
DevOps & CI/CD

Automate deployment pipelines with AWS CodePipeline, CodeBuild, and CodeDeploy — plus integration with GitHub Actions and third-party CI tools.

AWS CodePipeline

CodePipeline orchestrates CI/CD workflows as a sequence of stages: Source (CodeCommit, GitHub, S3), Build (CodeBuild), Test, and Deploy (CodeDeploy, CloudFormation, ECS). Stages execute one after another; the actions inside a single stage can run in parallel.

Each pipeline execution produces artifacts passed between stages. Failed actions stop the pipeline and trigger notifications.

  • Use manual approval actions before production deployment
  • Pipeline artifacts are stored in S3 with encryption
  • CloudWatch Events (EventBridge) rules trigger pipelines on code changes

# Pipeline stages
# Source → Build → Test → Deploy-Staging → Approval → Deploy-Production

aws codepipeline create-pipeline \
  --cli-input-json file://pipeline-definition.json
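The pipeline-definition.json referenced above has to be written by hand, and the three rules in this section (approval before production, encrypted artifact store, artifacts flowing only from earlier stages) are easy to get wrong in a large JSON file. The following script is an added example, not code from the page or from AWS: it assembles a definition in the shape `create-pipeline --cli-input-json` expects and lints it against those rules before anything is submitted. The account id, role ARN, KMS key ARN, connection ARN, bucket and project names are constructed placeholders.

```python
"""Build a CodePipeline definition (Source -> Build -> Deploy-Staging ->
Approval -> Deploy-Production) and check it against the section's rules."""
import json

# Constructed placeholder identifiers; replace with real values before use.
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CodePipelineServiceRole"
KMS_KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"
CONNECTION_ARN = f"arn:aws:codestar-connections:us-east-1:{ACCOUNT}:connection/PLACEHOLDER"


def action(name, category, provider, config, inputs=(), outputs=(), owner="AWS"):
    """One pipeline action; named artifacts let later stages consume its output."""
    return {
        "name": name,
        "actionTypeId": {"category": category, "owner": owner,
                         "provider": provider, "version": "1"},
        "configuration": config,
        "inputArtifacts": [{"name": a} for a in inputs],
        "outputArtifacts": [{"name": a} for a in outputs],
        "runOrder": 1,
    }


def build_pipeline(encrypt_artifacts=True, approval_gate=True):
    """Return a definition; the flags exist so the linter can be shown failing."""
    store = {"type": "S3", "location": "my-pipeline-artifacts-bucket"}
    if encrypt_artifacts:
        store["encryptionKey"] = {"id": KMS_KEY_ARN, "type": "KMS"}
    stages = [
        {"name": "Source", "actions": [action(
            "GitHub", "Source", "CodeStarSourceConnection",
            {"ConnectionArn": CONNECTION_ARN, "FullRepositoryId": "my-org/my-app",
             "BranchName": "main"}, outputs=["SourceOutput"])]},
        {"name": "Build", "actions": [action(
            "CodeBuild", "Build", "CodeBuild", {"ProjectName": "my-app-build"},
            inputs=["SourceOutput"], outputs=["BuildOutput"])]},
        {"name": "Deploy-Staging", "actions": [action(
            "Staging", "Deploy", "CodeDeploy",
            {"ApplicationName": "my-app", "DeploymentGroupName": "staging"},
            inputs=["BuildOutput"])]},
    ]
    if approval_gate:
        stages.append({"name": "Approval", "actions": [action(
            "ProdApproval", "Approval", "Manual", {})]})
    stages.append({"name": "Deploy-Production", "actions": [action(
        "Production", "Deploy", "CodeDeploy",
        {"ApplicationName": "my-app", "DeploymentGroupName": "production"},
        inputs=["BuildOutput"])]})
    return {"pipeline": {"name": "my-app-pipeline", "roleArn": ROLE_ARN,
                         "artifactStore": store, "stages": stages}}


def validate_pipeline(definition):
    """Return a list of rule violations; an empty list means the pipeline passes."""
    p = definition["pipeline"]
    problems = []
    if "encryptionKey" not in p["artifactStore"]:
        problems.append("artifact store has no customer-managed KMS key")
    produced = set()   # artifact names emitted by stages already walked
    approved = False   # has a manual approval gate appeared yet?
    for stage in p["stages"]:
        if "production" in stage["name"].lower() and not approved:
            problems.append(f"stage {stage['name']} has no manual approval before it")
        for a in stage["actions"]:
            for art in a["inputArtifacts"]:
                if art["name"] not in produced:
                    problems.append(
                        f"{stage['name']}/{a['name']} consumes unknown artifact {art['name']}")
        # outputs become visible only to stages that run later
        for a in stage["actions"]:
            produced.update(art["name"] for art in a["outputArtifacts"])
            t = a["actionTypeId"]
            if t["category"] == "Approval" and t["provider"] == "Manual":
                approved = True
    return problems


if __name__ == "__main__":
    definition = build_pipeline()
    with open("pipeline-definition.json", "w") as fh:
        json.dump(definition, fh, indent=2)
    print(validate_pipeline(definition) or "pipeline passes all checks")
```

Run it once to write pipeline-definition.json, then feed that file to the `aws codepipeline create-pipeline` command above; the same `validate_pipeline` call can sit in a pre-commit hook so a definition that drops the approval gate or the KMS key never reaches the account.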

AWS CodeBuild

CodeBuild compiles source code, runs tests, and produces deployable artifacts. Define build steps in buildspec.yml. Supports Docker-based builds with custom images.

Buildspec phases: install (dependencies), pre_build (login to registries), build (compile, test), post_build (push images, deploy). Cache dependencies between builds for speed.

# buildspec.yml
version: 0.2
phases:
  install:
    runtime-versions:
      nodejs: 20
  pre_build:
    commands:
      - npm ci
  build:
    commands:
      - npm run test
      - npm run build
  post_build:
    commands:
      - aws s3 sync ./dist s3://my-bucket/
artifacts:
  files:
    - '**/*'
  base-directory: dist

AWS CodeDeploy

CodeDeploy automates application deployments to EC2, Lambda, ECS, and on-premises servers. Deployment types: in-place (update existing instances) and blue/green (new instances, traffic shift).

Configure deployment groups with target instances, deployment configuration (OneAtATime, HalfAtATime, AllAtOnce), and rollback triggers based on CloudWatch alarms.

# appspec.yml for EC2 deployment
version: 0.0
os: linux
files:
  - source: /
    destination: /var/www/app
hooks:
  ApplicationStop:
    - location: scripts/stop.sh
  ApplicationStart:
    - location: scripts/start.sh
  ValidateService:
    - location: scripts/validate.sh

GitHub Actions Integration

Many teams prefer GitHub Actions over CodePipeline. Use aws-actions/configure-aws-credentials for OIDC-based authentication without long-term keys. Deploy to S3, Lambda, ECS, and EKS from GitHub workflows.

OIDC federation is more secure than access keys — GitHub requests temporary credentials from AWS STS.

# GitHub Actions with OIDC (job-level fragment)
permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123:role/GitHubActions
      aws-region: us-east-1

  - run: aws s3 sync ./dist s3://my-bucket/ --delete
  - run: |
      aws cloudfront create-invalidation \
        --distribution-id E1234567890 --paths "/*"
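The workflow side is only half of the OIDC setup: the IAM role named in role-to-assume must carry a trust policy that accepts tokens from GitHub's provider for one specific repository and branch, or any GitHub repository could assume it. The script below is an added example, not code from the page or from the aws-actions project: it builds that trust policy and lints existing policies for the two common mistakes (no `sub` restriction, or a `sub` pattern such as `repo:*` that matches other repositories). The account id and repository name are constructed placeholders.

```python
"""Generate and lint the IAM trust policy behind a GitHub Actions OIDC role."""
import json
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"   # constructed placeholder account id
OIDC_PROVIDER = "token.actions.githubusercontent.com"


def trust_policy(repo, branch="main"):
    """Trust GitHub's OIDC provider, but only tokens minted for one repo and branch."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud pins the token to STS; sub pins it to repo + branch
                "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{OIDC_PROVIDER}:sub": f"repo:{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def lint_trust_policy(policy):
    """Return findings for Allow statements that trust the GitHub provider too broadly."""
    findings = []
    # A sub claim for some unrelated repository; any pattern matching it is too wide.
    probe = "repo:someone-else/anything:ref:refs/heads/x"
    for st in policy["Statement"]:
        fed = st.get("Principal", {}).get("Federated", "")
        if st.get("Effect") != "Allow" or OIDC_PROVIDER not in fed:
            continue
        cond = st.get("Condition", {})
        subs = [v for block in cond.values() for k, v in block.items() if k.endswith(":sub")]
        auds = [v for block in cond.values() for k, v in block.items() if k.endswith(":aud")]
        if not auds:
            findings.append("no aud condition: token audience is not pinned to STS")
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            for pattern in (sub if isinstance(sub, list) else [sub]):
                if fnmatchcase(probe, pattern):
                    findings.append(f"sub pattern '{pattern}' trusts other repositories")
    return findings


if __name__ == "__main__":
    policy = trust_policy("my-org/my-app")
    print(json.dumps(policy, indent=2))
    print(lint_trust_policy(policy) or "trust policy is scoped to one repository")
```

The probe string in `lint_trust_policy` is a cheap stand-in for IAM's StringLike evaluation: `*` and `?` wildcards work the same way in fnmatch, so a pattern that matches the probe would also match a token from a repository you do not control. A branch wildcard such as `repo:my-org/my-app:*` is still reported as clean because it stays inside one repository; tighten it to a single branch or environment for production roles.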

CI/CD Best Practices

Implement pipeline as code — store buildspec.yml and appspec.yml in git. Run tests in CI before deployment. Use separate AWS accounts for staging and production. Automate rollback on deployment failure.

Tag every deployment with git SHA for traceability. Maintain deployment frequency metrics (DORA metrics) to measure DevOps maturity.

# DORA metrics targets
# Deployment frequency: multiple per day
# Lead time for changes: < 1 hour
# Change failure rate: < 15%
# Mean time to recovery: < 1 hour
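The four targets above are easy to state and less obvious to compute from real deployment records. The following script is an added example, not from the page: it derives the four DORA metrics from a deployment log tagged with git SHAs, as the previous paragraph recommends, and reports which targets are met. The deployment records and SHAs are constructed sample data; lead time and MTTR use the median so a single slow deploy does not dominate.

```python
"""Compute DORA metrics from a git-SHA-tagged deployment log and compare them
with the targets listed above."""
from datetime import datetime

# Constructed sample log: commit_at is the commit time of the deployed SHA,
# deployed_at the deploy finish, failed marks a deploy that broke production,
# restored_at the time a rollback or fix deploy restored service.
DEPLOYMENTS = [
    {"sha": "a1b2c3d", "commit_at": "2024-05-01T09:00", "deployed_at": "2024-05-01T09:40", "failed": False},
    {"sha": "d4e5f6a", "commit_at": "2024-05-01T13:00", "deployed_at": "2024-05-01T13:50", "failed": True,
     "restored_at": "2024-05-01T14:20"},
    {"sha": "b7c8d9e", "commit_at": "2024-05-02T10:00", "deployed_at": "2024-05-02T10:30", "failed": False},
    {"sha": "f0a1b2c", "commit_at": "2024-05-02T15:00", "deployed_at": "2024-05-02T16:30", "failed": False},
    {"sha": "c3d4e5f", "commit_at": "2024-05-03T11:00", "deployed_at": "2024-05-03T11:20", "failed": False},
    {"sha": "e6f7a8b", "commit_at": "2024-05-03T16:00", "deployed_at": "2024-05-03T16:45", "failed": False},
]

# Targets from the section: >1 deploy/day, <1 h lead time, <15 % failures, <1 h MTTR
TARGETS = {"deploys_per_day": 1.0, "lead_time_hours": 1.0,
           "change_failure_rate": 0.15, "mttr_hours": 1.0}


def _t(s):
    return datetime.fromisoformat(s)


def _hours(td):
    return td.total_seconds() / 3600


def _median(xs):
    xs = sorted(xs)
    n = len(xs)
    return xs[n // 2] if n % 2 else (xs[n // 2 - 1] + xs[n // 2]) / 2


def dora_metrics(deployments):
    """Return the four DORA metrics for a list of deployment records."""
    finished = [_t(d["deployed_at"]) for d in deployments]
    days = (max(finished).date() - min(finished).date()).days + 1
    lead = [_hours(_t(d["deployed_at"]) - _t(d["commit_at"])) for d in deployments]
    failed = [d for d in deployments if d["failed"]]
    restore = [_hours(_t(d["restored_at"]) - _t(d["deployed_at"])) for d in failed]
    return {
        "deploys_per_day": len(deployments) / days,
        "lead_time_hours": _median(lead),
        "change_failure_rate": len(failed) / len(deployments),
        "mttr_hours": _median(restore) if restore else 0.0,
    }


def meets_targets(metrics):
    """Map each metric to True when it satisfies the target above."""
    return {
        "deploys_per_day": metrics["deploys_per_day"] > TARGETS["deploys_per_day"],
        "lead_time_hours": metrics["lead_time_hours"] < TARGETS["lead_time_hours"],
        "change_failure_rate": metrics["change_failure_rate"] < TARGETS["change_failure_rate"],
        "mttr_hours": metrics["mttr_hours"] < TARGETS["mttr_hours"],
    }


if __name__ == "__main__":
    m = dora_metrics(DEPLOYMENTS)
    for name, ok in meets_targets(m).items():
        print(f"{name:22s} {m[name]:8.3f}  {'OK' if ok else 'MISSED'}")
```

With the sample log the team ships twice a day with a 42.5-minute median lead time and a 30-minute recovery, but one failure in six deployments (16.7%) misses the 15% change-failure target; that is exactly the kind of signal the metric is meant to surface.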
