Blog

Building applications with pipelines

30 Jan, 2023
Xebia Background Header Wave

In larger organizations a lot of things are in place. Think of things like deployment pipelines for your applications. But how do you set those up using the services AWS provides? In this blog post I will guide you to how I do it for my pet projects.

I am a big fan of CloudFormation so the examples I will show are CloudFormation snippets.

The git repository

I am using AWS CodeCommit as a source repository. The reason for this choice is that it integrates with AWS CodePipeline. We also want the ability to test our infrastructure. So I usually use feature branches to do that. Here the first challange appears. We only need 1 repository and a pipeline to deploy our infrastructure. But we also need a pipeline that deploys our feature branch. In CloudFormation you can do this using conditions.

Parameters:
  FeatureGitBranch:
    Type: String
    Default: ""
  ProjectName:
    Type: String
    Default: ""   
Conditions:
  IsMainBranchPipeline: !Equals [!Ref FeatureGitBranch, ""]
  IsFeatureBranchPipeline: !Not [Condition: IsMainBranchPipeline]

By providing a FeatureGitBranch parameter we can now make some choices. For example we could only create the repository in the production pipeline.

Resources:
  PipelineRepo:
    Condition: IsMainBranchPipeline
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: !Ref ProjectName
      RepositoryDescription: <repository-description>

The pipeline requirements

The pipeline uses a couple of resources. You can share these resources across your pipelines. So they are in a separate template and I deploy these resources once per region that I am using.

First you will need a S3 bucket to store the artifacts created by each stage.

ArtifactsBucket:
  Type: AWS::S3::Bucket
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    BucketName: !Sub codepipeline-artifacts-${AWS::AccountId}-${AWS::Region}
    VersioningConfiguration:
      Status: Enabled
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256

I am using a predictable bucket name so I can use it in my pipeline. Because bucket names need to have a globally unique name I also include the account id and region.

You will also need an IAM role. You will use this role in your pipeline to deploy your CloudFormation template.

CloudFormationServiceRole:
 Type: AWS::IAM::Role
 Properties:
   RoleName: !Sub cloudformation-execution-role-${AWS::Region}
   AssumeRolePolicyDocument:
     Version: "2012-10-17"
     Statement:
       - Action: sts:AssumeRole
         Effect: Allow
         Principal: { Service: cloudformation.amazonaws.com }
   ManagedPolicyArns:
     - arn:aws:iam::aws:policy/AdministratorAccess

Again I use a predictable name and I included the region. Since role names are unique in your account you can deploy this in every region. For the sake of simplicity I used the AdministratorAccess managed policy. You might want to limit this for your own scope.

The pipeline

The pipeline itself also needs a role. This role can pass the CloudFormation role and use the buckets created in the previous step.

CodePipelineExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Action: "sts:AssumeRole"
          Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
    Policies:
      - PolicyName: CodePipelineAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: "iam:PassRole"
              Resource: !Sub cloudformation-execution-role-${AWS::Region}
      - PolicyName: CodePipelineCodeAndS3Bucket
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - s3:GetBucketAcl
                - s3:GetBucketLocation
              Effect: Allow
              Resource:
                - !Sub arn:${AWS::Partition}:s3:::codepipeline-artifacts-${AWS::AccountId}-eu-west-1
                - !Sub arn:${AWS::Partition}:s3:::codepipeline-artifacts-${AWS::AccountId}-eu-central-1
            - Action:
                - "s3:GetObject"
                - "s3:GetObjectVersion"
                - "s3:PutObject"
              Effect: Allow
              Resource:
                - !Sub arn:${AWS::Partition}:s3:::codepipeline-artifacts-${AWS::AccountId}-eu-west-1/*
                - !Sub arn:${AWS::Partition}:s3:::codepipeline-artifacts-${AWS::AccountId}-eu-central-1/*
      - PolicyName: CodeCommitAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - codecommit:GitPull
                - codecommit:GetBranch
                - codecommit:GetCommit
                - codecommit:UploadArchive
                - codecommit:GetUploadArchiveStatus
              Effect: Allow
              Resource:
                - !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${ProjectName}
                - !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${ProjectName}/*
      - PolicyName: CodePipelineCodeBuildAndCloudformationAccess
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "codebuild:StartBuild"
                - "codebuild:BatchGetBuilds"
              Resource:
                - !GetAtt CodeBuildProjectBuildAndPackage.Arn
            - Effect: Allow
              Action:
                - "cloudformation:DescribeStacks"
              Resource: !Sub "arn:${AWS::Partition}:cloudformation:eu-*:${AWS::AccountId}:stack/*"
            - Effect: Allow
              Action:
                - "cloudformation:CreateStack"
                - "cloudformation:DeleteStack"
                - "cloudformation:UpdateStack"
                - "cloudformation:CreateChangeSet"
                - "cloudformation:ExecuteChangeSet"
                - "cloudformation:DeleteChangeSet"
                - "cloudformation:DescribeChangeSet"
                - "cloudformation:SetStackPolicy"
                - "cloudformation:SetStackPolicy"
                - "cloudformation:ValidateTemplate"
              Resource:
                - !Sub "arn:${AWS::Partition}:cloudformation:eu-*:${AWS::AccountId}:stack/${ProjectName}-*/*"

As you can see in the snippet the role is also allowed to start a CodeBuild project. And it can deploy a CloudFormation template.
You might have noticed that I used 2 regions in this role. This is because in this particular example I have a pipeline that uses 2 regions.

Because we use 2 regions we also need 2 artifact stores.

Pipeline:
  Type: AWS::CodePipeline::Pipeline
  Properties:
    ArtifactStores:
      - Region: eu-west-1
        ArtifactStore:
          Location: !Sub codepipeline-artifacts-${AWS::AccountId}-eu-west-1
          Type: S3
      - Region: eu-central-1
        ArtifactStore:
          Location: !Sub codepipeline-artifacts-${AWS::AccountId}-eu-central-1
          Type: S3
    RoleArn: !GetAtt CodePipelineExecutionRole.Arn
    RestartExecutionOnUpdate: true
    Stages:
      - Name: Source
        Actions:
          - Name: SourceCodeRepo
            ActionTypeId:
              Category: Source
              Owner: AWS
              Version: 1
              Provider: CodeCommit
            Configuration:
              PollForSourceChanges: False
              RepositoryName: !Ref ProjectName
              BranchName: !If [IsFeatureBranchPipeline, !Ref FeatureGitBranch, "main"]
            OutputArtifacts:
              - Name: SourceCodeAsZip
            RunOrder: 1

Depending on the IsFeatureBranchPipeline condition we select the correct branch for this pipeline. Depending on your project you might need a build step. I use CodeBuild to run unit tests and build and package any resources needed.

      - Name: BuildAndPackage
        Actions:
          - Name: CodeBuild
            ActionTypeId:
              Category: Build
              Owner: AWS
              Provider: CodeBuild
              Version: "1"
            Configuration:
              ProjectName: !Ref CodeBuildProjectBuildAndPackage
            InputArtifacts:
              - Name: SourceCodeAsZip
            OutputArtifacts:
              - Name: BuildArtifactAsZip

I did not include the CodeBuild project and IAM role snippet for CodeBuild. I will do a blog post on that in the future.

So lets go over to the fun part. The next stage is the actual deployment of the CloudFormation template. I am using 2 regions and I only want to deploy to these 2 regions for my production environment. I also have different parameters for my production environment. Again, I am using conditions to control this behaviour.

          - !If
            - IsMainBranchPipeline
            - Name: Production
              Actions:
                - Name: Ireland-CreateChangeSet
                  RunOrder: 1
                  Region: eu-west-1
                  InputArtifacts:
                    - Name: BuildArtifactAsZip
                  ActionTypeId:
                    Category: Deploy
                    Owner: AWS
                    Provider: CloudFormation
                    Version: "1"
                  Configuration:
                    ActionMode: CHANGE_SET_REPLACE
                    RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cloudformation-execution-role
                    StackName: !Sub ${ProjectName}-production
                    ChangeSetName: !Sub ${ProjectName}-production-ChangeSet
                    TemplatePath: BuildArtifactAsZip::packaged-template.yaml
                    Capabilities: CAPABILITY_NAMED_IAM
                    ParameterOverrides: |-
                      {
                        "EnvType": "production"
                      }
                - Name: Frankfurt-CreateChangeSet
                  RunOrder: 1
                  Region: eu-central-1
                  InputArtifacts:
                    - Name: BuildArtifactAsZip
                  ActionTypeId:
                    Category: Deploy
                    Owner: AWS
                    Provider: CloudFormation
                    Version: "1"
                  Configuration:
                    ActionMode: CHANGE_SET_REPLACE
                    RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/cloudformation-execution-role
                    StackName: !Sub ${ProjectName}-production
                    ChangeSetName: !Sub ${ProjectName}-production-ChangeSet
                    TemplatePath: BuildArtifactAsZip::packaged-template.yaml
                    Capabilities: CAPABILITY_NAMED_IAM
                    ParameterOverrides: |
                      {
                        "EnvType": "production"
                      }
                - Name: Ireland-ExecuteChangeSet
                  RunOrder: 2
                  Region: eu-west-1
                  ActionTypeId:
                    Category: Deploy
                    Owner: AWS
                    Provider: CloudFormation
                    Version: "1"
                  Configuration:
                    ActionMode: CHANGE_SET_EXECUTE
                    RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cloudformation-execution-role
                    StackName: !Sub ${ProjectName}-production
                    ChangeSetName: !Sub ${ProjectName}-production-ChangeSet
                - Name: Frankfurt-ExecuteChangeSet
                  RunOrder: 2
                  Region: eu-central-1
                  ActionTypeId:
                    Category: Deploy
                    Owner: AWS
                    Provider: CloudFormation
                    Version: "1"
                  Configuration:
                    ActionMode: CHANGE_SET_EXECUTE
                    RoleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/cloudformation-execution-role
                    StackName: !Sub ${ProjectName}-production
                    ChangeSetName: !Sub ${ProjectName}-production-ChangeSet
            - !Ref AWS::NoValue

In the 1 action I create a change set. In the second action I execute it. Please note the RoleArn used here. You could also specify a role from a different account. This allows you to use a separate account for different environments. For example you could host the pipeline in a deployment account. And have separate development, testing, acceptance and production accounts.

The feature branch

So we now have a working pipeline for the production environment. How about the feature branch? For this we use again the conditions.

          - !If
            - IsFeatureBranchPipeline
            - Name: FeatureDevelopment
              Actions:
                - Name: Ireland-CreateChangeSet
                  RunOrder: 1
                  Region: eu-west-1
                  InputArtifacts:
                    - Name: BuildArtifactAsZip
                  ActionTypeId:
                    Category: Deploy
                    Owner: AWS
                    Provider: CloudFormation
                    Version: "1"
                  Configuration:
                    ActionMode: CHANGE_SET_REPLACE
                    RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cloudformation-execution-role
                    StackName: !Sub ${ProjectName}-${FeatureName}
                    ChangeSetName: !Sub ${ProjectName}-feature-ChangeSet
                    TemplatePath: BuildArtifactAsZip::packaged-template.yaml
                    Capabilities: CAPABILITY_NAMED_IAM
                    ParameterOverrides: |
                      {
                        "EnvType": "development"
                      }
                - Name: Ireland-ExecuteChangeSet
                  RunOrder: 2
                  Region: eu-west-1
                  ActionTypeId:
                    Category: Deploy
                    Owner: AWS
                    Provider: CloudFormation
                    Version: "1"
                  Configuration:
                    ActionMode: CHANGE_SET_EXECUTE
                    RoleArn: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cloudformation-execution-role
                    StackName: !Sub ${ProjectName}-${FeatureName}
                    ChangeSetName: !Sub ${ProjectName}-feature-ChangeSet
            - !Ref AWS::NoValue

As you can see, the feature branch is only deployed to the eu-west-1 region. And it has set the EnvType parameter to development.

Pickup new commits

When you push your commits to the CodeCommit repository. You can use an event rule to trigger a new pipeline execution. To make this happen we need an IAM role and the rule itself.

CloudWatchEventRole:
   Type: AWS::IAM::Role
   Properties:
     AssumeRolePolicyDocument:
       Version: '2012-10-17'
       Statement:
       - Effect: Allow
         Principal: { Service: events.amazonaws.com }
         Action: sts:AssumeRole
     Policies:
       - PolicyName: root
         PolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Action: codepipeline:StartPipelineExecution
               Resource: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}
               Effect: Allow

CloudWatchEventRule:
  Type: AWS::Events::Rule
  Properties:
    Description: Check CodeCommit Repo Changes
    EventPattern:
      detail-type:
        - "CodeCommit Repository State Change"
      source:
        - aws.codecommit
      resources:
        - !Sub arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${ProjectName}
      detail:
        event:
          anything-but:
            - referenceDeleted
        referenceType:
          - branch
        referenceName:
          - !If [IsFeatureBranchPipeline, !Ref FeatureGitBranch, "main"]
    Targets:
      - Id: codepipeline
        Arn: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${Pipeline}
        RoleArn: !Sub ${CloudWatchEventRole.Arn}

We are triggering on every event except when the branch removal.

Conclusion

You can store the template for the pipeline in your CodeCommit repository. When you create a feature branch you can deploy that template specifying the branch name. The pipeline can then deploy the project CloudFormation template. And with every commit that you push your feature environment will receive an update.

With this setup you have everything in a single repository. (Except for the shared S3 bucket and IAM role.) Having everything in a single repository makes it easier to maintain.

Joris Conijn
Joris has been working with the AWS cloud since 2009 and focussing on building event driven architectures. While working with the cloud from (almost) the start he has seen most of the services being launched. Joris strongly believes in automation and infrastructure as code and is open to learn new things and experiment with them, because that is the way to learn and grow. In his spare time he enjoys running and runs a small micro brewery from his home.
Questions?

Get in touch with us to learn more about the subject and related solutions

Explore related posts