feat(network): allow imported VPCs with zero public subnets (#2356)

Previously, if users imported their own VPC resources, Copilot assumed they were bringing exactly two public and two private subnets and would error out if this was not the case.

These changes allow for more flexibility, with the warning that load-balanced web services cannot be deployed in an environment with fewer than two public subnets, as the Load Balancer requires two in different AZs. 
I believe we do not need to warn users that it's impossible to deploy workloads with 'private' network placement specified if their VPC does not have private subnets, and the same with 'public.'

I have manually tested:
- importing a console-generated VPC with 0 subnets
- importing a console-generated VPC with 1 public subnet
- importing a console-generated VPC with 1 private subnet
- importing a Copilot-generated VPC with: 1 public, 2 public, 1 private, 2 private, 1 public + 1 private
- deploying a load-balanced web service (public placement) to the five configs above
- deploying a backend service (public placement) to the five configs above
- deploying a load-balanced web service (private placement) to the five configs above
- deploying a backend service (private placement) to the five configs above

To-do:
- [x] Make the same changes for jobs
- [x] Make sure `env update` works without public subnets
- [x] Make sure these changes are backwards-compatible with previously imported VPCs

To-do in a future PR: 
- Create a docs page for custom envs (#2224)

Addresses #2079, #2233.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Author: huanjani

internal/pkg/aws/cloudformation/testdata/parse/lb-web-svc.yaml

@@ -131,16 +131,9 @@ Resources:
         AwsvpcConfiguration:
           AssignPublicIp: ENABLED
           Subnets:
-            - Fn::Select:
-                - 0
-                - Fn::Split:
-                    - ','
-                    - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
-            - Fn::Select:
-                - 1
-                - Fn::Split:
-                    - ','
-                    - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
+            Fn::Split:
+              - ','
+              - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
           SecurityGroups:
             - Fn::ImportValue: !Sub '${AppName}-${EnvName}-EnvironmentSecurityGroup'
       DeploymentConfiguration:

internal/pkg/cli/env_init.go

@@ -44,7 +44,7 @@ const (
     - New IAM Roles to manage services and jobs in your environment
 `
 	envInitVPCSelectPrompt            = "Which VPC would you like to use?"
-	envInitPublicSubnetsSelectPrompt  = "Which public subnets would you like to use?"
+	envInitPublicSubnetsSelectPrompt  = "Which public subnets would you like to use?\nYou may choose to press 'Enter' to skip this step if the services and/or jobs you'll deploy to this environment are not internet-facing."
 	envInitPrivateSubnetsSelectPrompt = "Which private subnets would you like to use?"
 
 	envInitVPCCIDRPrompt         = "What VPC CIDR would you like to use?"
@@ -460,11 +460,15 @@ https://aws.amazon.com/premiumsupport/knowledge-center/ecs-pull-container-api-er
 		publicSubnets, err := o.selVPC.PublicSubnets(envInitPublicSubnetsSelectPrompt, "", o.importVPC.ID)
 		if err != nil {
 			if err == selector.ErrSubnetsNotFound {
-				log.Errorf(`No existing public subnets were found in VPC %s. You can either:
-- Create new public subnets and then import them.
-- Use the default Copilot environment configuration.`, o.importVPC.ID)
+				log.Warningf(`No existing public subnets were found in VPC %s.
+If you proceed without public subnets, you will not be able to deploy Load Balanced Web Services in this environment.
+`, o.importVPC.ID)
+			} else {
+				return fmt.Errorf("select public subnets: %w", err)
 			}
-			return fmt.Errorf("select public subnets: %w", err)
+		}
+		if len(publicSubnets) == 1 {
+			return errors.New("select public subnets: at least two public subnets must be selected to enable Load Balancing")
 		}
 		o.importVPC.PublicSubnetIDs = publicSubnets
 	}
@@ -478,6 +482,9 @@ https://aws.amazon.com/premiumsupport/knowledge-center/ecs-pull-container-api-er
 			}
 			return fmt.Errorf("select private subnets: %w", err)
 		}
+		if len(privateSubnets) == 1 {
+			return errors.New("select private subnets: at least two private subnets must be selected")
+		}
 		o.importVPC.PrivateSubnetIDs = privateSubnets
 	}
 	return nil

internal/pkg/cli/env_init_test.go

@@ -359,7 +359,7 @@ func TestInitEnvOpts_Ask(t *testing.T) {
 			},
 			wantedError: fmt.Errorf("select public subnets: some error"),
 		},
-		"fail to select private subnets": {
+		"fail to select TWO public subnets": {
 			inAppName: mockApp,
 			inEnv:     mockEnv,
 			inProfile: mockProfile,
@@ -371,12 +371,27 @@ func TestInitEnvOpts_Ask(t *testing.T) {
 				m.ec2Client.EXPECT().HasDNSSupport("mockVPC").Return(true, nil)
 				m.selVPC.EXPECT().PublicSubnets(envInitPublicSubnetsSelectPrompt, "", "mockVPC").
 					Return([]string{"mockPublicSubnet"}, nil)
+			},
+			wantedError: fmt.Errorf("select public subnets: at least two public subnets must be selected to enable Load Balancing"),
+		},
+		"fail to select private subnets": {
+			inAppName: mockApp,
+			inEnv:     mockEnv,
+			inProfile: mockProfile,
+			setupMocks: func(m initEnvMocks) {
+				m.sessProvider.EXPECT().FromProfile(gomock.Any()).Return(mockSession, nil)
+				m.prompt.EXPECT().SelectOne(envInitDefaultEnvConfirmPrompt, "", envInitCustomizedEnvTypes).
+					Return(envInitImportEnvResourcesSelectOption, nil)
+				m.selVPC.EXPECT().VPC(envInitVPCSelectPrompt, "").Return("mockVPC", nil)
+				m.ec2Client.EXPECT().HasDNSSupport("mockVPC").Return(true, nil)
+				m.selVPC.EXPECT().PublicSubnets(envInitPublicSubnetsSelectPrompt, "", "mockVPC").
+					Return([]string{"mockPublicSubnet", "anotherMockPublicSubnet"}, nil)
 				m.selVPC.EXPECT().PrivateSubnets(envInitPrivateSubnetsSelectPrompt, "", "mockVPC").
 					Return(nil, mockErr)
 			},
 			wantedError: fmt.Errorf("select private subnets: some error"),
 		},
-		"success with importing env resources with no flags": {
+		"fail to select TWO private subnets": {
 			inAppName: mockApp,
 			inEnv:     mockEnv,
 			inProfile: mockProfile,
@@ -387,19 +402,52 @@ func TestInitEnvOpts_Ask(t *testing.T) {
 				m.selVPC.EXPECT().VPC(envInitVPCSelectPrompt, "").Return("mockVPC", nil)
 				m.ec2Client.EXPECT().HasDNSSupport("mockVPC").Return(true, nil)
 				m.selVPC.EXPECT().PublicSubnets(envInitPublicSubnetsSelectPrompt, "", "mockVPC").
-					Return([]string{"mockPublicSubnet"}, nil)
+					Return([]string{"mockPublicSubnet", "anotherMockPublicSubnet"}, nil)
 				m.selVPC.EXPECT().PrivateSubnets(envInitPrivateSubnetsSelectPrompt, "", "mockVPC").
 					Return([]string{"mockPrivateSubnet"}, nil)
 			},
+			wantedError: fmt.Errorf("select private subnets: at least two private subnets must be selected"),
+		},
+		"success with selecting zero public subnets and two private subnets": {
+			inAppName: mockApp,
+			inEnv:     mockEnv,
+			inProfile: mockProfile,
+			setupMocks: func(m initEnvMocks) {
+				m.sessProvider.EXPECT().FromProfile(gomock.Any()).Return(mockSession, nil)
+				m.prompt.EXPECT().SelectOne(envInitDefaultEnvConfirmPrompt, "", envInitCustomizedEnvTypes).
+					Return(envInitImportEnvResourcesSelectOption, nil)
+				m.selVPC.EXPECT().VPC(envInitVPCSelectPrompt, "").Return("mockVPC", nil)
+				m.ec2Client.EXPECT().HasDNSSupport("mockVPC").Return(true, nil)
+				m.selVPC.EXPECT().PublicSubnets(envInitPublicSubnetsSelectPrompt, "", "mockVPC").
+					Return([]string{}, nil)
+				m.selVPC.EXPECT().PrivateSubnets(envInitPrivateSubnetsSelectPrompt, "", "mockVPC").
+					Return([]string{"mockPrivateSubnet", "anotherMockPrivateSubnet"}, nil)
+			},
+		},
+		"success with importing env resources with no flags": {
+			inAppName: mockApp,
+			inEnv:     mockEnv,
+			inProfile: mockProfile,
+			setupMocks: func(m initEnvMocks) {
+				m.sessProvider.EXPECT().FromProfile(gomock.Any()).Return(mockSession, nil)
+				m.prompt.EXPECT().SelectOne(envInitDefaultEnvConfirmPrompt, "", envInitCustomizedEnvTypes).
+					Return(envInitImportEnvResourcesSelectOption, nil)
+				m.selVPC.EXPECT().VPC(envInitVPCSelectPrompt, "").Return("mockVPC", nil)
+				m.ec2Client.EXPECT().HasDNSSupport("mockVPC").Return(true, nil)
+				m.selVPC.EXPECT().PublicSubnets(envInitPublicSubnetsSelectPrompt, "", "mockVPC").
+					Return([]string{"mockPublicSubnet", "anotherMockPublicSubnet"}, nil)
+				m.selVPC.EXPECT().PrivateSubnets(envInitPrivateSubnetsSelectPrompt, "", "mockVPC").
+					Return([]string{"mockPrivateSubnet", "anotherMockPrivateSubnet"}, nil)
+			},
 		},
 		"success with importing env resources with flags": {
 			inAppName: mockApp,
 			inEnv:     mockEnv,
 			inProfile: mockProfile,
 			inImportVPCVars: importVPCVars{
 				ID:               "mockVPCID",
-				PrivateSubnetIDs: []string{"mockPrivateSubnetID"},
-				PublicSubnetIDs:  []string{"mockPublicSubnetID"},
+				PrivateSubnetIDs: []string{"mockPrivateSubnetID", "anotherMockPrivateSubnetID"},
+				PublicSubnetIDs:  []string{"mockPublicSubnetID", "anotherMockPublicSubnetID"},
 			},
 			setupMocks: func(m initEnvMocks) {
 				m.sessProvider.EXPECT().FromProfile(gomock.Any()).Return(mockSession, nil)

internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml

@@ -322,16 +322,9 @@ Resources:
         Subnets:
           Fn::Join:
             - '","'
-            - - Fn::Select:
-                - 0
-                - Fn::Split:
-                  - ','
-                  - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
-              - Fn::Select:
-                - 1
-                - Fn::Split:
-                  - ','
-                  - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
+            - Fn::Split:
+              - ','
+              - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
         AssignPublicIp: ENABLED # Should be DISABLED if we use private subnets
         SecurityGroups:
           Fn::Join:

internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-prod.stack.yml

@@ -353,16 +353,9 @@ Resources:
         AwsvpcConfiguration:
           AssignPublicIp: ENABLED
           Subnets:
-            - Fn::Select:
-              - 0
-              - Fn::Split:
-                - ','
-                - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
-            - Fn::Select:
-              - 1
-              - Fn::Split:
-                - ','
-                - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
+            Fn::Split:
+              - ','
+              - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
           SecurityGroups:
             - Fn::ImportValue: !Sub '${AppName}-${EnvName}-EnvironmentSecurityGroup'
 

internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-staging.stack.yml

@@ -291,16 +291,9 @@ Resources:
         AwsvpcConfiguration:
           AssignPublicIp: ENABLED
           Subnets:
-            - Fn::Select:
-              - 0
-              - Fn::Split:
-                - ','
-                - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
-            - Fn::Select:
-              - 1
-              - Fn::Split:
-                - ','
-                - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
+            Fn::Split:
+              - ','
+              - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
           SecurityGroups:
             - Fn::ImportValue: !Sub '${AppName}-${EnvName}-EnvironmentSecurityGroup'
 

internal/pkg/deploy/cloudformation/stack/testdata/workloads/svc-test.stack.yml

@@ -346,16 +346,9 @@ Resources:
         AwsvpcConfiguration:
           AssignPublicIp: ENABLED
           Subnets:
-            - Fn::Select:
-              - 0
-              - Fn::Split:
-                - ','
-                - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
-            - Fn::Select:
-              - 1
-              - Fn::Split:
-                - ','
-                - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
+            Fn::Split:
+              - ','
+              - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
           SecurityGroups:
             - Fn::ImportValue: !Sub '${AppName}-${EnvName}-EnvironmentSecurityGroup'
       # This may need to be adjusted if the container takes a while to start up

internal/pkg/template/workload_test.go

@@ -163,14 +163,7 @@ func TestTemplate_ParseNetwork(t *testing.T) {
   AwsvpcConfiguration:
     AssignPublicIp: ENABLED
     Subnets:
-    - Fn::Select:
-      - 0
-      - Fn::Split:
-        - ','
-        - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
-    - Fn::Select:
-      - 1
-      - Fn::Split:
+      Fn::Split:
         - ','
         - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PublicSubnets'
     SecurityGroups:
@@ -186,14 +179,7 @@ func TestTemplate_ParseNetwork(t *testing.T) {
   AwsvpcConfiguration:
     AssignPublicIp: DISABLED
     Subnets:
-    - Fn::Select:
-      - 0
-      - Fn::Split:
-        - ','
-        - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PrivateSubnets'
-    - Fn::Select:
-      - 1
-      - Fn::Split:
+      Fn::Split:
         - ','
         - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PrivateSubnets'
     SecurityGroups:
@@ -213,14 +199,7 @@ func TestTemplate_ParseNetwork(t *testing.T) {
   AwsvpcConfiguration:
     AssignPublicIp: DISABLED
     Subnets:
-    - Fn::Select:
-      - 0
-      - Fn::Split:
-        - ','
-        - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PrivateSubnets'
-    - Fn::Select:
-      - 1
-      - Fn::Split:
+      Fn::Split:
         - ','
         - Fn::ImportValue: !Sub '${AppName}-${EnvName}-PrivateSubnets'
     SecurityGroups:

templates/environment/versions/cf-v1.4.0.yml

@@ -52,11 +52,11 @@ Resources:
   ServiceDiscoveryNamespace:
     Type: AWS::ServiceDiscovery::PrivateDnsNamespace
     Properties:
-        Name: !Sub ${AppName}.local
+      Name: !Sub ${AppName}.local
 {{- if .ImportVPC}}
-        Vpc: {{.ImportVPC.ID}}
+      Vpc: {{.ImportVPC.ID}}
 {{- else}}
-        Vpc: !Ref VPC
+      Vpc: !Ref VPC
 {{- end}}
   Cluster:
     Metadata:
@@ -285,22 +285,28 @@ Outputs:
 {{- end}}
     Export:
       Name: !Sub ${AWS::StackName}-VpcId
+{{- if not .ImportVPC}}
   PublicSubnets:
-{{- if .ImportVPC}}
-    Value: !Join [ ',', [ {{range $id := .ImportVPC.PublicSubnetIDs}}{{$id}}, {{end}}] ]
-{{- else}}
     Value: !Join [ ',', [ {{range $ind, $cidr := .VPCConfig.PublicSubnetCIDRs}}!Ref PublicSubnet{{inc $ind}}, {{end}}] ]
-{{- end}}
     Export:
       Name: !Sub ${AWS::StackName}-PublicSubnets
+{{- else if ne (len .ImportVPC.PublicSubnetIDs) 0}}
+  PublicSubnets:
+    Value: !Join [ ',', [ {{range $id := .ImportVPC.PublicSubnetIDs}}{{$id}}, {{end}}] ]
+    Export:
+      Name: !Sub ${AWS::StackName}-PublicSubnets
+{{- end}}
+{{- if not .ImportVPC}}
   PrivateSubnets:
-{{- if .ImportVPC}}
-    Value: !Join [ ',', [ {{range $id := .ImportVPC.PrivateSubnetIDs}}{{$id}}, {{end}}] ]
-{{- else}}
     Value: !Join [ ',', [ {{range $ind, $cidr := .VPCConfig.PrivateSubnetCIDRs}}!Ref PrivateSubnet{{inc $ind}}, {{end}}] ]
-{{- end}}
     Export:
       Name: !Sub ${AWS::StackName}-PrivateSubnets
+{{- else if ne (len .ImportVPC.PrivateSubnetIDs) 0}}
+  PrivateSubnets:
+    Value: !Join [ ',', [ {{range $id := .ImportVPC.PrivateSubnetIDs}}{{$id}}, {{end}}] ]
+    Export:
+      Name: !Sub ${AWS::StackName}-PrivateSubnets
+{{- end}}
   ServiceDiscoveryNamespaceID:
     Value: !GetAtt ServiceDiscoveryNamespace.Id
     Export:

templates/workloads/partials/cf/service-base-properties.yml

@@ -36,16 +36,9 @@ NetworkConfiguration:
   AwsvpcConfiguration:
     AssignPublicIp: {{.Network.AssignPublicIP}}
     Subnets:
-      - Fn::Select:
-        - 0
-        - Fn::Split:
-          - ','
-          - Fn::ImportValue: !Sub '${AppName}-${EnvName}-{{.Network.SubnetsType}}'
-      - Fn::Select:
-        - 1
-        - Fn::Split:
-          - ','
-          - Fn::ImportValue: !Sub '${AppName}-${EnvName}-{{.Network.SubnetsType}}'
+      Fn::Split:
+        - ','
+        - Fn::ImportValue: !Sub '${AppName}-${EnvName}-{{.Network.SubnetsType}}'
     SecurityGroups:
       - Fn::ImportValue: !Sub '${AppName}-${EnvName}-EnvironmentSecurityGroup'
       {{- range $sg := .Network.SecurityGroups}}