How to Build AWS Cross Account CI-CD Deployment using AWS Developer Tools
Learn to set up Cross-Account CI/CD pipelines using AWS tools. Deploy across multiple AWS accounts and environments with a robust, scalable strategy
Published Aug 18, 2024
Last Modified Oct 24, 2024
In today's digital world, businesses are using cloud services like Amazon Web Services (AWS) to work more efficiently. AWS offers tools that help automate the process of developing and deploying software. One challenge companies face is deploying applications across multiple AWS accounts while keeping the process smooth and secure.
Implementing and deploying cross-account CI/CD (Continuous Integration and Continuous Deployment) can be a complex and time-consuming task. In a multi-account and multi-environment strategy, it's important to have a centralized Shared Services Account from which we can deploy CI/CD pipelines to different environments like Development, Staging, QA, and Production.
In this article, we'll explore how to use AWS tools such as CodeBuild, and CodeDeploy to set up cross-account CI/CD pipelines. We'll cover how to deploy applications running on EC2 servers from a centralized or shared account to Development or Production accounts. By setting up roles, managing permissions, and automating deployments, you'll be able to build a strong and scalable system. Whether you're a developer or part of a DevOps team, learning these skills can greatly improve how you deploy applications in the cloud.
Create Cross Account Role which will be assumed by CodeBuild Service in Shared Account or Centralised Account.
- Log in to the Dev or Prod account and go to the IAM section and click Create role.
- Select the trusted entity as an AWS account and in an AWS Account section choose Another AWS Account option. Now you can provide a shared or Centralised Account ID here.
2. Add AdministrationAccess Permissions and Provide Role Name and Description and create an IAM role. in my case role name is "cross-account-cicd-role".
EC2 role fetches the build artifacts from the source bucket in the shared account and allows the CodeDeploy service to deploy the latest code on the server.
- Log in to the Dev or Prod Account and go to the IAM console and select Roles and click Create Role.
- You can select Trusted Entity as EC2 and add the permissions mentioned below.
Policies:
- AmazonEC2RoleforAWSCodeDeploy
- AmazonS3FullAccess
- AmazonSSMManagedInstanceCore
- CloudWatchAgentServerPolicy
- Provide Role Name and click on Create Role.
- Once the Role is created, Inside the Role go to the Under Permissions policies, you can Click on Add Permissions, and select Create Inline Policy. You can choose JSON and Paste the below JSON by updating the bucket name and KMS key ARN details.
Inline policy to get access to the artifacts bucket and KMS key used to encrypt the bucket in the shared account. Make sure you have created a S3 bucket to store the artifacts of the pipeline in a shared account and encrypt it with a custom/user-defined KMS key.
Create an inline policy for S3:
Attach this role to EC2 instance where your application is running.
- Log in to the Dev or Prod Account. Go to the AM console go to the IAM Roles and click Create Role
- Select Trusted Entity as CodeDeploy and Click on Next. After that Provide the Role Name and Description and Click on Create Role.
Login to the Development or Production Account. Go to the Developer Tools. Click CodeDeploy and go to Applications.
Go to the Create application and provide the application name. After choosing the Compute platform as EC2/on-premises and create application.
- Once the application is created then click on Create deployment group.
- Provide deployment group name.
- Choose the service role which we have created in the above steps (AWSCodeDeployRole).
- Choose Deployment type as In place.
- Under Environment configuration click onAmazon EC2 instances and choose Key as Name and Value as the hostname of the instance to deploy the code.
- Select only once under Codedeploy Agent installation and choose OneAtATime deployment under Deployment settings.
- Choose the Load balancer and its corresponding target group
- Create a deployment group.
Below are the sample example files please amend the details as per your application or deployment requirement.
buildspec.yml:
- Create S3 bucket to store the artifacts of the Build and add below below-mentioned Bucket Policy that allows UAT or Production Account EC2 Role to download the artifacts into the EC2 server.
1. CodeBuild Service Role with S3, CloudWatch access and one inline policy that assumes the Cross Account Role to access the UAT or Production Account resources.
2. Go to IAM console. Click Roles and go to Create Role. After that Add permissions mentioned below and click on Create Role.
3. To create an inline policy: Once the Role is created, go inside the Role and under permissions policies click on Add permissions
- Select Create Inline Policy
- Choose JSON
- Paste the below JSON details by updating the Development or Production Account EC2 role ARN details
- click on Next and give name and click on Create.
- Go to IAM and click Roles
- Create a Role and Add CloudwatchFullAccess permissions mentioned below
- lick on Next and Provide Role Name and Description and click on Create Role.
Go to Developer Tools → CodePipeline → Pipelines → Create pipeline
Step1: Pipeline settings
- Provide the pipeline name.
- Choose existing service role and select the pipeline role which we have created earlier.
- Expand Advanced settings.
- Choose Custom location for Artifact store.
- Select the Bucket which we have created to store the artifacts.
- Select Custom encryption key and click on Next.
Step2: Add source stage
Choose GitHub as the Source provider, choose the repository and branch name, and leave the other two options default like below, click on Next.
Step3: Add build stage
- Choose AWS CodeBuild as Build provider, click on Create project then it will open new wizard.
- In the create build project page provide the project name and description.
- Choose Build type as Single build and click on Next.
Step4: Add deploy stage
- Click on Skip deploy stage and Next, and it will pop up a window for confirmation just click on Skip to skip the deploy stage and click on Next.
We are going to use the CodeDeploy service in the Development or Production account to deploy the code on the EC2 application servers thats why we are skipping the deploy stage in the pipeline.
Step5: Review stage
Finally, review the details and click on Create Pipeline to create a pipeline.
Once the pipeline is created then it will automatically execute the stages the first time and the next time onwards it will trigger whenever any changes in the source code.
If we configured the things properly then our pipeline execution completes successfully and it will trigger the CodeDeploy deployment in development or production.
Now login to the development or production account and go to Developer Tools go to CodeDeploy and click Application. Choose your application and go to Deployment groups. After that you can see the latest build status was Succeeded.
In this article, we explored how to integrate GitHub and AWS Developer Tools like CodeBuild, CodePipeline, and CodeDeploy to create a CI/CD pipeline capable of deploying application code to an EC2 instance across multiple AWS accounts. By leveraging a centralized account, we demonstrated how to effectively manage and deploy your applications to target AWS accounts, ensuring a streamlined and efficient deployment process.
Thanks for reading! Let’s see you in the next article. And Stay connected on LinkedIn :