CI/CD on AWS with the Developer Tools
Build a complete CI/CD pipeline on AWS with the Developer Tools suite: CodeCommit, CodeBuild, CodeArtifact, CodeDeploy and CodePipeline. The series goes from the concepts to a real pipeline that takes code from CodeCommit through build and test, then a blue/green deploy onto an EC2 Auto Scaling Group with a manual approval gate and automatic rollback. All infrastructure is built with the AWS CLI, every command is run for real on AWS, and the code lives at github.com/nghiadaulau/aws-cicd-series. Grounded in the official AWS docs.
What CI/CD Is and the AWS Developer Tools Suite
Series opener: why deploying by hand eventually breaks, how CI and CD differ, and which AWS services let you build a pipeline — CodeCommit, CodeBuild, CodeDeploy, CodePipeline, CodeArtifact. How the pieces assemble into a chain that carries code from commit to running on EC2, all driven by the AWS CLI.
Foundation: IAM Service Roles and the S3 Artifact Bucket
Before building the pipeline you need two foundations: IAM service roles that let AWS services act on your behalf, and an S3 bucket to hold artifacts. This article dissects how service roles and trust policies work — why a service assumes a role for temporary credentials instead of storing keys — then creates the role for CodeBuild and the artifact bucket (versioning enabled) with the AWS CLI.
CodeCommit: The Source of Code for the Pipeline
Build the source stage: create a CodeCommit repo, connect Git with git-remote-codecommit (uses AWS credentials, no separate Git password to store), push a sample app, then walk through the branch and pull request flow with the AWS CLI. This is where the code lives and the starting point for every pipeline run in later articles.
CodeBuild: Project, buildspec.yml, and the First Build
Build the build stage: create a CodeBuild project wired to the CodeCommit repo, write buildspec.yml defining the build phases, run a real build, then read the CloudWatch log to see how each phase runs. Dissect the mechanism — CodeBuild stands up a temporary container, runs the buildspec phases in order, pushes the artifact to S3 and sends the logs to CloudWatch.
CodeBuild Advanced: Environment Variables, Secrets, and Cache
Real builds need config and secrets: an API URL, a key, a database password. This article passes them into CodeBuild the right way — plain variables declared inline, sensitive values pulled from SSM Parameter Store and Secrets Manager and masked automatically by CodeBuild in the logs. Plus enabling cache for faster builds. All tested for real, with logs.
CodeBuild Test Reports: A Build Must Not Only Run, It Must Be Correct
A successful build does not mean the code is correct — it only means the commands ran without error. This article has CodeBuild run real tests (pytest) and collect the results into a viewable test report: total count, pass/fail, each case. And why you should let a failing test fail the build, blocking broken code before it reaches deploy.
CodeArtifact: An Internal Package Repository for Builds
Real builds depend on a stream of packages from the Internet — risky when an external source changes or disappears. CodeArtifact is a managed package repository: both a proxy cache for public PyPI/npm and a store for your private packages. This article creates a domain and repository, publishes a Python package then reinstalls it from CodeArtifact, and wires it into CodeBuild.
CodeDeploy: The First In-Place Deploy to EC2
Opening Part IV: putting artifacts onto EC2 with CodeDeploy. Stand up an instance with the agent, create an application and a deployment group targeted by tag, write appspec.yml with lifecycle hooks, then run the first in-place deploy — watch the agent pull the revision from S3 and run through each lifecycle event until the app actually serves.
CodeDeploy Lifecycle Hooks: Order, Variables, and When a Hook Fails
A deep dive into CodeDeploy's hook layer: what order the lifecycle events run in, which hook fits which job, why ApplicationStop runs from the old revision rather than the new one, the environment variables CodeDeploy passes into your scripts, and what happens when a hook fails — the deploy stops right there, and later events don't run.
Deploying to an Auto Scaling Group and Deployment Config
From one instance to many: deploying to an Auto Scaling Group. Create a launch template and ASG, attach the deployment group to the ASG, then pick a deployment config (OneAtATime, HalfAtATime, AllAtOnce) to control whether the deploy goes machine by machine or all at once. Plus a key mechanism: CodeDeploy automatically deploys the latest revision to instances the ASG launches later.
Blue/Green Deploy With ALB and Automatic Rollback
In-place deploys have a window where a machine is offline. Blue/green avoids it: stand up a new fleet (green) in parallel, validate it, then shift traffic over with a load balancer — blue stays intact for an instant return. This article builds an ALB, switches the deployment group to blue/green, runs it for real (including a very realistic IAM error), and configures automatic rollback per CloudWatch alarm.
CodePipeline: Wiring Source, Build, Deploy Into a Chain
Until now every stage ran by hand. CodePipeline wires them into one automated chain: Source pulls code from CodeCommit, Build calls CodeBuild, Deploy calls CodeDeploy — artifacts flow from one stage to the next. This article builds the first pipeline, runs it for real, and dissects how artifacts pass between stages.