the date you will release this:

cdn:
  static:
    # Must be a bucket regional domain name
    path: "static" # Default is *
    location: cf-s3-ecs-demo-bucket.s3.us-west-2.amazonaws.com

Because I need it at the moment :-D.

mvn-bachhuynh-dn avatar Sep 27 '22 08:09 mvn-bachhuynh-dn

TLS termination is now released in v1.22 🚀 !

For the blog post: https://aws.github.io/copilot-cli/blogs/release-v122/ Release notes: https://github.com/aws/copilot-cli/releases/tag/v1.22.0

efekarakus avatar Sep 27 '22 17:09 efekarakus

@mvn-bachhuynh-dn We'll update this thread when we release that feature! :+1: Glad to see you're ready to use it! 😊

dannyrandall avatar Sep 27 '22 18:09 dannyrandall

Hello all! You can now use an existing s3 bucket with CloudFront for static content delivery in v1.25.0 🎉🚀!

Lou1415926 avatar Jan 17 '23 20:01 Lou1415926

Is Lambda@Edge supported?

boosh avatar Mar 08 '23 13:03 boosh

Hi @boosh !

Not yet unfortunately, I think the lambda function can be created with environment addons but Copilot would need to surface the LambdaFunctionAssociations field.

If you don't mind can you expand on your usecase for Lambda@Edge so that we can ensure we provide an adequate user experience around it?

(sample template: https://gist.github.com/jed/56b1f58297d374572bc51c59394c7e7f)

efekarakus avatar Mar 08 '23 16:03 efekarakus

Yes sure. I want to implement the dynamic lambda at edge use case to render web content from DynamoDB at the edge. I was wondering whether I could use copilot since, as you say, it seems to support packaging code for lambdas and also Cloudfront.

boosh avatar Mar 08 '23 16:03 boosh