chore: enable NLB, TLS termination, and NLB aliases (#3142)

This PR:
1. Enable rendering NLB template if `nlb` is specified in manifest
2. Enable TLS termination, using a certificate managed by Copilot custom resource that is dedicated to the service
3. Enable alias for NLB

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

Author: Lou1415926

…ources/lib/nlb-cert-validator-updater.js …custom-resources/lib/nlb-cert-manager.jscf-custom-resources/lib/nlb-cert-validator-updater.js renamed to cf-custom-resources/lib/nlb-cert-manager.js cf-custom-resources/lib/nlb-cert-validator-updater.js renamed to cf-custom-resources/lib/nlb-cert-manager.js

@@ -652,9 +652,9 @@ async function inUseByOtherServices(loadBalancerDNS, domainName, route53Client)
         ({hostedZoneID} = await domainResources(domainName));
     } catch (err) {
         if (err instanceof UnrecognizedDomainTypeError) {
-            console.log(`Found ${domainName} in subject alternative names. 
-It does not match any of these patterns: ".<env>.<app>.<domain>"， ".<app>.<domain>" or ".<domain>". 
-This is unexpected. We don't error out as it may not cause any issue.`);
+            console.log(`Found ${domainName} in subject alternative names. ` +
+"It does not match any of these patterns: '.<env>.<app>.<domain>'， '.<app>.<domain>' or '.<domain>'. " +
+"This is unexpected. We don't error out as it may not cause any issue.");
             return true; // This option has unrecognized pattern, we can't check if it is in use, so we assume it is in use.
         }
         throw err;

…/test/nlb-cert-validator-updater-test.js …-resources/test/nlb-cert-manager-test.jscf-custom-resources/test/nlb-cert-validator-updater-test.js renamed to cf-custom-resources/test/nlb-cert-manager-test.js cf-custom-resources/test/nlb-cert-validator-updater-test.js renamed to cf-custom-resources/test/nlb-cert-manager-test.js

@@ -8,7 +8,7 @@ const sinon = require("sinon");
 const nock = require("nock");
 let origLog = console.log;
 
-const { attemptsValidationOptionsReady } = require("../lib/nlb-cert-validator-updater");
+const { attemptsValidationOptionsReady } = require("../lib/nlb-cert-manager");
 
 describe("DNS Certificate Validation And Custom Domains for NLB", () => {
     // Mock requests.
@@ -44,7 +44,7 @@ describe("DNS Certificate Validation And Custom Domains for NLB", () => {
         // This workaround follows the comment here: https://github.com/dwyl/aws-sdk-mock/issues/206#issuecomment-640418772.
         jest.resetModules();
         AWS.setSDKInstance(require('aws-sdk'));
-        const imported = require("../lib/nlb-cert-validator-updater");
+        const imported = require("../lib/nlb-cert-manager");
         handler = imported.handler;
         reset = imported.reset;
         withDeadlineExpired = imported.withDeadlineExpired;

internal/pkg/cli/svc_deploy.go

@@ -606,17 +606,15 @@ func (o *deploySvcOpts) stackConfiguration() (cloudformation.StackConfiguration,
 	var conf cloudformation.StackConfiguration
 	switch t := mft.(type) {
 	case *manifest.LoadBalancedWebService:
-		if o.targetApp.Domain == "" && !t.Alias.IsEmpty() {
+		if o.targetApp.Domain == "" && t.HasAliases() {
 			log.Errorf(aliasUsedWithoutDomainFriendlyText)
 			return nil, errors.New("alias specified when application is not associated with a domain")
 		}
 
 		var opts []stack.LoadBalancedWebServiceOption
 
 		// TODO: https://github.com/aws/copilot-cli/issues/2918
-		// 1. Should error out if `nlb.alias` is specified with targetApp.Domain == ""
-		// 2. Should validate `nlb.alias` is specified
-		// 3. ALB block should not be executed if http is disabled
+		// 1. ALB block should not be executed if http is disabled
 		if o.targetApp.RequiresDNSDelegation() {
 			var appVersionGetter versionGetter
 			if appVersionGetter, err = o.newAppVersionGetter(o.appName); err != nil {
@@ -625,8 +623,21 @@ func (o *deploySvcOpts) stackConfiguration() (cloudformation.StackConfiguration,
 			if err = validateLBSvcAliasAndAppVersion(aws.StringValue(t.Name), t.Alias, o.targetApp, o.envName, appVersionGetter); err != nil {
 				return nil, err
 			}
+			if err = validateLBSvcAliasAndAppVersion(aws.StringValue(t.Name), t.NLBConfig.Aliases, o.targetApp, o.envName, appVersionGetter); err != nil {
+				return nil, err
+			}
 			opts = append(opts, stack.WithHTTPS())
-			opts = append(opts, stack.WithDNSDelegation())
+
+			var caller identity.Caller
+			caller, err = o.identity.Get()
+			if err != nil {
+				return nil, fmt.Errorf("get identity: %w", err)
+			}
+			opts = append(opts, stack.WithDNSDelegation(deploy.AppInformation{
+				Name:                o.targetEnvironment.App,
+				DNSName:             o.targetApp.Domain,
+				AccountPrincipalARN: caller.RootUserARN,
+			}))
 		}
 		if !t.NLBConfig.IsEmpty() {
 			cidrBlocks, err := o.publicCIDRBlocks()

internal/pkg/cli/svc_deploy_test.go

@@ -47,6 +47,7 @@ type deploySvcMocks struct {
 	mockSubnetLister       *mocks.MockvpcSubnetLister
 	mockS3Svc              *mocks.Mockuploader
 	mockAddons             *mocks.Mocktemplater
+	mockIdentity           *mocks.MockidentityService
 }
 
 type mockWorkloadMft struct {
@@ -766,6 +767,27 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 			},
 			wantErr: fmt.Errorf("alias is not compatible with application versions below %s", deploy.AliasLeastAppTemplateVersion),
 		},
+		"fail to enable nlb alias because of incompatible app version": {
+			inNLB: manifest.NetworkLoadBalancerConfiguration{
+				Port:    aws.String("80"),
+				Aliases: manifest.Alias{String: aws.String("mockAlias")},
+			},
+			inEnvironment: &config.Environment{
+				Name:   mockEnvName,
+				Region: "us-west-2",
+			},
+			inApp: &config.Application{
+				Name:   mockAppName,
+				Domain: "mockDomain",
+			},
+			mock: func(m *deploySvcMocks) {
+				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
+				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
+				m.mockAppVersionGetter.EXPECT().Version().Return("v0.0.0", nil)
+				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+			},
+			wantErr: fmt.Errorf("alias is not compatible with application versions below %s", deploy.AliasLeastAppTemplateVersion),
+		},
 		"fail to enable https alias because of invalid alias": {
 			inAliases: manifest.Alias{String: aws.String("v1.v2.mockDomain")},
 			inEnvironment: &config.Environment{
@@ -784,6 +806,27 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 			},
 			wantErr: fmt.Errorf(`alias "v1.v2.mockDomain" is not supported in hosted zones managed by Copilot`),
 		},
+		"fail to enable nlb alias because of invalid alias": {
+			inNLB: manifest.NetworkLoadBalancerConfiguration{
+				Port:    aws.String("80"),
+				Aliases: manifest.Alias{String: aws.String("v1.v2.mockDomain")},
+			},
+			inEnvironment: &config.Environment{
+				Name:   mockEnvName,
+				Region: "us-west-2",
+			},
+			inApp: &config.Application{
+				Name:   mockAppName,
+				Domain: "mockDomain",
+			},
+			mock: func(m *deploySvcMocks) {
+				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
+				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
+				m.mockAppVersionGetter.EXPECT().Version().Return("v1.0.0", nil)
+				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+			},
+			wantErr: fmt.Errorf(`alias "v1.v2.mockDomain" is not supported in hosted zones managed by Copilot`),
+		},
 		"error if fail to deploy service": {
 			inEnvironment: &config.Environment{
 				Name:   mockEnvName,
@@ -797,6 +840,9 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), gomock.Any(), gomock.Any()).Return(errors.New("some error"))
 			},
 			wantErr: fmt.Errorf("deploy service: some error"),
@@ -814,6 +860,9 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), gomock.Any(), gomock.Any()).Return(cloudformation.NewMockErrChangeSetEmpty())
 			},
 			wantErr: fmt.Errorf("deploy service: change set with name mockChangeSet for stack mockStack has no changes"),
@@ -832,6 +881,9 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), gomock.Any(), gomock.Any()).
 					Return(nil)
 				m.mockServiceUpdater.EXPECT().LastUpdatedAt(mockAppName, mockEnvName, mockSvcName).
@@ -853,6 +905,9 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), gomock.Any(), gomock.Any()).
 					Return(nil)
 				m.mockServiceUpdater.EXPECT().LastUpdatedAt(mockAppName, mockEnvName, mockSvcName).
@@ -877,6 +932,9 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 					Return(cloudformation.NewMockErrChangeSetEmpty())
 				m.mockServiceUpdater.EXPECT().LastUpdatedAt(mockAppName, mockEnvName, mockSvcName).
 					Return(mockBeforeTime, nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockSpinner.EXPECT().Start(fmt.Sprintf(fmtForceUpdateSvcStart, mockSvcName, mockEnvName))
 				m.mockServiceUpdater.EXPECT().ForceUpdateService(mockAppName, mockEnvName, mockSvcName).Return(mockError)
 				m.mockSpinner.EXPECT().Stop(log.Serrorf(fmtForceUpdateSvcFailed, mockSvcName, mockEnvName, mockError))
@@ -897,6 +955,9 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), gomock.Any(), gomock.Any()).
 					Return(cloudformation.NewMockErrChangeSetEmpty())
 				m.mockServiceUpdater.EXPECT().LastUpdatedAt(mockAppName, mockEnvName, mockSvcName).
@@ -931,8 +992,10 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockAppVersionGetter.EXPECT().Version().Return("v1.0.0", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
-
 			},
 		},
 		"success with force update": {
@@ -949,6 +1012,9 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				m.mockWs.EXPECT().ReadWorkloadManifest(mockSvcName).Return([]byte{}, nil)
 				m.mockInterpolator.EXPECT().Interpolate("").Return("", nil)
 				m.mockEndpointGetter.EXPECT().ServiceDiscoveryEndpoint().Return("mockApp.local", nil)
+				m.mockIdentity.EXPECT().Get().Return(identity.Caller{
+					RootUserARN: "1234",
+				}, nil)
 				m.mockServiceDeployer.EXPECT().DeployService(gomock.Any(), gomock.Any(), gomock.Any()).
 					Return(cloudformation.NewMockErrChangeSetEmpty())
 				m.mockServiceUpdater.EXPECT().LastUpdatedAt(mockAppName, mockEnvName, mockSvcName).
@@ -976,6 +1042,7 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 				mockInterpolator:       mocks.NewMockinterpolator(ctrl),
 				mockEnvDescriber:       mocks.NewMockenvDescriber(ctrl),
 				mockSubnetLister:       mocks.NewMockvpcSubnetLister(ctrl),
+				mockIdentity:           mocks.NewMockidentityService(ctrl),
 			}
 			tc.mock(m)
 
@@ -993,6 +1060,7 @@ func TestSvcDeployOpts_deploySvc(t *testing.T) {
 					return m.mockAppVersionGetter, nil
 				},
 				endpointGetter:    m.mockEndpointGetter,
+				identity:          m.mockIdentity,
 				targetApp:         tc.inApp,
 				targetEnvironment: tc.inEnvironment,
 				newInterpolator: func(app, env string) interpolator {

internal/pkg/deploy/cloudformation/stack/lb_web_svc.go

@@ -10,6 +10,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/cloudformation"
 	"github.com/aws/copilot-cli/internal/pkg/addon"
+	"github.com/aws/copilot-cli/internal/pkg/deploy"
 	"github.com/aws/copilot-cli/internal/pkg/manifest"
 	"github.com/aws/copilot-cli/internal/pkg/template"
 	"github.com/aws/copilot-cli/internal/pkg/template/override"
@@ -20,6 +21,7 @@ const (
 	lbWebSvcRulePriorityGeneratorPath = "custom-resources/alb-rule-priority-generator.js"
 	desiredCountGeneratorPath         = "custom-resources/desired-count-delegation.js"
 	envControllerPath                 = "custom-resources/env-controller.js"
+	nlbCertManagerPath                = "custom-resources/nlb-cert-validator-updater.js"
 )
 
 // Parameter logical IDs for a load balanced web service.
@@ -52,6 +54,7 @@ type LoadBalancedWebService struct {
 	// should always be false; hence they could have different values at this time.
 	dnsDelegationEnabled   bool
 	publicSubnetCIDRBlocks []string
+	appInfo                deploy.AppInformation
 
 	parser loadBalancedWebSvcReadParser
 }
@@ -76,9 +79,10 @@ func WithNLB(cidrBlocks []string) func(s *LoadBalancedWebService) {
 }
 
 // WithDNSDelegation enables DNS delegation for a LoadBalancedWebService.
-func WithDNSDelegation() func(s *LoadBalancedWebService) {
+func WithDNSDelegation(app deploy.AppInformation) func(s *LoadBalancedWebService) {
 	return func(s *LoadBalancedWebService) {
 		s.dnsDelegationEnabled = true
+		s.appInfo = app
 	}
 }
 
@@ -187,37 +191,45 @@ func (s *LoadBalancedWebService) Template() (string, error) {
 		allowedSourceIPs = append(allowedSourceIPs, string(ipNet))
 	}
 
+	nlbConfig, err := s.convertNetworkLoadBalancer()
+	if err != nil {
+		return "", err
+	}
 	content, err := s.parser.ParseLoadBalancedWebService(template.WorkloadOpts{
-		Variables:                s.manifest.TaskConfig.Variables,
-		Secrets:                  s.manifest.TaskConfig.Secrets,
-		Aliases:                  aliases,
-		NestedStack:              addonsOutputs,
-		AddonsExtraParams:        addonsParams,
-		Sidecars:                 sidecars,
-		LogConfig:                convertLogging(s.manifest.Logging),
-		DockerLabels:             s.manifest.ImageConfig.Image.DockerLabels,
-		Autoscaling:              autoscaling,
-		CapacityProviders:        capacityProviders,
-		DesiredCountOnSpot:       desiredCountOnSpot,
-		ExecuteCommand:           convertExecuteCommand(&s.manifest.ExecuteCommand),
-		WorkloadType:             manifest.LoadBalancedWebServiceType,
-		HealthCheck:              convertContainerHealthCheck(s.manifest.ImageConfig.HealthCheck),
-		HTTPHealthCheck:          convertHTTPHealthCheck(&s.manifest.HealthCheck),
-		DeregistrationDelay:      deregistrationDelay,
-		AllowedSourceIps:         allowedSourceIPs,
-		RulePriorityLambda:       rulePriorityLambda.String(),
-		DesiredCountLambda:       desiredCountLambda.String(),
-		EnvControllerLambda:      envControllerLambda.String(),
-		Storage:                  convertStorageOpts(s.manifest.Name, s.manifest.Storage),
-		Network:                  convertNetworkConfig(s.manifest.Network),
-		EntryPoint:               entrypoint,
-		Command:                  command,
-		DependsOn:                convertDependsOn(s.manifest.ImageConfig.Image.DependsOn),
-		CredentialsParameter:     aws.StringValue(s.manifest.ImageConfig.Image.Credentials),
-		ServiceDiscoveryEndpoint: s.rc.ServiceDiscoveryEndpoint,
-		Publish:                  publishers,
-		Platform:                 convertPlatform(s.manifest.Platform),
-		HTTPVersion:              convertHTTPVersion(s.manifest.ProtocolVersion),
+		Variables:                    s.manifest.TaskConfig.Variables,
+		Secrets:                      s.manifest.TaskConfig.Secrets,
+		Aliases:                      aliases,
+		NestedStack:                  addonsOutputs,
+		AddonsExtraParams:            addonsParams,
+		Sidecars:                     sidecars,
+		LogConfig:                    convertLogging(s.manifest.Logging),
+		DockerLabels:                 s.manifest.ImageConfig.Image.DockerLabels,
+		Autoscaling:                  autoscaling,
+		CapacityProviders:            capacityProviders,
+		DesiredCountOnSpot:           desiredCountOnSpot,
+		ExecuteCommand:               convertExecuteCommand(&s.manifest.ExecuteCommand),
+		WorkloadType:                 manifest.LoadBalancedWebServiceType,
+		HealthCheck:                  convertContainerHealthCheck(s.manifest.ImageConfig.HealthCheck),
+		HTTPHealthCheck:              convertHTTPHealthCheck(&s.manifest.HealthCheck),
+		DeregistrationDelay:          deregistrationDelay,
+		AllowedSourceIps:             allowedSourceIPs,
+		RulePriorityLambda:           rulePriorityLambda.String(),
+		DesiredCountLambda:           desiredCountLambda.String(),
+		EnvControllerLambda:          envControllerLambda.String(),
+		NLBCertManagerFunctionLambda: nlbConfig.certManagerLambda,
+		Storage:                      convertStorageOpts(s.manifest.Name, s.manifest.Storage),
+		Network:                      convertNetworkConfig(s.manifest.Network),
+		EntryPoint:                   entrypoint,
+		Command:                      command,
+		DependsOn:                    convertDependsOn(s.manifest.ImageConfig.Image.DependsOn),
+		CredentialsParameter:         aws.StringValue(s.manifest.ImageConfig.Image.Credentials),
+		ServiceDiscoveryEndpoint:     s.rc.ServiceDiscoveryEndpoint,
+		Publish:                      publishers,
+		Platform:                     convertPlatform(s.manifest.Platform),
+		HTTPVersion:                  convertHTTPVersion(s.manifest.ProtocolVersion),
+		NLB:                          nlbConfig.settings,
+		AppDNSName:                   nlbConfig.appDNSName,
+		AppDNSDelegationRole:         nlbConfig.appDNSDelegationRole,
 	})
 	if err != nil {
 		return "", err
@@ -247,6 +259,10 @@ func (s *LoadBalancedWebService) httpLoadBalancerTarget() (targetContainer *stri
 	return
 }
 
+func (s *LoadBalancedWebService) containerPort() string {
+	return strconv.FormatUint(uint64(aws.Uint16Value(s.manifest.ImageConfig.Port)), 10)
+}
+
 // Parameters returns the list of CloudFormation parameters used by the template.
 func (s *LoadBalancedWebService) Parameters() ([]*cloudformation.Parameter, error) {
 	wkldParams, err := s.ecsWkld.Parameters()
@@ -257,7 +273,7 @@ func (s *LoadBalancedWebService) Parameters() ([]*cloudformation.Parameter, erro
 	return append(wkldParams, []*cloudformation.Parameter{
 		{
 			ParameterKey:   aws.String(LBWebServiceContainerPortParamKey),
-			ParameterValue: aws.String(strconv.FormatUint(uint64(aws.Uint16Value(s.manifest.ImageConfig.Port)), 10)),
+			ParameterValue: aws.String(s.containerPort()),
 		},
 		{
 			ParameterKey:   aws.String(LBWebServiceRulePathParamKey),