Bitbucket AWS CodeDeploy Setup

Summary

This doc will explain how to setup a deployment pipeline using Bitbucket AWS plugin + AWS CodeDeploy.

CodeDeploy applications are at (link may vary depends on the region):

https://us-west-2.console.aws.amazon.com/codedeploy/home?region=us-west-2#/applications

The result of this setup will enable developers to trigger a deployment directly from Bitbucket UI.

Prerequisite

1. An AWS account with necessary permissions (eg: creating IAM roles, launch instance).
2. A Bitbucket project, and permission to install Bitbucket AWS CodeDeploy plugin.

Step 1. Create an IAM instance Profile & role for EC2 with CodeDeploy access

The purpose of this step is to give EC2 access right to S3 storage, which we will later push our deploy artifices into. Without this step, EC2 cannot fetch revisions from S3.

*You can create an IAM instance profile using either CLI or Console, below is using Console.

1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.
2. In the IAM console, in the navigation pane, choose Policies, and then choose Create Policy. (If a Get Started button appears, choose it, and then choose Create Policy.)
3. Next to Create Your Own Policy, choose Select.
4. In the Policy Name box, type CodeDeployDemo-EC2-Permissions.
5. In the Policy Document box, paste the following:
   { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Effect": "Allow", "Resource": "*" } ] }

   1 2 3 4 5 6 7 8 9 10 11 12 13 14

   { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:Get*", "s3:List*" ], "Effect": "Allow", "Resource": "*" } ] }

6. Choose Create Policy.

7. In the navigation pane, choose Roles, and then choose Create New Role.
8. In the Role Name box, give the IAM instance profile a name like CodeDeployDemo-EC2-Instance-Profile, and then choose Next Step.
9. On the Select Role Type page, next to Amazon EC2, choose Select.
10. On the Attach Policy page, select the box next to CodeDeployDemo-EC2-Permissions, and then choose Next Step.
11. Choose Create Role.

Step 2. Launch an EC2 instance using the IAM role created by Step 1

When you launch an EC2 instance, be aware there is a step to choose an IAM role, choose the role created in Step 1.

Step 3. Install CodeDeploy Agent into EC2 instance from Step 2

Connect to AWS EC2 instance:

1. Download the [yourPrivateKey].pem file.
2. Open an SSH client. (PuTTY or Git Bash etc…)
3. Locate your private key file ( [yourPrivateKey].pem ). The wizard automatically detects the key you used to launch the instance.
4. Your key must not be publicly viewable for SSH to work. Use this command to setup Owner View only:

   chmod 400 [yourPrivateKey].pem

5. Connect to your instance using its Public DNS:

   Example:

   ssh -i "[yourPrivateKey].pem" ubuntu@ec2-XX-XXX-XX-XX.us-west-2.compute.amazonaws.com

6. Install CodeDeploy Agent (Ubuntu):

   sudo apt-get update sudo apt-get install python-pip sudo apt-get install ruby sudo apt-get install wget cd /home/ubuntu wget [https://bucket-name.s3.amazonaws.com/latest/install](https://bucket-name.s3.amazonaws.com/latest/install) chmod +x ./install sudo ./install auto

   1 2 3 4 5 6 7 8 9

   sudo apt-get update sudo apt-get install python-pip sudo apt-get install ruby sudo apt-get install wget cd /home/ubuntu wget [https://bucket-name.s3.amazonaws.com/latest/install](https://bucket-name.s3.amazonaws.com/latest/install) chmod +x ./install sudo ./install auto

Step 4. Create a Service Role

The service role you create for AWS CodeDeploy must be granted the permissions to access the instances to which you will deploy applications. These permissions enable AWS CodeDeploy to read the tags applied to the instances or the Auto Scaling group names associated with the instances.

*You can create an IAM instance profile using either CLI or Console, below is using Console.

1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles, and then choose Create New Role.
3. In the Role Name box, give the service role a name (for example, CodeDeployServiceRole), and then choose Next Step.
4. On the Select Role Type page, with AWS Service Roles selected, next to AWS CodeDeploy, choose Select.
5. On the Attach Policy page, select the box next to the AWSCodeDeployRole policy, and then choose Next Step.
6. Note the value of the Role ARN field. You will need it later when you create deployment groups. If you forget the value, follow the instructions in Get the Service Role ARN (Console) .
7. Choose Create Role.
8. If you want this service role to have permission to access all currently supported endpoints, you are finished with this procedure.
9. Under Trust Relationships, choose Edit Trust Relationship.
10. You should see the following policy, which provides the service role permission to access all supported endpoints:
    { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codedeploy.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }

    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

    { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "codedeploy.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }

Step 5. Create CodeDeploy Application

Go to AWS CodeDeploy and follow the widget to creating the Application, remember to use the Service Role created in Step 3. You will need to select the instance from Step 2.

Step 6. Create an IAM role for bitbucket AWS plugin

Bitbucket needs the ability to stage your code artifacts in an Amazon S3 bucket for CodeDeploy to pull, so step one of this setup process is to create an AWS Identity and Access Management (IAM) role with the following policy:

The setup will ask for the ARN of the IAM role so Atlassian can assume a role in your account, push code to your S3 bucket on your behalf, and do a deployment using CodeDeploy.

Once you’ve provided the role ARN, you’ll also be able to tell Bitbucket which S3 bucket to use for storing deployment artifacts and which CodeDeploy application to deploy to:

• Final Step: Enjoy deploy with one button click through Bitbucket UI

  

  PS: You can choose which target environment you want to deploy after clicking “Deploy to AWS”.

Trouble shooting

• Verify the AWS CodeDeploy agent is running

  To see if the AWS CodeDeploy agent is installed and running, sign in to the instance, and run the following command:

  sudo service codedeploy-agent status

  1 2	sudo service codedeploy-agent status

  If the command returns an error, the AWS CodeDeploy agent is not installed. Install it as described in Install or reinstall the AWS CodeDeploy agent for Amazon Linux or RHEL .

  If the AWS CodeDeploy agent is installed and running, you should see a message like The AWS CodeDeploy agent is running.

  If you see a message like error: No AWS CodeDeploy agent running, start the service and run the following two commands, one at a time:

  sudo service codedeploy-agent start sudo service codedeploy-agent status

  1 2 3

  sudo service codedeploy-agent start sudo service codedeploy-agent status

• AWS CodeDeploy limitation
  1. Do not have more than one CodeDeploy pointing to the same file:
     • If 2 CDs point to the same file on the same server, the first CD will put a lock on that file, and the next CD cannot change it
     • It’s ok to put 2 CD pointing to the same server, as long as they’re not targeting the same file.
  2. For S3 deployment (eg: static website), other tools are needed. GoCD and Jenkins are both good choices.

Reference:

https://aws.amazon.com/blogs/apn/announcing-atlassian-bitbucket-support-for-aws-codedeploy/

Want an end-to-end continuous deployment pipeline?:

Check this blog to build a Jenkins pipeline with AWS CodeDeploy