Bitbucket and CodeDeploy

Today, since we are growing our development team and I don’t want to handle deploying code for the team all the time, I went ahead and integrated Bitbucket with CodeDeploy to make things a bit more efficient. Our workflow can now be: Write Code, Commit Code, QA Code, Sign Off, Deploy.

However, if you don’t have much experience with IAM Roles and CodeDeploy, it is a bit of a hassle to get started, so here are a few gotchas for those who don’t want to go through the official AWS documentation. First, don’t expect to just start modifying your deployment process on an old staging server using CodeDeploy; depending on the setup, it probably won’t work. You need to have an IAM Instance Profile set up, which you can only do when you create an EC2 instance. Let’s start there.

Create user, assign roles, and create EC2 instance

Create a new IAM User

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#Using_CreateUser_console

Grant access to CodeDeploy to that IAM User

Add the following policy to your new user.

{
  "Version": "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Action" : [
        "autoscaling:*",
        "codedeploy:*",
        "ec2:*",
        "elasticloadbalancing:*",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "s3:*"
      ],
      "Resource" : "*"
    }
  ]
}

Create a service role

http://docs.aws.amazon.com/codedeploy/latest/userguide/how-to-create-service-role.html

Create an EC2 instance

Do your normal “Launch Instance”, but on Step 3: Configure Instance Details, you must assign the service role to the instance.

Some Gotchas

The service role must have a Trust Relationship set up with CodeDeploy. This is what I used:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Note the “Service” array has codedeploy.amazonaws.com.

Setup CodeDeploy

  1. Create a new Application. During this step, make sure you map the service role you created earlier as well as the name of the instance(s).

Tip: If you run into “Cannot assume role”, check out the gotcha above.

  2. Install the agent on the EC2 instance

# Run as root (or prefix each command with sudo)
yum update
yum -y install ruby wget
cd /home/ec2-user
wget https://aws-codedeploy-us-east-1.s3.amazonaws.com/latest/install # depends on your region
chmod +x install
./install auto

Setup Bitbucket

  1. Install the CodeDeploy Addon via Settings > Addons > AWS CodeDeploy

  2. Go to the repository you want to deploy to the new instance

  3. Settings > CodeDeploy Settings

  4. Follow the on-screen instructions to create the Bitbucket role with Third Party AWS Accounts; this is what mine looks like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::507461364343:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "connection:123456"
        }
      }
    }
  ]
}

  5. Copy and paste the ARN from the newly created role to connect the two

  6. Add an AppSpec file named appspec.yml to the base of your repo

version: 0.0
os: linux
files:
  - source: /
    destination: /home/user/public

See documentation on AppSpec files here: http://docs.aws.amazon.com/codedeploy/latest/userguide/app-spec-ref.html

Once this is completed you should be able to deploy from any commit using the Deploy to AWS button.
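
As an added example (not from the original post and not AWS tooling), this Python check runs over reduced copies of the three policy documents above and flags service-wide wildcards and role-granting IAM actions on `Resource: *`, a role trusted by several services, and cross-account trust that lacks the `sts:ExternalId` condition. The function names, the `SENSITIVE` list and the finding strings are assumptions of this example.

```python
# Constructed input: the page's three policies, reduced to the fields the checks read.
USER_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "autoscaling:*", "codedeploy:*", "ec2:*", "elasticloadbalancing:*", "iam:GetRole",
    "iam:CreateRole", "iam:PassRole", "iam:PutRolePolicy", "s3:*"]}]}
SERVICE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]}}]}
BITBUCKET_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::507461364343:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "connection:123456"}}}]}

# Assumed short review list: IAM actions that can hand out more privilege.
SENSITIVE = {"iam:PassRole", "iam:PutRolePolicy", "iam:CreateRole"}


def as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [] if value is None else [value]


def lint(policy):
    """Return sorted findings for the Allow statements of an identity or trust policy."""
    findings = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal is None:  # identity policy: look at Action/Resource
            if "*" in as_list(stmt.get("Resource")):
                for action in as_list(stmt.get("Action")):
                    if action == "*" or action.endswith(":*") or action in SENSITIVE:
                        findings.add(f"{action} on Resource *")
        else:  # trust policy: look at who may assume the role
            if principal == "*":
                principal = {"AWS": "*"}
            aws = as_list(principal.get("AWS"))
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "*" in aws:
                findings.add("trust policy allows any AWS principal")
            if aws and "sts:ExternalId" not in cond:
                findings.add("cross-account principal without sts:ExternalId")
            if len(as_list(principal.get("Service"))) > 1:
                findings.add("role trusted by more than one service")
    return sorted(findings)


if __name__ == "__main__":
    for name in ("USER_POLICY", "SERVICE_TRUST", "BITBUCKET_TRUST"):
        print(name, lint(globals()[name]))
```

The Bitbucket trust policy comes back clean because of its `sts:ExternalId` condition; the user policy and the shared service role are the two places to tighten.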

Other issues I encountered

  1. Don’t use a version other than 0.0 in your AppSpec file, or your deployments will fail
  2. Don’t have anything existing in your destination, or the deployment will fail
