Use AWS CodeCommit and AWS CodePipeline to deploy a CI/CD pipeline in multiple AWS accounts - AWS Prescriptive Guidance

Created by Kirankumar Chandrashekar (AWS) and Abdal Garuba (AWS)

Environment: PoC or pilot

Technologies: DevOps

Workload: All other workloads

AWS services: AWS CodeCommit; AWS CodePipeline

Summary

This pattern shows you how to deploy a continuous integration and continuous delivery (CI/CD) pipeline for your application code workloads in separate Amazon Web Services (AWS) accounts for DevOps, developer, staging, and production workflows.

You can use a multiple AWS account strategy to provide a high level of resource or security isolation, optimize costs, and separate out your production workflow.

Your application's code remains identical in all these separate AWS accounts and is maintained on a central AWS CodeCommit repository hosted by your DevOps account. Your developer, staging, and production accounts have separate Git branches in this CodeCommit repository.

For example, when code is committed to the developer Git branch in your central CodeCommit repository, Amazon EventBridge in your DevOps account notifies EventBridge in your developer account of the repository change. In your developer account, the CodePipeline pipeline starts and its source stage goes into the InProgress status. The source stage is configured to read the developer Git branch in the central CodeCommit repository, and to do so CodePipeline assumes a service role in the DevOps account.

The contents of the developer branch of the CodeCommit repository are uploaded to an artifact store in an Amazon Simple Storage Service (Amazon S3) bucket and encrypted with an AWS Key Management Service (AWS KMS) key. After the source stage's status changes to Succeeded in CodePipeline, the code transitions to the next stage of the pipeline execution.

Prerequisites and limitations

Prerequisites

  • Existing AWS accounts for each required environment (DevOps, developer, staging, and production). These accounts can be hosted by AWS Organizations.

  • AWS Command Line Interface (AWS CLI), installed and configured.

Architecture

Workflow to deploy CI/CD pipeline for application code workloads in separate AWS accounts.

Technology stack

  • AWS CodeBuild

  • AWS CodeCommit

  • AWS CodePipeline

  • Amazon EventBridge

  • AWS Identity and Access Management (IAM)

  • AWS KMS

  • AWS Organizations

  • Amazon S3

Tools

  • AWS CodeBuild – CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. 

  • AWS CodeCommit – CodeCommit is a fully managed source-control service that hosts secure Git-based repositories.

  • AWS CodePipeline – CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. 

  • Amazon EventBridge – EventBridge is a serverless event bus service for connecting your applications with data from a variety of sources.

  • AWS Identity and Access Management (IAM) – IAM helps you to manage access to AWS services and resources securely. 

  • AWS KMS – AWS Key Management Service (AWS KMS) helps you create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.

  • Amazon S3 – Amazon Simple Storage Service (Amazon S3) is storage for the internet.

Epics

  • Task: Create a CodeCommit repository.
    Description: Sign in to the AWS Management Console for your DevOps account, and open the CodeCommit console. Create a repository and set up all the required Git branches for your developer, staging, and production AWS accounts. For help with this and other stories, see the “Related resources” section.
    Skills required: DevOps engineer

  • Task: Create access credentials for the CodeCommit repository.
    Description: On the IAM console, create access credentials that allow application developers to push and pull the application’s code base to and from the CodeCommit repository.
    Skills required: DevOps engineer

  • Task: Create an IAM role for CodePipeline service roles.
    Description: On the IAM console, create an IAM role that can be used by all your CodePipeline service roles to access the central CodeCommit repository.
    Skills required: Cloud administrator

  • Task: Set up the EventBridge rules for your other AWS accounts.
    Description: On the Amazon EventBridge console, set up rules to send notifications about relevant CodeCommit repository changes to EventBridge in the individual developer, staging, and production AWS accounts.
    Skills required: Cloud administrator

  • Task: Create an AWS KMS key.
    Description: On the AWS KMS console, create a KMS key that allows CodePipeline in your individual developer, staging, and production AWS accounts to encrypt and decrypt artifacts.
    Skills required: Cloud administrator
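The DevOps-account pieces of this epic (the cross-account IAM role and the KMS key) are the ones that decide who can read the central repository and who can decrypt artifacts. The following is an added example, not code from the AWS pattern: it builds the three policy documents as least-privilege JSON (scoped to named accounts and to one repository ARN) and includes a small review check for statements open to any principal. The account IDs, region, repository name, and the review check itself are constructed placeholders.

```python
# Constructed placeholder account IDs and repository name (not from the page).
DEVOPS_ACCOUNT = "111111111111"
WORKLOAD_ACCOUNTS = ["222222222222", "333333333333", "444444444444"]  # dev, staging, prod
REPO_ARN = f"arn:aws:codecommit:us-east-1:{DEVOPS_ACCOUNT}:my-app-repo"

# Actions the CodePipeline CodeCommit source action performs on the repository.
SOURCE_ACTIONS = ["codecommit:GetBranch", "codecommit:GetCommit", "codecommit:GetRepository",
                  "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus",
                  "codecommit:CancelUploadArchive"]


def account_principals(accounts):
    return [f"arn:aws:iam::{acct}:root" for acct in accounts]


def trust_policy(workload_accounts):
    """Trust policy for the DevOps-account role. Only the listed workload
    accounts may assume it; each of them then grants sts:AssumeRole on this
    role to its own CodePipeline service role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": account_principals(workload_accounts)}}]}


def repo_access_policy(repo_arn):
    """Permissions policy scoped to the one central repository, not to '*'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": SOURCE_ACTIONS, "Resource": repo_arn}]}


def artifact_key_policy(devops_account, workload_accounts):
    """KMS key policy: the DevOps account administers the key; workload
    accounts may only use it to encrypt and decrypt pipeline artifacts."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdministration", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": account_principals([devops_account])}, "Action": "kms:*"},
        {"Sid": "WorkloadAccountsUseKey", "Effect": "Allow", "Resource": "*",
         "Principal": {"AWS": account_principals(workload_accounts)},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]}]}


def open_statements(policy):
    """Review check: indexes of statements that grant to every principal ('*'),
    which would let any AWS account assume the role or use the key."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            hits.append(i)
    return hits
```

Attach `trust_policy` and `repo_access_policy` to the role from step 3 and `artifact_key_policy` to the key from step 5; `open_statements` should return an empty list for all three before they are applied.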
  • Task: Set up EventBridge to receive events from the DevOps AWS account.
    Description: Sign in to the AWS Management Console for one of your individual AWS accounts (developer, staging, or production). On the Amazon EventBridge console, set up EventBridge to receive CodeCommit repository change events from your DevOps account.
    Skills required: Cloud administrator

  • Task: Create an S3 bucket.
    Description: On the Amazon S3 console, create an S3 bucket to store CodePipeline artifacts.
    Skills required: Cloud administrator

  • Task: Create all required AWS resources for CodePipeline stages.
    Description: Create all the other AWS resources that the CodePipeline stages will require. These resources vary depending on the role of each AWS account in your CI/CD pipeline.
    Skills required: Cloud administrator

  • Task: Create an IAM role.
    Description: On the IAM console, create an IAM role to serve as the CodePipeline service role. This service role must be able to assume the IAM role in the DevOps account to access the CodeCommit repository.
    Skills required: Cloud administrator

  • Task: Create a pipeline in CodePipeline.
    Description: On the CodePipeline console, create a pipeline. Then create a source stage that points to the CodeCommit repository in the DevOps account, using the Git branch assigned to this account.
    Skills required: Cloud administrator

  • Task: Repeat the steps for all your AWS accounts.
    Description: Repeat these steps for all the AWS accounts that are required as part of your CI/CD strategy.
    Skills required: Cloud administrator
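On the workload-account side, the parts worth getting right are the source stage (it must run under the DevOps-account role, and be started by EventBridge rather than by polling) and the artifact store (encrypted with the DevOps-account KMS key). The following is an added example, not code from the AWS pattern: it builds the pipeline declaration in the shape that the CodePipeline API (for instance boto3 `create_pipeline`) accepts, the EventBridge event pattern that matches commits to this account's branch only, and a review check over the declaration. Account IDs, role and key ARNs, bucket, repository and branch names are constructed placeholders.

```python
# Constructed placeholder IDs and names (not from the page).
DEVOPS_ACCOUNT, WORKLOAD_ACCOUNT = "111111111111", "222222222222"  # DevOps, developer
REGION = "us-east-1"
REPO_NAME, BRANCH = "my-app-repo", "develop"
REPO_ARN = f"arn:aws:codecommit:{REGION}:{DEVOPS_ACCOUNT}:{REPO_NAME}"
DEVOPS_ROLE_ARN = f"arn:aws:iam::{DEVOPS_ACCOUNT}:role/CodeCommitCrossAccountAccess"
KEY_ARN = f"arn:aws:kms:{REGION}:{DEVOPS_ACCOUNT}:key/PLACEHOLDER-KEY-ID"
PIPELINE_ROLE_ARN = f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/DevPipelineServiceRole"


def pipeline_declaration(bucket):
    """Pipeline declaration: the source action runs under the DevOps-account
    role (action-level roleArn), polling is off because EventBridge starts the
    pipeline, and artifacts are encrypted with the DevOps-account KMS key."""
    return {
        "name": "dev-app-pipeline", "roleArn": PIPELINE_ROLE_ARN,
        "artifactStore": {"type": "S3", "location": bucket,
                          "encryptionKey": {"id": KEY_ARN, "type": "KMS"}},
        "stages": [{"name": "Source", "actions": [{
            "name": "CentralRepo", "runOrder": 1, "roleArn": DEVOPS_ROLE_ARN,
            "actionTypeId": {"category": "Source", "owner": "AWS",
                             "provider": "CodeCommit", "version": "1"},
            "configuration": {"RepositoryName": REPO_NAME, "BranchName": BRANCH,
                              "PollForSourceChanges": "false"},
            "outputArtifacts": [{"name": "SourceOutput"}]}]}]}


def branch_change_pattern():
    """EventBridge pattern for the rule in this account: only pushes to this
    account's branch of the central repository start the pipeline."""
    return {"source": ["aws.codecommit"],
            "detail-type": ["CodeCommit Repository State Change"],
            "resources": [REPO_ARN],
            "detail": {"event": ["referenceCreated", "referenceUpdated"],
                       "referenceType": ["branch"], "referenceName": [BRANCH]}}


def check_pipeline(p):
    """Review check: KMS-encrypted artifacts, event-driven CodeCommit sources,
    and every CodeCommit source using the DevOps-account role."""
    problems = []
    if p["artifactStore"].get("encryptionKey", {}).get("type") != "KMS":
        problems.append("artifact store not encrypted with a KMS key")
    for stage in p["stages"]:
        for a in stage["actions"]:
            if a["actionTypeId"]["provider"] != "CodeCommit":
                continue
            if a["configuration"].get("PollForSourceChanges") != "false":
                problems.append(f"{a['name']}: polling not disabled")
            if not a.get("roleArn", "").startswith(f"arn:aws:iam::{DEVOPS_ACCOUNT}:"):
                problems.append(f"{a['name']}: source not using DevOps-account role")
    return problems
```

The service role named in `PIPELINE_ROLE_ARN` still needs `sts:AssumeRole` on `DEVOPS_ROLE_ARN`, and the bucket policy must let that DevOps-account role write the source archive.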

Related resources

Create resources in your DevOps AWS account 

Create resources in your other AWS accounts 

Other resources