Multi-branch pipeline management and infrastructure deployment using AWS CDK Pipelines

January 26, 2023 By Mark Otto Off

This post describes how to use the AWS CDK Pipelines module to follow a Gitflow development model using AWS Cloud Development Kit (AWS CDK). Software development teams often follow a strict branching strategy during a solutions development lifecycle. Newly-created branches commonly need their own isolated copy of infrastructure resources to develop new features.

CDK Pipelines is a construct library module for continuous delivery of AWS CDK applications. CDK Pipelines are self-updating: if you add application stages or stacks, then the pipeline automatically reconfigures itself to deploy those new stages and/or stacks.

The following solution creates a new AWS CDK Pipeline within a development account for every new branch created in the source repository (AWS CodeCommit). When a branch is deleted, the pipeline and all related resources are also destroyed from the account. This GitFlow model for infrastructure provisioning allows developers to work independently from each other, concurrently, even in the same stack of the application.

Solution overview

The following diagram provides an overview of the solution. There is one default pipeline responsible for deploying resources to the different application environments (e.g., Development, Pre-Prod, and Prod). The code is stored in CodeCommit. When new changes are pushed to the default CodeCommit repository branch, AWS CodePipeline runs the default pipeline. When the default pipeline is deployed, it creates two AWS Lambda functions.

These two Lambda functions are invoked by CodeCommit CloudWatch events when a new branch in the repository is created or deleted. The Create Lambda function uses the boto3 CodeBuild module to create an AWS CodeBuild project that builds the pipeline for the feature branch. This feature pipeline consists of a build stage and an optional update pipeline stage for itself. The Destroy Lambda function creates another CodeBuild project which cleans all of the feature branch’s resources and the feature pipeline.

Figure 1. Architecture diagram.

Figure 1. Architecture diagram.

Prerequisites

Before beginning this walkthrough, you should have the following prerequisites:

  • An AWS account
  • AWS CDK installed
  • Python3 installed
  • Jq (JSON processor) installed
  • Basic understanding of continuous integration/continuous development (CI/CD) Pipelines

Initial setup

Download the repository from GitHub:

# Command to clone the repository
git clone https://github.com/aws-samples/multi-branch-cdk-pipelines.git
cd multi-branch-cdk-pipelines

Create a new CodeCommit repository in the AWS Account and region where you want to deploy the pipeline and upload the source code from above to this repository. In the config.ini file, change the repository_name and region variables accordingly.

Make sure that you set up a fresh Python environment. Install the dependencies:

pip install -r requirements.txt

Run the initial-deploy.sh script to bootstrap the development and production environments and to deploy the default pipeline. You’ll be asked to provide the following parameters: (1) Development account ID, (2) Development account AWS profile name, (3) Production account ID, and (4) Production account AWS profile name.

sh ./initial-deploy.sh --dev_account_id <YOUR DEV ACCOUNT ID> --
dev_profile_name <YOUR DEV PROFILE NAME> --prod_account_id <YOUR PRODUCTION
ACCOUNT ID> --prod_profile_name <YOUR PRODUCTION PROFILE NAME>

Default pipeline

In the CI/CD pipeline, we set up an if condition to deploy the default branch resources only if the current branch is the default one. The default branch is retrieved programmatically from the CodeCommit repository. We deploy an Amazon Simple Storage Service (Amazon S3) Bucket and two Lambda functions. The bucket is responsible for storing the feature branches’ CodeBuild artifacts. The first Lambda function is triggered when a new branch is created in CodeCommit. The second one is triggered when a branch is deleted.

if branch == default_branch: ... # Artifact bucket for feature AWS CodeBuild projects artifact_bucket = Bucket( self, 'BranchArtifacts', encryption=BucketEncryption.KMS_MANAGED, removal_policy=RemovalPolicy.DESTROY, auto_delete_objects=True )
... # AWS Lambda function triggered upon branch creation create_branch_func = aws_lambda.Function( self, 'LambdaTriggerCreateBranch', runtime=aws_lambda.Runtime.PYTHON_3_8, function_name='LambdaTriggerCreateBranch', handler='create_branch.handler', code=aws_lambda.Code.from_asset(path.join(this_dir, 'code')), environment={ "ACCOUNT_ID": dev_account_id, "CODE_BUILD_ROLE_ARN": iam_stack.code_build_role.role_arn, "ARTIFACT_BUCKET": artifact_bucket.bucket_name, "CODEBUILD_NAME_PREFIX": codebuild_prefix }, role=iam_stack.create_branch_role) # AWS Lambda function triggered upon branch deletion destroy_branch_func = aws_lambda.Function( self, 'LambdaTriggerDestroyBranch', runtime=aws_lambda.Runtime.PYTHON_3_8, function_name='LambdaTriggerDestroyBranch', handler='destroy_branch.handler', role=iam_stack.delete_branch_role, environment={ "ACCOUNT_ID": dev_account_id, "CODE_BUILD_ROLE_ARN": iam_stack.code_build_role.role_arn, "ARTIFACT_BUCKET": artifact_bucket.bucket_name, "CODEBUILD_NAME_PREFIX": codebuild_prefix, "DEV_STAGE_NAME": f'{dev_stage_name}-{dev_stage.main_stack_name}' }, code=aws_lambda.Code.from_asset(path.join(this_dir, 'code')))

Then, the CodeCommit repository is configured to trigger these Lambda functions based on two events:

(1) Reference created

# Configure AWS CodeCommit to trigger the Lambda function when a new branch is created
repo.on_reference_created( 'BranchCreateTrigger', description="AWS CodeCommit reference created event.", target=aws_events_targets.LambdaFunction(create_branch_func))

(2) Reference deleted

# Configure AWS CodeCommit to trigger the Lambda function when a branch is deleted
repo.on_reference_deleted( 'BranchDeleteTrigger', description="AWS CodeCommit reference deleted event.", target=aws_events_targets.LambdaFunction(destroy_branch_func))

Lambda functions

The two Lambda functions build and destroy application environments mapped to each feature branch. An Amazon CloudWatch event triggers the LambdaTriggerCreateBranch function whenever a new branch is created. The CodeBuild client from boto3 creates the build phase and deploys the feature pipeline.

Create function

The create function deploys a feature pipeline which consists of a build stage and an optional update pipeline stage for itself. The pipeline downloads the feature branch code from the CodeCommit repository, initiates the Build and Test action using CodeBuild, and securely saves the built artifact on the S3 bucket.

The Lambda function handler code is as follows:

def handler(event, context): """Lambda function handler""" logger.info(event) reference_type = event['detail']['referenceType'] try: if reference_type == 'branch': branch = event['detail']['referenceName'] repo_name = event['detail']['repositoryName'] client.create_project( name=f'{codebuild_name_prefix}-{branch}-create', description="Build project to deploy branch pipeline", source={ 'type': 'CODECOMMIT', 'location': f'https://git-codecommit.{region}.amazonaws.com/v1/repos/{repo_name}', 'buildspec': generate_build_spec(branch) }, sourceVersion=f'refs/heads/{branch}', artifacts={ 'type': 'S3', 'location': artifact_bucket_name, 'path': f'{branch}', 'packaging': 'NONE', 'artifactIdentifier': 'BranchBuildArtifact' }, environment={ 'type': 'LINUX_CONTAINER', 'image': 'aws/codebuild/standard:4.0', 'computeType': 'BUILD_GENERAL1_SMALL' }, serviceRole=role_arn ) client.start_build( projectName=f'CodeBuild-{branch}-create' ) except Exception as e: logger.error(e)

Create branch CodeBuild project’s buildspec.yaml content:

version: 0.2
env: variables: BRANCH: {branch} DEV_ACCOUNT_ID: {account_id} PROD_ACCOUNT_ID: {account_id} REGION: {region}
phases: pre_build: commands: - npm install -g aws-cdk && pip install -r requirements.txt build: commands: - cdk synth - cdk deploy --require-approval=never
artifacts: files: - '**/*'

Destroy function

The second Lambda function is responsible for the destruction of a feature branch’s resources. Upon the deletion of a feature branch, an Amazon CloudWatch event triggers this Lambda function. The function creates a CodeBuild Project which destroys the feature pipeline and all of the associated resources created by that pipeline. The source property of the CodeBuild Project is the feature branch’s source code saved as an artifact in Amazon S3.

The Lambda function handler code is as follows:

def handler(event, context): logger.info(event) reference_type = event['detail']['referenceType'] try: if reference_type == 'branch': branch = event['detail']['referenceName'] client.create_project( name=f'{codebuild_name_prefix}-{branch}-destroy', description="Build project to destroy branch resources", source={ 'type': 'S3', 'location': f'{artifact_bucket_name}/{branch}/CodeBuild-{branch}-create/', 'buildspec': generate_build_spec(branch) }, artifacts={ 'type': 'NO_ARTIFACTS' }, environment={ 'type': 'LINUX_CONTAINER', 'image': 'aws/codebuild/standard:4.0', 'computeType': 'BUILD_GENERAL1_SMALL' }, serviceRole=role_arn ) client.start_build( projectName=f'CodeBuild-{branch}-destroy' ) client.delete_project( name=f'CodeBuild-{branch}-destroy' ) client.delete_project( name=f'CodeBuild-{branch}-create' ) except Exception as e: logger.error(e)

Destroy the branch CodeBuild project’s buildspec.yaml content:

version: 0.2
env: variables: BRANCH: {branch} DEV_ACCOUNT_ID: {account_id} PROD_ACCOUNT_ID: {account_id} REGION: {region}
phases: pre_build: commands: - npm install -g aws-cdk && pip install -r requirements.txt build: commands: - cdk destroy cdk-pipelines-multi-branch-{branch} --force - aws cloudformation delete-stack --stack-name {dev_stage_name}-{branch} - aws s3 rm s3://{artifact_bucket_name}/{branch} --recursive

Create a feature branch

On your machine’s local copy of the repository, create a new feature branch using the following git commands. Replace user-feature-123 with a unique name for your feature branch. Note that this feature branch name must comply with the CodePipeline naming restrictions, as it will be used to name a unique pipeline later in this walkthrough.

# Create the feature branch
git checkout -b user-feature-123
git push origin user-feature-123

The first Lambda function will deploy the CodeBuild project, which then deploys the feature pipeline. This can take a few minutes. You can log in to the AWS Console and see the CodeBuild project running under CodeBuild.

Figure 2. AWS Console - CodeBuild projects.

Figure 2. AWS Console – CodeBuild projects.

After the build is successfully finished, you can see the deployed feature pipeline under CodePipelines.

Figure 3. AWS Console - CodePipeline pipelines.

Figure 3. AWS Console – CodePipeline pipelines.

The Lambda S3 trigger project from AWS CDK Samples is used as the infrastructure resources to demonstrate this solution. The content is placed inside the src directory and is deployed by the pipeline. When visiting the Lambda console page, you can see two functions: one by the default pipeline and one by our feature pipeline.

Figure 4. AWS Console - Lambda functions.

Figure 4. AWS Console – Lambda functions.

Destroy a feature branch

There are two common ways for removing feature branches. The first one is related to a pull request, also known as a “PR”. This occurs when merging a feature branch back into the default branch. Once it’s merged, the feature branch will be automatically closed. The second way is to delete the feature branch explicitly by running the following git commands:

# delete branch local
git branch -d user-feature-123 # delete branch remote
git push origin --delete user-feature-123

The CodeBuild project responsible for destroying the feature resources is now triggered. You can see the project’s logs while the resources are being destroyed in CodeBuild, under Build history.

Figure 5. AWS Console - CodeBuild projects.

Figure 5. AWS Console – CodeBuild projects.

Cleaning up

To avoid incurring future charges, log into the AWS console of the different accounts you used, go to the AWS CloudFormation console of the Region(s) where you chose to deploy, and select and click Delete on the main and branch stacks.

Conclusion

This post showed how you can work with an event-driven strategy and AWS CDK to implement a multi-branch pipeline flow using AWS CDK Pipelines. The described solutions leverage Lambda and CodeBuild to provide a dynamic orchestration of resources for multiple branches and pipelines.
For more information on CDK Pipelines and all the ways it can be used, see the CDK Pipelines reference documentation.

About the authors:

Iris Kraja

Iris is a Cloud Application Architect at AWS Professional Services based in New York City. She is passionate about helping customers design and build modern AWS cloud native solutions, with a keen interest in serverless technology, event-driven architectures and DevOps.  Outside of work, she enjoys hiking and spending as much time as possible in nature.

Jan Bauer

Jan is a Cloud Application Architect at AWS Professional Services. His interests are serverless computing, machine learning, and everything that involves cloud computing.

Rolando Santamaria Maso

Rolando is a senior cloud application development consultant at AWS Professional Services, based in Germany. He helps customers migrate and modernize workloads in the AWS Cloud, with a special focus on modern application architectures and development best practices, but he also creates IaC using AWS CDK. Outside work, he maintains open-source projects and enjoys spending time with family and friends.

Caroline Gluck

Caroline is an AWS Cloud application architect based in New York City, where she helps customers design and build cloud native data science applications. Caroline is a builder at heart, with a passion for serverless architecture and machine learning. In her spare time, she enjoys traveling, cooking, and spending time with family and friends.