Infrastructure as Code & Deployment: CI-CD Basics

In the AWS Certified Solutions Architect – Associate (SAA-C03) exam, CI/CD (Continuous Integration and Continuous Delivery/Deployment) represents the “automation” pillar of operational excellence. It focuses on how code moves from a developer’s machine to a production environment with minimal manual intervention, high consistency, and rapid feedback loops.

The “Fast-Food Kitchen” Analogy

Imagine a modern fast-food kitchen. Continuous Integration is the prep station where ingredients are chopped and checked for freshness as they arrive (CodeCommit & CodeBuild). Continuous Delivery is the assembly line where burgers are built and placed under a heat lamp, ready for a manager to approve the final tray (CodePipeline with Manual Approval). Continuous Deployment is the fully automated system where the burger is delivered directly to the customer’s table the moment it’s ready (Full Automation).

Core AWS CI/CD Services

1. AWS CodeCommit

A managed source control service that hosts private Git repositories. For the exam, remember that it is highly scalable, encrypted at rest via KMS, and integrates directly with IAM for permissions. Unlike GitHub, you don’t manage the underlying infrastructure.

2. AWS CodeBuild

A fully managed build service that compiles source code, runs tests, and produces software packages.

  • Scaling: It scales automatically; you don’t manage build servers.
  • Configuration: Uses a buildspec.yml file located in the root of your source code.
  • Security: Can run inside a VPC to access private resources (like an RDS database for integration tests).

3. AWS CodeDeploy

Automates code deployments to compute targets including EC2 instances, Lambda functions, and ECS services.

  • Configuration: Uses an appspec.yml file to define how the deployment should behave.
  • Strategies: Supports In-place and Blue/Green deployments.

4. AWS CodePipeline

The orchestrator. It links the other services together into a workflow. It can trigger a build when code is pushed to CodeCommit and then trigger a deployment when the build succeeds.

Deployment Strategy Comparison

Strategy     Downtime      Rollback Speed                  Cost
In-Place     Yes (brief)   Slow (re-deploy old version)    Low
Blue/Green   Zero          Fast (switch traffic back)      High (double resources)
Canary       Zero          Fast (stop traffic shift)       Medium

Decision Matrix: If-Then Guide

  • If you need to run tests in a clean environment for every commit then use AWS CodeBuild.
  • If you need to deploy to Lambda with a gradual traffic shift (10% every 10 mins) then use CodeDeploy Canary.
  • If you need to ensure a human reviews the code before production then add a Manual Approval Stage in CodePipeline.
  • If you need to store secrets for your build (like API keys) then use Secrets Manager or Parameter Store and reference them in the buildspec.yml.
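As an added example (not from the original guide), the buildspec.yml below shows the secrets pattern from the last point: CodeBuild pulls a database host from Parameter Store and a database password and API key from Secrets Manager at build time instead of carrying them in the file. The parameter path, secret names, and test command are constructed for illustration.

```yaml
version: 0.2

env:
  variables:
    APP_ENV: "staging"
    # Anti-pattern (do not do this): a secret committed to the repo is
    # visible to everyone with read access and to anyone who later
    # reads the build logs or artifact bundle.
    # API_KEY: "sk_live_hardcoded_value"
  parameter-store:
    # Resolved from SSM Parameter Store (constructed path). The CodeBuild
    # service role needs ssm:GetParameters on this parameter.
    DB_HOST: "/retail-app/staging/db_host"
  secrets-manager:
    # Format is secret-id:json-key[:version-stage[:version-id]].
    # The service role needs secretsmanager:GetSecretValue (and
    # kms:Decrypt if the secret uses a customer managed KMS key).
    DB_PASSWORD: "retail-app/staging/db:password"
    API_KEY: "retail-app/staging/third-party-api-key"

phases:
  install:
    runtime-versions:
      python: 3.12
  pre_build:
    commands:
      - pip install -r requirements.txt
  build:
    commands:
      # Integration tests read DB_HOST / DB_PASSWORD / API_KEY from the
      # environment; nothing here echoes them, so they stay out of
      # CloudWatch Logs.
      - python -m pytest tests/ --junitxml=reports/junit.xml
  post_build:
    commands:
      - echo "Build finished for $APP_ENV at $(date -u +%FT%TZ)"

reports:
  unit-tests:
    files:
      - reports/junit.xml
    file-format: JUNITXML

artifacts:
  base-directory: dist
  files:
    - '**/*'
```

Resolving secrets this way also means rotating a secret in Secrets Manager takes effect on the next build with no change to the repository.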

Exam Tips and Gotchas

  • AppSpec vs. BuildSpec: This is a classic trap. buildspec.yml is for CodeBuild (compiling). appspec.yml is for CodeDeploy (deploying).
  • Rollbacks: CodeDeploy can automatically roll back to the last known good version if a deployment fails or a CloudWatch Alarm is triggered.
  • Cross-Account: CodePipeline can manage deployments across different AWS accounts, but you must use S3 bucket policies and IAM roles to grant access to the artifacts.
  • Lambda Deployments: CodeDeploy handles Lambda traffic shifting (Linear or Canary) using Lambda Aliases.

Topics Covered

Summary of key subtopics in this guide:

  • CI/CD Core Concepts (Integration vs. Delivery vs. Deployment)
  • AWS CodeCommit (Secure Git hosting)
  • AWS CodeBuild (Serverless build environments & buildspec.yml)
  • AWS CodeDeploy (Deployment patterns: In-place, Blue/Green, Canary)
  • AWS CodePipeline (Workflow orchestration & Manual approvals)
  • Security & Compliance (IAM roles, KMS encryption, VPC integration)

AWS CI/CD Pipeline Architecture

Source (CodeCommit) -> Build (CodeBuild) -> Deploy (CodeDeploy) -> Target (EC2 / Lambda / ECS)

Security: IAM & Encryption

CodeCommit uses KMS for encryption at rest. All services require IAM Roles to interact (e.g., CodePipeline needs permission to trigger CodeBuild).

Scaling & Performance

CodeBuild is serverless and scales horizontally to handle multiple concurrent builds. No more waiting in a queue for a single build server!

Cost Optimization

Pay-as-you-go. CodeBuild charges per build minute. CodePipeline charges per active pipeline ($1/month, free for first 30 days).

Production Use Case: A retail company uses CodePipeline to automate deployments. They use Blue/Green deployments on EC2 to ensure that if the new version of their website has a bug, they can switch traffic back to the “Blue” environment instantly via Route 53 or an ALB.
