Blog
Thoughts on engineering, design, and building great products.
CodeBuild Advanced: Environment Variables, Secrets, and Cache
Real builds need config and secrets: an API URL, a key, a database password. This article passes them into CodeBuild the right way — plain variables declared inline, sensitive values pulled from SSM Parameter Store and Secrets Manager and masked automatically by CodeBuild in the logs. Plus enabling cache for faster builds. All tested for real, with logs.
CodeBuild: Project, buildspec.yml, and the First Build
Build the build stage: create a CodeBuild project wired to the CodeCommit repo, write buildspec.yml defining the build phases, run a real build, then read the CloudWatch log to see how each phase runs. Dissect the mechanism — CodeBuild stands up a temporary container, runs buildspec in phase order, pushes the artifact to S3 and logs to CloudWatch.
CodeCommit: The Source of Code for the Pipeline
Build the source stage: create a CodeCommit repo, connect Git with git-remote-codecommit (uses AWS credentials, no separate Git password to store), push a sample app, then walk through the branch and pull request flow with the AWS CLI. This is where the code lives and the starting point for every pipeline run in later articles.
Foundation: IAM Service Roles and the S3 Artifact Bucket
Before building the pipeline you need two foundations: IAM service roles that let AWS services act on your behalf, and an S3 bucket to hold artifacts. This article dissects how service roles and trust policies work — why a service assumes a role for temporary credentials instead of storing keys — then creates the role for CodeBuild and the artifact bucket (versioning enabled) with the AWS CLI.
What CI/CD Is and the AWS Developer Tools Suite
Series opener: why deploying by hand eventually breaks, how CI and CD differ, and which AWS services let you build a pipeline — CodeCommit, CodeBuild, CodeDeploy, CodePipeline, CodeArtifact. How the pieces assemble into a chain that carries code from commit to running on EC2, all driven by the AWS CLI.
CI/CD for Terraform: GitHub Actions, OIDC, and Quality Scanning
Put Terraform into a pipeline: automatic plan on pull requests, apply on merge, AWS authentication via OIDC with no stored access key. Bolt the quality scanners fmt, validate, tflint, Trivy and Checkov into the pipeline — with real output showing what holes they catch.
CI/CD with GitHub Actions: Automatically Build and Deploy to AWS
Build a pipeline: every push to GitHub automatically builds a Docker image, pushes it to ECR, and deploys to EC2. Uses OIDC so you don't store an AWS access key in GitHub.