AWS DeveloperTools - keshavbaweja-git/guides GitHub Wiki

  • A CloudWatch event can be used to route CodeBuild, CodeCommit, CodeDeploy, CodePipeline, and other Code Suite notifications to CodeStar Notifications.

CodeCommit

  • CodeCommit Notification rules support SNS and AWS ChatBox as targets
  • CodeCommit Triggers support SNS and Lambda as targets
  • CodeCommit Approval Rule Template
    • No. of approvals
    • Approval pool members (optional)
    • Branch filters
  • CodeCommit Approval Rule Template can be associated with multiple repositories

CodeBuild

  • CodeBuild build environment Managed Docker images are available for - Amazon Linux 2, Ubuntu 18.04, Windows Server Core 2019.
  • You can specify Docker images from your ECR repository or any other repository for building Custom environments.
  • CodeBuild Phases: Submitted => Queued => Provisioning => Download Source => Install => Pre build => Build => Post build => Upload artifacts => Finalizing
  • CodeBuild Buildspec Phases: Install => Pre build => Build => Post build => Upload artifacts
  • CodeBuild phase can specify following values for on-failure
    • CONTINUE
    • ABORT
  • CodeBuild phases have a finally section, commands in finally section are executed regardless of success or failure of commands in commands section.
  • CodeBuild env section can reference SSM parameter store paths.
  • CodeBuild environment variable types: PlainText, SSM Parameter, Secrets Manager
  • CodeBuild BuildArtifacts API retrieves information about build output artifacts
    • artifactId
    • bucketOwnerAccess
    • encryptionDisabled
    • location
    • overrideArtifactName - name specified in buildspec file overrides the artifact name
    • md5sum
    • sha256sum
  • CodeBuild - to override Artifact name specified in console
    • If you use the console to create your build project, select Enable semantic versioning under Artifact configuration
    • If you use the AWS CLI, set the overrideArtifactName to true in the JSON-formatted file passed to create-project.
    • If you use the AWS CodeBuild API, set the overrideArtifactName flag on the ProjectArtifacts object when a project is created or updated or a build is started.
  • A CodeBuild project supports
    • Multiple sources and multiple artifacts
    • NO_SOURCE
    • Caching
      • CacheType: S3
      • CacheType: LOCAL
        • Mode: LOCAL_CUSTOM_CACHE
        • Mode: LOCAL_DOCKER_LAYER_CACHE
        • Mode: LOCAL_SOURCE_CACHE
    • Cron based scheduled triggers created in CodeBuild
    • Cron based scheduled triggers created in CloudWatch
    • Webhook integration with GitHub, GitHub Enterprise Server, and Bitbucket.
    • Webhook integration best practices: filter webhooks to trigger build by VCS account id & file paths, scope down permissions of build IAM role, use an inline or S3 stored buildspec.
    • Project sharing allows project owners to share their AWS CodeBuild projects with other AWS accounts or users. In this model, the account that owns the project (owner) shares a project with other accounts (consumers). A consumer cannot edit or run a project.
    • Batch builds for concurrent and coordinated builds
    • Batch builds introduce a new security role in the batch configuration. This new role is required as CodeBuild must be able to call the StartBuild, StopBuild, and RetryBuild actions on your behalf to run builds as part of a batch. Customers should use a new role, and not the same role they use in their build.
    • Batch build types
      • Build graph
      • Build list (a no. of builds are run in parallel)
      • Build matrix (build + env var combinations)
    • Batch build output artifacts can be combined into one archive by specifying CombineArtifacts
    • Making the build results, logs, and artifacts for your build projects available to the general public.
  • Typically, AWS CodeBuild cannot access resources in a VPC. To enable access, you must provide additional VPC-specific configuration information in your CodeBuild project configuration. This includes the VPC ID, the VPC subnet IDs, and the VPC security group IDs. VPC-enabled builds can then access resources inside your VPC.
  • You can use AWS CodeBuild with a proxy server to regulate HTTP and HTTPS traffic to and from the internet. To run CodeBuild with a proxy server, you install a proxy server in a public subnet and CodeBuild in a private subnet in a VPC.
  • AWS Config can monitor a CodeBuild project and can display; Configuration changes timeline, configuration change details, relationships with other AWS resources, list of configuration changes
  • You can use the Jenkins plugin for AWS CodeBuild to integrate CodeBuild with your Jenkins build jobs. Instead of sending your build jobs to Jenkins build nodes, you use the plugin to send your build jobs to CodeBuild. This eliminates the need for you to provision, configure, and manage Jenkins build nodes.
  • You can integrate CodeBuild with open-source tool Codecov to produce code coverage reports

CodeDeploy

  • CodeDeploy Application is configured for one of the following Compute platforms

    • EC2/On-Premises
    • Lambda
    • ECS

  • Application

    • DeploymentGroup
      • DeploymentType
      • DeploymentConfiguration
    • AppSpec

  • CodeDeploy hooks - EC2 In-place deployments

    • ApplicationStop => DownloadBundle => BeforeInstall => Install => AfterInstall => ApplicationStart => ValidationService

  • CodeDeploy hooks - EC2 Blue/Green deployment

    1. Replacement environment: ApplicationStop => DownloadBundle => BeforeInstall => Install => AfterInstall => ApplicationStart => ValidationService => BeforeAllowTraffic => AllowTraffic => AfterAllowTraffic =>
    2. Original environment: BeforeBlockTraffic => BlockTraffic => AfterBlockTraffic

  • CodeDeploy hooks - Lambda deployment

    • BeforeAllowTraffic => AllowTraffic > AfterAllowTraffic

  • DEPLOYMENT_GROUP_NAME - environment variable available to CodeDeploy hooks scripts

CodeDeploy deployment type: In-place:EC2/On-Premises

The application on each instance in the deployment group is stopped, the latest application revision is installed, and the new version of the application is started and validated. You can use a load balancer so that each instance is deregistered during its deployment and then restored to service after the deployment is complete.

CodeDeploy deployment type: Blue/green:EC2/On-Premises

  • Instances are provisioned for the replacement environment.
  • The latest application revision is installed on the replacement instances.
  • An optional wait time occurs for activities such as application testing and system verification.
  • Instances in the replacement environment are registered with an Elastic Load Balancing load balancer, causing traffic to be rerouted to them. Instances in the original environment are deregistered and can be terminated or kept running for other uses.

CodeDeploy deployment on Compute Platform:EC2/On-Premises

  • DeploymentGroup
    • DeploymentType: In-place | Blue-green
    • AutoScalingGroup
    • List of tags
    • ALB/NLB
    • DeploymentConfiguration
    • SNS notifications
    • Alarm based deployment management - Deployment is stopped if any of the alarms are Active
    • Automatic deployment rollbacks - If any of the specified CW event is triggered or any of the specified alarm is Active

CodeDeploy deployment type: Blue/green:Lambda

  • DeploymentGroup
    • DeploymentConfiguration
  • AppSpec
    • Lambda Function name
    • Lambda Function version

CodeDeploy deployment type: Blue/green:ECS

  • DeploymentGroup
    • ECS Cluster
    • ECS Service
    • ALB/NLB
    • Production Listener
    • Test Listener (optional)
    • Two Target Groups
    • DeploymentConfiguration
    • Traffic re-routing
    • Original version termination
  • AppSpec
    • ECS Task definition
    • Container name
    • Container port

CodeDeploy monitoring

  • CloudWatch Alarms: Up to 10 alarms can be attached to a DeploymentGroup. Deployment stops if status information for any of the alarms can't be retrieved.
  • CloudWatch Events: A list of events that can trigger automated rollback.
  • CloudTrail Log Events
  • SNS notifications

CodeDeploy for On-Premises servers

  • Local account used to configure on-premises server should have sudo or root privilege
  • IAM identity used to register on-premises server used to granted proper permissions
  • VPN/Direct-Connect is not required, CodeDeploy can work over Internet

CodePipeline

  • By default, CodePipeline uses AWS managed key for encryption. This AWS managed key can't be changed or deleted.
  • You can configure CodePipeline to use a Customer managed KMS key. This Customer managed key can be changed or rotated as required.
  • CodePipeline failure notifications: CloudWatch Event Rule with CodePipeline events as Source and SNS as topic
  • CodePipeline does not support resource based IAM policies.
  • CodePipeline executions
    • Stages are locked when an execution is being processed
    • Subsequent executions wait for the stage to be unlocked
    • Waiting executions are superseded by more recent executions
    • A transition can be disabled, with this executions can't enter the next stage, such waiting executions are known as Inbound executions. Inbound executions can be superseded.
    • An Approval action prevents a pipeline from transitioning to next action until permission is granted.
    • Pipeline failure: an action in a stage does not complete successfully. This failed execution can be retried or superseded.
  • CodePipeline Stages use input and output artifacts that are stored in the Amazon S3 artifact bucket you chose when you created the pipeline. CodePipeline zips and transfers the files for input or output artifacts as appropriate for the action type in the stage.
  • When you use the console to create your first pipeline, CodePipeline creates an Amazon S3 bucket in the same AWS Region to store items for all pipelines. Every time you use the console to create another pipeline in that Region, CodePipeline creates a folder for that pipeline in the bucket. It uses that folder to store artifacts for your pipeline as the automated release process runs. This bucket is named codepipeline-region-12345EXAMPLE, where region is the AWS Region in which you created the pipeline, and 12345EXAMPLE is a 12-digit random number that ensures the bucket name is unique.
  • If you use the AWS CLI to create a pipeline, you can store the artifacts for that pipeline in any Amazon S3 bucket as long as that bucket is in the same AWS Region as the pipeline. You might do this if you are concerned about exceeding the limits of Amazon S3 buckets allowed for your account. If you use the AWS CLI to create or edit a pipeline, and you add a cross-Region action (an action with an AWS provider in a Region different from your pipeline), you must provide an artifact bucket for each additional Region where you plan to execute an action.
  • CodePipeline pipeline with CodeBuild and multiple sources and artifacts - https://docs.aws.amazon.com/codebuild/latest/userguide/sample-pipeline-multi-input-output.html
Action Type Action Provider
Source CodeCommit
S3
BitBucket
GitHub
Build CodeBuild
Jenkins
TeamCity
CloudBees
Deploy CodeDeploy
CloudFormation: CHANGE_SET_EXECUTE, CHANGE_SET_REPLACE, CREATE_UPDATE, DELETE_ONLY, REPLACE_ON_FAILURE (use for testing purposes only)
Elastic Beanstalk
ECS
AppConfig
Service Catalog
Approval Manual
Invoke Lambda
Step Functions