CI/CD on AWS: The Basics and 4 Best Practices
What Is CI/CD on AWS?
A CI/CD pipeline is an automated workflow that lets you submit new code at one end, build it, automatically test it, and deploy it to a production environment. Each stage is a logical unit within the delivery process, acting as a gate that validates a certain aspect of your code.
As your code progresses through the CI/CD pipeline, quality should increase as more aspects are verified. Test results are received immediately due to automation, and the pipeline stops builds and releases if they do not pass predetermined quality thresholds.
Many CI/CD pipelines are implemented in public cloud environments. Amazon Web Services (AWS) provides a collection of CI/CD tools to help accelerate software development and release lifecycles. AWS CodePipeline, for example, can automate the build, testing, and deployment phases for every code change according to defined release models. You can integrate CodePipeline with other AWS Services, such as Amazon S3, or third parties like GitHub.
AWS CI/CD Tools and Services
AWS CodePipeline
AWS CodePipeline is a cloud-based continuous delivery service. It can automatically compile, build, and test your code, and continuously deliver container-based applications to the AWS cloud. It can perform pre-deployment validation of the artifacts (container images, descriptors, etc.) needed for network service or cloud native network functions.
AWS CodePipeline can also help you run various tests for containerized or virtual network functions (CNF/VNF), such as baseline and regression testing. You can also use this service to run functional testing, performance testing, and reliability and disaster recovery (DR) testing.
AWS CodeCommit
AWS CodeCommit is a managed source control service that lets you store private Git repositories and various managed assets, including source code, binary files, and documents, in the AWS cloud. The service is highly scalable and secure and eliminates the need to self-manage source control systems and scale the underlying infrastructure.
AWS CodeBuild
AWS CodeBuild is a fully managed continuous integration (CI) service that runs builds in the cloud. It compiles source code, runs unit tests, and creates deployment-ready artifacts. There is no need to provision, scale, and manage build servers—CodeBuild offers pre-packaged build environments for commonly used programming languages and scales automatically to meet peaks in build requests. It provides build tools like Apache Maven and Gradle and also lets you customize build environments and use your existing build tools.
AWS CodeDeploy
CodeDeploy is a cloud-based deployment service that automatically deploys applications to various targets, including Amazon EC2 instances, serverless Lambda functions, Amazon ECS services, and on-premises instances. It can deploy application content running on a server and stored in GitHub or Bitbucket repositories and Amazon S3 buckets and deploy serverless Lambda functions. There is no need to make changes to your code to use CodeDeploy.
Amazon Elastic Container Registry
Amazon Elastic Container Registry (Amazon ECR) is a fully managed, cloud-based container image registry service. It provides a scalable, reliable, and secure location for your container images. Amazon ECR lets you use your preferred CLI to pull, push, and manage Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts.
The service lets you use AWS Identity and Access Management (IAM) to assign resource-based permissions to your private repositories to ensure only specific users and Amazon EC2 instances are allowed access to container repositories.
AWS CodeStar
AWS CodeStar provides one interface for various development tasks. It lets you create and manage your software development projects on the AWS cloud. You can use CodeStar to develop, build, and deploy your applications in the cloud by creating an AWS CodeStar project. Each project can integrate the relevant AWS services for your toolchain.
AWS CodeStar offers various project templates, each providing a different toolchain. It can include source control, build, virtual servers, deployment, or serverless resources. The service can also manage the permissions allowed for team members (project users). Project owners can add users as team members to their CodeStar project and grant them role-appropriate access to the project and its associated resources.
4 Best Practices for Successful CI/CD on AWS
1. Use AWS CodeStar with CodePipeline
CodeStar is a cloud service providing a unified AWS software management UI. It combines AWS resources in a single project toolchain using CodePipeline. The AWS CodeStar dashboard lets you automatically create pipelines, source code repositories, spec files, and instances. You choose the coding language and application type.
You integrate the relevant IDE into the CodeStar dashboard, where you can add or remove team members and manage user permissions.
2. Use Amazon VPC
CodePipeline lets you use Amazon Virtual Private Cloud endpoints, allowing you to connect directly via a private VPC endpoint. All traffic stays inside the VPC and the AWS network. You can use Amazon VPC to run AWS resources in a virtual network you define yourself, so you control the subnets, IP address ranges, and other settings.
AWS PrivateLink powers the VPC endpoints, enabling private inter-service communication via a flexible interface. You define the interface endpoint when connecting the VPC to AWS CodePipeline, allowing the VPC to access AWS services. You don’t need a VPN connection or Internet gateway to connect.
3. Monitor the Pipelines
Monitoring lets you keep your AWS pipelines reliable, available, and performant. The data collected from monitoring solutions make it easier to debug complex failures.
Examples of monitoring tools that work with CodePipeline and AWS resources include:
- EventBridge—monitors CodePipeline events, detecting pipeline changes and routing data to AWS targets like SNS. The events here are identical to Amazon CloudWatch Events.
- The Developer Tools console—supports notifications to monitor CodePipeline events.
- CloudTrail—captures API calls from CodePipeline and delivers log files to Amazon S3 buckets. CloudWatch can send Amazon SNS notifications upon the delivery of log files.
- CLI—lets you view information about your pipeline’s status or execution.
4. Secure the CI/CD Pipeline
CodePipeline offers several security features to help you implement security policies.
Here are some ways to secure your CI/CD pipelines:
- Use authentication and encryption for the source repositories connecting to the pipelines.
- Avoid entering secrets directly into the configuration if your pipeline uses secrets (e.g., passwords, tokens)—store them in Secrets Manager to keep them confidential.
- Use encryption on the server-side if your pipeline stores artifacts in an Amazon S3 bucket.
- Install Jenkins on EC2 build and test instances with separate profiles if Jenkins is your action provider. Ensure the instance profiles only give Jenkins the necessary permissions.
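As an added example (not code from the page or from AWS), here is a Python check that walks a pipeline definition in the shape returned by `aws codepipeline get-pipeline` and flags the configuration weaknesses the list above names: secret-looking values held directly in action configuration or as PLAINTEXT CodeBuild environment variables, and an S3 artifact store without a customer-managed KMS key. The pipeline document is constructed inline; the field names are CodePipeline's, every value in it is made up.

```python
import json
import re

# Constructed sample shaped like `aws codepipeline get-pipeline` output. Field names
# follow CodePipeline's pipeline structure; every value below is made up for the demo.
SAMPLE_PIPELINE = {"pipeline": {
    "name": "demo-pipeline",
    "artifactStore": {"type": "S3", "location": "demo-artifact-bucket"},  # no encryptionKey
    "stages": [
        {"name": "Source", "actions": [{
            "name": "Fetch",
            "actionTypeId": {"category": "Source", "owner": "ThirdParty", "provider": "GitHub"},
            "configuration": {"Owner": "example", "Repo": "app", "OAuthToken": "ghp_made_up_value"}}]},
        {"name": "Build", "actions": [{
            "name": "Compile",
            "actionTypeId": {"category": "Build", "owner": "AWS", "provider": "CodeBuild"},
            "configuration": {"ProjectName": "demo-build", "EnvironmentVariables": json.dumps([
                {"name": "DB_PASSWORD", "value": "hunter2", "type": "PLAINTEXT"},
                {"name": "API_TOKEN", "value": "prod/api:token", "type": "SECRETS_MANAGER"},
                {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"}])}}]},
    ]}}

# Names that usually carry credentials; a literal value under one of these is a finding.
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def audit_pipeline(doc):
    """Return human-readable findings for one pipeline definition (get-pipeline shape)."""
    findings = []
    pipeline = doc["pipeline"]
    store = pipeline.get("artifactStore", {})
    if store.get("type") == "S3" and not store.get("encryptionKey"):
        findings.append(f"artifactStore {store.get('location')}: no customer-managed KMS "
                        "encryptionKey; artifacts fall back to the default AWS-managed key")
    for stage in pipeline.get("stages", []):
        for action in stage.get("actions", []):
            where = f"{stage['name']}/{action['name']}"
            cfg = action.get("configuration", {})
            # Secret-looking keys held directly in action configuration; CodePipeline returns
            # tokens it already stores masked as "****", anything else is a literal value.
            for key, value in cfg.items():
                if SECRET_NAME.search(key) and value != "****":
                    findings.append(f"{where}: {key} is stored in action configuration; "
                                    "move it to Secrets Manager")
            # CodeBuild env-var overrides: PLAINTEXT is fine for STAGE, not for credentials.
            if action.get("actionTypeId", {}).get("provider") == "CodeBuild":
                for var in json.loads(cfg.get("EnvironmentVariables", "[]")):
                    if var.get("type", "PLAINTEXT") == "PLAINTEXT" and SECRET_NAME.search(var["name"]):
                        findings.append(f"{where}: env var {var['name']} is PLAINTEXT; "
                                        "use type SECRETS_MANAGER or PARAMETER_STORE")
    return findings
```

Running `audit_pipeline(SAMPLE_PIPELINE)` yields three findings (the artifact store, the GitHub OAuthToken, and DB_PASSWORD), while the STAGE variable and the Secrets Manager-backed API_TOKEN pass.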