AWS CodeDeploy


Getting Started

Prerequisites:


IAM User

  1. Create IAM User

    For more information, see Creating an IAM User in IAM User Guide.

  2. Grant the IAM user access to AWS CodeDeploy

    Copy the following policy and attach it to the IAM user.

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "autoscaling:*",
        "codedeploy:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "s3:*"
      ],
      "Resource" : "*"
    }    
  ]
}

To learn how to attach a policy to an IAM user, see Working with Policies. To learn how to restrict users to a limited set of AWS CodeDeploy actions and resources, see Authentication and Access Control for AWS CodeDeploy.
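
The policy above can be checked mechanically before it is attached. The following Python script is an added example, not part of the original page or of AWS's documentation; it flags the wildcard grants and the unscoped iam:PassRole in the page's policy. The lint function, the ROLE_WRITES watch list and the SCOPED_PASSROLE contrast policy (with the placeholder account ID 111122223333) are assumptions made for illustration.

```python
import json

# IAM user policy from this page (actions copied verbatim, layout condensed).
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
  "autoscaling:*", "codedeploy:*", "ec2:*", "elasticloadbalancing:*",
  "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile", "iam:CreateRole",
  "iam:DeleteInstanceProfile", "iam:DeleteRole", "iam:DeleteRolePolicy",
  "iam:GetInstanceProfile", "iam:GetRole", "iam:GetRolePolicy",
  "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", "iam:ListRoles",
  "iam:PassRole", "iam:PutRolePolicy", "iam:RemoveRoleFromInstanceProfile", "s3:*"]}]}
""")

# Constructed contrast (assumption): PassRole limited to one role and one service.
# The account ID 111122223333 is a placeholder, not a value from the page.
SCOPED_PASSROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::111122223333:role/CodeDeployServiceRole",
    "Condition": {"StringEquals": {"iam:PassedToService": "codedeploy.amazonaws.com"}}}]}

# Hypothetical watch list: IAM actions that create roles, change their permissions,
# or hand them to a service or instance profile.
ROLE_WRITES = {"iam:passrole", "iam:putrolepolicy", "iam:createrole",
               "iam:addroletoinstanceprofile"}

def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return sorted findings for Allow statements whose Resource is a bare wildcard."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue  # Deny statements and resource-scoped grants are not flagged
        actions = as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.add(f"{action} is a wildcard grant on every resource")
            elif action.lower() in ROLE_WRITES:
                findings.add(f"{action} is not limited to the CodeDeploy roles")
        condition = json.dumps(stmt.get("Condition", {})).lower()
        if "iam:passrole" in map(str.lower, actions) and "iam:passedtoservice" not in condition:
            findings.add("iam:PassRole has no iam:PassedToService condition")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(PAGE_POLICY):
        print("-", finding)
```

An empty list from lint means no Allow statement in the policy grants these actions on Resource "*"; the page's policy produces ten findings, the scoped PassRole statement none.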


Install or Upgrade and Then Configure the AWS CLI

See Installing the AWS Command Line Interface. If you’re on a Mac, I would suggest installing via Brew.

See Configuring the AWS CLI. You will need to set up your security credentials.


Create a Service Role for AWS CodeDeploy

NOTE: We will be doing this through the CLI. The ability to do this through the console has been removed(?).

Create a Service Role

  1. On your development machine, create a text file named, for example, CodeDeploy-Trust.json. This file will be used to allow AWS CodeDeploy to work on your behalf. Do one of the following:
  • To grant access to all supported regions, save the following content in the file:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  • To grant access to only some supported regions, type the following content into the file, and remove the lines for the regions you want to exclude:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.us-east-2.amazonaws.com",
          "codedeploy.us-east-1.amazonaws.com",           
          "codedeploy.us-west-1.amazonaws.com",
          "codedeploy.us-west-2.amazonaws.com",
          "codedeploy.ca-central-1.amazonaws.com",
          "codedeploy.eu-west-1.amazonaws.com",
          "codedeploy.eu-west-2.amazonaws.com",
          "codedeploy.eu-central-1.amazonaws.com",          
          "codedeploy.ap-northeast-1.amazonaws.com",
          "codedeploy.ap-northeast-2.amazonaws.com",
          "codedeploy.ap-southeast-1.amazonaws.com",
          "codedeploy.ap-southeast-2.amazonaws.com",
          "codedeploy.ap-south-1.amazonaws.com",
          "codedeploy.sa-east-1.amazonaws.com",
          "codedeploy.cn-north-1.amazonaws.com.cn"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  2. From the same directory, call the create-role command to create a service role named CodeDeployServiceRole based on the information in the text file you just created:

    Important

    Be sure to include file:// before the file name. It is required in this command.

    aws iam create-role --role-name CodeDeployServiceRole --assume-role-policy-document file://CodeDeploy-Trust.json

    In the command’s output, note the value of the Arn entry under the Role object. You will need it later when you create deployment groups. If you forget the value, follow the instructions in Get the Service Role ARN (CLI).

  3. Call the attach-role-policy command to give the service role named CodeDeployServiceRole the permissions based on the IAM managed policy named AWSCodeDeployRole. For example:

    aws iam attach-role-policy --role-name CodeDeployServiceRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole

Get the Service Role ARN

To use the AWS CLI to get the ARN of the service role, call the get-role command against the service role named CodeDeployServiceRole:

aws iam get-role --role-name CodeDeployServiceRole --query "Role.Arn" --output text


Create an IAM Instance Profile for Your Amazon EC2 Instances

NOTE: We will be doing this through the CLI. The ability to do this through the console has been removed(?).

  1. On your development machine, create a text file named CodeDeploy-EC2-Trust.json. Paste the following content, which allows Amazon EC2 to work on your behalf:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  2. In the same directory, create a text file named CodeDeploy-EC2-Permissions.json. Paste the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
  3. From the same directory, call the create-role command to create an IAM role named CodeDeploy-EC2-Instance-Profile, based on the information in the first file:

    Important

    Be sure to include file:// before the file name. It is required in this command.

    aws iam create-role --role-name CodeDeploy-EC2-Instance-Profile --assume-role-policy-document file://CodeDeploy-EC2-Trust.json

  4. From the same directory, call the put-role-policy command to give the role named CodeDeploy-EC2-Instance-Profile the permissions based on the information in the second file:

    Important

    Be sure to include file:// before the file name. It is required in this command.

    aws iam put-role-policy --role-name CodeDeploy-EC2-Instance-Profile --policy-name CodeDeploy-EC2-Permissions --policy-document file://CodeDeploy-EC2-Permissions.json

  5. Call the create-instance-profile command followed by the add-role-to-instance-profile command to create an IAM instance profile named CodeDeploy-EC2-Instance-Profile.

    The instance profile allows Amazon EC2 to pass the IAM role named CodeDeploy-EC2-Instance-Profile to an Amazon EC2 instance when the instance is first launched:

    1. aws iam create-instance-profile --instance-profile-name CodeDeploy-EC2-Instance-Profile

    2. aws iam add-role-to-instance-profile --instance-profile-name CodeDeploy-EC2-Instance-Profile --role-name CodeDeploy-EC2-Instance-Profile

    You’ve now created an IAM instance profile to attach to your Amazon EC2 instances.

  6. Attach IAM Role to EC2

    Navigate to the IAM console

    Choose Running Instances

    Choose Actions > Instance Settings > Attach/Replace IAM role

    From the IAM role dropdown, choose CodeDeploy-EC2-Instance-Profile

    Choose Apply


Set Up CodeDeploy

Navigate to the CodeDeploy Console

Choose Get Started Now if you see it

Choose Custom deployment

Choose Skip Walkthrough

Fill in Application name. For simplicity, I’m going to use CodeDeploy.

Fill in Deployment group name. For simplicity, I’m going to use CodeDeploy.

Choose In-place deployment

Under Add instance, choose the Value dropdown, then choose CodeDeploy

Under Deployment configuration, choose the Deployment configuration dropdown, then choose CodeDeployDefault.AllAtOnce

Under Service Role, choose the Service role ARN dropdown, then choose arn:aws:iam::ID:role/CodeDeployServiceRole

Choose Create application


AppSpec File

Create a file named appspec.yml in the root of your application.

This is the configuration file for CodeDeploy. You must have this file for CodeDeploy to work.

version: 0.0 
os: linux 
files:
  - source: /
    destination: /home/ubuntu/ # Example

For more information, see AppSpec File.


Install AWS CodeDeploy Agent on the server

If you’re not sure how to connect to your EC2 instance, see Connect to Your Instance.

These instructions are for an Ubuntu Server. For other OS instructions, click here.

sudo apt-get update

sudo apt-get install ruby

sudo apt-get install wget

cd /home/ubuntu

wget https://<bucket-name>.s3.amazonaws.com/latest/install

chmod +x ./install

sudo ./install auto

Type y if prompted.

bucket-name represents one of the following:

  • aws-codedeploy-us-east-2 for instances in the US East (Ohio) region
  • aws-codedeploy-us-east-1 for instances in the US East (N. Virginia) region
  • aws-codedeploy-us-west-1 for instances in the US West (N. California) region
  • aws-codedeploy-us-west-2 for instances in the US West (Oregon) region
  • aws-codedeploy-ca-central-1 for instances in the Canada (Central) region
  • aws-codedeploy-eu-west-1 for instances in the EU (Ireland) region
  • aws-codedeploy-eu-west-2 for instances in the EU (London) region
  • aws-codedeploy-eu-central-1 for instances in the EU (Frankfurt) region
  • aws-codedeploy-ap-northeast-1 for instances in the Asia Pacific (Tokyo) region
  • aws-codedeploy-ap-northeast-2 for instances in the Asia Pacific (Seoul) region
  • aws-codedeploy-ap-southeast-1 for instances in the Asia Pacific (Singapore) region
  • aws-codedeploy-ap-southeast-2 for instances in the Asia Pacific (Sydney) region
  • aws-codedeploy-ap-south-1 for instances in the Asia Pacific (Mumbai) region
  • aws-codedeploy-sa-east-1 for instances in the South America (São Paulo) region
  • aws-codedeploy-cn-north-1 for instances in the China (Beijing) region

sudo service codedeploy-agent start

sudo service codedeploy-agent status


Push code to S3 bucket

If you forgot your application name, find it in the CodeDeploy Console:

Choose AWS CodeDeploy dropdown, choose Applications

Under Applications is a list of your applications

AWS CLI

In your terminal, navigate to the root of your application

aws deploy push --application-name <application-name> --description "This is a revision for the application code_deploy" --s3-location s3://<your-bucket-name>/bundle.zip --source .

If there were no errors, it should return:

To deploy with this revision, run:

aws deploy create-deployment --application-name <application-name> --s3-location bucket=<your-bucket-name>,key=bundle.zip,bundleType=zip,eTag=36b322ef06925e79eab39180c0bedb64-5 --deployment-group-name <deployment-group-name> --deployment-config-name <deployment-config-name> --description <description>


Push bundle to CodeDeploy

If you forgot your deployment group name, find it in the CodeDeploy Console:

Choose AWS CodeDeploy dropdown, choose Applications

Choose the application name

Under Deployment groups is a list of your deployment groups

AWS CLI

aws deploy create-deployment --application-name <application-name> --s3-location bucket=<your-bucket-name>,key=bundle.zip,bundleType=zip --file-exists-behavior OVERWRITE --deployment-group-name <deployment-group-name> --description revision


Check status of deploy

Navigate to CodeDeploy

Choose your application

Choose the arrow next to your application name

It will either show In-progress, Succeeded, or Failed

That’s it!

If you’re having errors or your deploy is failing, see Troubleshooting AWS CodeDeploy.

