Bitbucket and CodeDeploy
Today, since we are growing our development team and I don’t want to handle deploying code for the team all the time, I went ahead and integrated Bitbucket with CodeDeploy to make things a bit more efficient. Our workflow can now be: Write Code, Commit Code, QA Code, Sign Off, Deploy.
However, if you don’t have much experience with IAM Roles and CodeDeploy, it is a bit of a hassle to get started, so here are a few gotchas for those who don’t want to go through the official AWS documentation. First, don’t expect to just start modifying your deployment process on an old staging server using CodeDeploy; it probably won’t work, depending on the setup. You need to have an IAM Instance Profile set up, which you can only do when you create an EC2 instance. Let’s start there:
Create User, Assign Roles and Create EC2 Instance
1. Create a new IAM User
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#Using_CreateUser_console
2. Grant access to CodeDeploy to that IAM User by attaching the following policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:*",
            "codedeploy:*",
            "ec2:*",
            "elasticloadbalancing:*",
            "iam:AddRoleToInstanceProfile",
            "iam:CreateInstanceProfile",
            "iam:CreateRole",
            "iam:DeleteInstanceProfile",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:GetInstanceProfile",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:ListInstanceProfilesForRole",
            "iam:ListRolePolicies",
            "iam:ListRoles",
            "iam:PassRole",
            "iam:PutRolePolicy",
            "iam:RemoveRoleFromInstanceProfile",
            "s3:*"
          ],
          "Resource": "*"
        }
      ]
    }
3. Create a service role:
http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-create-service-role.html
4. Create an EC2 Instance
Do your normal “Launch Instance” but on Step 3: Configure Instance Details you must assign the service role to the instance.
Some Gotchas
1. The service role must have a Trust Relationship setup with CodeDeploy. This is what I used:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ec2.amazonaws.com",
              "codedeploy.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
Note the “Service” array has codedeploy.amazonaws.com.
Setup CodeDeploy
1. Create a new Application – Ensure you map the service role you created earlier during this part as well as the name of the instance/s.
Tip: If you run into “Cannot assume role”, check out the gotcha above.
2. Install the agent on the EC2 Instance
    yum update
    yum -y install ruby wget   # the agent installer is a Ruby script
    cd /home/ec2-user
    wget https://aws-codedeploy-us-east-1.s3.amazonaws.com/latest/install # depends on your region
    chmod +x install
    ./install auto
Setup Bitbucket
1. Install the CodeDeploy Addon via Settings > Addons > AWS CodeDeploy
2. Go to the repository you want to deploy to the new instance
3. Settings > CodeDeploy Settings
4. Follow on screen instructions to make Bitbucket Role with Third Party AWS Accounts, this is what mine looks like:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::507461364343:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "connection:123456"
            }
          }
        }
      ]
    }
5. Copy and Paste ARN from newly created role to connect the two.
6. Add an AppSpec file to the base of your repo named appspec.yml:
    version: 0.0
    os: linux
    files:
      - source: /
        destination: /home/user/public
See documentation on AppSpec files here:
http://docs.aws.amazon.com/codedeploy/latest/userguide/app-spec-ref.html
Once this is completed you should be able to deploy from any commit using the Deploy to AWS button.
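As an added check (not part of the original post, and not AWS or Bitbucket tooling), the Python below reads a role trust policy and flags the two problems this setup is exposed to: a service role that does not trust codedeploy.amazonaws.com (the “Cannot assume role” gotcha) and a third-party account principal that can assume the role without an sts:ExternalId condition. The names check_trust_policy and as_list and the wording of the findings are made up for this example; the two sample policies are the ones shown above.

```python
import json

def as_list(value):
    """IAM accepts a single string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, required_services=()):
    """Return findings for a role trust policy; an empty list means nothing was flagged."""
    findings, trusted_services = [], set()
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        trusted_services.update(as_list(principal.get("Service", [])))
        # Condition keys are case-insensitive; only StringEquals is treated as a pin here.
        pinned = stmt.get("Condition", {}).get("StringEquals", {})
        has_external_id = any(key.lower() == "sts:externalid" for key in pinned)
        for arn in as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append("any AWS principal can assume this role")
            elif not has_external_id:
                findings.append(f"{arn} can assume this role without an sts:ExternalId condition")
    for service in required_services:
        if service not in trusted_services:
            findings.append(f"{service} is not trusted, expect 'Cannot assume role'")
    return findings

# The two trust policies shown in the post, with straight quotes.
SERVICE_ROLE_TRUST = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]},
  "Action": "sts:AssumeRole"}]}"""
BITBUCKET_ROLE_TRUST = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::507461364343:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "connection:123456"}}}]}"""

if __name__ == "__main__":
    print(check_trust_policy(SERVICE_ROLE_TRUST, ["codedeploy.amazonaws.com"]))
    print(check_trust_policy(BITBUCKET_ROLE_TRUST))
    # Constructed failure case: the Bitbucket policy with its Condition removed.
    broken = json.loads(BITBUCKET_ROLE_TRUST)
    del broken["Statement"][0]["Condition"]
    print(check_trust_policy(json.dumps(broken)))
```

To check a live role, pass in the trust policy document copied from the role's Trust Relationships tab.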
Other issues I’ve encountered
1. Don’t use a version other than 0.0 in your AppSpec file, or your deployments will fail.
2. Don’t have anything existing in your destination, otherwise the deployment will fail.