CI/CD Flashcards
What is Continuous Integration?
- Developers push the code to a repository
- A testing/build server checks the code as soon as it’s pushed
- The developer gets feedback about the tests and checks that have passed/failed
What is Continuous Delivery?
- Ensures that the software can be released reliably whenever needed
- Ensures that deployments are automated, happen often and are quick
How many repositories are you allowed to have in CodeCommit?
No size limit on repositories (scale seamlessly)
How can you authenticate in CodeCommit?
o SSH keys: AWS users can upload SSH public keys in their IAM console
o HTTPS: done through the AWS CLI authentication helper or by generating HTTPS credentials (user name and password)
How can you add extra safety to CodeCommit?
Enabling MFA
How does authorization work in CodeCommit?
IAM policies manage the rights of users / roles to repositories
How does encryption work in CodeCommit?
o Repositories are automatically encrypted at rest using KMS
o Encrypted in transit (can only use HTTPS or SSH – both secure)
How can you grant Cross Account access in CodeCommit?
o Do not share your SSH keys
o Do not share your AWS credentials
o Use an IAM role in your AWS account and AWS STS (with the AssumeRole API)
What can you use to trigger notifications in CodeCommit?
• You can trigger notifications in CodeCommit using
o SNS
o Lambda
o CloudWatch Event Rules
What are the use cases for SNS / Lambda notifications in CodeCommit?
• Use cases for SNS / AWS Lambda notifications:
o Deletion of branches
o Trigger for pushes that happen in the master branch
o Notify an external build system
o Trigger an AWS Lambda function to perform codebase analysis (maybe credentials got committed in the code?)
What are the use cases for CloudWatch Event Rules in CodeCommit?
• Use cases for CloudWatch Event Rules notifications:
o Trigger for pull request updates (created / updated / deleted / commented)
o Commit comment events
o CloudWatch Event Rules go into an SNS topic
How many files can you upload directly from the console to your CodeCommit repository?
You can’t upload more than 1 file directly from the AWS console to your repository.
What is CodePipeline made of?
Made of stages
What is a CodePipeline stage composed of?
Each stage might have multiple action groups
What are the CodePipeline stages?
There are some pre-defined stages like Source / Build / Deploy. You can create your own stages
How are CodePipeline stage action groups organized?
Action groups are sequential and contain actions
What does a CodePipeline stage action contain?
The name of the action and the action provider
What are the CodePipeline stage action providers?
o Source action integrations
o Build action integrations
o Test action integrations
o Deploy action integrations
o A manual approval
o Invoke a Lambda function
What can a pipeline stage create?
Each pipeline stage can create "artifacts"
How does CodePipeline manage the stage artifacts?
Artifacts are stored in Amazon S3 before they are passed on to the next stage
What can you do to troubleshoot failed pipelines?
Create CloudWatch Events, which can in turn create SNS notifications
If the pipeline can't perform an action, what should you do?
If the pipeline can't perform an action, make sure the "IAM Service Role" attached has enough permissions (IAM policy)
What is the AWS alternative to Jenkins?
CodeBuild
What do you pay for in CodeBuild?
Pay for usage: the time it takes to complete the builds
What does CodeBuild leverage?
Leverages Docker under the hood for reproducible builds
Where are build instructions defined in CodeBuild?
Build instructions can be defined in code (buildspec.yml)
What ability can you leverage to troubleshoot CodeBuild in case of errors?
The ability to reproduce CodeBuild locally
What can CodeBuild use to increase performance?
It can optionally use an S3 bucket to cache some artifacts to increase performance
Where can you store CodeBuild logs?
S3, CloudWatch
What do you need to define in your code to use CodeBuild?
A buildspec.yml file must be at the root of your code
What can you define in your buildspec.yml file?
- Environment variables
- Phases (specify commands to run)
- Artifacts
- Cache
How can you define the environment variables in your buildspec.yml file?
o Plaintext variables
o Secure secrets: use SSM Parameter Store
What phases can you define in your buildspec.yml file?
- Install: install dependencies you may need for your build
- Pre-build: final commands to execute before the build
- Build: actual build commands
- Post-build: finishing touches (zip the output, for example)
What can you define in the section Artifacts in your buildspec.yml file?
What to upload to S3 (encrypted with KMS)
What can you define in the section Cache in your buildspec.yml file?
Files to cache (usually dependencies) to S3 for future build speedup
What do you need to install to run CodeBuild locally?
Docker
What are the range and default timeout values of CodeBuild?
5 min (minimum) < 1 hour (default) < 8 hours (maximum)
What are the range and default queued timeout values of CodeBuild?
5 min (minimum) < 8 hours (default) < 8 hours (maximum)
How can CodeBuild access the resources in the VPC?
• By default, your CodeBuild containers are launched outside your VPC
• Therefore, by default they cannot access resources in a VPC
• You can specify a VPC configuration:
o VPC ID
o Subnet IDs
o Security Group IDs
• Then your build can access resources in your VPC (RDS, ElastiCache, EC2, ALB…)
• Use cases: integration tests, data query, internal load balancers
What option do you have for not storing secrets as plaintext in environment variables in CodeBuild?
Environment variables can reference Parameter Store parameters or Secrets Manager secrets
What is the AWS alternative to Ansible, Terraform, Chef, Puppet?
CodeDeploy
What resources are provisioned by CodeDeploy?
CodeDeploy does not provision resources, so you must create your EC2 instances, IAM roles, etc. yourself
What must be running the CodeDeploy Agent?
Each EC2 Machine (or On-Premise machine) must be running the CodeDeploy Agent
What are the tasks of the CodeDeploy Agent?
- The agent is continuously polling AWS CodeDeploy for work to do
- The CodeDeploy Agent reports the success / failure of the deployment on the instance
What are the CodeDeploy primary components?
- IAM instance profile/role
- Service role
- Application: unique name
- Compute platform
- Deployment group
- Deployment type
- Environment configuration
- Deployment configuration
- Application Revision
- Target revision
What must you create before configuring CodeDeploy components?
You must create two IAM roles:
• IAM instance profile/role
• Service role
What is the IAM instance profile/role used for in CodeDeploy?
It gives EC2 the permissions to pull from S3 / GitHub
What is the Service Role used for in CodeDeploy?
Role for CodeDeploy to perform what it needs
What are the CodeDeploy compute platforms?
o EC2/On-Premise
o Lambda
o ECS
What is a CodeDeploy Deployment group?
A set of EC2 instances where you are going to deploy. You must first tag your EC2 instances, something like environment -> dev; you can use whatever tags you want.
What are the CodeDeploy deployment types?
o In-place deployment
o Blue/green deployment (does not work with On-prem instances)
What are the CodeDeploy environment configuration options?
Any combination of:
o ASGs
o EC2 instances
o On-prem instances
What is defined by the CodeDeploy deployment configuration?
How fast the app will be deployed, and the deployment rules for success / failure
o EC2/On-Premise: you can specify the minimum number of healthy instances for the deployment.
o AWS Lambda: specify how traffic is routed to your updated Lambda function versions.
What are the CodeDeploy deployment configuration options?
- One at a time: one instance at a time, one instance fails => deployment stops
- Half at a time: 50%
- All at once: quick, but no healthy hosts remain during the deployment (downtime). Good for dev
- Custom
What is the composition of appspec.yml?
- Files section: how to source and copy files from S3 / GitHub to the filesystem
- Hooks: set of instructions to run to deploy the new version (hooks can have timeouts).
What is the order of CodeDeploy hooks?
o ApplicationStop
o DownloadBundle
o BeforeInstall
o Install
o AfterInstall
o ApplicationStart
o ValidateService: really important
o BeforeAllowTraffic
o AllowTraffic
o AfterAllowTraffic
How does the CodeDeploy Blue/Green deployment type work?
A new ASG with the new version is created, similar to the existing ASG with the existing version; it must be using an ELB
Where does CodeDeploy try to deploy first?
New deployments will first be deployed to “failed state” instances
When can you trigger automated rollbacks in CodeDeploy?
- when a deployment fails
- when alarm thresholds are met
Can you disable CodeDeploy automated rollbacks?
You can disable rollbacks by specifying to not perform rollbacks for a specific deployment
What is deployed by CodeDeploy when a rollback happens?
If a rollback happens, CodeDeploy redeploys the last known good revision as a new deployment, therefore with a new version ID.
What is CodeStar?
CodeStar is an integrated solution that brings together: GitHub, CodeCommit, CodeBuild, CodeDeploy, CloudFormation, CodePipeline, CloudWatch
How much do you pay for using CodeStar?
Free service, pay only for the underlying usage of other services
What can CodeStar be integrated with?
- Issue tracking integration with JIRA / GitHub Issues
- Ability to integrate with Cloud9 to obtain a web IDE (not all regions)