Introduction
Building a pipeline for automated tests and deployment is every developers' dream, not having to manually verify security vulnerabilities or functioning before making it live. A wrongly configured pipeline or choosing tools without prior load considerations can either end up over spending or crashing. In this project I will guide you through the building of an AWS native pipeline, it will build our code and host directly on AWS, cost considerations are made to ensure very little expenditure with every build, AWS Build only charges for the build time, no servers running.
How it works
The code is hosted in Bitbucket, whenever there is an update, the pipeline is triggered and fetches the code, Code build runs a test on Sonar cloud, if the quality gate is passed, the pipeline launches the build phase, stores the built artifact in an S3 bucket next Elastic Beanstalk is triggered to pick the artifact from S3 and update its environment. After a 360 seconds waiting, the final stage of the pipeline is triggered which tests the deployed software, the credentials of a test user, initially stored in DB is used to login to the web App and takes screenshots which are stored in another S3 bucket.
Architecture
How to Build It
Host code in Bitbucket
Create an account on bitbucket a guide to create it can be found here. and clone the code by running
git clone https://github.com/Ndzenyuy/cicd-on-aws.git
cd cicd-on-aws
The above command will clone the source code and change the working directory in to cicd-on-aws folder.
Now we have to configure a Bitbucket repository and upload the code. Go to your browser and create a repository in Bitbucket. To learn how to create a repository in bitbucket check this guide here. The repository should the following
workspace: aws-cicd-beanstalk
repo name: cicd-with-elastic_beanstalk
access level: private
Now back to the terminal, run the following:
git remote rm origin
git remote add source https://path/to/your/bitbucket/repo.git
git push -u
Now the code should be present on Bitbucket. Verify if it is the case or troubleshoot were you may have gone wrong. Leave the bitbucket tab open and open a different one.
Configure CodeArtifact
The App is a java based app, we will be using Maven to build it, so we are configuring CodeArtifact so that we can download and store maven dependencies, this will help reduce build times in subsequent builds. On the AWS console, search CodeArtifact and create a repository and give it the following configurations:
repo name: cicd-aws
Public upstream repositories: maven-central-store -> next
aws account: this account
domain: give your domain, could be any name -> next
verify and create repository
The created repository will display as follows:
Now open maven-central-store repository and click on View connection instructions -> Mac & Linux = true -> Select package manager client = mvn.
Here you'll have the connection instructions on how to connect to the repository from your project.
Copy Step 3: Export a CodeArtifact authorization token for authorization to your repository from your preferred shell. and open the buildspec.yml file in vscode and replace the line 15. The code should be as:
- export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain sparxinc --domain-owner 781655249241 --region us-east-1 --query authorizationToken --output text`
Copy Step 4: Add your server to the list of servers to your settings.xml to settings.xml. Scroll to line 5 and replace the server section with what was copied from the artifact repos instructions. It should look like this
<servers>
<server>
<id>sparxinc-cicd-aws</id>
<username>aws</username>
<password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
</server>
</servers>
Next copy Step 5: Add a profile containing your repository to your settings.xml. and replace the contents of the profile section and the mirrors, it should look like this
#Profiles
<profiles>
<profile>
<id>sparxinc-cicd-aws</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository>
<id>sparxinc-cicd-aws</id>
<url>https://sparxinc-XXXXXXXXXXXX.d.codeartifact.us-east-1.amazonaws.com/maven/maven-central-store/</url>
</repository>
</repositories>
</profile>
</profiles>
#mirrors
<mirrors>
<mirror>
<id>sparxinc-maven-central-store</id>
<name>sparxinc-maven-central-store</name>
<url>https://sparxinc-XXXXXXXXXXXX.d.codeartifact.us-east-1.amazonaws.com/maven/maven-central-store/</url>
<mirrorOf>*</mirrorOf>
</mirror>
</mirrors>
Save the settings.xml file and open pom.xml. Back on the console, copy only the url from the instructions and replace those that is on line 303 and . The copied url is similar to:
<url>https://sparxinc-XXXXXXXXXXXX.d.codeartifact.us-east-1.amazonaws.com/maven/maven-central-store/</url>
Create build jobs
Here we are going to creat two build jobs, the first will analyse the code on sonar cloud and the second will build the artifact.
We need to first create a connection for bitbucket app, go under developer tools, search for settings -> connection and create a new connection.
Select a provider: bitbucket
connection name: awscicd -> connect to bitbucket
In the next page click install new app and grant access to bitbucket when prompted. It'll return to the previous page, now click on the connect button. Our pipeline can now connect to bitbucket.
Code analysis job on sonar cloud
On the console, search CodeBuild -> Create project and give the following configurations:
Project name: code-analysis
source provider: bitbucket
Credential: Bitbucket app
connection: awscicd
repository: cicd-with-elastic_beanstalk
operating system: ubuntu
new service role name: codebuild-code-analysis-service-role
Build spec -> use a buildspec file -> buildspec name: buildspec.yml
Cloudwatch logs -> stream name prefix = awscicd-logs
click create build project
If you open buildspec.yml file, you'll notice the parameters are stored in the parameter store, we need values for LOGIN, HOST, Organization and Project. For extra security, we need to store in Parameter store. But before then, we need to create a project in Sonarcloud before storing it's access information on parameter store. Go to sonarcloud and create an account if you don't have any yet by following this tutorial.
Login token: In the sonar cloud welcome page, on the top right corner of the screen, click you account icon and select My Account -> Security. Now give a token name of your choice and click generate. Copy the generated code to a sticky note for later use
Organization: On the same tab, open organizations and create a new organization, select create one manually
name: aws-cicd-organization
key: aws-cicd-organization
plan: free plan -> create organization
Project: On the page that opens, click analyse new project
organization: aws-cicd-organization
display name: beanstalk-app
project key: aws-cicd-organization_beanstalk-app -> next
The new code for this project will be based on: Previous version
create project
Open a new tab and open AWS console and search systems manager -> parameter store and create parameter with the following configurations.
HOST
parameter: HOST
Tier: standard
Type: String
datatype: text
value: https://sonarcloud.io
Organization
parameter: Organization
Tier: standard
Type: String
datatype: text
value: aws-cicd-organization
LOGIN
parameter: LOGIN
Tier: standard
Type: Secure String
datatype: text
value: (paste the value of the token generated in sonarcloud)
Project
parameter: Project
Tier: standard
Type: String
datatype: text
value: aws-cicd-organization_beanstalk-app
Return to the codebuild tab, we need to modify the IAM role of the build project in order to access parameter store, on the page
Under service role, top right, click on the IAM arn, it opens a new tab in IAM. Create a System manager policy with the following allow permissions:
under list: DescribeParameters
under read: GetParameter, GetParametersByPath, GetParameterHistory, GetParameters, DescribeDocumentParameters
Click next, for policy name parameteraccess and create. Return and open the service role for the build project and add the created policy to it. Next search for another policy named "AWSCodeArtifactReadOnlyAccess" and add it to the same role. You should have policies as in the image below
Now return to the build project in codebuild tab and start build. If everything turns out well
So the Code analysis on sonar cloud should be populated with the statistics of the job that ran.
Build artifact job
Back to creating a build job console -> create build project and configure with the following:
name: build-artifact
source provider: bitbucket
select "custom source provider"
repository: aws-cicd-beanstalk
source version: main
operating system: ubuntu
select "new service role"
build spec: select 'use buildspec file'
buildspec name: aws-files/build_buildspec.yml
create build project
Next we need to add the policy to access CodeArtifact to read the dependencies. To do so, click on the Service role url and add policy to this role. Add the policy named AWSCodeArtifactReadOnlyAccess.
Close the tab and return to CodeBuild and run build-artifact project by clicking start build. The project should finish successfully.
Create pipeline
Create an S3 bucket to store the artifact after the build job runs, give the parameters:
name: pipeline-storage-for-artifacts-xxx (xxx are random numbers to make the bucket name unique)
region: us-east-1
create bucket
Now create a folder in the bucket named artifacts
On the AWS console, search pipeline -> create pipeline -> Build custom pipeline -> next
name: aws-cicd-pipeline
leave defaults and click next
source provider: bitbucket
connection: connect to bitbucket
-> enter a connection name
-> create connection
-> choose the app or create one if none exists and connect
repository name: aws-cicd-beanstalk
default branch: main -> next
Build provider: select other build providers and choose AWS CodeBuild
Project name: build-artifact
input artifacts: source artifacts -> next
Deploy provider: S3
input artifacts: BuildArtifact
key: artifacts
next, review and create pipeline
The pipeline will be automatically triggered, we need to stop it and add the code analysis stage. So click on stop execution select the pipeline and stop it. Click on edit and add a stage just before the build stage
stage name: codeanalysis -> add -> add action group
action name: analyse-code
action provider: aws codebuild
input artifacts: SourceArtifact
project name: code-analysis -> done
Edit the deploy stage action and select Extract file before deploy then -> done
Make sure all the edited stages are validated with done. Save the changes and return to the pipeline. Click on release change to trigger the pipeline.
And voila, the pipeline has been successfully built. If you open the S3 bucket, you will find the artifact stored there
Configure SNS
Go to the console and search SNS -> create a new topic
type: standard
name: awscicd-notification -> create notification
Click on create subscription
protocol: email
endpoint: youremail@email.com
An email will be sent to the provided email. The status will be pending until you open the email and validate the subscription.
To the left pane, under pipelines -> settings -> notifications -> create notification rule
name: aws-cicd-rule
Events that trigger notifications: select all
targets: awscicd-notification -> submit
The notification rule will be created.
Now back to our pipeline, if we run the pipeline anew, notifications will be sent about the status of the pipeline
Launch Elastic Beanstalk
Create an IAM role
Console -> IAM -> roles -> Create role:
`Trusted entity type: AWS service
use case: EC2
Permissions policies:
- AdministratorAccess-AWSElasticBeanstalk
- AWSElasticBeanstalkCustomPlatformforEC2Role
- AWSElasticBeanstalkRoleSNS
- AWSElasticBeanstalkWebTier
role name: elasticbean-role-awscicd -> Create role`
Create keypair
Console -> EC2 -> Keypairs -> create keypair
Name: beanstalk-key -> create keypair
Launch Elastic beanstalk
Search Elastic Beanstalk on the console -> Create Application then
Application name: awscicd-beanstalk
-> create
Click create new environment
Environment tier: web-server-environment
platform: Tomcat
Platform branch: Tomcat 10 with Corretto 21 running on 64bit Amazon Linux 2023
Platform version: 5.4.1 (Recommended)
Presets: Custom configuration
Leave any other as default and -> click next
Service role: Create and use new service role
EC2 key pair: beanstalk-key
EC2 instance profile: elasticbean-role-awscicd
Virtual Private Cloud (VPC): choose VPC with internet access
Public IP address: activated =true
Instance subnets: select all -> Next
Root volume type: General Purpose 3(ssd)
size: 10GB
IOPS: 3000
Throughput: 125
Autoscaling group -> Environment type: load balanced
min instances: 1
max instances: 4
Instance types: t2.micro
Processes: select default -> actions -> edit
-> sessions -> session stickiness = Enabled
Monitoring: Enhanced
email notifications: <enter your email>
Deployment policy: Rolling
Deployment batch size: 50 -> next
Review all the settings
Review all the settings and click on create. This will take about 4-5 minutes to create the infrastructure.
When Beanstalk is ready, you can click on the DNS link to access the page:
Our beanstalk environment is up and running, we will configure the pipeline to update the code with the built artifact.
Create RDS Database
Console -> RDS -> Create database and configure it as follows
choose a database creation method: standard create
Engine options: MySQL
Engine version: 8.0.35
Templates: free tier
DB instance identifier: awscicd-mysql
master username: admin
password: admin123
Burstable classes (includes t classes): db.t3.micro
storage: 20GB
Security group: create new(name: awscicd-sg)
Additional configuration: Initial database name: accounts
Review and create database. Wait for a while till the database is created. When the status changes from creating -> available before we can proceed.
Click on the created database and copy the endpoint. It should be like awscicd-mysql.cjrs4jngtznx.us-east-1.rds.amazonaws.com
Initialize Database
We have to login into the beanstalk instance and initialize the database with the initial data. But first we need to configure the awscicd-sg to receive traffic from beanstalk.
Go to console -> EC2 -> Security groups and open the Security group for the running beanstalk instance and copy the security group ID. Now open awscicd-sg -> Edit inbound rules.
Add a new rule allowing 3306 from the security group of the beanstalk instance. This will permit us to connect to the database through the beanstalk instance.
Save the changes. Now ssh into the running instance and run the following: (make sure to replace with the rds endpoint copied earlier)
sudo -i
dnf install mariadb105 -y
wget https://raw.githubusercontent.com/Ndzenyuy/vprofile-project/refs/heads/cd-aws/src/main/resources/db_backup.sql
mysql -h <enter-rds-edpoint> -u admin -padmin123 accounts < db_backup.sql
Add other parameters to Parameter store
We need to add the RDS endpoint, the database user and password to our parameters because Elastic beanstalk connects to the database. So we go to parameter store -> create new parameter and create the following parameters:
RDS-Endpoint
parameter: RDS-Endpoint
Tier: standard
Type: String
datatype: text
value: <enter your RDS End point>
RDPUSER
parameter: RDUSER
Tier: standard
Type: String
datatype: text
value: admin
RDPASS
parameter: RDPASS // or enter the password you used when creating db
Tier: standard
Type: Secure String
datatype: text
value: admin123
Save all the parameters and edit the last stage of the pipeline, the deploy stage so that we can now deploy to beanstalk. Go to pipelines -> select the pipeline we created earlier(aws-cicd) and select it, choose edit and scroll to the deploy stage and update with the following parameters:
action name: deploy and update the environment.
Action provider: AWS Elastic beanstalk
Input artifact: BuildArtifact (what we defined in the build stage)
Application name: awscicd-beanstalk
Environment: web-server-environment
Now Click on done:
Scroll up and Save the pipeline. Now to test the pipeline, Click on Release change. This will trigger the pipeline to build all the steps and deploy to our beanstalk environment.
After the build successfully completes, after about 5 minutes, check the Enviroment DNS on beanstalk and see how the application is displayed
To check if the RDS database is connected, try to log-in with the credentials
Username: admin_vp
password: admin_vp
If the database is connected, we'll be channeled to the welcome page:
Wooow!!!!!!!! Congratulations, you just deployed a cicd pipeline with AWS Pipeline. Each code update detected on your branch and pushed to bitbucket will automatically deploy to beanstalk.
If you succedded to build this project, please let me know in the comments, if you have difficulties i will be glad to help, just put it in the comments.
I haven't included Selenium test stage for the moment, but will certainly do when all is ripe
Top comments (0)