# CI/CD Pipeline
A fully automated CI/CD pipeline using CodeCommit, CodeBuild, CodeDeploy, and CodePipeline – automatically build, test, and deploy applications with approval gates and rollback support.
## Architecture Overview
```text
┌─────────────────────────────────────┐
│           Developer Push            │
│        git push origin main         │
└────────────────┬────────────────────┘
                 │
┌────────────────▼────────────────────┐
│     CodeCommit (Git Repository)     │
│  - Source code + buildspec.yml      │
│  - Branch protection rules          │
│  - Pull request approvals           │
└────────────────┬────────────────────┘
                 │
┌────────────────▼────────────────────┐
│            CodePipeline             │
│  ┌─────────────────────────────┐    │
│  │ Stage 1: Source             │    │
│  │ - Pull from CodeCommit      │    │
│  └──────────┬──────────────────┘    │
│  ┌──────────▼──────────────────┐    │
│  │ Stage 2: Build & Test       │    │
│  │ - CodeBuild project         │    │
│  │ - Unit tests, linting       │    │
│  │ - Security scan (SAST)      │    │
│  │ - Package artifact          │    │
│  └──────────┬──────────────────┘    │
│  ┌──────────▼──────────────────┐    │
│  │ Stage 3: Deploy to Staging  │    │
│  │ - CodeDeploy (blue/green)   │    │
│  │ - Integration tests         │    │
│  │ - Manual approval gate      │    │
│  └──────────┬──────────────────┘    │
│  ┌──────────▼──────────────────┐    │
│  │ Stage 4: Deploy to Prod     │    │
│  │ - CodeDeploy (blue/green)   │    │
│  │ - Smoke tests               │    │
│  │ - Rollback on failure       │    │
│  └─────────────────────────────┘    │
└─────────────────────────────────────┘
```

## Services Used
| Service | Purpose | Configuration |
|---|---|---|
| CodeCommit | Git repository | Branch protection, pull request templates, approval rules |
| CodeBuild | Build + test | Managed build environment, cached dependencies, test reports |
| CodeDeploy | Application deployment | Blue/green strategy, auto-rollback, lifecycle hooks |
| CodePipeline | Pipeline orchestration | 4 stages (Source -> Build -> Staging -> Prod), parallel actions |
| S3 | Artifact storage | Encrypted bucket, versioning, lifecycle to expire old artifacts |
| CloudWatch | Monitoring & alerts | Pipeline state changes, deployment failures, build duration |
| SNS | Notifications | Build failures, deployment status, approval requests |
## Key Design Decisions
| Decision | Rationale |
|---|---|
| CodeCommit over GitHub | Fully managed, IAM integrated, no external dependencies |
| Blue/green deployments | Zero downtime, instant rollback by swapping traffic back |
| Manual approval gate | Prevents unreviewed code from reaching production |
| buildspec.yml in repo | Build configuration as code – versioned with the source |
| S3 for artifacts | Durable, cheap, cross-region replication for DR |
| Auto-rollback | Automatically reverts deployment if CloudWatch alarms trigger |
## Build Specification Example

```yaml
# buildspec.yml
version: 0.2
phases:
  install:
    runtime-versions:
      nodejs: 20
    commands:
      - npm ci                      # clean, lockfile-exact install
  pre_build:
    commands:
      - npm run lint
      - npm run test:unit
      - npm audit                   # fails the build on known vulnerable dependencies
  build:
    commands:
      - npm run build
      - npm run test:integration
  post_build:
    commands:
      - aws s3 sync ./dist/ s3://$ARTIFACT_BUCKET/$CODEBUILD_BUILD_ID/
      - printf '[{"name":"app","imageUri":"%s"}]' $REPOSITORY_URI:$IMAGE_TAG > imagedefinitions.json
artifacts:
  files:
    - imagedefinitions.json
    - appspec.yml                   # CodeDeploy lifecycle hooks
    - scripts/*                     # hook scripts referenced by appspec.yml
cache:
  paths:
    - 'node_modules/**/*'
reports:
  jest_reports:
    files:
      - '**/test-results.xml'
    base-directory: 'reports'
    file-format: JUNITXML
```

## Pipeline as Code (CloudFormation)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
# Excerpt: PipelineRole, ArtifactBucket, BuildProject and ApprovalTopic are
# assumed to be declared elsewhere in the same template.
Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: my-app-pipeline
      RoleArn: !GetAtt PipelineRole.Arn
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      Stages:
        - Name: Source
          Actions:
            - Name: SourceAction
              ActionTypeId:
                Category: Source
                Provider: CodeCommit
                Owner: AWS
                Version: '1'
              Configuration:
                RepositoryName: my-app
                BranchName: main
              OutputArtifacts:
                - Name: source_output
        - Name: Build
          Actions:
            - Name: BuildAction
              ActionTypeId:
                Category: Build
                Provider: CodeBuild
                Owner: AWS
                Version: '1'
              Configuration:
                ProjectName: !Ref BuildProject
              InputArtifacts:
                - Name: source_output
              OutputArtifacts:
                - Name: build_output
        - Name: DeployToStaging
          Actions:
            - Name: DeployAction
              ActionTypeId:
                Category: Deploy
                Provider: CodeDeploy
                Owner: AWS
                Version: '1'
              Configuration:
                ApplicationName: my-app
                DeploymentGroupName: staging
              InputArtifacts:
                - Name: build_output
        - Name: Approval
          Actions:
            - Name: ApprovalAction
              ActionTypeId:
                Category: Approval
                Provider: Manual      # required for approval actions
                Owner: AWS
                Version: '1'
              Configuration:
                NotificationArn: !Ref ApprovalTopic
                CustomData: 'Review staging deployment before production release'
        - Name: DeployToProd
          Actions:
            - Name: DeployAction
              ActionTypeId:
                Category: Deploy
                Provider: CodeDeploy
                Owner: AWS
                Version: '1'
              Configuration:
                ApplicationName: my-app
                DeploymentGroupName: production
              InputArtifacts:
                - Name: build_output
```

## Real-World Use Case
Scenario: A SaaS team of 8 developers shipping updates 5x per week with automated quality gates.
Pipeline flow:
- Commit: Developer merges PR to `main` -> triggers pipeline
- Build: CodeBuild runs linting, unit tests, security audit (~3 min)
- Test: Integration tests against staging database (~5 min)
- Approve: DevOps lead reviews staging output, approves via SNS link
- Deploy: CodeDeploy blue/green to prod – shifts 10% -> 50% -> 100%
- Monitor: CloudWatch alarms watch error rates for 10 minutes
- Rollback: If errors spike, CodePipeline auto-rolls back to the previous version
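The smoke-test step above only triggers a rollback if something fails the deployment. Below is a CodeDeploy `ValidateService` hook script, added here as an example and not code from the page or any project, that does exactly that: it assumes the app exposes a JSON health endpoint with `status` and `version` fields, that the artifact ships a `VERSION` file beside `scripts/`, and that `appspec.yml` lists this script under the `ValidateService` event. A non-zero exit fails the event, and with auto-rollback enabled CodeDeploy shifts traffic back to the previous revision.

```shell
#!/bin/sh
# scripts/validate_service.sh -- CodeDeploy ValidateService hook (added example).
# Assumed, not from the page: GET /health returns {"status":"ok","version":"<ver>"}
# and the artifact carries a VERSION file holding the version that was just built.
set -u

HEALTH_URL="${HEALTH_URL:-http://127.0.0.1:8080/health}"   # assumed local endpoint
MAX_ATTEMPTS="${MAX_ATTEMPTS:-12}"
SLEEP_SECONDS="${SLEEP_SECONDS:-5}"

# Pull a string field out of a flat JSON object with POSIX tools (no jq on the host).
json_field() {
  printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | cut -d '"' -f 4
}

# $1 = HTTP status, $2 = response body, $3 = version the artifact was built from.
# Returns 0 only when the NEW revision answers healthily; a version mismatch means
# the probe reached the old revision (traffic not shifted yet), which is also a failure.
evaluate_response() {
  [ "$1" = "200" ] || { echo "health endpoint returned HTTP $1"; return 1; }
  [ "$(json_field "$2" status)" = "ok" ] || { echo "unhealthy body: $2"; return 1; }
  actual="$(json_field "$2" version)"
  [ "$actual" = "$3" ] || { echo "expected version $3, got '${actual}'"; return 1; }
  return 0
}

# One probe; prints "<status> <single-line body>" (status 000 when the connection fails).
probe() {
  raw="$(curl -sS --max-time 5 -w '\n%{http_code}' "$HEALTH_URL")" || { echo "000 "; return 0; }
  printf '%s %s\n' "$(printf '%s' "$raw" | tail -n 1)" "$(printf '%s' "$raw" | sed '$d' | tr -d '\n')"
}

main() {
  expected="$(cat "$(dirname "$0")/../VERSION")"
  attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    result="$(probe)"
    if evaluate_response "${result%% *}" "${result#* }" "$expected"; then
      echo "revision $expected healthy after $attempt attempt(s)"; return 0
    fi
    attempt=$((attempt + 1)); sleep "$SLEEP_SECONDS"
  done
  # Non-zero exit fails the ValidateService event; with auto-rollback enabled on
  # DEPLOYMENT_FAILURE, CodeDeploy routes traffic back to the previous revision.
  echo "validation failed after $MAX_ATTEMPTS attempts"; return 1
}

# Run only when executed as the hook script, so the functions can be sourced for testing.
case "$0" in *validate_service.sh) main; exit $? ;; esac
```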
## Cost Estimate (Monthly)
| Service | Estimated Cost |
|---|---|
| CodePipeline | ~$15 |
| CodeBuild (500 build minutes) | ~$5 |
| CodeCommit (5 active repos) | ~$5 |
| S3 artifacts | ~$3 |
| Total | ~$28/month |
## Key Exam Takeaways
- CodePipeline orchestrates the entire CI/CD workflow
- CodeBuild = managed build service (no build servers to manage)
- CodeDeploy supports blue/green, rolling, and canary deployments
- Manual approval gates prevent unreviewed production deployments
- Auto-rollback reverts deployments when CloudWatch alarms trigger
- buildspec.yml defines the build steps as code
- appspec.yml defines the deployment lifecycle hooks
- S3 artifacts are versioned and encrypted – enables rollback to any version