Posted May 29, 20204 yr This post discusses the benefits of and how to build an AWS CI/CD pipeline in AWS CodePipeline for multi-region deployment. The CI/CD pipeline triggers on application code changes pushed to your AWS CodeCommit repository. This automatically feeds into AWS CodeBuild for static and security analysis of the CloudFormation template. Another CodeBuild instance builds the application to generate an AMI image as output. AWS Lambda then copies the AMI image to other Regions. Finally, AWS CloudFormation cross-region actions are triggered and provision the instance into target Regions based on AMI image. The solution is based on using a single pipeline with cross-region actions, which helps in provisioning resources in the current Region and other Regions. This solution also helps manage the complete CI/CD pipeline at one place in one Region and helps as a single point for monitoring and deployment changes. This incurs less cost because a single pipeline can deploy the application into multiple Regions. As a security best practice, the solution also incorporates static and security analysis using cfn-lint and cfn-nag. You use these tools to scan CloudFormation templates for security vulnerabilities. The following diagram illustrates the solution architecture. Multi region AWS CodePipeline architecture Prerequisites Before getting started, you must complete the following prerequisites: Create a repository in CodeCommit and provide access to your user Copy the sample source code from GitHub under your repository Create an Amazon S3 bucket in the current Region and each target Region for your artifact store Creating a pipeline with AWS CloudFormation You use a CloudFormation template for your CI/CD pipeline, which can perform the following actions: Use CodeCommit repository as source code repository Static code analysis on the CloudFormation template to check against the resource specification and block provisioning if this check fails Security code analysis on the CloudFormation template to check against secure infrastructure rules and block provisioning if this check fails Compilation and unit test of application code to generate an AMI image Copy the AMI image into target Regions for deployment Deploy into multiple Regions using the CloudFormation template; for example, us-east-1, us-east-2, and ap-south-1 You use a sample web application to run through your pipeline, which requires Java and Apache Maven for compilation and testing. Additionally, it uses Tomcat 8 for deployment. The following table summarizes the resources that the CloudFormation template creates. Resource Name Type Objective CloudFormationServiceRole AWS::IAM::Role Service role for AWS CloudFormation CodeBuildServiceRole AWS::IAM::Role Service role for CodeBuild CodePipelineServiceRole AWS::IAM::Role Service role for CodePipeline LambdaServiceRole AWS::IAM::Role Service role for Lambda function SecurityCodeAnalysisServiceRole AWS::IAM::Role Service role for security analysis of provisioning CloudFormation template StaticCodeAnalysisServiceRole AWS::IAM::Role Service role for static analysis of provisioning CloudFormation template StaticCodeAnalysisProject AWS::CodeBuild::Project CodeBuild for static analysis of provisioning CloudFormation template SecurityCodeAnalysisProject AWS::CodeBuild::Project CodeBuild for security analysis of provisioning CloudFormation template CodeBuildProject AWS::CodeBuild::Project CodeBuild for compilation, testing, and AMI creation CopyImage AWS::Lambda::Function Python Lambda function for copying AMI images into other Regions AppPipeline AWS::CodePipeline::Pipeline CodePipeline for CI/CD To start creating your pipeline, complete the following steps: Launch the CloudFormation stack with the following link: Launch button for CloudFormation Choose Next. For Specify details, provide the following values: Parameter Description Stack name Name of your stack OtherRegion1 Input the target Region 1 (other than current Region) for deployment OtherRegion2 Input the target Region 2 (other than current Region) for deployment RepositoryBranch Branch name of repository RepositoryName Repository name of the project S3BucketName Input the S3 bucket name for artifact store S3BucketNameForOtherRegion1 Create a bucket in target Region 1 and specify the name for artifact store S3BucketNameForOtherRegion2 Create a bucket in target Region 2 and specify the name for artifact store Choose Next. On the Review page, select I acknowledge that this template might cause AWS CloudFormation to create IAM resources. Choose Create. Wait for the CloudFormation stack status to change to CREATE_COMPLETE (this takes approximately 5–7 minutes). When the stack is complete, your pipeline should be ready and running in the current Region. To validate the pipeline, check the images and EC2 instances running into the target Regions and also refer the AWS CodePipeline Execution summary as below. AWS CodePipeline Execution Summary We will walk you through the following steps for creating a multi-region deployment pipeline: 1. Using CodeCommit as your source code repository The deployment workflow starts by placing the application code on the CodeCommit repository. When you add or update the source code in CodeCommit, the action generates a CloudWatch event, which triggers the pipeline to run. 2. Static code analysis of CloudFormation template to provision AWS resources Historically, AWS CloudFormation linting was limited to the ValidateTemplate action in the service API. This action tells you if your template is well-formed JSON or YAML, but doesn’t help validate the actual resources you’ve defined. You can use a linter such as the cfn-lint tool for static code analysis to improve your AWS CloudFormation development cycle. The tool validates the provisioning CloudFormation template properties and their values (mappings, joins, splits, conditions, and nesting those functions inside each other) against the resource specification. This can cover the most common of the underlying service constraints and help encode some best practices. The following rules cover underlying service constraints: E2530 – Checks that Lambda functions have correctly configured memory sizes E3025 – Checks that your RDS instances use correct instance types for the database engine W2001 – Checks that each parameter is used at least once You can also add this step as a pre-commit hook for your GIT repository if you are using CodeCommit or GitHub. You provision a CodeBuild project for static code analysis as the first step in CodePipeline after source. This helps in early detection of any linter issues. 3. Security code analysis of CloudFormation template to provision AWS resources You can use Stelligent’s cfn_nag tool to perform additional validation of your template resources for security. The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure provisioning and validates against AWS best practices. For example: IAM rules that are too permissive (wildcards) Security group rules that are too permissive (wildcards) Access logs that aren’t enabled Encryption that isn’t enabled Password literals You provision a CodeBuild project for security code analysis as the second step in CodePipeline. This helps detect any insecure infrastructure provisioning issues. 4. Compiling and testing application code and generating an AMI image Because you use a Java-based application for this walkthrough, you use Amazon Corretto as your JVM. Corretto is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). Corretto comes with long-term support that includes performance enhancements and security fixes. You also use Apache Maven as a build automation tool to build the sample application, and the HashiCorp Packer tool to generate an AMI image for the application. You provision a CodeBuild project for compilation, unit testing, AMI generation, and storing the AMI ImageId in the Parameter Store, which the CloudFormation template uses as the next step of the pipeline. 5. Copying the AMI image into target Regions You use a Lambda function to copy the AMI image into target Regions so the CloudFormation template can use it to provision instances into that Region as the next step of the pipeline. It also writes the target Region AMI ImageId into the target Region’s Parameter Store. 6. Deploying into multiple Regions with the CloudFormation template You use the CloudFormation template as a cross-region action to provision AWS resources into a target Region. CloudFormation uses Parameter Store’s ImageId as reference and provisions the instances into the target Region. Cleaning up To avoid additional charges, you should delete the following AWS resources after you validate the pipeline: The cross-region CloudFormation stack in the target and current Regions The main CloudFormation stack in the current Region The AMI you created in the target and current Regions The Parameter Store AMI_VERSION in the target and current Regions Conclusion You have now created a multi-region deployment pipeline in CodePipeline without having to worry about the mechanics of creating and copying AMI images across Regions. CodePipeline abstracts the creating and copying of the images in the background in each Region. You can now upload new source code changes to the CodeCommit repository in the primary Region, and changes deploy automatically to other Regions. Cross-region actions are very powerful and are not limited to deploy actions. You can also use them with build and test actions.View the full article
.png.6dd3056f38e93712a18d153891e8e0fc.png.1dbd1e5f05de09e66333e631e3342b83.png.933f4dc78ef5a5d2971934bd41ead8a1.png)
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.