[Bug]: Backend Service on Apprunner is ignoring the security groups I define on the service #5814

Open
LiamDotPro opened this issue May 13, 2024 · 3 comments
Labels
guidance Issue requesting guidance or information about usage type/feature Issues that are new feature requests. type/request Issues that are created by customers.

Comments

@LiamDotPro

Description:

When using the following, my custom groups are never defined on the app runner deployment:

network:
  vpc:
    placement: private
    security_groups:
    deny_default: true
    groups: [ sg-021be4f595b2a7c79, sg-021a5462b70d2176d ]

I instead always get the default security groups. I've tried this on two separate deployments and the same thing occurs.

Details:

version: v1.33.2, built for darwin
AWS EU Region 2
MacOS

Observed result:

My service deploys correctly with no faults, but the custom security groups are not added. I am deploying into a predefined VPC and this is working correctly.

Expected result:

My security groups to be added.

Debugging:

I tried a mixture of adding deny_default and different ways of defining the security groups, including as strings etc., but I just can't get it to add them correctly.

@LiamDotPro LiamDotPro added the type/bug Issues that are bugs. label May 13, 2024
@LiamDotPro
Author

Kind of related is that if it were possible to select a preconfigured connector, this would also remove my issue, although of course it's just another point of failure if I'm using the same one for multiple instances. Without being able to apply these custom security groups, it makes my app runner instance inaccessible from other services.

@huanjani
Contributor

Hi, @LiamDotPro!

Configuring your security groups is possible for ECS services (Backend and Load Balanced Web Services), but not for App Runner services (Request-Driven Web Services). https://aws.github.io/copilot-cli/docs/manifest/rd-web-service/

Thanks!

@huanjani huanjani added guidance Issue requesting guidance or information about usage and removed type/bug Issues that are bugs. labels May 17, 2024
@LiamDotPro
Author

@huanjani Thanks for the feedback. Is it possible to then turn this into a feature request? It seems entirely possible to configure specific security groups onto app runner in CloudFormation, so I suppose it's possible with copilot?

@huanjani huanjani added type/feature Issues that are new feature requests. type/request Issues that are created by customers. labels May 20, 2024
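
The CloudFormation arrangement mentioned in the last comment, as an added example that is not part of the issue thread and not Copilot's own template: an `AWS::AppRunner::VpcConnector` carries the security groups, and the service's egress configuration points at it. All parameter names, the image source and the port are assumptions; the connector's security groups apply to traffic the service sends into the VPC.

```yaml
# Added illustration; parameter names and values are assumptions, not from the issue.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  ConnectorSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>
  ImageIdentifier:
    Type: String          # ECR image URI for the service
  AccessRoleArn:
    Type: String          # role App Runner assumes to pull the image
Resources:
  VpcConnector:
    Type: AWS::AppRunner::VpcConnector
    Properties:
      Subnets: !Ref PrivateSubnetIds
      # If SecurityGroups is omitted, App Runner falls back to the VPC's
      # default security group, which is the behaviour reported in the issue.
      SecurityGroups: !Ref ConnectorSecurityGroupIds
  Service:
    Type: AWS::AppRunner::Service
    Properties:
      SourceConfiguration:
        AuthenticationConfiguration:
          AccessRoleArn: !Ref AccessRoleArn
        ImageRepository:
          ImageRepositoryType: ECR
          ImageIdentifier: !Ref ImageIdentifier
          ImageConfiguration:
            Port: "8080"
      NetworkConfiguration:
        EgressConfiguration:
          EgressType: VPC
          VpcConnectorArn: !GetAtt VpcConnector.VpcConnectorArn
Outputs:
  # Surface the groups actually attached so a post-deploy check can compare
  # them with what was intended instead of trusting a clean deploy.
  ConnectorSecurityGroups:
    Value: !Join [",", !Ref ConnectorSecurityGroupIds]
```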