List of all available properties for a `'Environment'` manifest.
To learn more about Copilot environments, see [Environments](../concepts/environments.en.md) concept page.
???+ note "Sample environment manifests"

    === "Basic"

        ```yaml
        name: prod
        type: Environment
        observability:
          container_insights: true
        ```

    === "Imported VPC"

        ```yaml
        name: imported
        type: Environment
        network:
          vpc:
            id: 'vpc-12345'
            subnets:
              public:
                - id: 'subnet-11111'
                - id: 'subnet-22222'
              private:
                - id: 'subnet-33333'
                - id: 'subnet-44444'
        ```

    === "Configured VPC"

        ```yaml
        name: qa
        type: Environment
        network:
          vpc:
            cidr: '10.0.0.0/16'
            subnets:
              public:
                - cidr: '10.0.0.0/24'
                  az: 'us-east-2a'
                - cidr: '10.0.1.0/24'
                  az: 'us-east-2b'
              private:
                - cidr: '10.0.3.0/24'
                  az: 'us-east-2a'
                - cidr: '10.0.4.0/24'
                  az: 'us-east-2b'
        ```

    === "With public certificates"

        ```yaml
        name: prod-pdx
        type: Environment
        http:
          public: # Apply an existing certificate to your public load balancer.
            certificates:
              - arn:aws:acm:${AWS_REGION}:${AWS_ACCOUNT_ID}:certificate/13245665-cv8f-adf3-j7gd-adf876af95
        ```

    === "Private"

        ```yaml
        name: onprem
        type: Environment
        network:
          vpc:
            id: 'vpc-12345'
            subnets:
              private:
                - id: 'subnet-11111'
                - id: 'subnet-22222'
                - id: 'subnet-33333'
                - id: 'subnet-44444'
        http:
          private: # Apply an existing certificate to your private load balancer.
            certificates:
              - arn:aws:acm:${AWS_REGION}:${AWS_ACCOUNT_ID}:certificate/13245665-cv8f-adf3-j7gd-adf876af95
            subnets: ['subnet-11111', 'subnet-22222']
        ```

    === "Content delivery network"

        ```yaml
        name: cloudfront
        type: Environment
        cdn: true
        http:
          public:
            ingress:
              cdn: true
        ```
`name` String
The name of your environment.
`type` String
Must be set to `'Environment'`.
`network` Map
The network section contains parameters for importing an existing VPC or configuring the Copilot-generated VPC.
network.`vpc` Map
The vpc section contains parameters to configure CIDR settings and subnets.
network.vpc.`id` String
The ID of the VPC to import. This field is mutually exclusive with `cidr`.
network.vpc.`cidr` String
An IPv4 CIDR block to associate with the Copilot-generated VPC. This field is mutually exclusive with `id`.
network.vpc.`subnets` Map
Configure public and private subnets in a VPC.
For example, if you're importing an existing VPC:
```yaml
network:
  vpc:
    id: 'vpc-12345'
    subnets:
      public:
        - id: 'subnet-11111'
        - id: 'subnet-22222'
```
Alternatively, if you're configuring a Copilot-generated VPC:
```yaml
network:
  vpc:
    cidr: '10.0.0.0/16'
    subnets:
      public:
        - cidr: '10.0.0.0/24'
          az: 'us-east-2a'
        - cidr: '10.0.1.0/24'
          az: 'us-east-2b'
```
network.vpc.subnets.`public` Array of Subnets
A list of public subnets configuration.
network.vpc.subnets.`private` Array of Subnets
A list of private subnets configuration.
network.vpc.subnets.{public,private}.`id` String
The ID of the subnet to import. This field is mutually exclusive with `cidr` and `az`.
network.vpc.subnets.{public,private}.`cidr` String
An IPv4 CIDR block assigned to the subnet. It must fall inside the VPC CIDR and must not overlap another subnet. This field is mutually exclusive with `id`.
network.vpc.subnets.{public,private}.`az` String
The Availability Zone name assigned to the subnet. The `az` field is optional; by default Availability Zones are assigned in alphabetical order. This field is mutually exclusive with `id`.
network.vpc.`security_group` Map
Rules for the environment's security group, which every service in the environment is placed in. Keep ingress rules as narrow as the workload allows; an ingress rule that opens a port range to `0.0.0.0/0` exposes every task in the environment, not just the load balancer.
```yaml
network:
  vpc:
    security_group:
      ingress:
        - ip_protocol: tcp
          ports: 80
          cidr: 0.0.0.0/0
```
network.vpc.security_group.`ingress` Array of Security Group Rules
A list of inbound security group rules.
network.vpc.security_group.`egress` Array of Security Group Rules
A list of outbound security group rules.
network.vpc.security_group.{ingress,egress}.`ip_protocol` String
The IP protocol name or number.
network.vpc.security_group.{ingress,egress}.`ports` String or Integer
The port range or number for the security group rule.
```yaml
ports: 0-65535
```
or
```yaml
ports: 80
```
network.vpc.security_group.{ingress,egress}.`cidr` String
The IPv4 address range, in CIDR format.
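The `network.vpc.subnets` and `network.vpc.security_group` descriptions above state several constraints (`id` versus `cidr`/`az`, subnets inside the VPC CIDR, ingress rules that should not open port ranges to the internet) that only surface at deploy time or in a later audit. The linter below is an added example, not part of Copilot or this page: it takes the `network` section as a Python dict (in practice, the result of `yaml.safe_load` on the manifest file; PyYAML is not used here so the block runs offline), and the `SAMPLE_NETWORK` manifest it checks is constructed for this example and deliberately contains each mistake once.

```python
"""Lint the `network` section of a Copilot environment manifest (added example)."""
import ipaddress


def parse_ports(value) -> tuple[int, int]:
    """Turn a `ports` value (80, "443" or "0-65535") into an inclusive (low, high) range."""
    text = str(value).strip()
    lo, _, hi = text.partition("-")
    low, high = int(lo), int(hi or lo)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return low, high


def lint_network(network: dict) -> list[str]:
    """Return a list of findings for the `network` section; an empty list means clean."""
    findings: list[str] = []
    vpc = network.get("vpc", {})

    if "id" in vpc and "cidr" in vpc:
        findings.append("vpc: `id` and `cidr` are mutually exclusive")
    vpc_net = ipaddress.ip_network(vpc["cidr"]) if "cidr" in vpc else None

    seen: list[tuple[str, ipaddress.IPv4Network]] = []
    for kind in ("public", "private"):
        for i, subnet in enumerate(vpc.get("subnets", {}).get(kind, [])):
            where = f"subnets.{kind}[{i}]"
            if "id" in subnet and ("cidr" in subnet or "az" in subnet):
                findings.append(f"{where}: `id` is mutually exclusive with `cidr` and `az`")
                continue
            if "cidr" not in subnet:
                continue  # imported subnet: nothing more to check locally
            net = ipaddress.ip_network(subnet["cidr"])
            if vpc_net is not None and not net.subnet_of(vpc_net):
                findings.append(f"{where}: {net} lies outside the VPC CIDR {vpc_net}")
            for prev_where, prev in seen:
                if net.overlaps(prev):
                    findings.append(f"{where}: {net} overlaps {prev_where} ({prev})")
            seen.append((where, net))

    for direction in ("ingress", "egress"):
        for i, rule in enumerate(vpc.get("security_group", {}).get(direction, [])):
            where = f"security_group.{direction}[{i}]"
            low, high = parse_ports(rule.get("ports", "0-65535"))
            source = ipaddress.ip_network(rule["cidr"])
            all_protocols = str(rule.get("ip_protocol", "")) in ("-1", "all")
            # A single well-known port open to the world is normal for a public
            # load balancer; a whole port range or every protocol is not.
            if direction == "ingress" and source.prefixlen == 0 and (all_protocols or high > low):
                findings.append(
                    f"{where}: ports {low}-{high} open to {source}; narrow the port or the source CIDR"
                )
    return findings


# Constructed sample: the "Configured VPC" layout above plus one of each mistake.
SAMPLE_NETWORK = {
    "vpc": {
        "cidr": "10.0.0.0/16",
        "subnets": {
            "public": [
                {"cidr": "10.0.0.0/24", "az": "us-east-2a"},
                {"cidr": "10.0.1.0/24", "az": "us-east-2b"},
            ],
            "private": [
                {"cidr": "10.0.3.0/24", "az": "us-east-2a"},
                {"cidr": "10.0.3.128/25", "az": "us-east-2b"},  # overlaps the /24 above
                {"cidr": "10.1.4.0/24", "az": "us-east-2a"},    # outside 10.0.0.0/16
                {"id": "subnet-44444", "az": "us-east-2b"},     # id mixed with az
            ],
        },
        "security_group": {
            "ingress": [
                {"ip_protocol": "tcp", "ports": 80, "cidr": "0.0.0.0/0"},          # acceptable
                {"ip_protocol": "tcp", "ports": "0-65535", "cidr": "0.0.0.0/0"},   # flagged
                {"ip_protocol": "tcp", "ports": "1024-65535", "cidr": "10.0.0.0/16"},  # VPC-only, fine
            ],
            "egress": [
                {"ip_protocol": "-1", "ports": "0-65535", "cidr": "0.0.0.0/0"},
            ],
        },
    },
}

if __name__ == "__main__":
    for finding in lint_network(SAMPLE_NETWORK):
        print("-", finding)
```

Run it against a real manifest by replacing `SAMPLE_NETWORK` with `yaml.safe_load(open("copilot/environments/prod/manifest.yml"))["network"]`; the egress rules are parsed but not flagged, since Copilot's default egress is already open and restricting it is a per-workload decision.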
network.vpc.`flow_logs` Boolean or Map
If you specify `true`, Copilot enables VPC Flow Logs, which record metadata (addresses, ports, protocol, accept/reject) about the IP traffic entering and leaving the environment VPC; packet contents are not captured. Log events are retained for 14 days (2 weeks) by default.
```yaml
network:
  vpc:
    flow_logs: true
```
You can customize the number of days for retention:
```yaml
network:
  vpc:
    flow_logs:
      retention: 30
```
network.vpc.flow_logs.`retention` Integer
The number of days to retain the log events. See [this page](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#cfn-logs-loggroup-retentionindays) for all accepted values.
`cdn` Boolean or Map
The cdn section contains parameters related to integrating your service with a CloudFront distribution. To enable the CloudFront distribution, specify `cdn: true`.
cdn.`certificate` String
A certificate by which to enable HTTPS traffic on a CloudFront distribution.
CloudFront requires imported certificates to be in the `us-east-1` region. For example:
```yaml
cdn:
  certificate: "arn:aws:acm:us-east-1:1234567890:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"
```
cdn.`static_assets` Map
Optional. Configuration for static assets associated with CloudFront.
cdn.static_assets.`alias` String
Additional HTTPS domain alias to use for static assets.
cdn.static_assets.`location` String
DNS domain name of the S3 bucket (for example, `EXAMPLE-BUCKET.s3.us-west-2.amazonaws.com`).
cdn.static_assets.`path` String
The path pattern (for example, `static/*`) that specifies which requests should be forwarded to the S3 bucket.
cdn.`terminate_tls` Boolean
Enable TLS termination at CloudFront. When set, CloudFront terminates the client's TLS session and forwards requests to the public load balancer over plain HTTP, so the CloudFront-to-origin hop is not encrypted; pair it with [`http.public.ingress.cdn`](#http-public-ingress-cdn) so that only CloudFront can reach that listener.
`http` Map
The http section contains parameters to configure the public load balancer shared by [Load Balanced Web Services](./lb-web-service.en.md)
and the internal load balancer shared by [Backend Services](./backend-service.en.md).
http.`public` Map
Configuration for the public load balancer.
http.public.`certificates` Array of Strings
List of [public AWS Certificate Manager certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) ARNs.
By attaching public certificates to your load balancer, you can associate your Load Balanced Web Services with a domain name and reach them with HTTPS.
See the [Developing/Domains](../developing/domain.en.md#use-domain-in-your-existing-validated-certificates) guide to learn more about how to redeploy services using [`http.alias`](./lb-web-service.en.md#http-alias).
http.public.`access_logs` Boolean or Map
Enable [Elastic Load Balancing access logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html).
If you specify `true`, Copilot will create an S3 bucket where the Public Load Balancer will store access logs.
```yaml
http:
  public:
    access_logs: true
```
You can customize the log prefix:
```yaml
http:
  public:
    access_logs:
      prefix: access-logs
```
It is also possible to use your own S3 bucket instead of letting Copilot create one for you:
```yaml
http:
  public:
    access_logs:
      bucket_name: my-bucket
      prefix: access-logs
```
http.public.access_logs.`bucket_name` String
The name of an existing S3 bucket in which to store the access logs. The bucket policy must allow the Elastic Load Balancing service to write to it.
http.public.access_logs.`prefix` String
The prefix for the log objects.
http.public.`ssl_policy` String
Optional. Specify an SSL policy for the HTTPS listener of your Public Load Balancer, when applicable. Prefer a policy that excludes TLS 1.0 and 1.1, such as `ELBSecurityPolicy-TLS13-1-2-2021-06`.
http.public.`ingress` Map. Modified in [v1.23.0](../../blogs/release-v123.en.md#move-misplaced-http-fields-in-environment-manifest-backward-compatible)
Ingress rules to restrict the Public Load Balancer's traffic. Without any rule the load balancer accepts connections from any address.
```yaml
http:
  public:
    ingress:
      cdn: true
```
???- note "'http.public.ingress' was previously 'http.public.security_groups.ingress'"

    This field was `http.public.security_groups.ingress` until [v1.23.0](../../blogs/release-v123.en.md).
    This change cascaded to a child field [`cdn`](#http-public-ingress-cdn) (the only child field at the time), which was previously `http.public.security_groups.ingress.restrict_to.cdn`.
    For more, see [the blog post for v1.23.0](../../blogs/release-v123.en.md#move-misplaced-http-fields-in-environment-manifest-backward-compatible).

http.public.ingress.`cdn` Boolean. Modified in [v1.23.0](../../blogs/release-v123.en.md#move-misplaced-http-fields-in-environment-manifest-backward-compatible)
Restrict ingress traffic for the public load balancer to come from a CloudFront distribution. Enabling `cdn: true` alone puts CloudFront in front of the load balancer but leaves the load balancer directly reachable; set this field too so that clients cannot bypass CloudFront.
http.public.ingress.`source_ips` Array of Strings
Restrict public load balancer ingress traffic to source IPs, given as IPv4 CIDR blocks.
```yaml
http:
  public:
    ingress:
      source_ips: ["192.0.2.0/24", "198.51.100.10/32"]
```
http.`private` Map
Configuration for the internal load balancer.
http.private.`certificates` Array of Strings
List of [AWS Certificate Manager certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs.html) ARNs.
By attaching public or private certificates to your load balancer, you can associate your Backend Services with a domain name and reach them with HTTPS.
See the [Developing/Domains](../developing/domain.en.md#use-domain-in-your-existing-validated-certificates) guide to learn more about how to redeploy services using [`http.alias`](./backend-service.en.md#http-alias).
http.private.`subnets` Array of Strings
The subnet IDs to place the internal load balancer in.
http.private.`ingress` Map. Modified in [v1.23.0](../../blogs/release-v123.en.md#move-misplaced-http-fields-in-environment-manifest-backward-compatible)
Ingress rules to allow for the internal load balancer.
```yaml
http:
  private:
    ingress:
      vpc: true # Enable incoming traffic within the VPC to the internal load balancer.
```
???- note "'http.private.ingress' was previously 'http.private.security_groups.ingress'"

    This field was `http.private.security_groups.ingress` until [v1.23.0](../../blogs/release-v123.en.md).
    This change cascaded to a child field [`vpc`](#http-private-ingress-vpc) (the only child field at the time),
    which was previously `http.private.security_groups.ingress.from_vpc`.
    For more, see [the blog post for v1.23.0](../../blogs/release-v123.en.md#move-misplaced-http-fields-in-environment-manifest-backward-compatible).

http.private.ingress.`vpc` Boolean. Modified in [v1.23.0](../../blogs/release-v123.en.md#move-misplaced-http-fields-in-environment-manifest-backward-compatible)
Enable traffic from within the VPC to the internal load balancer.
http.private.`ssl_policy` String
Optional. Specify an SSL policy for the HTTPS listener of your Internal Load Balancer, when applicable. As with the public listener, prefer a policy that excludes TLS 1.0 and 1.1, such as `ELBSecurityPolicy-TLS13-1-2-2021-06`.
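The `cdn` and `http.public.ingress` descriptions above carry two constraints that are easy to get wrong and that a deploy does not necessarily reject: `cdn.certificate` has to be an ACM certificate from `us-east-1`, and enabling `cdn` without `http.public.ingress.cdn` leaves the load balancer reachable around CloudFront. The checker below is an added example, not Copilot's own code; it takes the whole manifest as a Python dict (the result of `yaml.safe_load` on the real file) and the two sample manifests, `UNSAFE_MANIFEST` and `SAFE_MANIFEST`, are constructed for this example.

```python
"""Check the `cdn` and `http.public.ingress` sections of a Copilot environment manifest (added example)."""
import ipaddress
import re

# ACM certificate ARN. The region and account may be literals or the
# ${AWS_REGION} / ${AWS_ACCOUNT_ID} placeholders Copilot substitutes at deploy time.
ACM_ARN = re.compile(
    r"^arn:aws:acm:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d|\$\{AWS_REGION\}):"
    r"(?P<account>\d{12}|\$\{AWS_ACCOUNT_ID\}):certificate/[0-9A-Za-z-]+$"
)


def acm_region(arn: str) -> str:
    """Return the region component of an ACM certificate ARN (or the placeholder)."""
    match = ACM_ARN.match(arn)
    if match is None:
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return match.group("region")


def lint_edge(manifest: dict) -> list[str]:
    """Return findings about the CloudFront / public load balancer edge; empty means clean."""
    findings: list[str] = []
    cdn = manifest.get("cdn", False)
    cdn_enabled = cdn is True or isinstance(cdn, dict)
    cdn_opts = cdn if isinstance(cdn, dict) else {}

    if "certificate" in cdn_opts:
        region = acm_region(cdn_opts["certificate"])
        if region != "us-east-1":
            findings.append(
                f"cdn.certificate region is {region}; CloudFront only accepts "
                "ACM certificates issued in us-east-1"
            )

    ingress = manifest.get("http", {}).get("public", {}).get("ingress", {})
    if cdn_enabled and not ingress.get("cdn", False):
        msg = ("http.public.ingress.cdn is not set: clients can bypass CloudFront "
               "and reach the public load balancer directly")
        if cdn_opts.get("terminate_tls"):
            msg += ", and with cdn.terminate_tls that listener is plain HTTP"
        findings.append(msg)

    for cidr in ingress.get("source_ips", []):
        net = ipaddress.ip_network(cidr)  # raises on a malformed entry
        if net.prefixlen == 0:
            findings.append(f"http.public.ingress.source_ips contains {net}, which allows every address")
    return findings


# Constructed samples: one manifest with each mistake, one with the fields set as the page advises.
UNSAFE_MANIFEST = {
    "name": "prod", "type": "Environment",
    "cdn": {
        "certificate": "arn:aws:acm:us-west-2:123456789012:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2",
        "terminate_tls": True,
    },
    "http": {"public": {"ingress": {"source_ips": ["192.0.2.0/24", "0.0.0.0/0"]}}},
}
SAFE_MANIFEST = {
    "name": "prod", "type": "Environment",
    "cdn": {"certificate": "arn:aws:acm:us-east-1:123456789012:certificate/e5a6e114-b022-45b1-9339-38fbfd6db3e2"},
    "http": {"public": {"ingress": {"cdn": True}}},
}

if __name__ == "__main__":
    for finding in lint_edge(UNSAFE_MANIFEST):
        print("-", finding)
```

The `${AWS_REGION}` placeholder is accepted by the ARN pattern but reported as not being `us-east-1`, since it resolves to the environment's own region at deploy time and only happens to satisfy CloudFront when the environment lives there.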
`observability` Map
The observability section lets you configure ways to collect data about the services and jobs deployed in your environment.
observability.`container_insights` Boolean
Whether to enable [CloudWatch Container Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html) in your environment's ECS cluster.