`redirect_to_https: false` and `tls_termination: true` Not working

[mvn-bachhuynh-dn]

Hi all,
I faced two issue with newest version 1.22.1 (actually, I could not run on 1.21.0, so I update it to 1.22.1)

1. Could not use redirect_to_https: false:
   I put it in my service manifest already:

# The manifest for the "api" service.
# Read the full specification for the "Load Balanced Web Service" type at:
#  https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/

# Your service name will be used in naming your resources like log groups, ECS services, etc.
name: api
type: Load Balanced Web Service

# Distribute traffic to your service.
http:
  # Requests to this path will be forwarded to your service.
  # To match all requests you can use the "/" path.
  path: '/'
  # You can specify a custom health check path. The default is "/".
  healthcheck: '/health-check'

# Configuration for your containers and service.
image:
  # Docker build arguments. For additional overrides: https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#image-build
  build: 
    dockerfile: dockers/AWS.Dockerfile
    context: .
    args:
      BUILDKIT_INLINE_CACHE: 1
  # Port exposed through your container to route traffic to it.
  port: 3000

cpu: 256 # Number of CPU units for the task.
memory: 512 # Amount of memory in MiB used by the task.
count: 1 # Number of tasks that should be running in your service.
exec: true # Enable running commands in your container.

#secrets:                      # Pass secrets from AWS Systems Manager (SSM) Parameter Store.
#  GITHUB_TOKEN: GITHUB_TOKEN  # The key is the name of the environment variable, the value is the name of the SSM parameter.
secrets:
  SERVER_ID: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/SERVER_ID
  APP_NAME: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/APP_NAME
  APP_PORT: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/APP_PORT

# You can override any of the values defined above by environment.
environments:
  #  test:
  #    count: 2               # Number of tasks to run for the "test" environment.
  #    deployment:            # The deployment strategy for the "test" environment.
  #       rolling: 'recreate' # Stops existing tasks before new ones are started for faster deployments.
  dev:
    deployment:
      rolling: default
    http:
      alias: api.dev.quick.slabss.com

  prd:
    deployment:
      rolling: default
    http:
      alias:
        - name: api.prd.xxxx.com
      redirect_to_https: false

And I run this command to test
copilot svc package -n api -e prd --output-dir './infrastructure'

here is the result

{
  "Parameters": {
    "AddonsTemplateURL": "",
    "AppName": "xxxx",
    "ContainerImage": "",
    "ContainerPort": "3000",
    "DNSDelegated": "true",
    "EnvFileARN": "",
    "EnvName": "prd",
    "HTTPSEnabled": "true",
    "LogRetention": "30",
    "RulePath": "/",
    "Stickiness": "false",
    "TargetContainer": "api",
    "TargetPort": "3000",
    "TaskCPU": "256",
    "TaskCount": "2",
    "TaskMemory": "512",
    "WorkloadName": "api"
  },
  "Tags": {
    "copilot-application": "xxxx",
    "copilot-environment": "prd",
    "copilot-service": "api"
  }
}

please focus on: "HTTPSEnabled": "true", => copilot could not compile manifest with the option to false

2. Could not use tls_termination: true
   Here my env manifest

name: prd
type: Environment

# Import your own VPC and subnets or configure how they should be created.
network:
  vpc:
    id: vpc-0fb7032a4983d7fa0
    subnets:
      public:
        - id: subnet-072981b5af6ae44df
        - id: subnet-07b08e3e124033341

cdn:
  tls_termination: true

http:
  public:
    security_groups:
      ingress:
        restrict_to:
          cdn: true

here is the output of the command: copilot env package -a quick -n prd --output-dir './environment'

✘ unmarshal environment manifest for "prd": unmarshal environment manifest: unable to unmarshal cdn field into bool or composite-style map

When change

cdn:
  tls_termination: true

to

cdn: true

that command could be run, and output

{
  "Parameters": {
    "ALBWorkloads": "api",
    "Aliases": "{\"api\":[\"api.prd.quick.slabss.com\"]}",
    "AppDNSDelegationRole": "arn:aws:iam::443171139711:role/quick-DNSDelegationRole",
    "AppDNSName": "slabss.com",
    "AppName": "quick",
    "CreateHTTPSListener": "true",
    "CreateInternalHTTPSListener": "false",
    "EFSWorkloads": "",
    "EnvironmentName": "prd",
    "InternalALBWorkloads": "",
    "NATWorkloads": "",
    "ServiceDiscoveryEndpoint": "prd.quick.local",
    "ToolsAccountPrincipalARN": "arn:aws:iam::443171139711:root"
  },
  "Tags": {
    "copilot-application": "quick",
    "copilot-environment": "prd"
  }
}

So. what am I wrong, or it is a bug?

Thank you so much!

[dannyrandall]

Hey @mvn-bachhuynh-dn! For 2, it looks like we documented the field wrong 😅. The field name is actually:

cdn:
  terminate_tls: true

Could you try that instead and see if you're still having issues?

[dannyrandall]

For your first question about HTTPSEnabled: when you disable the redirect from HTTP -> HTTPS, Copilot will set HTTPSEnabled to true because it still creates a listener rule on the HTTPS listener for the ALB. The only change after setting redirect_to_https: false is that the HTTP listener no longer redirects to HTTPS, instead forwarding traffic to your service.

In other words, after setting redirect_to_https: false, your service is reachable through the load balancer using both HTTP and HTTPS.

Does that make sense?

[mvn-bachhuynh-dn]

oh! It's working...but another error:

I don't understand about this, why it not automatic generate cert for cdn, because if I use
cdn: true the Copilot will automatic create cert, use the cert for CDN.

[mvn-bachhuynh-dn]

Hi @dannyrandall,
If we don't use HTTPS on ALB, why don't we make Copilot don't create the listener rule?
Because when we combine with

http:
  public:
    security_groups:
      ingress:
        restrict_to:
          cdn: true

No any direct request to ALB any more.

[dannyrandall]

When you created your app, did you use app init --domain? I think there might be a bug if you imported a domain and want to enable CDN TLS Termination - we require a cert (shown in your error), but we create one for you if you've imported a domain.

why don't we make Copilot don't create the listener rule?

I think that we could do that in this situation (CDN terminate TLS+ALB restricted ingress) and it would be fine. Is there a concern with creating the HTTPS listener rule?

[mvn-bachhuynh-dn]

Hi @dannyrandall ,
I just think about that if any configurations are not for any purpose, just delete it ;-)

[huanjani]

This fix is now released in v1.23.0: https://github.com/aws/copilot-cli/releases/tag/v1.23.0! 🎉