20) Deployment with AWS Lesson

Part 1: AWS CodeDeploy

11 min to complete · By Ryan Desmond, Jared Larsen

This lesson is Part 1 of 2 that will walk you through setting up AWS CodeDeploy for deployment. Now that you've automated builds of your project, you'll want to deploy it automatically. While copying your artifact from S3 to your EC2 instance seems pretty straightforward, CodeDeploy can automate this process in a very flexible and scalable way.

What is AWS CodeDeploy?

AWS CodeDeploy automates deployment to servers such as your EC2 instances. CodeDeploy can make it easier for you to push new releases more often while avoiding downtime. It helps to eliminate many error-prone manual operations and allows you to scale your deployment infrastructure easily. And the good news is, CodeDeploy does not incur any additional costs beyond what you are already paying for EC2, AWS Lambda, or Amazon ECS.

Getting Started with CodeDeploy

Head on over to the CodeDeploy Console to get started. By default, this takes you to the "Deployments" page, which is empty at this time. Click Getting started in the sidebar. As before, take a few minutes to read the page and watch the video for a quick introduction.

To get started, click the big orange Create application button.

Application Configuration

  • Application name - give it a name like "DemoApplication"
  • Compute platform - EC2

Click Create application.

You should receive a notification that the application was created successfully and that, in order to create a new deployment, you must first create a deployment group. For an EC2 deployment, a deployment group simply specifies which instances are targeted for deployment. You can target individual instances or instances tied to Auto Scaling groups.

Keep in mind that you can create more than one deployment group for each CodeDeploy application. This allows you to deploy new builds to different instances or sets of instances at different times. You might create one deployment group with instances tagged as beta, which is used for testing before pushing the build to another deployment group with instances tagged production.

You'll create a deployment group in the next lesson, since there is some prerequisite work to be completed first.

AWS Tags

As mentioned above, deployment groups rely on instance tags. You might remember as part of the EC2 instance launch process that you were able to add tags at that time. You didn't add any, but that's OK - you can add/update/remove tags at any time.

Tags are a simple way of labeling your assets in order to better organize them. You can imagine how complicated your EC2 dashboard can become when managing dozens or even hundreds of instances and their respective resources. Just as an institution might tag its physical resources like servers and other equipment, tags allow you to track and organize things inside AWS.

Each tag consists of a key and value (value is optional), both of which are simple strings. There are no specific guidelines for how tags should be used or structured; it's entirely up to you.

You can read more about using tags here, but don't worry about diving too deep into them at this time. Just go ahead and navigate to your EC2 console in a new tab and add a single tag to your demo deployment instance. You'll reference it shortly.

Identity and Access Management (AWS IAM)

Much like the security group used to secure your EC2 instance, AWS IAM provides access control -- across all of AWS. IAM controls who can access which services or resources at any given time. AWS IAM is widely used by teams that require multiple accounts and administration, but it is also used to specify permissions for automated services like AWS CodeDeploy.

AWS IAM Role

Because CodeDeploy requires permission to access your EC2 resources, you must create a "service role" for CodeDeploy before proceeding. To begin, navigate to the AWS IAM console.

In the sidebar, click Roles, then click the Create role button.

On this page, select AWS service, then from the Choose the service that will use this role list select CodeDeploy, then below the list select CodeDeploy again.

On the next page, AWSCodeDeployRole is automatically selected. Click Next.

On the review page, enter "CodeDeployServiceRole" as the name for the role, then click the Create role button. With that, you have created a service role that can be used to create CodeDeploy deployment groups. But you're not done yet. Continue with the IAM configuration.

AWS IAM Instance Profile

The second piece of the IAM puzzle is configuring an instance profile, which provides permissions directly to your instance. The instance profile consists of a role that contains one or more policies. First, you'll need to create a custom policy that allows the instance access to S3, where your artifact is stored.

In the AWS IAM console sidebar click Policies, then click the Create Policy button.

Paste the following in the JSON tab:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Click Next, Next, then on the review page, use "CodeDeployDemo-EC2-Permissions" for the policy name. Click the Create policy button. Nice, your custom policy is complete. Now you'll create a role that contains this new policy.
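The policy above allows s3:Get* and s3:List* on "Resource": "*", so the instance can read every bucket in the account, not just the one holding your artifact. The following is an added example, not part of the original lesson: it flags that kind of statement and rewrites it to name specific buckets. The function names and the bucket name "example-artifact-bucket" are placeholders chosen for illustration.

```python
import copy

# The policy pasted in the lesson, reproduced so the check runs offline.
LESSON_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:Get*", "s3:List*"], "Effect": "Allow", "Resource": "*"}
    ],
}

def _as_list(value):
    """IAM accepts a bare value or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def wildcard_s3_statements(policy):
    """Return Allow statements that grant s3: actions on every bucket."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        touches_s3 = any(a.lower().startswith("s3:") for a in actions)
        is_broad = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if touches_s3 and is_broad:
            findings.append(stmt)
    return findings

def scope_to_buckets(policy, buckets):
    """Return a copy whose flagged statements name only the given buckets."""
    arns = []
    for bucket in buckets:
        # The bucket ARN covers s3:ListBucket; the /* ARN covers object reads.
        arns += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    scoped = copy.deepcopy(policy)
    for stmt in wildcard_s3_statements(scoped):
        stmt["Resource"] = arns
    return scoped

if __name__ == "__main__":
    import json
    # "example-artifact-bucket" stands in for your build artifact bucket.
    print(len(wildcard_s3_statements(LESSON_POLICY)), "statement(s) on every bucket")
    scoped = scope_to_buckets(LESSON_POLICY, ["example-artifact-bucket"])
    print(json.dumps(scoped, indent=2))
```

Paste the printed JSON into the policy editor in place of the wildcard version. If the instance also downloads the CodeDeploy agent from S3, add that bucket to the list as well.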

In the IAM sidebar, click Roles, then click the Create role button.

  • Select AWS service, and under use case choose EC2, and click Next.

  • In the permissions list, put a check next to the policy you just created (CodeDeployDemo-EC2-Permissions).

  • Also check AmazonSSMManagedInstanceCore (use the search to find it if you need to).

  • Click Next

  • Give the role a name: CodeDeployDemo-EC2-Instance-Profile

  • Click the Create role button.

Now that your instance profile has been created, you'll need to assign it to your EC2 instance. Once again navigate to the EC2 console, and head to your instance detail page. On this page, notice that the IAM Role section currently contains a dash (-), which means no role is currently assigned.

To assign one, click the Actions menu, then Security, then Modify IAM role.

Choose your instance profile, and click Update IAM role. And with that, your instance has the permissions necessary to work with CodeDeploy!

Note: It is generally not necessary to reboot your instance, but it may take a few minutes for the permissions to take effect. If you encounter any permissions issues with the new IAM roles, an instance reboot should resolve them.

Summary: AWS CodeDeploy Part 1 - AWS Tags & AWS IAM

You've now completed most of the preparatory work for AWS CodeDeploy to handle your application deployment. Up next, you'll create a deployment group of instances to target, then run an actual deployment. Stay tuned!