docs: job supports all network.vpc fields (#5706)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.

internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-manifest.yml

@@ -69,10 +69,12 @@ sidecars:
 network:
   vpc:
     security_groups:
-      - sg-0c10c4fe23f5e5361
-      - sg-09295097b2a41b59d
-      - from_cfn: MyUserDBAccessSecurityGroup1
-      - from_cfn: MyUserDBAccessSecurityGroup2
+      deny_default: true
+      groups:
+        - sg-0c10c4fe23f5e5361
+        - sg-09295097b2a41b59d
+        - from_cfn: MyUserDBAccessSecurityGroup1
+        - from_cfn: MyUserDBAccessSecurityGroup2
 
 environments:
   test:

internal/pkg/deploy/cloudformation/stack/testdata/workloads/job-test.stack.yml

@@ -452,8 +452,7 @@ Resources:
         SecurityGroups:
           Fn::Join:
           - '","'
-          - - Fn::ImportValue: !Sub "${AppName}-${EnvName}-EnvironmentSecurityGroup"
-            - sg-0c10c4fe23f5e5361
+          - - sg-0c10c4fe23f5e5361
             - sg-09295097b2a41b59d
             - Fn::ImportValue: MyUserDBAccessSecurityGroup1
             - Fn::ImportValue: MyUserDBAccessSecurityGroup2

internal/pkg/template/templates/workloads/partials/cf/state-machine.yml

@@ -36,7 +36,7 @@ StateMachine:
       SecurityGroups:
         Fn::Join:
           - '","'
-          - - Fn::ImportValue: !Sub "${AppName}-${EnvName}-EnvironmentSecurityGroup"
+          - {{if not .Network.DenyDefaultSecurityGroup}}- Fn::ImportValue: !Sub "${AppName}-${EnvName}-EnvironmentSecurityGroup" {{end}}
             {{- range $sg := .Network.SecurityGroups}}
             {{- if not $sg.RequiresImport}}
             - {{$sg.Value}}

site/content/docs/include/network-vpc.en.md

@@ -0,0 +1,67 @@
+
+<span class="parent-field">network.</span><a id="network-vpc" href="#network-vpc" class="field">`vpc`</a> <span class="type">Map</span>    
+Subnets and security groups attached to your tasks.
+
+<span class="parent-field">network.vpc.</span><a id="network-vpc-placement" href="#network-vpc-placement" class="field">`placement`</a> <span class="type">String or Map</span>  
+When using it as a string, the value must be one of `'public'` or `'private'`. Defaults to launching your tasks in public subnets.
+
+!!! info
+    If you launch tasks in `'private'` subnets and use a Copilot-generated VPC, Copilot will automatically add NAT Gateways to your environment for internet connectivity. (See [pricing](https://aws.amazon.com/vpc/pricing/).) Alternatively, when running `copilot env init`, you can import an existing VPC with NAT Gateways, or one with VPC endpoints for isolated workloads. See our [custom environment resources](../developing/custom-environment-resources.en.md) page for more.
+
+When using it as a map, you can specify in which subnets Copilot should launch ECS tasks. For example:
+
+```yaml
+network:
+  vpc:
+    placement:
+      subnets: ["SubnetID1", "SubnetID2"]
+```
+
+<span class="parent-field">network.vpc.placement.</span><a id="network-vpc-placement-subnets" href="#network-vpc-placement-subnets" class="field">`subnets`</a> <span class="type">Array of Strings or Map</span>  
+As a list of strings, the subnet IDs where Copilot should launch ECS tasks.
+
+As a map, the name-value pairs by which to filter your subnets. Note that the filters are joined with an `AND`, and the values for each filter are joined by an `OR`. For example, both subnets with tag set `org: bi` and `type: public`, and subnets with tag set `org: bi` and `type: private` will be matched by
+
+```yaml
+network:
+  vpc:
+    placement:
+      subnets:
+        from_tags:
+          org: bi
+          type:
+            - public
+            - private
+```
+
+<span class="parent-field">network.vpc.placement.subnets</span><a id="network-vpc-placement-subnets-from-tags" href="#network-vpc-placement-subnets-from-tags" class="field">`from_tags`</a> <span class="type">Map of String and String or Array of Strings</span>  
+Tag sets by which to filter subnets where Copilot should launch ECS tasks.
+
+<span class="parent-field">network.vpc.</span><a id="network-vpc-security-groups" href="#network-vpc-security-groups" class="field">`security_groups`</a> <span class="type">Array of Strings or Map</span>  
+Additional security group IDs associated with your tasks.
+```yaml
+network:
+  vpc:
+    security_groups: [sg-0001, sg-0002]
+```
+Copilot includes a security group so containers within your environment can communicate with each other. To disable
+the default security group, you can specify the `Map` form:
+```yaml
+network:
+  vpc:
+    security_groups:
+      deny_default: true
+      groups: [sg-0001, sg-0002]
+```
+
+<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-from-cfn" href="#network-vpc-security-groups-from-cfn" class="field">`from_cfn`</a> <span class="type">String</span>  
+The name of a [CloudFormation stack export](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html).
+
+<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-deny-default" href="#network-vpc-security-groups-deny-default" class="field">`deny_default`</a> <span class="type">Boolean</span>  
+Disable the default security group that allows ingress from all services in your environment.
+
+<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-groups" href="#network-vpc-security-groups-groups" class="field">`groups`</a> <span class="type">Array of Strings</span>    
+Additional security group IDs associated with your tasks.
+
+<span class="parent-field">network.vpc.security_groups.groups</span><a id="network-vpc-security-groups-groups-from-cfn" href="#network-vpc-security-groups-groups-from-cfn" class="field">`from_cfn`</a> <span class="type">String</span>  
+The name of a [CloudFormation stack export](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html). 

site/content/docs/include/network.en.md

@@ -11,69 +11,4 @@ When using it as a map, you can specify which alias to use for this service. Not
 <span class="parent-field">network.connect.</span><a id="network-connect-alias" href="#network-connect-alias" class="field">`alias`</a> <span class="type">String</span>  
 A custom DNS name for this service exposed to Service Connect. Defaults to the service name.
 
-<span class="parent-field">network.</span><a id="network-vpc" href="#network-vpc" class="field">`vpc`</a> <span class="type">Map</span>    
-Subnets and security groups attached to your tasks.
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-placement" href="#network-vpc-placement" class="field">`placement`</a> <span class="type">String or Map</span>  
-When using it as a string, the value must be one of `'public'` or `'private'`. Defaults to launching your tasks in public subnets.
-
-!!! info
-    If you launch tasks in `'private'` subnets and use a Copilot-generated VPC, Copilot will automatically add NAT Gateways to your environment for internet connectivity. (See [pricing](https://aws.amazon.com/vpc/pricing/).) Alternatively, when running `copilot env init`, you can import an existing VPC with NAT Gateways, or one with VPC endpoints for isolated workloads. See our [custom environment resources](../developing/custom-environment-resources.en.md) page for more.
-
-When using it as a map, you can specify in which subnets Copilot should launch ECS tasks. For example:
-
-```yaml
-network:
-  vpc:
-    placement:
-      subnets: ["SubnetID1", "SubnetID2"]
-```
-
-<span class="parent-field">network.vpc.placement.</span><a id="network-vpc-placement-subnets" href="#network-vpc-placement-subnets" class="field">`subnets`</a> <span class="type">Array of Strings or Map</span>  
-As a list of strings, the subnet IDs where Copilot should launch ECS tasks.
-
-As a map, the name-value pairs by which to filter your subnets. Note that the filters are joined with an `AND`, and the values for each filter are joined by an `OR`. For example, both subnets with tag set `org: bi` and `type: public`, and subnets with tag set `org: bi` and `type: private` will be matched by
-
-```yaml
-network:
-  vpc:
-    placement:
-      subnets:
-        from_tags:
-          org: bi
-          type:
-            - public
-            - private
-```
-
-<span class="parent-field">network.vpc.placement.subnets</span><a id="network-vpc-placement-subnets-from-tags" href="#network-vpc-placement-subnets-from-tags" class="field">`from_tags`</a> <span class="type">Map of String and String or Array of Strings</span>  
-Tag sets by which to filter subnets where Copilot should launch ECS tasks.
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-security-groups" href="#network-vpc-security-groups" class="field">`security_groups`</a> <span class="type">Array of Strings or Map</span>  
-Additional security group IDs associated with your tasks.
-```yaml
-network:
-  vpc:
-    security_groups: [sg-0001, sg-0002]
-```
-Copilot includes a security group so containers within your environment can communicate with each other. To disable
-the default security group, you can specify the `Map` form:
-```yaml
-network:
-  vpc:
-    security_groups:
-      deny_default: true
-      groups: [sg-0001, sg-0002]
-```
-
-<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-from-cfn" href="#network-vpc-security-groups-from-cfn" class="field">`from_cfn`</a> <span class="type">String</span>  
-The name of a [CloudFormation stack export](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html).
-
-<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-deny-default" href="#network-vpc-security-groups-deny-default" class="field">`deny_default`</a> <span class="type">Boolean</span>  
-Disable the default security group that allows ingress from all services in your environment.
-
-<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-groups" href="#network-vpc-security-groups-groups" class="field">`groups`</a> <span class="type">Array of Strings</span>    
-Additional security group IDs associated with your tasks.
-
-<span class="parent-field">network.vpc.security_groups.groups</span><a id="network-vpc-security-groups-groups-from-cfn" href="#network-vpc-security-groups-groups-from-cfn" class="field">`from_cfn`</a> <span class="type">String</span>  
-The name of a [CloudFormation stack export](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html). 
+{% include 'network-vpc.en.md' %}

site/content/docs/include/network.ja.md

@@ -11,68 +11,4 @@ Map として利用すると、Service で利用するエイリアスを指定
 <span class="parent-field">network.connect.</span><a id="network-connect-alias" href="#network-connect-alias" class="field">`alias`</a> <span class="type">String</span>  
 Service Connect 経由で公開する Service のカスタム DNS　名です。デフォルトは Service 名です。
 
-<span class="parent-field">network.</span><a id="network-vpc" href="#network-vpc" class="field">`vpc`</a> <span class="type">Map</span>    
-タスクを配置するサブネットとアタッチされるセキュリティグループの設定です。
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-placement" href="#network-vpc-placement" class="field">`placement`</a> <span class="type">String or Map</span>  
-String として利用する場合、`public` あるいは `private` のどちらかを指定します。デフォルトではタスクはパブリックサブネットに配置されます。
-
-!!! info
-    Copilot が生成した VPC を利用して `private` サブネットにタスクを配置する場合、Copilot は Environment にインターネット接続用の NAT ゲートウェイを作成します。(価格は[こちら](https://aws.amazon.com/vpc/pricing/)。)あるいは `copilot env init` コマンドで既存の VPC をインポートして利用することや、分離されたワークロード用に VPC エンドポイントが構成された VPC を構成ができます。詳細は、[custom environment resources](../developing/custom-environment-resources.ja.md)を確認してください。
-
-Map として利用する場合、 Copilot が ECS タスクを起動するサブネットを指定します。例：
-
-```yaml
-network:
-  vpc:
-    placement:
-      subnets: ["SubnetID1", "SubnetID2"]
-```
-
-<span class="parent-field">network.vpc.placement.</span><a id="network-vpc-placement-subnets" href="#network-vpc-placement-subnets" class="field">`subnets`</a> <span class="type">Array of Strings or Map</span>  
-String のリストとする場合、Copilot が ECS タスクを起動するサブネット ID を指定します。
-
-Map の場合、サブネットをフィルタリングするための名前と値のペアを指定します。フィルタは `AND` で結合され、各フィルタの値は `OR` で結合されることに注意してください。例えば、タグセット `org: bi` と `type: public` を持つサブネットと、タグセット `org: bi` と `type: private` を持つサブネットの両方は、以下の方法でマッチングされることになります。
-
-```yaml
-network:
-  vpc:
-    placement:
-      subnets:
-        from_tags:
-          org: bi
-          type:
-            - public
-            - private
-```
-
-<span class="parent-field">network.vpc.placement.subnets</span><a id="network-vpc-placement-subnets-from-tags" href="#network-vpc-placement-subnets-from-tags" class="field">`from_tags`</a> <span class="type">Map of String and String or Array of Strings</span>  
-Copilot が ECS タスクを起動するサブネットをフィルタリングするためのタグセット。
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-security-groups" href="#network-vpc-security-groups" class="field">`security_groups`</a> <span class="type">Array of Strings or Map</span>  
-タスクに関連する追加のセキュリティグループ ID。
-```yaml
-network:
-  vpc:
-    security_groups: [sg-0001, sg-0002]
-```
-Copilot にはセキュリティグループが含まれており、Environment 内のコンテナ同士が通信できるようになっています。デフォルトのセキュリティグループを無効にするには、`Map` 形式で以下のように指定します。
-```yaml
-network:
-  vpc:
-    security_groups:
-      deny_default: true
-      groups: [sg-0001, sg-0002]
-```
-
-<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-from-cfn" href="#network-vpc-security-groups-from-cfn" class="field">`from_cfn`</a> <span class="type">String</span>  
-[CloudFormation スタックエクスポート](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html)の名称。
-
-<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-deny-default" href="#network-vpc-security-groups-deny-default" class="field">`deny_default`</a> <span class="type">Boolean</span>  
-Environment 内のすべての Service からの侵入を許可するデフォルトのセキュリティグループを無効化します。
-
-<span class="parent-field">network.vpc.security_groups.</span><a id="network-vpc-security-groups-groups" href="#network-vpc-security-groups-groups" class="field">`groups`</a> <span class="type">Array of Strings</span>    
-タスクに関連する追加のセキュリティグループ ID。
-
-<span class="parent-field">network.vpc.security_groups.groups</span><a id="network-vpc-security-groups-groups-from-cfn" href="#network-vpc-security-groups-groups-from-cfn" class="field">`from_cfn`</a> <span class="type">String</span>  
-[CloudFormation スタックエクスポート](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html)の名称。
+{% include 'network-vpc.ja.md' %}

site/content/docs/manifest/scheduled-job.en.md

@@ -150,21 +150,7 @@ How long the job should run before it aborts and fails. You can use the units: `
 
 <div class="separator"></div>
 
-<a id="network" href="#network" class="field">`network`</a> <span class="type">Map</span>  
-The `network` section contains parameters for connecting to AWS resources in a VPC.
-
-<span class="parent-field">network.</span><a id="network-vpc" href="#network-vpc" class="field">`vpc`</a> <span class="type">Map</span>  
-Subnets and security groups attached to your tasks.
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-placement" href="#network-vpc-placement" class="field">`placement`</a> <span class="type">String</span>    
-Must be one of `'public'` or `'private'`. Defaults to launching your tasks in public subnets.
-
-!!! info
-    If you launch tasks in `'private'` subnets and use a Copilot-generated VPC, Copilot will automatically add NAT Gateways to your environment for internet connectivity. (See [pricing](https://aws.amazon.com/vpc/pricing/).) Alternatively, when running `copilot env init`, you can import an existing VPC with NAT Gateways, or one with VPC endpoints for isolated workloads. See our [custom environment resources](../developing/custom-environment-resources.en.md) page for more.
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-security-groups" href="#network-vpc-security-groups" class="field">`security_groups`</a> <span class="type">Array of Strings</span>  
-Additional security group IDs associated with your tasks. Copilot always includes a security group so containers within your environment
-can communicate with each other.
+{% include 'network-vpc.en.md' %}
 
 <div class="separator"></div>
 

site/content/docs/manifest/scheduled-job.ja.md

@@ -153,20 +153,7 @@ Job の実行時間。この時間を超えた場合、Job は停止されて失
 
 <div class="separator"></div>
 
-<a id="network" href="#network" class="field">`network`</a> <span class="type">Map</span>    
-`network` セクションは VPC 内の AWS リソースに接続するためのパラメータを持ちます。
-
-<span class="parent-field">network.</span><a id="network-vpc" href="#network-vpc" class="field">`vpc`</a> <span class="type">Map</span>  
-タスクにアタッチするサブネットとセキュリティグループ。
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-placement" href="#network-vpc-placement" class="field">`placement`</a> <span class="type">String</span>    
-`'public'` か `'private'`のいずれかである必要があります。デフォルトではタスクはパブリックサブネットで起動します。
-
-!!! info
-    Copilot が作成した VPC の `'private'` サブネットを利用してタスクを実行する場合、Copilot は Environment に NAT ゲートウェイを追加します。あるいは Copilot 外で作成した VPC を `copilot env init` コマンドにてインポートしている場合は、その VPC に NAT ゲートウェイがあり、プライベートサブネットからインターネットへの接続性があることを確認してください。
-
-<span class="parent-field">network.vpc.</span><a id="network-vpc-security-groups" href="#network-vpc-security-groups" class="field">`security_groups`</a> <span class="type">Array of Strings</span>  
-タスクに関連づける追加のセキュリティグループのリスト。Copilot は常にセキュリティグループを含んでおり、環境内のコンテナは互いに通信できるようになっています。
+{% include 'network-vpc.ja.md' %}
 
 <div class="separator"></div>