3.4.12 CI/CD Automation & CodeDeploy

CI/CD Fundamentals

CI/CD Process

Main goals:

  • ✅ Detect issues at early stages
  • ✅ Improve code quality
  • ✅ Reduce validation time
  • ✅ Release updates faster

CI/CD Pipeline Stages

Source → Build → Test → Staging → Production

Each stage = logical unit validating code as it progresses

Infrastructure as Code (IaC)

Configuration as Code vs Infrastructure as Code:

Type           Service                  Purpose
IaC            CloudFormation, CDK      Provision infrastructure
Configuration  OpsWorks (Chef/Puppet)   Configure applications

Key: Automate the process and lifecycle management. Every step is programmed and managed as source code.

AWS CI/CD Services

Complete CI/CD Toolset

Service        Purpose
CodePipeline   Orchestrate workflows
CodeCommit     Source control
CodeBuild      Build and test
CodeDeploy     Deploy applications
CodeArtifact   Artifact repository
ECR            Container registry
SAM            Serverless deployment
CDK            Infrastructure as code
Amplify        Frontend deployment
Copilot        Container deployment
X-Ray          Tracing
CloudShell     CLI environment

Integration with Other Services

  • Lambda
  • S3
  • CloudFormation
  • AppConfig
  • Secrets Manager
  • API Gateway

CodeDeploy Deployment Configurations

EC2/On-Premises

Deployment types:

  • In-place - Update existing instances
  • Blue/Green - New instances, switch traffic

Predefined configurations:

  • CodeDeployDefault.OneAtATime
  • CodeDeployDefault.HalfAtATime
  • CodeDeployDefault.AllAtOnce

ECS Deployments

Deployment type: Blue/Green only

Traffic shifting:

  • Canary - Two increments
  • Linear - Equal increments
  • All-at-once - Immediate

Configurations:

  • CodeDeployDefault.ECSLinear10PercentEvery1Minutes
  • CodeDeployDefault.ECSLinear10PercentEvery3Minutes
  • CodeDeployDefault.ECSCanary10Percent5Minutes
  • CodeDeployDefault.ECSCanary10Percent15Minutes
  • CodeDeployDefault.ECSAllAtOnce

Lambda Deployments

Deployment type: Traffic shifting only

Configurations:

  • CodeDeployDefault.LambdaLinear10PercentEvery1Minute
  • CodeDeployDefault.LambdaLinear10PercentEvery2Minutes
  • CodeDeployDefault.LambdaLinear10PercentEvery3Minutes
  • CodeDeployDefault.LambdaLinear10PercentEvery10Minutes
  • CodeDeployDefault.LambdaCanary10Percent5Minutes
  • CodeDeployDefault.LambdaCanary10Percent10Minutes
  • CodeDeployDefault.LambdaCanary10Percent15Minutes
  • CodeDeployDefault.LambdaCanary10Percent30Minutes
  • CodeDeployDefault.LambdaAllAtOnce
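The ECS and Lambda configurations above differ only in step size and interval, and the names encode the whole schedule. As an added example (not from the original notes), this Python parses the predefined configuration names into a traffic-shift schedule and reports how much traffic the new revision has already received by a given minute, which is the blast radius a CloudWatch alarm rollback has to be judged against. It assumes the first increment is applied at minute 0; names outside the patterns listed on this page are rejected.

```python
import re

# Patterns for the predefined ECS/Lambda configuration names listed above.
# Naming quirk: ECS names read "Every1Minutes", Lambda names read "Every1Minute".
_LINEAR = re.compile(r"^CodeDeployDefault\.(?:ECS|Lambda)Linear(\d+)PercentEvery(\d+)Minutes?$")
_CANARY = re.compile(r"^CodeDeployDefault\.(?:ECS|Lambda)Canary(\d+)Percent(\d+)Minutes?$")
_ALL_AT_ONCE = re.compile(r"^CodeDeployDefault\.(?:ECS|Lambda)AllAtOnce$")


def shift_schedule(config_name):
    """Return [(minute, cumulative % of traffic on the new revision), ...].

    Linear: equal increments every N minutes until 100%.
    Canary: one increment of P%, then the remaining traffic N minutes later.
    AllAtOnce: everything at minute 0.
    Assumption: the first increment is applied at minute 0.
    """
    if _ALL_AT_ONCE.match(config_name):
        return [(0, 100)]
    m = _LINEAR.match(config_name)
    if m:
        step, interval = int(m.group(1)), int(m.group(2))
        if step <= 0:
            raise ValueError("linear step must be positive")
        schedule, pct, minute = [], 0, 0
        while pct < 100:
            pct = min(100, pct + step)
            schedule.append((minute, pct))
            minute += interval
        return schedule
    m = _CANARY.match(config_name)
    if m:
        first, wait = int(m.group(1)), int(m.group(2))
        return [(0, first), (wait, 100)]
    raise ValueError(f"unrecognised deployment configuration: {config_name}")


def exposure_at(config_name, minute):
    """Percent of traffic already on the new revision at the given minute,
    i.e. the blast radius if an alarm fires and triggers a rollback then."""
    pct = 0
    for at, cumulative in shift_schedule(config_name):
        if at <= minute:
            pct = cumulative
    return pct


if __name__ == "__main__":
    for name in ("CodeDeployDefault.LambdaLinear10PercentEvery1Minute",
                 "CodeDeployDefault.LambdaCanary10Percent5Minutes",
                 "CodeDeployDefault.ECSAllAtOnce"):
        print(f"{name}: full shift at minute {shift_schedule(name)[-1][0]}, "
              f"exposure at minute 3 = {exposure_at(name, 3)}%")
```

Running it shows why canary is the safer default for a risky change: three minutes in, Linear10PercentEvery1Minute has 40% of traffic on the new revision, Canary10Percent5Minutes still only 10%, and AllAtOnce has 100%.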

CloudFormation Stack Sets

Exam scenario: An organization has several AWS accounts (staging, testing, production). Manage updates to a CloudFormation template across all accounts with the least effort.

Answer: CloudFormation Stack Sets

Stack Sets allow:

  • Update stacks for multiple AWS accounts
  • Deploy to multiple regions
  • Single operation
  • Centralized management

# Create stack set
aws cloudformation create-stack-set \
  --stack-set-name my-app \
  --template-body file://template.yaml

# Deploy to multiple accounts
aws cloudformation create-stack-instances \
  --stack-set-name my-app \
  --accounts 111111111111 222222222222 \
  --regions us-east-1 eu-west-1

SAM for Serverless

Exam scenario: Set up a serverless architecture (Lambda, API Gateway, DynamoDB) in a single stack. Build, test, debug and deploy locally.

Options: Elastic Beanstalk, CloudFormation, SAM

Answer: SAM

Why:

  • ✅ Extension of CloudFormation (reliable deployment)
  • ✅ Define resources using CloudFormation
  • ✅ Local build, test, debug capabilities
  • ✅ AWS tools for serverless applications

# Local testing
sam local invoke
sam local start-api

# Build
sam build

# Deploy
sam deploy --guided

API Gateway Deployment

Stages & Canary Release

After initial deployment, add more stages:

  • Configure caching
  • Customize throttling
  • Configure logging
  • Define stage variables
  • Attach canary release for testing

Stage Variables

Exam scenario: Reuse the same Lambda function for multiple stages. The function reads from a different DynamoDB table depending on the stage.

Solution: Stage variables + mapping templates

Mapping template (non-proxy integration); API Gateway resolves $stageVariables.tableName per stage:

{
  "TableName": "$stageVariables.tableName"
}

Lambda then receives the rendered template as its event:

table_name = event['TableName']

With a Lambda proxy integration (no mapping template), API Gateway passes the stage variables through directly:

table_name = event['stageVariables']['tableName']

Configure per stage:

  • Dev stage: tableName = orders-dev
  • Prod stage: tableName = orders-prod
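To make the two event shapes concrete, here is an added example (not from the original notes) that renders the mapping template the way API Gateway would for each stage, builds the event a function sees under a non-proxy and a proxy integration, and reads the table name back on the handler side. The stage values are the constructed dev/prod configuration above; the allowlist check is an addition, because a mistyped or unset stage variable should fail loudly rather than silently point prod traffic at the wrong table.

```python
import json
import re

# Constructed stage configuration for the two stages described above.
STAGE_VARIABLES = {
    "dev": {"tableName": "orders-dev"},
    "prod": {"tableName": "orders-prod"},
}

# Tables this function is allowed to use. Stage variables are deployment
# configuration, not user input, but misconfiguration should still fail fast.
ALLOWED_TABLES = {"orders-dev", "orders-prod"}

MAPPING_TEMPLATE = '{"TableName": "$stageVariables.tableName"}'

_REF = re.compile(r"\$stageVariables\.([A-Za-z0-9_]+)")


def render_mapping_template(template, stage):
    """Minimal stand-in for API Gateway resolving $stageVariables.<name> in a
    mapping template (only this one VTL reference is handled)."""
    variables = STAGE_VARIABLES[stage]

    def resolve(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"stage variable {name!r} is not set on stage {stage!r}")
        return variables[name]

    return _REF.sub(resolve, template)


def build_event(stage, proxy):
    """Event shape the function sees for each integration style.
    Non-proxy: the rendered template IS the event.
    Proxy: stage variables arrive under event['stageVariables']."""
    if proxy:
        return {"stageVariables": dict(STAGE_VARIABLES[stage]), "body": None}
    return json.loads(render_mapping_template(MAPPING_TEMPLATE, stage))


def is_allowed_table(name):
    return name in ALLOWED_TABLES


def table_from_event(event):
    """Handler-side lookup that works for both shapes and refuses unknown tables."""
    if "stageVariables" in event:
        name = (event["stageVariables"] or {}).get("tableName")
    else:
        name = event.get("TableName")
    if not is_allowed_table(name):
        raise ValueError(f"refusing to use unexpected table {name!r}")
    return name


if __name__ == "__main__":
    for stage in STAGE_VARIABLES:
        for proxy in (False, True):
            event = build_event(stage, proxy)
            print(stage, "proxy" if proxy else "mapping", event, "->", table_from_event(event))
```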

Version & Release Management

Systems Manager Capabilities

Capability           Purpose
Parameter Store      Parameter labels, versions
Application Manager  Troubleshoot applications
AppConfig            Create, manage, deploy configurations

Parameter Labels

# Create parameter with label
aws ssm put-parameter \
  --name /myapp/config \
  --value "v1-config" \
  --type String

# Add label
aws ssm label-parameter-version \
  --name /myapp/config \
  --parameter-version 1 \
  --labels prod

# Get by label
aws ssm get-parameter \
  --name /myapp/config:prod

ECR Image Tags

Why tag images:

  • Group repos for development teams
  • Separate dev and prod images
  • Use IAM policies to secure access

Examples:

  • myapp:dev-latest
  • myapp:prod-v1.2.3
  • myapp:feature-auth

AWS Amplify Branches

Git-based workflow with continuous deployment:

  • Each branch = separate environment
  • Updates deployed on every commit
  • Preview deployments for PRs

Keywords: Serverless backends, GraphQL/REST APIs, authentication, analytics, storage

AWS Copilot

Deploy containerized applications on ECS:

  • Deploy from source code
  • CodePipeline integration
  • Multiple environments, accounts, regions
  • Managed within CLI

Cross-Account Deployments

Exam scenario: Deploy Lambda APIs across different AWS accounts and environments.

Architecture:

Dev Account (CodePipeline)
  ↓ Assume Role
Pre-Prod Account (Deploy)
  ↓ Assume Role
Prod Account (Deploy)

CodePipeline stages:

  1. Commit - Source stage
  2. Build - Build CloudFormation template, save to S3
  3. Deploy Pre-Prod - Assume pre-prod role, deploy via CloudFormation
  4. Deploy Prod - Assume prod role, deploy via CloudFormation

IAM Roles needed:

  • ✅ Cross-account role (pre-prod, prod)
  • ✅ Read/write policy for S3
  • ✅ KMS key access policy
  • ✅ CloudFormation service role
  • ✅ Lambda execution role
  • ✅ API Gateway invocation policy
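The cross-account role in the first bullet is the part most often left too open: its trust policy decides who in the dev account may assume the deployment role in pre-prod or prod. As an added example (not from the original notes), this Python shows a weak trust policy that trusts the whole dev account root beside a hardened one that trusts only the pipeline's service role, and a small linter that flags the weak patterns. Account ids, the role name and the policy documents are constructed placeholders.

```python
# Constructed trust policies for the deployment role that lives in the
# pre-prod (or prod) account and is assumed by the pipeline in the dev account.
PIPELINE_ACCOUNT = "111111111111"  # placeholder account id

WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        # Account root: any identity in the dev account that is itself granted
        # sts:AssumeRole by its own IAM policy can assume this deployment role.
        "Principal": {"AWS": f"arn:aws:iam::{PIPELINE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        # Only the pipeline's own service role may assume it (placeholder role name).
        "Principal": {"AWS": f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/CodePipelineServiceRole"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy, expected_accounts):
    """Return a list of findings for Allow/AssumeRole statements in a trust policy."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: wildcard principal on sts:AssumeRole")
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            # arn:aws:iam::<account>:<resource> -> account id is field 4
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account not in expected_accounts:
                findings.append(f"statement {i}: principal from unexpected account {account}")
            if arn.endswith(":root"):
                findings.append(f"statement {i}: account-root principal ({account}); "
                                "restrict to the pipeline role ARN")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, lint_trust_policy(policy, {PIPELINE_ACCOUNT}) or "no findings")
```

The same narrowing applies to the S3 bucket policy and KMS key policy in the list above: grant the pipeline role ARN, not the account root, and the deployment role in each target account only the CloudFormation, S3 read and KMS decrypt permissions the deploy stage needs.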

Automated Testing

Lambda Test Events

Create test events in the Lambda console:

  • API Gateway events
  • S3 events
  • DynamoDB Streams events
  • CloudWatch Events
  • Custom events

Serverless Testing

Essential for scale:

  • Unit testing
  • Mock testing
  • Integration testing
  • Real-time feedback

Tools:

  • SAM local testing
  • Step Functions Local
  • API Gateway mock integrations

Secrets & Certificate Rotation

Automated Rotation

Service                      Rotates
AWS Certificate Manager      ✅ Certificates
Secrets Manager              ✅ Credentials
KMS                          ✅ Keys
Parameter Store              ❌ Manual
IAM Database Authentication  ❌ Manual

Exam tip: Certificate Manager and Secrets Manager automate rotation. Parameter Store does NOT.
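What Secrets Manager automates is scheduling a rotation function and calling it through four steps (createSecret, setSecret, testSecret, finishSecret) while moving the AWSCURRENT, AWSPENDING and AWSPREVIOUS staging labels between secret versions. As an added example (not from the original notes and not the Secrets Manager API), this Python models those steps against a constructed in-memory secret store and a constructed database, including the case where the new credential does not work and the current version must stay in place. The class names and the store are stand-ins.

```python
import secrets


class FakeDatabase:
    """Constructed stand-in for the resource whose credential is rotated."""
    def __init__(self, password):
        self._password = password

    def set_password(self, new_password):
        self._password = new_password

    def login(self, password):
        return password == self._password


class BrokenDatabase(FakeDatabase):
    """Constructed failure case: the new password never gets applied."""
    def set_password(self, new_password):
        pass


class FakeSecretsStore:
    """Constructed stand-in for one secret with versions and staging labels."""
    def __init__(self, current_value):
        self.versions = {"v1": {"value": current_value, "stages": {"AWSCURRENT"}}}

    def version_for(self, stage):
        for vid, v in self.versions.items():
            if stage in v["stages"]:
                return vid
        return None

    def value(self, stage):
        vid = self.version_for(stage)
        return None if vid is None else self.versions[vid]["value"]

    def put_pending(self, vid, value):
        self.versions[vid] = {"value": value, "stages": {"AWSPENDING"}}

    def move_current(self, vid):
        # finishSecret semantics: pending becomes current, current becomes previous,
        # and the old previous version loses its label.
        prev = self.version_for("AWSPREVIOUS")
        if prev is not None:
            self.versions[prev]["stages"].discard("AWSPREVIOUS")
        old = self.version_for("AWSCURRENT")
        self.versions[old]["stages"] = {"AWSPREVIOUS"}
        self.versions[vid]["stages"] = {"AWSCURRENT"}


def rotate(store, db, new_version_id):
    """Run the four rotation steps in order. Returns the step reached.
    If testSecret fails, AWSCURRENT is untouched and the pending version stays
    for a retry, which is why clients keep working during a failed rotation."""
    # createSecret: generate a new value and stage it as AWSPENDING (idempotent)
    if store.version_for("AWSPENDING") is None:
        store.put_pending(new_version_id, secrets.token_urlsafe(24))
    pending = store.value("AWSPENDING")
    # setSecret: apply the pending value to the resource
    db.set_password(pending)
    # testSecret: prove the pending value works before anything depends on it
    if not db.login(pending):
        return "testSecret-failed"
    # finishSecret: promote AWSPENDING to AWSCURRENT, demote the old value
    store.move_current(store.version_for("AWSPENDING"))
    return "finishSecret"


if __name__ == "__main__":
    store, db = FakeSecretsStore("old-password"), FakeDatabase("old-password")
    print(rotate(store, db, "v2"), store.version_for("AWSCURRENT"), store.version_for("AWSPREVIOUS"))
    store2, broken = FakeSecretsStore("old-password"), BrokenDatabase("old-password")
    print(rotate(store2, broken, "v2"), store2.version_for("AWSCURRENT"))
```

Parameter Store has no equivalent of this loop: a SecureString value changes only when something calls put-parameter, so rotating it means building and scheduling that logic yourself.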

Operational Excellence Pillar

CI/CD best practices from the Well-Architected Framework:

  • Automate testing
  • Use IaC
  • Implement deployment strategies
  • Monitor deployments
  • Enable rollback
  • Use version control

Exam Tips:

  • CodeDeploy: EC2/on-premises (in-place + blue/green), ECS (blue/green only), Lambda (traffic shifting)
  • Stack Sets = multiple accounts/regions with least effort
  • SAM = local build/test/debug for serverless
  • Stage variables = pass config to Lambda per stage
  • Linear = equal increments, Canary = two increments
  • Certificate Manager + Secrets Manager = automated rotation
  • Parameter Store = NO automated rotation
  • Cross-account = assume roles, IAM policies, KMS keys
  • Amplify = git-based, continuous deployment, GraphQL/REST
  • Copilot = containers on ECS from source code