February 18, 2016 Marie H.

Bitbucket and CodeDeploy


Today, since we are growing our development team and I don’t want to handle deploying code for the team all the time, I went ahead and integrated Bitbucket with CodeDeploy to make things a bit more efficient. Our workflow can now be: write code, commit code, QA code, sign off, deploy.

However, if you don’t have much experience with IAM roles and CodeDeploy, it is a bit of a hassle to get started, so here are a few gotchas for those who don’t want to go through the official AWS documentation. First, don’t expect to just start modifying your deployment process on an old staging server using CodeDeploy; depending on the setup, it probably won’t work. You need to have an IAM instance profile set up, which you can only do when you create an EC2 instance. Let’s start there.

User, role, and EC2 setup

Create a new user

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#Using_CreateUser_console

Grant access to CodeDeploy to that IAM user

Add the following policy to your new user.

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "autoscaling:*",
        "codedeploy:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "s3:*"
      ],
      "Resource" : "*"
    }
  ]
}

Create a service role

https://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-create-service-role.html

Create an EC2 instance

Do your normal Launch Instance, but on Step 3: Configure Instance Details you must assign the service role you just created to the instance.

Some gotchas

The service role must have a trust relationship set up with CodeDeploy. This is what I used.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Note: The Service array includes codedeploy.amazonaws.com.

Setup CodeDeploy

  • Create a new Application – Ensure you map the service role you created earlier during this part as well as the name of the instance/s.

Tip: If you run into "Cannot assume role", check out the gotcha above.

  • Install the agent on the EC2 instance.

yum update
yum -y install ruby wget
cd /home/ec2-user
wget https://aws-codedeploy-us-east-1.s3.amazonaws.com/latest/install # depends on your region
chmod +x install
./install auto

Setup Bitbucket

  • Install the CodeDeploy Addon via Settings > Addons > AWS CodeDeploy

  • Go to the repository you want to deploy to the new instance

  • Settings > CodeDeploy Settings

  • Follow the on-screen instructions to make the Bitbucket role with Third Party AWS Accounts; this is what mine looks like.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::507461364343:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "connection:123456"
        }
      }
    }
  ]
}

  • Copy and paste the ARN from the newly created role to connect the two

  • Add an AppSpec file to the base of your repo named appspec.yml

version: 0.0
os: linux
files:
  - source: /
    destination: /home/user/public

AppSpec file documentation: https://docs.aws.amazon.com/codedeploy/latest/userguide/app-spec-ref.html

Once this is completed you should be able to deploy from any commit using the Deploy to AWS button.
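
Before relying on this setup, it is worth reading the three IAM documents above the way a reviewer would. The following is an added example, not part of the original post: a small Python check that flags service-wide wildcards and iam:PassRole on Resource "*" in the user policy, and trust statements that lack sts:ExternalId or share one role between services. The function names are hypothetical, and the user policy is abbreviated from the one shown earlier.

```python
# Abbreviated from the post's user policy: same wildcards, same Resource.
USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["codedeploy:*", "ec2:*", "iam:CreateRole", "iam:PassRole",
               "iam:PutRolePolicy", "s3:*"]}]}
# The post's service-role trust policy.
SERVICE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]}}]}
# The post's Bitbucket trust policy (account ID and ExternalId as shown there).
BITBUCKET_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::507461364343:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "connection:123456"}}}]}

def as_list(value):
    """IAM accepts a scalar or a list for Action, Resource and Principal values."""
    return value if isinstance(value, list) else [value]

def audit_identity_policy(policy):
    """Flag Allow statements pairing service-wide actions or PassRole with Resource '*'."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            if action.endswith("*"):
                findings.append(f"{action} on Resource *")
            elif action.lower() == "iam:passrole" and "Condition" not in stmt:
                findings.append("iam:PassRole on Resource * without iam:PassedToService")
    return findings

def audit_trust_policy(policy):
    """Flag AWS principals trusted without sts:ExternalId and roles shared by services."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # a bare "*" is audited as an AWS principal
            principal = {"AWS": principal}
        # Presence check only: the condition operator and value are not validated.
        keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
        for arn in as_list(principal.get("AWS", [])):
            if "sts:externalid" not in keys:
                findings.append(f"{arn} trusted without sts:ExternalId")
        services = as_list(principal.get("Service", []))
        if len(services) > 1:
            findings.append("one role assumable by: " + ", ".join(services))
    return findings
```

Run against the policies from this post, it reports the three wildcard actions and the unconditioned PassRole for the user policy, and the role shared by ec2.amazonaws.com and codedeploy.amazonaws.com for the service role. The Bitbucket trust policy comes back clean because its ExternalId condition is present.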

Other issues I encountered

  • Don’t use a version other than 0.0 on your AppSpec file; your deployments will fail.

  • Don’t have anything existing in your destination; otherwise the deployment will fail.