docs: update blog post section for environment manifest fix (#4138)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
aws · Oct 31, 2022 · 4f0c876 · 4f0c876
1 parent 12617ed
commit 4f0c876
Showing 1 changed file with 132 additions and 0 deletions.
diff --git a/site/content/blogs/release-v123.en.md b/site/content/blogs/release-v123.en.md
@@ -56,6 +56,138 @@ If you'd like to a send traffic to your environment, set [`network.vpc.placement
 
 ## Move misplaced `http` fields in environment manifest (backward-compatible!)
 
+In [Copilot v1.23.0](https://github.com/aws/copilot-cli/releases/tag/v1.23.0), we are fixing the hierarchy
+under the `http` field in the environment manifest.
+
+### What is getting fixed, and why?
+Back in [Copilot v1.20.0](https://aws.github.io/copilot-cli/blogs/release-v120/), we released the environment manifest,
+bringing all the benefits of infrastructure as code to environments. At the time, its `http` field hierarchy looked like:
+```yaml
+name: test
+type: Environment
+
+http:
+  public:
+    security_groups:
+      ingress:         # [Flaw 1]
+        restrict_to:   # [Flaw 2]
+          cdn: true
+  private:
+    security_groups:
+      ingress:         # [Flaw 1]
+        from_vpc: true # [Flaw 2]
+```
+There are two flaws in this hierarchy design:
+
+1. **Putting `ingress` under `security_groups` is ambiguous.** Each security group has its own ingress - it is unclear what
+   the "ingress" of several security groups means. *(Here, it was meant to configure the ingress of
+   the default security group that Copilot applies to an Application Load Balancer.)*
+
+2. **`restrict_to` is redundant.** It should be clearly implied that the `ingress` under `http.public` is restrictive,
+   and the `ingress` under `http.private` is permissive. The `"from"` in `from_vpc` also suffers from the same redundancy issue.
+
+To illustrate - fixing them would give us an environment manifest that looks like:
+```yaml
+name: test
+type: Environment
+
+http:
+  public:
+    ingress:
+      cdn: true
+  private:
+    ingress:
+      vpc: true
+```
+
+### What do I need to do?
+
+The short answer: nothing for now.
+
+#### (Recommended) Adapt your manifest to the corrected hierarachy
+While your existing manifest will keep working (we will get to this later), it is recommended that you update your manifest to the corrected hierarchy. 
+Below are snippets detailing how to update each of the fields impacted:
+
+???+ note "Adapt your environment manifest to the corrected hierarchy"
+
+    === "CDN for public ALB"
+
+        ```yaml
+        # If you have
+        http:
+          public:
+            security_groups:
+              ingress:      
+                restrict_to: 
+                  cdn: true
+        
+        # Then change it to
+        http:
+          public:
+            ingress:
+              cdn: true
+        ```
+
+    === "VPC ingress for private ALB"
+        ```yaml
+        # If you have
+        http:
+          private:
+            security_groups:
+              ingress:      
+                from_vpc: true
+        
+        # Then change it to
+        http:
+          private:
+            ingress:
+              vpc: true
+        ```
+
+
+#### Your existing environment manifest will keep working
+It's okay if you don't adapt your environment manifest to the corrected hierarchy immediately. It will keep working - unless you modify your manifest so that it contains both `http.public.security_groups.ingress` (the flawed version) 
+and `http.public.ingress` (the corrected version).
+
+For example, say before the release of v1.23.0, your manifest looked like:
+```yaml
+# Flawed hierarchy but will keep working.
+http:
+  public:
+    security_groups:
+      ingress:      
+        restrict_to: 
+          cdn: true
+```
+The same manifest will keep working after v1.23.0.
+
+However, if at some point you modify the manifest to:
+```yaml
+# Error! Both flawed hierarchy and corrected hierarchy are present.
+http:
+  public:
+    security_groups:
+      ingress:      
+        restrict_to: 
+          cdn: true
+    ingress:
+      source_ips:
+        - 10.0.0.0/24
+        - 10.0.1.0/24
+```
+Copilot will detect that both  `http.public.security_groups.ingress` (the flawed version) and
+`http.public.ingress` exist in the manifest. It will error out, along with a friendly suggestion to update your manifest
+so that only `http.public.ingress`, the corrected version is present:
+```yaml
+# Same configuration but written in the corrected hierarchy.
+http:
+  public:
+    ingress:
+        cdn: true
+        source_ips:
+            - 10.0.0.0/24
+            - 10.0.1.0/24
+```
 ## What’s next?
 
 Download the new Copilot CLI version by following the link below and leave your feedback on [GitHub](https://github.com/aws/copilot-cli/) or our [Community Chat](https://gitter.im/aws/copilot-cli):