Unable to deploy service with storage

[gartmeier]

I recently updated my Copilot CLI to v1.26.0 and started a new application from scratch.

After initiating the storage, I'm unable to deploy the service:

$ copilot storage init -n assets -t S3 -w pspdfkit
$ copilot env deploy
$ copilot svc deploy --name pspdfkit
Only found one environment, defaulting to: eu
✔ Proposing infrastructure changes for stack pdf-eu-pspdfkit
✘ deploy service pspdfkit to environment eu: deploy service: parse cloudformation template for resource descriptions: decode resource Metadata for description: yaml: unmarshal errors:
  line 14: cannot unmarshal !Sub `` into string

The problem appears to be caused by the format of the generated access policy addon in copilot/pspdfkit/addons/assets-access-policy.yml:

Parameters:
  App:
    Type: String
    Description: Your application's name.
  Env:
    Type: String
    Description: The environment name your service, job, or workflow is being deployed to.
  Name:
    Type: String
    Description: Your workload's name.
Resources:
  assetsBucketAccessPolicy:
    Metadata:
      'aws:copilot:description': !Sub
        - 'An IAM managed policy for your service to access the ${Bucket} bucket of  your environment'
        - Bucket: { Fn::ImportValue: { Fn::Sub: "${App}-${Env}-assetsBucketName" }}
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: !Sub
        - Grants CRUD access to the S3 bucket ${Bucket}
        - Bucket: { Fn::ImportValue: { Fn::Sub: "${App}-${Env}-assetsBucketName" }}
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: S3ObjectActions
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:PutObjectACL
              - s3:PutObjectTagging
              - s3:DeleteObject
              - s3:RestoreObject
            Resource: !Sub
              - ${ BucketARN }/*
              - BucketARN: { Fn::ImportValue: { Fn::Sub: "${App}-${Env}-assetsBucketARN" }}
          - Sid: S3ListAction
            Effect: Allow
            Action: s3:ListBucket
            Resource:
              Fn::ImportValue: !Sub "${App}-${Env}-assetsBucketARN"

Outputs:
  assetsNameBucketName:
    # Injected as ASSETS_NAME_BUCKET_NAME environment variable into your main container.
    Description: "The name of a user-defined bucket."
    Value: { Fn::ImportValue: { Fn::Sub: "${App}-${Env}-assetsBucketName" }}
  assetsBucketAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role"
    Value: !Ref assetsBucketAccessPolicy

If I comment the Resources->assetsBucketAccessPolicy->Metadata block`, I can deploy the service.

Any idea why the Copilot CLI is unable to parse the YAML generated by itself?

[iamhopaul123]

Thank you @gartmeier for reporting the bug. Looks like the CloudFormation deployment is not blocked and it is just we won't be able to show the deployment progress anymore. Will send out a quick fix soon.

If I comment the Resources->assetsBucketAccessPolicy->Metadata block`, I can deploy the service.

Glad you've found the workaround for this issue. Thank you for reporting the bug!

[iamhopaul123]

Also if the metadata is removed, it won't be shown up in the progress tracker when you deploy the service. Instead, it can be updated as 'aws:copilot:description': 'An IAM managed policy for your service to access the bucket of your environment'