
AWS CodePipeline

AWS provides two developer services for building code, AWS CodePipeline and AWS CodeBuild. The former is an orchestration tool, while the latter executes each stage using a buildspec file. This guide assumes both were configured manually through the AWS Console and only focuses on the gotchas[1].

CodePipeline

By default, CodePipeline clones a repository to S3 without the .git metadata folder. A full clone[2] is needed for Uplift to run.

CodePipeline Artefact Format

CodeBuild

CodeBuild will always receive a git clone with a detached HEAD. By default, Uplift will error in this scenario. If performing a release, this will need to be resolved through a git checkout. However, the branch name is not exposed to CodeBuild by default. CodePipeline provides a variable #{SourceVariables.BranchName} that can be mapped to CodeBuild as an environment variable:

CodeBuild Branch Environment Variable

IAM

Additional permissions are needed to pull and push code within AWS CodeBuild. These vary based on the SCM used.

Principle of Least Privilege

For illustration purposes, a resource type of "*" is used. This should always be narrowed to the specific resource when possible.

CodeCommit

Both the codecommit:GitPull and codecommit:GitPush IAM permissions are needed and should be added to the CodeBuild service role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CodeCommitUplift",
      "Effect": "Allow",
      "Action": ["codecommit:GitPull", "codecommit:GitPush"],
      "Resource": "*"
    }
  ]
}

GitHub

The codestar-connections:UseConnection IAM permission is needed when interacting with GitHub through an AWS CodeStar connection.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitHubUplift",
      "Effect": "Allow",
      "Action": ["codestar-connections:UseConnection"],
      "Resource": "*"
    }
  ]
}
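The "Principle of Least Privilege" note above says the "*" resource should be narrowed. The following added example (not code from the Uplift project or its documentation) takes the two policies shown on this page, flags every Allow statement that still carries a wildcard Resource, and rewrites those statements to concrete ARNs. The CodeCommit repository and CodeStar connection ARN shapes are the standard AWS formats; the region, account id, repository name and connection id used in the demo are constructed placeholders.

```python
"""Lint the CodeBuild role policies from this page and narrow their Resource.

Added example, not part of the Uplift project or its docs. It looks for
Allow statements whose Resource is "*" and replaces them with the ARNs the
caller supplies, refusing to return a policy that still has a wildcard.
"""
from __future__ import annotations

import copy
import json

# The two policies exactly as they appear on this page.
CODECOMMIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeCommitUplift",
            "Effect": "Allow",
            "Action": ["codecommit:GitPull", "codecommit:GitPush"],
            "Resource": "*",
        }
    ],
}

GITHUB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GitHubUplift",
            "Effect": "Allow",
            "Action": ["codestar-connections:UseConnection"],
            "Resource": "*",
        }
    ],
}


def codecommit_repo_arn(region: str, account_id: str, repo_name: str) -> str:
    """Standard ARN shape for a CodeCommit repository."""
    return f"arn:aws:codecommit:{region}:{account_id}:{repo_name}"


def codestar_connection_arn(region: str, account_id: str, connection_id: str) -> str:
    """Standard ARN shape for an AWS CodeStar connection (used for GitHub)."""
    return f"arn:aws:codestar-connections:{region}:{account_id}:connection/{connection_id}"


def wildcard_statements(policy: dict) -> list[str]:
    """Return the Sid of every Allow statement whose Resource contains "*"."""
    flagged: list[str] = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def narrow_resources(policy: dict, arns_by_sid: dict[str, list[str]]) -> dict:
    """Return a deep copy of `policy` with each listed Sid's Resource replaced.

    Raises ValueError when an Allow statement would still carry a wildcard, so
    a half-narrowed policy is never handed back to the caller.
    """
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed.get("Statement", []):
        sid = stmt.get("Sid")
        if sid in arns_by_sid:
            stmt["Resource"] = list(arns_by_sid[sid])
    leftover = wildcard_statements(narrowed)
    if leftover:
        raise ValueError(f"wildcard Resource remains in statements: {leftover}")
    return narrowed


def demo() -> dict:
    """Narrow both page policies using constructed placeholder identifiers."""
    region, account = "eu-west-1", "111122223333"  # constructed placeholders
    codecommit = narrow_resources(
        CODECOMMIT_POLICY,
        {"CodeCommitUplift": [codecommit_repo_arn(region, account, "example-repo")]},
    )
    github = narrow_resources(
        GITHUB_POLICY,
        {"GitHubUplift": [codestar_connection_arn(region, account, "EXAMPLE-CONNECTION-ID")]},
    )
    return {"codecommit": codecommit, "github": github}


if __name__ == "__main__":
    print("wildcards before:", wildcard_statements(CODECOMMIT_POLICY), wildcard_statements(GITHUB_POLICY))
    print(json.dumps(demo(), indent=2))
```

Run the script in the CI stage that manages the CodeBuild role, or simply paste the narrowed output back into the role. Because the function copies the input, the original dictionaries are left untouched, which makes it safe to keep the page's wildcard versions around for comparison.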

Buildspec

The buildspec will change depending on the CodeBuild project base image.

Default Amazon Images

Tested against the Amazon Linux 2, Ubuntu and Windows variants.

# buildspec.yml

version: 0.2
env:
  git-credential-helper: yes # (1)
phases:
  install:
    commands:
      - curl https://raw.githubusercontent.com/gembaadvantage/uplift/main/scripts/install | bash
  pre_build:
    commands:
      - git checkout $BRANCH_NAME # (2)
  build:
    commands:
      - uplift release
  1. Without this, Uplift will lack credentials when attempting to push code back to the source SCM.
  2. The BRANCH_NAME environment variable can be referenced directly within the buildspec, once mapped.
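The two failure modes this page describes, an artefact delivered without its .git folder and a detached HEAD with no branch name mapped into CodeBuild, are both cheap to detect before uplift release runs. The following added example (not code from the Uplift project or this documentation) is a pre-flight check that inspects the workspace and environment and reports what would go wrong. BRANCH_NAME is the variable name used on this page; the function names, finding strings and the constructed fixture workspaces are this example's own.

```python
"""Pre-flight checks for running Uplift inside an AWS CodeBuild stage.

Added example, not code from the Uplift project or its documentation.
It checks for a clone stripped of .git metadata and for a detached HEAD
when no BRANCH_NAME has been mapped from CodePipeline.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def current_branch(repo_dir: Path) -> str | None:
    """Return the branch HEAD points at, or None when HEAD is detached.

    Git stores an attached HEAD as "ref: refs/heads/<branch>"; a detached
    HEAD stores the bare object id of the checked-out commit instead.
    """
    head = (repo_dir / ".git" / "HEAD").read_text(encoding="utf-8").strip()
    prefix = "ref: refs/heads/"
    return head[len(prefix):] if head.startswith(prefix) else None


def checkout_target(repo_dir: Path, env: dict[str, str]) -> str | None:
    """Branch to pass to `git checkout`, or None when no checkout is needed/possible."""
    if current_branch(repo_dir) is not None:
        return None  # already on a branch, Uplift can run as-is
    return env.get("BRANCH_NAME") or None


def preflight(repo_dir: Path, env: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the release can proceed."""
    findings: list[str] = []
    if not (repo_dir / ".git").is_dir():
        findings.append("no .git directory: the CodePipeline artefact is not a full clone")
        return findings  # nothing further can be inspected without metadata
    if current_branch(repo_dir) is None and not env.get("BRANCH_NAME"):
        findings.append(
            "detached HEAD and BRANCH_NAME is unset: map "
            "#{SourceVariables.BranchName} into CodeBuild before running uplift release"
        )
    return findings


def _make_workspace(root: Path, head: str | None) -> Path:
    """Constructed fixture: a fake clone whose .git/HEAD holds `head` (None = no .git)."""
    repo = root / "repo"
    repo.mkdir()
    if head is not None:
        (repo / ".git").mkdir()
        (repo / ".git" / "HEAD").write_text(head + "\n", encoding="utf-8")
    return repo


def run_demo() -> dict[str, dict]:
    """Exercise the checks against four constructed workspaces."""
    detached = "0123456789abcdef0123456789abcdef01234567"  # constructed commit id
    scenarios = [
        ("no_git", None, {}),
        ("detached_no_branch", detached, {}),
        ("detached_with_branch", detached, {"BRANCH_NAME": "main"}),
        ("attached", "ref: refs/heads/main", {}),
    ]
    results: dict[str, dict] = {}
    for name, head, env in scenarios:
        with tempfile.TemporaryDirectory() as tmp:
            repo = _make_workspace(Path(tmp), head)
            findings = preflight(repo, env)
            target = checkout_target(repo, env) if not findings else None
            results[name] = {"findings": findings, "checkout": target}
    return results


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {outcome}")
```

In a real buildspec the script would run in pre_build with `env=dict(os.environ)` and the repository path set to CODEBUILD_SRC_DIR, exiting non-zero on any finding so the stage fails before Uplift does with a less specific error.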

Official Uplift Image

Tested against the public gembaadvantage/uplift image.

Dealing with DockerHub Rate Limits

There are known issues with accessing public DockerHub repositories from AWS services, documented here.

# buildspec.yml

version: 0.2
env:
  git-credential-helper: yes
phases:
  pre_build:
    commands:
      - git checkout $BRANCH_NAME
  build:
    commands:
      - uplift release

  [1] A preferred approach for generating an AWS CodePipeline is to either write a CloudFormation template manually or use the AWS CDK tooling. This is known as Infrastructure as Code (IaC) and was not included in this documentation to avoid unnecessary complexity.

  [2] This strategy works for all supported SCM providers.