RELIABLE, SECURE, AND SERVERLESS CONTINUOUS INTEGRATION AND DELIVERY
AWS CodeBuild and AWS CodePipeline are fully managed continuous integration and delivery services that help you build, package, and deploy your application in a safe and reliable manner. They let your team focus on building the actual application and worry less about the effort and operations needed to ship it to customers.
As the name implies, CodeBuild is the service that actually builds. But don't read too much into the name: you can run almost anything in CodeBuild. It isn't limited to packaging and building applications.
You can also apply infrastructure changes via infrastructure-as-code tools like Terraform or CDK, change routing destinations, run backup jobs, trigger Jenkins jobs for batch work, or any other process that can be poured into a script.
A structured and well-thought-out delivery process doesn't just include a single build job. It's an orchestration of many - often dependent jobs - that enable you to roll out deployment packages and infrastructure in a reliable and safe manner.
And that's exactly what AWS CodePipeline does: it's your CodeBuild orchestration tool. With CodePipeline, you can create pipelines that connect jobs into stages to create a much more robust process that can be easily reproduced and understood.
Builds are executed within containers. For the image that runs inside the container, you have two options: an AWS-managed image, or a custom image pulled from Amazon ECR or another registry such as Docker Hub.
If you're using the managed images, they already include the runtimes for most programming languages.
Build specs define what your build job should actually do. Each spec file is YAML and contains the build commands and related settings.
You can provide your build spec either inline in the build project definition, or as a buildspec.yml file in the root of your source repository (a different path can be configured on the project).
Your buildspec file is structured into phases (install, pre_build, build, post_build), which CodeBuild executes in order. You can also inject environment variables from SSM Parameter Store 🔐 or AWS Secrets Manager 📝, declare output artifacts, and much more.
Looking into the phase details of an example build project, we can see the phases CodeBuild runs through. A full execution passes through these phases in order: SUBMITTED, QUEUED, PROVISIONING, DOWNLOAD_SOURCE, INSTALL, PRE_BUILD, BUILD, POST_BUILD, UPLOAD_ARTIFACTS, FINALIZING, and COMPLETED. Only INSTALL, PRE_BUILD, BUILD, and POST_BUILD run commands from your buildspec; the remaining phases are managed by CodeBuild itself.
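A complete buildspec.yml, added here as an example (not taken from the original post or from any AWS sample), shows the four command phases, environment variables resolved from SSM Parameter Store and Secrets Manager, and a primary plus a secondary artifact. The parameter name /example/staging/db-host, the secret example/staging/db, and the Node.js project layout are assumptions for illustration.

```yaml
version: 0.2

env:
  variables:
    ENVIRONMENT: staging                    # plain value, visible in the project config
  parameter-store:
    # Assumed SSM parameter; resolved by CodeBuild before the install phase starts
    DB_HOST: /example/staging/db-host
  secrets-manager:
    # Assumed secret; format is <secret-id>:<json-key>. The value never lives in the
    # project definition, but echoing it in a command would still land in the log.
    DB_PASSWORD: example/staging/db:password
  exported-variables:
    - BUILD_VERSION                         # available to later pipeline actions as a variable

phases:
  install:
    runtime-versions:
      nodejs: 18                            # managed standard images need an explicit runtime
  pre_build:
    commands:
      - echo "Installing dependencies for $ENVIRONMENT"
      - npm ci
      - export BUILD_VERSION="${CODEBUILD_RESOLVED_SOURCE_VERSION:0:8}"
  build:
    commands:
      - npm test
      - npm run build
  post_build:
    commands:
      # Fails the build if an earlier command failed; CodeBuild runs post_build regardless
      - if [ "$CODEBUILD_BUILD_SUCCEEDING" != "1" ]; then echo "build failed" && exit 1; fi
      - echo "Build $BUILD_VERSION finished on $(date)"

artifacts:
  files:
    - '**/*'
  base-directory: dist                      # primary artifact: the built application
  secondary-artifacts:
    test_reports:                           # artifact identifier used by later pipeline actions
      files:
        - coverage/**/*
      name: test-reports
```

The exported variable lets a later stage reference the short commit hash without re-deriving it, and the post_build guard matters because CodeBuild still runs post_build commands after a failed build phase.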
CodeBuild checks out the repository at the start of a build. As a source provider, you can use Amazon S3, AWS CodeCommit, GitHub, or Bitbucket.
Additionally, you can define if builds should be triggered automatically on source changes, e.g. a new commit to a specific branch in your repository.
Pipelines are an orchestrated collection of build projects. They allow structuring continuous integration and deployment into stages, including builds, quality gates, and the actual deployments.
At the end of a build execution, you can choose to archive artifacts (outputs), which are saved in S3 and can be passed as inputs to other build projects in the same pipeline execution. CodePipeline keeps track of versioning, so you'll always end up consuming the outputs of your current pipeline execution.
The default output artifact is named build_output. You can declare additional outputs as secondary artifacts, each with its own unique identifier.
Your typical release pipeline does not run through all stages without user interaction. Most teams want a fixed quality gate that requires a developer to manually approve the deployment to production.
CodePipeline meets this requirement via approval actions that can be placed between two build projects and require a response from a user who has the codepipeline:PutApprovalResult permission assigned.
Users are also asked to leave a message with their approval or rejection, so decisions can be traced later.
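An example CloudFormation excerpt, added here and not part of the original post, wires a manual approval stage between build and production deployment and grants approvers the codepipeline:PutApprovalResult permission scoped to that single action rather than to every pipeline in the account. The pipeline name example-release, the resources PipelineRole, ArtifactBucket, BuildProject, DeployProject, and ApprovalTopic, and the repository name are assumed to exist elsewhere in the template.

```yaml
Resources:
  ReleasePipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: example-release                       # assumed name, also used in the policy below
      RoleArn: !GetAtt PipelineRole.Arn           # assumed to be defined elsewhere
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket             # assumed to be defined elsewhere
      Stages:
        - Name: Source
          Actions:
            - Name: Checkout
              ActionTypeId: {Category: Source, Owner: AWS, Provider: CodeCommit, Version: '1'}
              Configuration:
                RepositoryName: example-app       # assumed repository
                BranchName: main
              OutputArtifacts:
                - Name: SourceOutput
        - Name: Build
          Actions:
            - Name: Build
              ActionTypeId: {Category: Build, Owner: AWS, Provider: CodeBuild, Version: '1'}
              Configuration:
                ProjectName: !Ref BuildProject    # assumed CodeBuild project
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: BuildOutput
        - Name: ApproveProd
          Actions:
            - Name: ManualApproval
              ActionTypeId: {Category: Approval, Owner: AWS, Provider: Manual, Version: '1'}
              Configuration:
                NotificationArn: !Ref ApprovalTopic   # assumed SNS topic that pages the approvers
                CustomData: Review the staging deployment before approving production.
        - Name: DeployProd
          Actions:
            - Name: Deploy
              ActionTypeId: {Category: Build, Owner: AWS, Provider: CodeBuild, Version: '1'}
              Configuration:
                ProjectName: !Ref DeployProject   # assumed CodeBuild project
              InputArtifacts:
                - Name: BuildOutput               # same artifact the Build stage produced

  # Attach this to the approvers' group/role only. The Resource ARN pins the permission
  # to pipeline/stage/action, so the same users cannot approve other gates by accident.
  ApproverPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: ApproveOnlyThisGate
            Effect: Allow
            Action: codepipeline:PutApprovalResult
            Resource: !Sub arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:example-release/ApproveProd/ManualApproval
          - Sid: ReadPipelineState
            Effect: Allow
            Action:
              - codepipeline:GetPipelineState
              - codepipeline:ListPipelines
            Resource: '*'
```

Note that the build role and the pipeline role should not carry codepipeline:PutApprovalResult at all; otherwise a compromised build container could approve its own promotion to production.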
There are a lot of things done right by both services.
There's no perfect service or solution for anything. This includes AWS CodeBuild and CodePipeline.
By default, CodeBuild projects can't access resources that reside in a VPC. By adding your VPC ID, the VPC subnet IDs, and the VPC security group IDs to your build project configuration, CodeBuild can reach private resources in your VPC. The subnets must be private subnets with a route to a NAT gateway, otherwise the build loses outbound internet access, and the service role needs permissions to manage the network interfaces CodeBuild creates.
If there's no dedicated requirement, CodeBuild doesn't need to be attached to a VPC: the build environment is AWS-managed, and what the build can touch in your account is governed by the IAM service role of the project.
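A CloudFormation excerpt, added here as an example rather than taken from the original post, attaches a build project to a VPC and gives its service role only the EC2 permissions needed for the build's network interfaces. The VPC, subnet, and security group IDs are placeholders; the CreateNetworkInterfacePermission condition is what keeps the role from attaching interfaces in subnets other than the one listed.

```yaml
Resources:
  PrivateBuildProject:
    Type: AWS::CodeBuild::Project
    Properties:
      Name: example-private-build
      ServiceRole: !GetAtt BuildRole.Arn
      Source: {Type: CODEPIPELINE}
      Artifacts: {Type: CODEPIPELINE}
      Environment:
        Type: LINUX_CONTAINER
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:7.0
      VpcConfig:
        VpcId: vpc-0123456789abcdef0            # placeholder
        Subnets:
          - subnet-0123456789abcdef0            # placeholder; must be a private subnet with a NAT route
        SecurityGroupIds:
          - sg-0123456789abcdef0                # placeholder; egress-only, nothing connects inbound

  BuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: codebuild.amazonaws.com}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: vpc-network-interfaces
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Describe/create/delete calls have no resource-level scoping in EC2
              - Effect: Allow
                Action:
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DescribeSubnets
                  - ec2:DescribeSecurityGroups
                  - ec2:DescribeDhcpOptions
                  - ec2:DescribeVpcs
                Resource: '*'
              # Only CodeBuild may attach, and only in the build subnet
              - Effect: Allow
                Action: ec2:CreateNetworkInterfacePermission
                Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*
                Condition:
                  StringEquals:
                    ec2:AuthorizedService: codebuild.amazonaws.com
                  ArnEquals:
                    ec2:Subnet:
                      - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:subnet/subnet-0123456789abcdef0
```

The log and artifact permissions of the role are left out above; add them as separate, equally narrow statements rather than widening this one.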
Your CodeBuild and CodePipeline projects execute the most critical actions in your AWS account. That's why monitoring is crucial, as with every other resource.
Logging: All console output of CodeBuild is uploaded to CloudWatch Logs by default, provided the service role is allowed to create log streams and put log events (the role generated by the console includes this). This gives you traceability when build projects fail. Keep in mind that anything a build command prints, including secrets echoed by accident, ends up in that log group.
Build Notifications: AWS CodePipeline integrates with AWS Chatbot, which allows for simple and readable notifications via your favorite communication tools, e.g. Slack. You're also able to filter for events, as you may only want to get notified for specific events like failures.
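As an added example (not from the original post), the following CloudFormation excerpt gives the build logs a retention period instead of keeping them forever, and raises an EventBridge rule that only fires when the example-release pipeline fails or is stopped. The log group name, pipeline name, and the AlertTopic SNS topic are assumptions.

```yaml
Resources:
  BuildLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /codebuild/example-build    # assumed name
      RetentionInDays: 90                       # default is never-expire

  # On the CodeBuild project, point the logs at the group above:
  # LogsConfig:
  #   CloudWatchLogs:
  #     Status: ENABLED
  #     GroupName: !Ref BuildLogGroup

  PipelineFailureRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Alert on failed or stopped executions of example-release
      EventPattern:
        source:
          - aws.codepipeline
        detail-type:
          - CodePipeline Pipeline Execution State Change
        detail:
          pipeline:
            - example-release                   # assumed pipeline name
          state:
            - FAILED
            - STOPPED                           # a successful run generates no alert
      Targets:
        - Id: alert-topic
          Arn: !Ref AlertTopic                  # assumed SNS topic; its access policy must allow events.amazonaws.com to publish
```

Filtering on the state field at the rule level keeps the noise out of the channel, which is the difference between a notification people read and one they mute.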
As mentioned earlier, CodeBuild and CodePipeline are solely pay-per-use, except for a small fee per active pipeline per month. The price per build minute depends on the memory and CPU configuration of your build container, which AWS specifies as small, medium, large, and larger tiers.