[AWS DA] AWS CICD: CodeCommit, CodePipeline, CodeBuild, CodeDeploy

Posted 2021-06-02 Answer1215

Overview

• CodeCommit: storing code
• CodePipeline: automating our pipeline from code to ElasticBeanstalk
• CodeBuild: building and testing our code
• CodeDeploy: deploying the code to EC2 fleets (not Beanstalk) Impportant! CodeDeploy only deploy to EC2, no whereelse

CodeCommit

Security

Authentication in Git:

• SSH Key
• HTTPS
• MFA

Authorization in Git:

• IAM policies for user / role to repositories

Encryption:

• Repo are encrypted at rest using KMS automatically
• Encrypted in transit (SSH or HTTPS)

Cross Account access:

• Use IAM role in your AWS account and use AWS STS (with AssumeRole API)
• NOT share SSH
• NOT share AWS credentials

 

Notifications

You can trigger notification in CodeCommit using SNS, Lambda or CloudWatch Event Rules.

Basiclly any notification related to Pull request (inlcude comments), goes to CloudWatch Event Rules.

Otherwise goes to SNS / AWS Lambda.

CloudWath Event rules can also goes into SNS topic.

SNS / Lambda:

• Deletion of branches
• Push to master
• Notify external Build System
• Trigger AWS Lambda function to perform codebase analysis (maybe credentials got committed in the code?)

CloudWatch Event Rules:

• Trigger for pull request (Created/updated/deleted/commented)
• Commit comment events
• CloudWatch Event Rules goes into a SNS topic

Answer: CloudWatch Event Rules. Anything related to PR, goes to CER.

 

CodePipeline

Artifacts

• Each pipeline stage can create "artifacts"
• Artifacts are passed stored in Amamzon S3 and passed on to next stage

 

Troubleshooting

• CodePipeline state changes happen in AWS CloudWatch Events, which can in return create SNS notifications.
  • you can create events for failed piplines
  • you can create events for cancelled stages

Pipeline -> all goes to CloudWatch Event Rules -> SNS

Different from CodeCommit, only Pull Request related goes into CloudWatch Event Rules

• If CodePipeline fails a stage, you pipeline stops and you can get information in the console
• AWS CloudTrail can be used to audit AWS API calls
• If Pipeline cannot perform an action, make sure the "IAM Service Role" attached does have enough permission (IAM Policy)

Deploy

Services which Codepipeline can deploy to:

 

Stage

You can new stage easily and each stage can have multi action groups (Sequential / parallel)

 

CodeBuild

• Continuous scaling
• Pay for usage
• Leverage Docker under the hood for reproducible builds
• Possibility to extend capabilities leveraging our own base Docker images
• Intergration with KMS for encryption of build artifacts
• IAM for build permissions
• VPC netowrk security
• CloudTrail for API calls logging
• Build instruction can be defined in code (buildspec.yml file)
• Output logs to S3 & AWS CloudWatch Logs
• Use CloudWatch Alarms to detect failed build and trigger notification
• CloudWatch Events / AWS Lambda as a Glue
• SNS notifications
• Ability to reproduce CodeBuild locally to troubleshoot in case of errors
• Builds can be defined within CodePipeline or CodeBuild itself
• Deployment group are set of EC2 instance where you are going to deploy to

Supported environment

• If not in lists, then you can use Docker to extend any environment you linke

buildspec.yml

• Must be at root of your code
• Define environment variables
  • Plaintext variables
  • Secure secreets: use SSM Parameter store
• Phases
  • Install: install dependencies you may need for your build
  • Pre build: final commands to execute before build
  • Build: actual build commands
  • Post build: finishing touches (zip output for example)
• Artifacts: upload to s3 encrypted with KMS
• Cache: Files to cache (usually dependencies) to S3 for future build speedup

 

CodeBuild containers are deleted at the end of their execution. You cannot SSH into them, even while they are running.

 

CodePipeline can deploy to S3, so need to choose CodePipeline

CodeBuild is mainly used for transform markdown file to html file in build phrase.

 

 

CodeDeploy

• Deploy application automatically to many EC2 instance

 

• EC2 instnaces are grouped by deployment group (dev/test/prod)
• CodeDeploy works with any application, auto scaling integration
• Blue/green only works with EC2 instances (NOT no premise)
• Support for AWS Labda
• CodeDploy doesn\'t previson resources

 

AppSpec

Hooks: set of instructions to do to deploy the new version (hooks can have timeouts).

The order is:

• BeforeBlockTraffic
• AfterBlockTraffic
• ApplicationStop
• DownloadBundle
• BeforeInstall
• AfterInstall
• ApplicationStart
• ValidateService: really important (to make sure application is indeed working)
• BeforeAllowTraffic
• AllowTraffic
• AfterAllowTraffic

Failures:

• New deployments wil first be deployed to "failed state" instance
• To rolback: redploy old deployment or enable automated rollback for failures 

Deployment Targets:

• Set of EC2 intances with tags
• Directly to an Auto Scaling Group
• Mix of ASG / Tags so you can build deployjment segments
• Customization in scripts with DEPLOYMENT_GROUP_NAME environment variables

 

---

 

CodeDeploy Demo

0. appspec.yml file, app store in S3

version: 0.0
os: linux
files:
  - source: /index.html
    destination: /var/www/html/
hooks:
  BeforeInstall:
    - location: scripts/install_dependencies
      timeout: 300
      runas: root
    - location: scripts/start_server
      timeout: 300
      runas: root
  ApplicationStop:
    - location: scripts/stop_server
      timeout: 300
      runas: root

 

1. Create two Roles

One for CodeDeploy role:

Another for EC2 role, because EC2 need to pull the code from S3

 

2. Create an EC2 instance where CodeDeploy can deploy to:

• Add IAM Role for EC2

• Add HTTP for security group

• Add Tag "Enviroment=Dev"

 

3. SSH into EC2 instance

sudo yum update
sudo yum install ruby

// download the agent
wget https://aws-codedeploy-eu-west-3.s3.amazonaws.com/latest/install
chmod +x ./install
sudo ./install auto
sudo service codedeploy-agent status
// The AWS CodeDeploy agent is running as PID 7640

 

4. Create CodeDeploy Application

 

5. Create Deployment Group

 

6. Create Deployment

 

7. View the app in broswer by using EC2 Public IPV4 address.

---

 

 

RollBack

• You can specify automated roolback options
• Rollback when a deploymetn fails
• Disable rollbacks - Do not perform rollbacks fro this deployement
• If a roll back happens, CodeDepoy redepploys the last know good revision as a new deployment. (So it will get a new deployment ID).

 

CodeStar