AWS CODEBUILD & CODEPIPELINE

RELIABLE, SECURE, AND SERVERLESS CONTINUOUS INTEGRATION AND DELIVERY

INTRODUCTION👋

AWS CodeBuild and AWS CodePipeline are fully managed continuous integration and delivery services that help you build, package & deploy your application in a safe and reliable manner. They let your team focus on building the actual application and worry less about the effort and operations needed to ship it to customers.

AWS CODEBUILD🔨

As the name already implies, CodeBuild is the service that actually builds. But don't get too caught up in this phrase, as you can basically execute anything in CodeBuild. It doesn't just strictly map down to packaging and building applications.

You're also able to execute infrastructure changes via infrastructure-as-code tools like Terraform or CDK, change routing destinations, create backups, trigger Jenkins jobs for batch processing, or run any other process that can be put into a script.

AWS CODEPIPELINE🧰

A structured and well-thought-out delivery process doesn't consist of just a single build job. It's an orchestration of many, often dependent, jobs that enable you to roll out deployment packages and infrastructure in a reliable and safe manner.

And that's exactly what AWS CodePipeline does: it's your CodeBuild orchestration tool. With CodePipeline, you can create pipelines that connect jobs into stages to create a much more robust process that can be easily reproduced and understood.

BUILD IMAGES & CONTAINERS📦

Builds are executed within containers. For the image the container runs, you have two options:

  • provide your own image, either via ECR or another non-AWS repository
  • use one of the images managed by AWS CodeBuild

If you're using the managed images, they already include the runtimes for most programming languages.

BUILD SPECS📃

Build specs define what your build job should actually do. Each spec is a YAML file containing the build commands and related settings.

You can provide your build spec either:

  • in your source code or
  • fixed in the build project configuration itself

Your buildspec file is structured into the different phases that CodeBuild executes. You can also inject environment variables from SSM 🔐 or ARN 📝 and much more.

PHASES

Looking into the phase details of our example build project, we can see the phases CodeBuild will run through. An example execution looks like this:

  • (4s) Submitted: job submitted to CodeBuild's queue
  • (13m) Queued: waiting for unreserved compute resources
  • (53s) Provisioning: downloads the image & starts the container
  • (4s) Download Source: downloads your source code
  • (160s) Install: runs our npm install
  • (53s) Build: runs our Serverless packaging command
  • (41s) Upload Artifacts: archives artifacts & uploads them to S3
  • (3s) Finalizing: completes the job & frees resources
  • Complete: build project is completed

SOURCES & TRIGGERS🔄

CodeBuild can check out a repository at the start of a build. As a source provider, you can use Amazon S3, AWS CodeCommit, GitHub, or Bitbucket.

Additionally, you can define if builds should be triggered automatically on source changes, e.g. a new commit to a specific branch in your repository.

PIPELINES🔄

Pipelines are an orchestrated collection of build projects. They let you structure continuous integration and deployment into stages, including builds, quality gates, and the actual deployments.

ARTIFACTS📦

At the end of a build execution, you can choose to archive artifacts (outputs), which are then saved to S3 and can be injected into other build projects (as inputs) of your pipeline execution. CodePipeline itself keeps track of versioning, so you'll always end up injecting the outputs of your current pipeline execution.

The default output artifact is named build_output. There's also the option to create additional output artifacts via secondary:, a prefix followed by a unique number.
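To tie the build spec, the phases and the artifacts sections together, here is a complete buildspec as an added example (not the author's own project file). It assumes a managed image whose `runtime-versions` supports Node.js 18, a Serverless Framework project, an SSM Parameter Store parameter and a Secrets Manager secret with the names shown (both placeholders), and a CodeBuild project that declares a secondary artifact with the identifier `reports`:

```yaml
version: 0.2

env:
  variables:
    STAGE: dev
  parameter-store:
    # Resolved by CodeBuild from SSM Parameter Store before the phases run.
    # Parameter name is a placeholder for this example.
    NPM_TOKEN: /example/ci/npm-token
  secrets-manager:
    # Secrets Manager reference in the form secret-id:json-key (placeholder id).
    DEPLOY_KEY: example/ci/deploy:key

phases:
  install:
    runtime-versions:
      nodejs: 18
    commands:
      # Reproducible install from package-lock.json; NPM_TOKEN is read by .npmrc.
      - npm ci
  pre_build:
    commands:
      # Quality gate: a failing test suite fails the build before packaging.
      - npm test
  build:
    commands:
      - npx serverless package --stage "$STAGE" --package dist
  post_build:
    commands:
      - echo "Build finished on $(date)"

artifacts:
  # Primary artifact: the packaged deployment, uploaded to S3 by CodeBuild.
  files:
    - '**/*'
  base-directory: dist
  name: build_output
  # Secondary artifact; the key must match the artifactIdentifier configured on the project.
  secondary-artifacts:
    reports:
      files:
        - '**/*'
      base-directory: coverage
```

Keeping secrets in Parameter Store or Secrets Manager rather than as plaintext `variables` means they never appear in the project configuration or in CloudFormation templates; they are resolved into the container environment by the CodeBuild service role at runtime, so that role needs read access to exactly those names and nothing broader.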

APPROVAL STAGES👍

Your typical release pipeline does not run through all stages without user interaction. Most teams do want to have a fixed quality gate which requires developers to manually approve the deployment to production.

CodePipeline meets this requirement via approval steps that can be placed between two build projects and that require a response from a user who has the needed codecommit:PutApprovalResult permission assigned.

Users will also be asked to put a message for either approval or rejection, so decisions can be traced later.

PROS

There are a lot of things done right by both services.

  • Pay-as-you-go Pricing: you'll never pay for idling build agents as it's an on-demand service with linear pricing based on your actual usage.
  • Fully-managed: A managed service is a good service. In the case of AWS CodeBuild and AWS CodePipeline, you don't need to maintain machines besides the configuration of your projects (and maybe your build image).
  • Reliability: Both services offer high availability and also award service credits if certain availability levels are not met within a month.

ROOM FOR IMPROVEMENT📈

There's no perfect service or solution for anything. This includes AWS CodeBuild and CodePipeline.

  • Build Times: Each CodeBuild run has to bootstrap a build container with your image and therefore go through the initial phases. This takes time, for which you'll be charged.
  • Console Interfaces: The console has a lot of useful views, but it is very heavy on written text instead of good visualizations. There's not even a simple overview of the build projects across several pipelines.
  • On-demand Pricing: We've listed this on the pro side, but it can also be negative. For projects that require constant execution of builds, CodeBuild can get very expensive.

VPC SUPPORT🔒

By default, CodeBuild projects can't access resources that reside in a VPC. By adding your VPC ID, the VPC subnet IDs, and the VPC security group IDs to your build project configuration, CodeBuild will be able to access private resources in your VPC.

If there's no dedicated requirement, CodeBuild doesn't need to be attached to a private VPC as it's fully protected by IAM.

MONITORING📊

Your CodeBuild and CodePipeline projects execute the most critical actions in your AWS account. That's why monitoring is crucial, as with every other resource.

Logging: All console output from CodeBuild is uploaded to CloudWatch Logs by default. The necessary permissions are assigned to the service roles. This allows for traceability when build projects fail.

Build Notifications: AWS CodePipeline integrates with AWS Chatbot, which allows for simple and readable notifications via your favorite communication tools, e.g. Slack. You're also able to filter events, as you may only want to be notified about specific events such as failures.
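The event filtering described above can also be done in your own code, for example in a Lambda function behind an EventBridge rule. The following is an added example, not code from the original page: it classifies CodeBuild and CodePipeline state-change events (the `detail-type` values and `detail` fields are the ones those services emit to EventBridge) and keeps only the states worth a notification. It also shows the equivalent EventBridge event pattern and a small matcher for the subset of pattern syntax used here. The sample events, account id and execution ids are constructed.

```python
"""Filter CodeBuild / CodePipeline EventBridge events down to the ones worth a notification."""
from typing import Optional

# Terminal states that usually need a human to look at the build or pipeline.
CODEBUILD_ALERT_STATES = {"FAILED", "FAULT", "TIMED_OUT", "STOPPED"}
PIPELINE_ALERT_STATES = {"FAILED", "CANCELED", "STOPPED"}

# Equivalent EventBridge rule pattern: only failed/aborted CodeBuild builds reach the target.
CODEBUILD_FAILURE_PATTERN = {
    "source": ["aws.codebuild"],
    "detail-type": ["CodeBuild Build State Change"],
    "detail": {"build-status": sorted(CODEBUILD_ALERT_STATES)},
}


def classify(event: dict) -> Optional[str]:
    """Return a one-line alert message for events that need attention, else None."""
    kind = event.get("detail-type", "")
    detail = event.get("detail", {})
    if kind == "CodeBuild Build State Change":
        status = detail.get("build-status")
        if status in CODEBUILD_ALERT_STATES:
            return f"CodeBuild {detail.get('project-name')} {status}: {detail.get('build-id')}"
        return None
    if kind == "CodePipeline Pipeline Execution State Change":
        state = detail.get("state")
        if state in PIPELINE_ALERT_STATES:
            return f"Pipeline {detail.get('pipeline')} {state} (execution {detail.get('execution-id')})"
        return None
    if kind == "CodePipeline Stage Execution State Change":
        state = detail.get("state")
        if state in PIPELINE_ALERT_STATES:
            return f"Pipeline {detail.get('pipeline')} stage {detail.get('stage')} {state}"
        return None
    return None  # unrelated event type


def filter_events(events: list) -> list:
    """Messages for all events that warrant a notification, in input order."""
    return [msg for msg in (classify(e) for e in events) if msg]


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge pattern matcher: every key present, values drawn from the listed ones.

    Supports nested objects and lists of literal values, which covers the pattern above.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


# Constructed sample events shaped like the EventBridge payloads of both services.
SAMPLE_EVENTS = [
    {"source": "aws.codebuild", "detail-type": "CodeBuild Build State Change",
     "detail": {"project-name": "example-service-build", "build-status": "SUCCEEDED",
                "build-id": "arn:aws:codebuild:eu-central-1:111122223333:build/example-service-build:PLACEHOLDER-1"}},
    {"source": "aws.codebuild", "detail-type": "CodeBuild Build State Change",
     "detail": {"project-name": "example-service-build", "build-status": "FAILED",
                "build-id": "arn:aws:codebuild:eu-central-1:111122223333:build/example-service-build:PLACEHOLDER-2"}},
    {"source": "aws.codepipeline", "detail-type": "CodePipeline Pipeline Execution State Change",
     "detail": {"pipeline": "example-service-pipeline", "execution-id": "PLACEHOLDER-EXEC", "state": "STARTED"}},
    {"source": "aws.codepipeline", "detail-type": "CodePipeline Stage Execution State Change",
     "detail": {"pipeline": "example-service-pipeline", "execution-id": "PLACEHOLDER-EXEC",
                "stage": "Deploy", "state": "FAILED"}},
]

if __name__ == "__main__":
    for message in filter_events(SAMPLE_EVENTS):
        print(message)
```

Filtering in the EventBridge rule (the pattern) is cheaper than filtering in code, because non-matching events never invoke the target; the Python classifier is where you add anything the pattern syntax cannot express, such as composing the message or looking up the owning team for a project name.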

PRICING💸

As mentioned earlier, CodeBuild and CodePipeline are purely pay-per-use, except for a small fee per created CodePipeline project per month. The price per build minute depends on the memory & CPU configuration of your build container, which AWS specifies as small, medium, or large.