Set up Bitbucket Pipelines and AWS CodeDeploy with Terraform

guides keyboard image

What you’ll need to follow this guide: Link to heading

  • Terraform >12.13 & understanding of basic Terraform usage
  • AWS API Access, preferably with admin-level permissions
  • Bitbucket Repository with Pipelines enabled
  • An EC2 Instance you wish to push your code repository contents to

Concept: Link to heading

Using Bitbucket Pipelines and Bitbucket Deploy, we will set up automatic pushes to an EC2 Instance with AWS CodeDeploy. Target EC2 Instance does not need to be publicaly accessible in any way for this approach.

Benefits: Link to heading

  • A non-SSH approach - Unlike webhooks to Jenkins or other scripts that Rsync, this method will allow you to stay behind firewalls and/or private subnets within your AWS VPC
  • Lean on IAM for tighter authorization of AWS resources
  • Pipelines offer a world of options in continuous integration and delivery practices and tools
  • No internal EC2 instances running to support deployment

Costs: Link to heading

  • AWS CodeDeploy - ~$0.02 per deployment, per instance (priced from us-west-2)
  • S3 standard storage costs apply

Implementation Guide: Link to heading

Included are some hints in Terraform code that you can adapt to your needs. Please modify it accordingly to your needs and environemnt. Link to heading

1. Create IAM User with Direct Policy Attachment for Bitbucket. Link to heading

The basic goal of this step is to screate an IAM user and a direct policy for Bitbucket, as well as an S3 bucket, which will be where you upload your repository artifacts. An IAM user controls access to specific AWS resources that will be used in this guide.

For obvious reasons, you will want to call your bucket something else and change the bucket name.

r}r}r}r{}E}eeeeOsbrafs}v}snpsusnupFouecoeeoaaosoasoucglrrr}reumtueumel""]rkicvusnrehrrreriVSceoeela}iaccccetetn_repobe==e=eyrad_psnlst{}{}"===es{lsie""""""=ie,,asiyendab/a$aomw"""td__gwi"w{wneseupresa=stsas<"n"""]"""""_xsro_el{_b_w_E:tSEA,RSEARsa-iyergfiuisi==O"ifceifce3mwvnvoaaca_aF":dftsdfts_pea=cerlmkmim""2"ei""""""""o"eioblstrris_e_a_b$0[:cossssssssu:couuetefy_teutamui{1tn33333333rtnrc--"apshs"c_sta2"""::::::::c"""ckb2ltimecuebw-V::GPGLLLCHeV::eeu"sidresrus1ieueiiire"i"tceoe="se_c_0s"[tttsssea:s"":"kn_srpki-uAAAAtttaduAse_e""_.oea1alcccAAJtB"al3["tcnAbkbltm7llccclcoeu*ll:"e"ocEieii"_"EoeoolcbJc"Eo*axnrStytcu,dwsuuMesokdw"rafy2b"bysi"snnys"bei",nmip5uu"et,PttBs,"tt,:pgt6c"crooPPuP,"oalui"kbk".riuucorweroeiebb0nbbki1s_antttii"tllen":bt_"b_tt,"iitt,suibupbb,ccss3coy{ciuuAA"":kn_kpcccc,,:edeekkcc:t{etpeeeee"f"lttssxai".ssa{u{nnBBmle{allptsmool.ecce{n}kk-a"""bm,,uec}k"et/*"]
After your terraform apply, you should now have an IAM user created for Bitbucket to work with. Link to heading

2. Create a separate IAM role & policy for your EC2 Instance that will be able to use CodeDeploy. Link to heading

We will be using an IAM role to attach to an EC2 instance; the IAM policy will drive what actions and AWS resources the role will be able to perform once it is attached to an instance.

It will need to read the same S3 bucket and have access to codedeploy, along with the proper trust relationship for the service and will be attached to your EC2 instance:

r{{}E}d}r}r}r}r}eOaeeeesnpFts}snasnrpsnrsaiit}oaoIatoasoaooAoaoYomanauml""]Aaap}umsumlltumlouimsgNreiVSM"tcrreureeitreeur_tsaccetaetiticmcscacciameyratwminyde=eeyce==wenn=est{}{}{}{}}{}{}{}{}rseocpe__hisc"=ie,,,,,,,,u_nnien""r"a"""l"te{=aom"""]"sitsptacoartac$laa_wneSEA,Rtaaiwolwnhwo{wnt"s<"n"""]"ifc""e"""""""""]""""]""}"""]""""]""""]"m{=lfsdesesdanscye_E:tSEA,RdftsssaAERAEREA,RSEA,RCSEA,RSEA,RSEA,Rr_si_e__===_ewe_epxi=O"ifce"ei33orcfecfefceifceoifceifceifceep[eidpiridsei_eaaF":dfts:co::untfstfsftsdftsndftsdftsdftslo"{raeoa"["oae_dnpmm"2"ei""""""""otnGLr:ieoieoei""""""""""""""""""""""""""""""""""""""o"ei""""""od"}"ei""""o"ei""o"ei"oalssmplmc"$lmpis=r=p_c0[:cossssssssu"""eicaocuocucoaaaaaaaaaaaaaaaaaaaaaaaeeetscceeeeeeeeu:coccccccuiS:coccccu:cossu:cosutit_li_o${e_laatolpo1tn33333333rV::tsewntrntrtnuuuuuuuuuuuuuuuuuuuuuuucccanllllllllllrtnoooooortttnoooortnnnrtnnrics==rocpd{aioma"f"eod2"""::::::::ci*t"s""c""c""ttttttttttttttttttttttt222gsooaaaaaaaac"""ddddddcir"""ddddc"""ssc"""scoy:oyyoeawtny_rnpit_le-V::GPGLLLCHes"["*::::e::e::ooooooooooooooooooooooo:::::uusssssssseC::eeeeeeeoi"C::eeeeeC::::eS:::en_A"["]l-ldwsos-recll2iid1ieueiiire"uA,"s""sssssssssssssssssssssssDDTGPddtttttttt"ossssss"nncossss"oCS"NL"sdsS"cee=ies_teoaeae.nce0s"[tttsssea:al[3"":"":"[ccccccccccccccccccccccceeeeuwwiiiiiiii:d"[tttttt:"god"[tttt:d"[re:S"[i:hoseeo"ccp_iyacll"cmsyp-uAAAAtttadll:cAcAAaaaaaaaaaaaaaaaaaaaaaaassrtbaacccccccceAaaaaaa:LdeAaaaaeAetTAsicurcd2"yliaon2ee=it"l1alcccAAJtB"Eo:ol"ll"llllllllllllllllllllllllccmRlttllllllll"Slrrrrrr"ieSlrrrr"SlaT"olt"pumv2e""$_oamuc".A"hcao7llccclcoeu*dw:dl*ol*liiiiiiiiiiiiiiiiiiiiiiirrieiccoooooooo*tl------*{kstl----*tltoaplT*mei.dc{aym_recMeo"rn"y"EoeoolcbJc"i"eeo"uo"onnnnnnnnnnnnnnnnnnnnnnniinsshhaaaaaaaa"aonnnnnn"etaonnnn"aoeprioo"eRcaeodt-_p_oIxl$occ-,dwsuuMesokt,xdwdwwgggggggggggggggggggggggbbaoh::ddddddddrwoooooo,"arwoooorwTincwpnoempdateroipdad{"eoei"snnys"beoae"w"":::::::::::::::::::::::eetu"DPbbbbbbbbN"tttttt:rN"ttttN"oc:L"itl"aletacolnrefmea"dct,PttBs,"trmp,a,,CDDDPRCUEDDDDDSRAPPPPDDIIer,euaaaaaaaao,iiiiii-o,iiiio,pAai,c"ezodac2lisodoprwe2ooPPuP,"1pltoeeeuerpneeeeeuetuuuueennIcstlllllllltffffff{ntfffftitwss"oye.h"ectferl"sd"riuuco"locmlsstcedassssssstttttslssnecMaaaaaaaaiiiiiiioiiiiiictst""]n.pam.yaipe_e0nbbki,eyhpeccLoaabcccccpuaSSNLcettssrennnnnnnnfcccccctfccccf"r:Acaalwec.nllt_ip"tllen-::ltrrirttlrrrrremcccoirtaat"itcccccccciaaaaaaiiaaaai,iscowmosnocceohial,"iittb**eeiifdeeeiiiiinehahtfienna,briiiiiiiicttttttfcttttcbncdsay_tdoe"yinmo,ccssu""tLbbeLAAMbbbbbdPLleiebAccneinnnnnnnnaiiiiiiiaiiiiausee.z_i"ed:_ss_yAA""c,,eieeciuueeeeeeProidfceueecAcggggggggtooooooctoooott:sdcoeade"e,ti_cc,,kLfALyftttAPSNLroanuiyStsSelA::::::::innnnnnainnnnie*seoncm"edccanecceieuiceooruocoiocdglccco"tsalDDRDDDRDosssssstossssos:"pma2_cpeo2tnsceetfctflcSSitlhtfceBPealaS,a"raeeeeeeeen::::::in::::n"*,l"w"polpd.hct2ss/eyoeeycccoieieesaodtelct,mrssgrssgrsCDUDSUosLLLLs:o,sodoleneea"ss*ccScHcaasScdfcssllUiHiausmccieccieRrepeunnLiiiiScy.{leyoda"nBB"ylcyolllCciuiyseaipoonls""rrsgrrsgeesdlbssissssNo_cid_yemic{ll]ceacoeiioaelccesncdnogi",,iitiiitiaacaesu:sttttSdeocee_pea{eoolHllkAnnllseals"cyaCkAn,bbesbbesdtrttcbNtNTTETecmypcel}m_cceoie"cggli"dte",e"to"cgeerteertWeieersoAoaavos2"_l2co"_pkkAonH,tGGen,AiH,r,en,tGLIIeTTTerNbNNictctrgept"do.2yir""ckgoirrcgcoosGfironnraaarioeoobricigsniaoyn._no,,t"GooootGtno"rivoassIrrrTttNtteifefeftcr{c_aaetfi,rknuuiriCk,ogiudttngggaeioii"bisitoTC-uemrcaioosHppoooosuutpBaaseeerAftff,ecscsryrnmcen2nlnu"e""nunn"pri"annttttgciiii"a"a"Rpeoe2}}"ce"p,a,,"psf,Aae,lccaGHseccfcct,t,eeatn"""e.,sr,s"ictsaeenre"teaiaaiisstit]{_c"t",gti"nHscoa,sstcttooo"ef.{po,b,uio,ceWeul"siaiinnuAicrderoneaispt"otoosRrccooeaan"rltFsh,ninnFuccadfdtt",sthr""RoRRoleeteie"i,"hLo,,unuure"sidlp,o,"omlRllRs,soeeln,aLeueee""nposdo"l""s,,sliy"Ba,e,,o*os_,ad"u"yelB,r_wcaaceh2nleca.ca"2tnen:.'arcjsm"e"se,raoi}"rnm",n}p:"oarwtsa:nctodedeploy:*"
After your terraform apply, your IAM role will have the permissions it needs to work with CodeDeploy, S3, and is ready to be attached to an EC2 Instance. Link to heading

3. Create CodeDeploy app, deployment group, and deployment config. Link to heading

To get started with CodeDeploy, you will need three things:

  • deployment app name (we’ll call ‘app’ in this guide)
  • deployment group
  • deployment config for your application

This step’s goal is to configure CodeDeploy to push to your EC2 Instance which we’ll call in this guide ’example_instance’:

r}r}r}eeescnsdm}sadsde}a}a}ooaoeiopeeeculummupntvupprp2teeaaerperliyar_lvl_onvrlncucomplcnoiote}_aemaaeteyueueaycyacrbn_rbemmemmemg2oltcml"_"e_"ee_e__lesoseapanh==anrnstktvldndwlwtewtoteaeyabfsas_a"5s_l_tgypla==i==_t_clF0_gec_eucgcfcotLcr_o{fekt[u[tooonhEooani_r"r"rdrdfyEdurfl===cuDaauemei_TepnitoeEtpeddgh_d_ge"""nPipe==e_oPen_rNKefLo-ppnsEpanaExiOndl""latRlma{mYagYeoSaomsCoeme_muM{pyepyeEye"AprEl_rp_{N_NlaNoav"d=Td====DetTypee"e__i_mprp"p""""VioFe""lal$a$CAnnAnopo{p{oLsIt"ypyapadUt{L"am"mw"weEaU]peessD"nRpnn__ecE"ttcipe"__oal"]{cgdmoore_ynodrDfueoeipplfg"lea"o.u"ycl"a_otapad.pppeOp"pdn".ee{apA{pltpoA.yTn_iaemmcee2"}."arn}"
After you terraform apply the above, you will now have all 3 required resources for a complete CodeDeploy setup on AWS. Link to heading

4. Create CodeDeploy appspec.yml and Lifecycle Hook scripts. Link to heading

To complete CodeDeploy setup, you will need to create an appspec.yml and some scripts for lifecycle hooks to check into your repository root directory. The appspec.yml file will control the CodeDeploy lifecycle hooks (or steps) that you will want to use to deploy your code. There are many lifecycle hooks but this guide will cover the 3 basic lifecycle hooks:

  • BeforeInstall - the script you want to run before copying code to the desired location on the server examples: backing up a configuration file to a different location, stopping the application

  • AfterInstall - the script you want to run after code is copied to the desired location on the server examples: running a database migration, installing packages or modules your updated code will depend on

  • ApplicationStart - the script, or command to start or restart your application examples: init.d, systemctl, or custom startup scripts    

  • appspec.yml:

vofhesior:l-oBAAsekefpilssdsf-t-p-oi:oe:oelnnusrltrrltriltr:urteoiuIoiucoiuxciIcmnncmnacmn0ennaeasaeataea.:astosttositos0ttiu:aiu:oiu:/iaotlotnotoln:uln:uSn:unl:b::bt:b::1u1ua1us2ns2nrs2n/c0tc0ttc0teruru:ruxiiiapppmtttpsssl///ebaa/efpdftpeoelsrrite_ci_ianintansitstoitanoal_nlls/l.tf.saoshrlhtd.esrh/

And for the scripts mentioned in appspec.yml:

  • scripts/before_install.sh:
##!e/xbaimnp/lbea:shservicestopapp
  • scripts/after_install.sh:
##!e/xbaimnp/lbea:shpipinstall-rrequirements.txt
  • scripts/application_start.sh:
##!e/xbaimnp/lbea:shservicerestartapp
This will give you the basic setup for controlling what CodeDeploy does at each step of the deployment. Link to heading

I highly encourate you to expand on these scripts and make them as elaborate as your needs require. It’s just bash, after all!

5. Attach IAM Instance role and install the CodeDeploy Agent on your Instance. Link to heading

Now, back to the IAM role we created in step 2 – Ensure the EC2 Instance has the ‘codedeploy-ec2’ role attached and then install the CodeDeploy Agent. The agent runs locally on the EC2 Instance and will be responsible for honoring the steps you specified in appspec.yml. I won’t be re-typing those instructions but they can be found at this link: https://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install.html  
  You can attach the role via AWS console by right clicking on the Instance > Instance Settings > Attach/Replace IAM Role instance attachment screenshot Or you can ensure that your Terraform code includes the following line: iam_instance_profile = "${aws_iam_instance_profile.codedeploy_ec2.name}" within the aws_instance resource of the host you are working on  
 

Ideally, the IAM role ‘codedeploy-ec2’ is attached prior to starting the codedeploy-agent for the first time, else it will complain. If you happen to install the agent prior to attaching the role to the instance, just reboot the instance. Link to heading

6. Enable Bitbucket Pipelines for your code repository. Link to heading

Next, we will enable Bitbucket Pipelines for your repo by going to your repository Settings > Pipelines > Enable show pipelines are enabled

This will enable Bitbucket pipelines to operate on your repository. Link to heading

7. Create a bitbucket-pipelines.yml in your code repository. Link to heading

Create a bitbucket-pipelines.yml file for your repo. The pipelines file will control what Bitbucket is supposed to do with your code when you push to a given branch. You can also perform different actions by branch name within steps. This example will do most of the heavy-lifting on commits to the master branch:    

  • bitbucket-pipelines.yml:
ipmiapdbgeerelf-adm:ianeanuscv-s--aelthettsteselsessl::pcsotrtta:r-:pes:ensenssimpcpacpacspee:r-:mr----:mr-itcnieieia:htpe:paazpv:ppvno:tctppiiatia/:hB:ttpprAAAASCZVD:prAAAADSCWVIFd"ou--eiWWWP3OIEeeiWWWPE3OAEGIeTigg-:aSSSP_MPRp:aSSSPP_MIRNLfh"leerb___LBM_Slb___LLBMTSOEaiddttalDASIUAFIoalDASIOUA:IR_useateECECCNIOyteECECYCNOEElvtuiplsFCCAKDLNlsFCCAMKD'N_Xtseopnpa:AERTE:E_ba:AERTEE:t_AI-clds.sUSEIT:LusUSEINTrLPSiroSatzsLSTO:'AisLSTOT:'uAPTmip3taiiT__Nu'BliT__N_deBLSapmelpa_KA_$paEda_KA_G$e'EI_gtelnRECNSlpLnRECNRSpLCBen./EYCA3op:w/EYCAO3l:AE:rt-aG_EM_a.iaG_EMU_oTH2uywIISEBdz'twIISEPBy'IAnssODS:U'iahsODS::U'aOVscz-N:_Cpp-N:_CpNIric:K$K'pCc:K$$Kp_Ooipo$EAE-oo$EADE-SRnpd$AYPT1dd$AYPET1T:teAW:P.eeAW:PP.Oas-WSL0D-WSLL0P'ldS_$I.edS_$IO._Olle_AAC0pe_AACY0FVipDCWA'lpDCWAM'AEbklECSTpolECSTEIRreoFE_IyoFE_INLWayASSOyASSOTURnl:USEN:USEN_RIci0L_C_0L_C_GEThn.TKRN.TKRNRSEet3_EEA3_EEAO:'s".RYTM.RYTMU2E__E2E__EP'tGIAGIAthIDCIDCraOCOCutNENEeSS'dSSo__nKK'EEtYYhaveanyspecificpipelineassignedin'branches'."
This will tell Bitbucket what to do with your code once you commit it to a certain branch. Link to heading

The default steps will execute for any branches you don’t specify but this layout should give you a good idea of what you can do with teh bitbucket-pipelines.yml file. Also note the usage of pipe: atlassian/aws-code-deploy:0.3.2, which is a shortcut reference to an Atlassian-managed Docker container that is already set up to work with CodeDeploy using the Environment Variables we will cover in the next step.

8. Configure Bitbucket Pipelines Environment Variables in your code repository. Link to heading

You will notice some environment variables in the previous step – Ensure the variables in bitbucket-pipelines.yml are configured properly.    

In your Bitbucket repository, go to Settings > Repository Variables be sure to set values for:

  • AWS_DEFAULT_REGION
  • AWS_ACCESS_KEY_ID (of the IAM user in step1)
  • AWS_SECRET_ACCESS_KEY (of the IAM user in step1)
  • APPLICATION_NAME
  • S3_BUCKET

example env vars

Now your bitbucket-pipelines.yml should be ready for action Link to heading

9. Commit changes to Bitbucket and Push to Master branch Link to heading

Commit your changes & push it all up to the master branch of repository and watch the magic happen – pipelineous automaticus!

Closing Link to heading

If everything goes according to plan, and you’ve modified Terraform to fit your setup, you should be happily on your adventure with automated continuous deployment using Bitbucket Pipelines with AWS CodeDeploy.

Considerations Link to heading

  • AWS S3 Lifecycle Policies can help keep your storage costs in check
  • CodeDeploy configs allow for myriad deployment methods, choose the one that is right for your stack with regards to uptime
  • Rollback triggers aren’t a must but they’re a great idea
  • Encourage development staff to work on maturing bitbucket-pipelines for their codebase - it only makes quality better for everyone
  • Of course you can do this all in AWS Console and skip Terraform entirely