Post Syndicated from Ashutosh Pateriya original https://aws.amazon.com/blogs/architecture/field-notes-how-to-deploy-end-to-end-ci-cd-in-the-china-regions-using-aws-codepipeline/
This post was co-authored by Ravi Intodia, Cloud Archiect, Infosys Technologies Ltd, Nirmal Tomar, Principal Consultant, Infosys Technologies Ltd and Ashutosh Pateriya, Solution Architect, AWS.
Today’s businesses must contend with fast-changing competitive environments, expanding security needs, and scalability issues. Businesses must find a way to reconcile the need for operational stability with the need for quick product development. Continuous integration and continuous delivery (CI/CD) enables rapid software iterations while maintaining system stability and security.
With an increase in AWS Cloud and DevOps adoption, many organizations seek solutions which go beyond geographical boundaries. AWS CodePipeline, along with its related services, lets you integrate and deploy your solutions across multiple AWS accounts and Regions. However, it becomes more challenging when you want to deploy your application in multiple AWS Regions as well as in China, due to the unavailability of AWS CodePipeline in the Beijing and Ningxia Regions.
In this blog post, you will learn how to overcome the unique challenges when deploying applications across many parts of the world, including China. For this solution, we will use the power and flexibility of AWS CodeBuild to implement AWS Command Line Interface (AWS CLI) commands to perform custom actions that are not directly supported by CodePipeline or AWS CodeDeploy.
CodePipeline for multi-account and multi-Region deployment consists of the following components:
- ArtifactStore and encryption keys – In the AWS account which hosts CodePipeline, there should be an Amazon Simple Storage Service (Amazon S3) bucket and an AWS Key Management Service (AWS KMS) key for each Region where resources need to be deployed.
- CodeBuild and CodePipeline roles – In the AWS account which hosts CodePipeline there should be roles created that can be used or assumed by CodeBuild and CodePipeline projects for performing required actions.
- Cross-account roles – In each AWS account where cross-account deployments are required, an AWS role with the necessary permissions must be created. The CodePipeline role of the deploying account must be allowed to assume this role for all required accounts. Cross-account roles will also have access to the required S3 buckets and AWS KMS keys for deploying accounts.
Figure 1. High-level solution for AWS Regions
Although the solution works for most Regions, we encounter challenges when we try to expand our current worldwide solutions into the China Regions.
The challenges are as follows:
- Cross-account roles – Cross-account roles cannot be created between accounts in non-China Regions and the China Regions. This means that CodeDeploy will be unable to assume the target account role necessary to complete component deployment.
- Availability of services – Services required to configure a cloud native CI/CD pipeline are unavailable in the China Regions.
- Connectivity – There is no direct network connectivity available between the China Regions and other AWS Regions.
- User management – Accounts by users in China are distinct from AWS Region user accounts, and must be maintained independently.
Due to the lack of cross-account roles and the CodePipeline service, setting up a worldwide CI/CD pipeline that includes the China Regions is not automatically supported.
High-level solution
In the proposed solution, we will build and deploy the application to both Regions using the AWS CI/CD services from the non-China Region, and we will create an access key in a China Region with access to deploy the application using services, such as AWS Lambda, AWS Elastic Beanstalk, Amazon Elastic Container Service, and Amazon Elastic Kubernetes Service. This access key is stored in a non-China account as an SSM parameter after encryption. On committing, the CodePipeline in the non-China Region is initiated, and it builds the package and deploys the application in both Regions from a single place.
Solution architecture
Figure 2. High-level solution for cross-account deployment from AWS Regions to a China Region
In this architecture, AWS CLI commands are used to set an AWS profile of CodeBuild instance with China credentials (retrieved from the AWS Systems Manager Parameter Store). This enables a CodeBuild instance to run an AWS CloudFormation package and deploy commands directly on the China account, thereby deploying required resources in the desired China Region.
This solution is not relying on any AWS CI/CD services like CodeDeploy in the China Region. With this solution we can create a complete CI/CD pipeline running in an AWS Region that can deploy an application in both Regions.
The following key components are needed for deployment:
- AWS Identity and Access Management (IAM) user credentials – An IAM user needs to be created in the target account in China.
- SSM parameter (secure string) – China IAM user access key (secret access key needs to be saved as a secure string SSM parameter in the deployment AWS account).
- Update CloudFormation templates – CloudFormation templates need to be updated to support China Region mappings (such as using
“arn:aws-cn” instead of “arn:aws”).
- Enhance CodeBuild to support build and deployment – CodeBuild
buildspec.yml needs to be enhanced to perform build and deployment to China accounts, as mentioned in the following.
Prerequisites
- Two AWS accounts: One AWS account outside of China, and one account in China.
- Practical experience in deploying Lambda functions using CodeBuild, CodeDeploy, and CodePipeline, and using AWS CLI. Because this example focuses specifically on extending CodePipeline from Regions outside of China to deploy in China Region, we are not going to explore a standard CodePipeline set up.
Detailed Implementation
This solution is built using CodePipeline, CodeCommit, CodeBuild, AWS CloudFormation templates, and IAM.
Steps
- One-time key generation in an account in China with necessary access to deploy application, including creation of one S3 bucket for CodeBuild artifacts.
Note: As a best practice, we suggest rotation of the access key every 30 days.
- Complete the setup of CodePipeline to deploy application in Regions outside of China, as well as including China Region.
As a demonstration, let’s deploy a Lambda function in us-east-1 and cn-north-1 and discuss the steps in detail. The same steps can be followed to deploy any other AWS service.
Part 1 – In the account based in China Region: cn-north-1
- Create an S3 bucket with default encryption enabled for CodeBuild artifacts.
- Create an IAM user (with programmatic access only) with the required permissions to deploy Lambda functions and related resources. The IAM user will also have access to the S3 bucket created for CodeBuild artifacts.To create an IAM policy, refer to the AWS IAM Policy resource.
Part 2 – In AWS account based in non-China Region: us-east-1
- Create two SSM parameters of type secure string.
| SSM Parameter Name |
SSM Parameter Value |
| /China/Dev/UserAccessKey |
<Value of China IAM User Access Key> |
| /China/Dev/UserAccessKey |
<Value of China IAM User Access Key> |
To create secure SSM parameters using the AWS CLI, refer to the Create a Systems Manager parameter (AWS CLI) tutorial.
To create secure SSM parameters using the AWS Management Console, refer to the Create a Systems Manager parameter (console) tutorial.
Note: Creating secure SSM parameters is not supported by CloudFormation templates. Also, as a security best practice, you should not have any sensitive information as part of CloudFormation templates to avoid any possible security breach.
- Create an AWS KMS key for encrypting CodeBuild or CodePipeline artifacts (for cross-Region deployments, create AWS KMS key in all Regions, and create SSM parameters for each in the Region having CodePipeline).
- Create artifacts S3 bucket for CodeBuild or CodePipeline artifacts.
- Create CI/CD related roles. For CI/CD service roles, refer to:
https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-service-role.html
https://docs.aws.amazon.com/codebuild/latest/userguide/setting-up.html#setting-up-service-role
- Create a CodeCommit repository.
- Create SSM parameters for the following.
| SSM Parameter Name |
SSM Parameter Value |
| /China/Dev/DeploymentS3Bucket |
<Artifact Bucket Name in China Region> |
| /US/Dev/CodeBuildRole |
<Role ARN of CodeBuild Service Role> |
| /US/Dev/CodePipelineRole |
<Role ARN of Codepipeline Service Role> |
| /US/Dev/CloudformationRole |
<Role ARN of Cloudformation Service Role> |
| /US/Dev/DeploymentS3Bucket |
<Artifact Bucket Name in Pipeline Region> |
| /US/Dev/CodeBuildImage |
<Code Build Image Details> |
| /US/Stage/CrossAccountStageRole |
<Role ARN for Cross Account Service Role for Stage> |
| /US/Prod/CrossAccountStageRole |
<Role ARN for Cross Account Service Role for Prod> |
- In CodeCommit, push the Lambda code and CloudFormation template for deploying Lambda resources (Lambda function, Lambda role, Lambda log group, and so forth).
- In CodeCommit, push two
buildspec yml files, one for us-east-1, and one for cn-north-1.
- buildspec.yml: For us-east-1
# Buildspec Reference Doc: https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
version: 0.2
phases:
install:
runtime-versions:
python: 3.7
pre_build:
commands:
- echo "[+] Updating PIP...."
- pip install --upgrade pip
- echo "[+] Installing dependencies...."
#- Commands To Install required dependencies
- yum install zip unzip -y -q
- pip install awscli --upgrade
build:
commands:
- echo "Starting build `date` in `pwd`"
- echo "Starting SAM packaging `date` in `pwd`"
- aws cloudformation package --template-file cloudformation_template.yaml --s3-bucket ${S3_BUCKET} --output-template-file transform-packaged.yaml
# Additional package commands for cross-region deployments
- echo "SAM packaging completed on `date`"
- echo "Build completed `date` in `pwd`"
artifacts:
type: zip
files:
- transform-packaged.yaml
# - additional artifacts for cross-region deployments
discard-paths: yes
cache:
paths:
- '/root/.cache/pip'
-
- buildspec-china.yml: For cn-north-1
buildspec-china.yml will be customized for performing build and deployment both. Refer to the following for details.
# Buildspec Reference Doc: https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html
version: 0.2
phases:
install:
runtime-versions:
python: 3.7
pre_build:
commands:
- echo "[+] Updating PIP...."
- pip install --upgrade pip
- echo "[+] Installing dependencies...."
#- Commands To Install required dependencies
- yum install zip unzip -y -q
- pip install awscli --upgrade
# Setting China Region IAM User Profile
- echo "Start setting User Profile `date` in `pwd`"
- USER_ACCESS_KEY=`aws ssm get-parameter --name ${USER_ACCESS_KEY_SSM} --with-decryption --query Parameter.Value --output text`
- USER_SECRET_KEY=`aws ssm get-parameter --name ${USER_SECRET_KEY_SSM} --with-decryption --query Parameter.Value --output text`
- aws configure --profile china set aws_access_key_id ${USER_ACCESS_KEY}
- aws configure --profile china set aws_secret_access_key ${USER_SECRET_KEY}
- echo "Setting User Profile Completed `date` in `pwd`"
build:
commands:
# Creating Deployment Package
- echo "Start build/packaging `date` in `pwd`"
- S3_BUCKET=`aws ssm get-parameter --name ${S3_BUCKET_SSM} --query Parameter.Value --output text`
- zip -q -r package.zip *
- >
bash -c '
aws cloudformation package
--template-file cloudformation_template_china.yaml
--s3-bucket ${S3_BUCKET}
--output-template-file transformed-template-china.yaml
--profile china
--region cn-north-1'
- echo "Completed build/packaging `date` in `pwd`"
post_build:
commands:
# Deploying
- echo "Start deployment `date` in `pwd`"
- >
bash -c '
aws cloudformation deploy
--capabilities CAPABILITY_NAMED_IAM
--template-file transformed-template-china.yaml
--stack-name ${ProjectName}-app-stack-dev
--profile china
--region cn-north-1'
- echo "Completed deployment `date` in `pwd`"
artifacts:
type: zip
files:
- package.zip
- transformed-template-china.yaml
Environment Variables: USER_ACCESS_KEY_SSM, USER_SECRET_KEY_SSM and S3_BUCKET_SSM
After creating and committing the previous files, your CodeCommit repository will look like the following.
Now that we have a CodeCommit repository, next we will create a CodePipeline for Lambda with the following stages:
- Source – Use the previously created CodeCommit repository (CodeRepository-US-East-1) as the source.
- Build – The CodeBuild project uses buildspec.yml by default, and takes output of Source stage as input and builds artifacts for us-east-1.
- Deploy
- Code-Deploy Project for deploying to us-east-1
This takes output of the previous CodeBuild stage as input and performs deployment in two steps: create-changeset and execute-changeset (assuming the required role attached to the Code-Deploy for deployment).
- CodeBuild Project for deploying to cn-north-1
This takes output of Source stage as input and performs build and deployment both to cn-north-1 using buildspec-china.yml. Also, it uses China IAM user credentials and bucket SSM parameters from environment variables.CodeBuild project details are outlined in the following image.
- Optional – Add further steps like manual approval, deployment to higher environment, and so forth, as required.
Congratulations! you have just created a CodePipeline with Lambda deployed in both a non-China Region and a China Region. Your CodePipeline should appear similar to the following.
Figure 3. CodePipeline implementation for both Regions
Note: Actual CodePipeline view will be vertical only where all environment deployment will be one after the other. For the purpose of this example, we have placed them side-by-side to more easily showcase multiple environments.
CodePipeline Implementation Steps
We have created this pipeline with the following high-level steps, and you can add or remove steps as needed.
Step 1. After you commit the source code, CodePipeline will launch in the non-China Region and fetch the source code.
Step 2. Build the package using using buildspec.yml.
Step 3. Deploy the application in both Regions by following the subsection steps for development environment.
-
- Create the changeset for the development environment.
- Implement the changeset for the development environment.
Step 4. Repeat step 3, but deploy the application in the staging environment.
Step 5. Wait for approval from your administrator or application owner before deploying application in production environment.
Step 6. Repeat steps 3 and 4 to deploy the application in the production environment.
Cleaning up
To avoid incurring future charges, clean up the resources created as part of this blog post.
- Delete the CloudFormation stack created in the non-China Region.
- Delete the SSM parameter created to store the access key.
- Delete the access created in the China Region.
Conclusion
In this blog post, we have explored the question: how can you use AWS services to implement CI/CD in a China Region and keep them in sync with an AWS Region? Although we are using us-east-1 as an example here, this solution will work for any Region where CodePipeline services are available, including the China Region.
The question has been answered by dividing it into three problem statements as follows.
Problem 1: CodePipeline is not available in the China Regions.
Solution: Set up CodePipeline in a non-China Region and deploy to a China Region.
Problem 2: AWS cross-account roles are not possible between a non-China Region and the China Regions.
Solution: Use the power and flexibility of CodeBuild to build your application and also deploy your application using the AWS CLI.
Problem 3: Keep a non-China Region and the China Regions in sync.
Solution: Maintain all code and managing deployments from a common deployment AWS account.
Reference:
AWS CodeCommit | Managed Source Control Service
AWS CodePipeline | Continuous Integration and Continuous Delivery
AWS CodeBuild – Fully Managed Build Service
![[Security Nation] Jill Fraser and Deborah Blyth on Securing Colorado](https://blog.rapid7.com/content/images/2021/09/security_nation_logo--1-.jpg){kind=logo}
![[Security Nation] Jill Fraser and Deborah Blyth on Securing Colorado](https://blog.rapid7.com/content/images/2021/09/Jill-Fraser---HeadShot.gif)
![[Security Nation] Jill Fraser and Deborah Blyth on Securing Colorado](https://blog.rapid7.com/content/images/2021/09/Deborah-Blyth-HeadShot.png)
.
.
