DEV Community

Cover image for Say Goodbye to Extra CodeBuild Projects: AWS CodePipeline’s New Commands Action Explained
AWS Community Builders profile image Jatin Mehrotra
Jatin Mehrotra for AWS Community Builders

Posted on

Say Goodbye to Extra CodeBuild Projects: AWS CodePipeline’s New Commands Action Explained

#codebuild #codepipeline #aws #cicd

Until Now, if you wanted to run AWS CLI commands, third-party CLI commands, or simply invoke an API, you had to create a CodeBuild project, configure the project with the appropriate commands, and add a CodeBuild action to your pipeline to run the project.

Clearly Users had to deal with 2 components CodePipeline and CodeBuild and of course learn the internals for both in order to use the.

This blog explains about CodePipeline's Command Action, a new update to Codepipeline, which enables you to easily run shell commands as part of your pipeline execution.

With the Commands action, you can run AWS CLI, third-party tools, or any shell commands.

In the end we will also discuss do we really don't need codeBuild or where could be the situations we can use codeBuild where command action would not suffice.

Motivation

Prerequisites

  • Basic working of CodePipeline, CodeBuild (as this blog will majorly focus only on the update)
  • Radical knowledge of Terraform
  • Understanding of core AWS and its operations

Understanding CodePipeline Command Action

  • In the most basic essence allows you to run shell commands in a virtual compute instance.
  • When it runs, the commands you set up are executed in their seperate container.
  • Any files or data needed from earlier steps (input artifacts) in the pipeline are available for use in this environment. The best part is you don’t need to set up a separate CodeBuild project to use it.

What happens behind the scenes of Command Action

  • CODEBUILD is STILL BEING USED !!!

Its just that whole process of creating codeBuild project first and then adding as action to CodePipeline has been abstracted by this action.

  • Since it relies on CodeBuild resources, any builds triggered by the Commands action will count toward your CodeBuild account's build limits, including timeout of build which is 55 minutes and the number of concurrent builds allowed.
  • Note: The Commands action runs CodeBuild managed on-demand EC2 compute, and uses an Amazon Linux 2023 standard 5.0 image.

Some caveats for Command action:

  • All command formats are supported except multi-line formats.

  • The commands action is not supported for cross-account or cross-Region actions.

  • When CodePipeline runs the action, CodePipeline creates a log group using the name of the pipeline hence The command action needs the following permission :



logs:CreateLogGroup
logs:CreateLogStream
logs:PutLogEvents
Enter fullscreen mode Exit fullscreen mode
  • Because the isolated build environment is used at the account level, an instance might be reused for another pipeline execution.

Let's see how Command Action works !!!

  • We will be creating a simple CD pipeline which creates terraform resources in our AWS account
  • The basic premise of this pipeline is exactly same my previous blog.


Upload terraform zip to s3 -> CodePipeline is triggered -> Comman action runs terraform apply
Enter fullscreen mode Exit fullscreen mode

Step 1: Create S3 bucket for storing terraform backend and source

  • Create versioned s3 bucket to store our terraform zip ( source artifact)
  • Uploading to this bucket will trigger pipeline
  • Create another versioned s3 bucket to store terraform backend for its state.

s3 bucket

tf backend bucket

Step 2: Create Pipeline

  • To keep this blog simple I am keeping everything default.
  • Note I am using new service role as per docs it has the permissions for command action. If you are using existing role you need to add the permissions manually which I mentioned earlier.

Creating codepipline

Step 3: Choose Source stage

  • Choose the S3 bucket used in step 1
  • Note the name of S3 Object key: tf.zip.
  • of course you can choose any name

source stage

Step 4: Add build stage / add commands

  • This is the most important step of our pipeline. The jist of this blog.
  • Here in this following command I am doing 3 things 


sudo dnf install -y yum-utils shadow-utils
sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
sudo dnf -y install terraform
terraform --version
terraform init -no-color -input=false
terraform apply -auto-approve -no-color -input=false
aws s3 ls
Enter fullscreen mode Exit fullscreen mode

Note: Don't add a white space between command other you will see an error for length constraint

Build stage

Step 5: Skip deploy and Review

  • In the final stage skip deploy stage and review.

review pipeline

_Voila, you just created a CD pipeline without even Knowing or involving Codebuild ( at least by your own)
_

Did it Actually work

  • Make the zip of terraform code 



// optional step for backend
terraform {
  backend "s3" {
    bucket = "codepipeline-command-action-backend-jatin"
    region = "us-east-1"
    key    = "terraform-deployment.tfstate"
  }
}

resource "aws_s3_bucket" "deploy-bucket" {
  bucket = "codepipeline-command-action-backend-1-jatin"

  tags = {
    Project     = "For CI CD deploy test"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket" "deploy-bucket-two" {
  bucket = "codepipeline-command-action-backend-2-jatin"

  tags = {
    Project     = "For CI CD deploy test"
    Environment = "Dev"
  }
}
Enter fullscreen mode Exit fullscreen mode 


zip -r tf.zip main.tf
Enter fullscreen mode Exit fullscreen mode
  • Upload to s3 bucket

Upload to s3 bucket

  • At this moment of the blog there is bug in the service role created by CodePipeline. It does not have permissions for Command Action.

Permission bug

  • Manually add the permissions as discussed previously. For the purpose of blog I will attach CloudWatchLogsFullAccess Policy to the role

fixed permission bug

  • This step is optional. Also add the permission to able to upload terraform state to s3 bucket (AmazonS3FullAccess) as we used terraform backend configuration.

Check the CodePipeline Logs and s3 bucket

  • We can clearly confirm terraform was able to create buckets and list buckets present in the account.

codepipeline results

Buckets

From DevOps Architect Perspective

With Commands Action I don't need to touch or deal with CodeBuild action, Just focus on building my CI/CD Pipeline. But does it actually suffice for the abstraction?

  • As per Docs runs CodeBuild managed on-demand EC2 compute so clearly we dont know the limits of memory, vCpus and Disk Space

  • If we are using CodeBuild we would have the freedom to choose the optimized flexibility during your build or even Lambda as compute for faster builds and deployments.

  • Clearly this abstraction of command action is the tradeoff between Flexibility, cost savings, giving extra time to learn CodeBuild v/s simplicity, ease and time saving.

  • From cost perspective this abstraction should not be confused for "cheaper" CI CD pipelines.Running the commands action will incur separate charges in AWS CodeBuild.

I am very curious how The community will use this update for their Pipelines and how do they think it's going to help them with their efficiency?

Leave your questions, comments and let's make our life easy for CI CD pipelines. You can always reach out to me on Linkedin, X

Top comments (0)

Read next

subhashbohra profile image

How to get AWS hands on Cloud Experience

Subhash Bohra -

vkazulkin profile image

AWS SnapStart - Part 25 Measuring cold and warm starts with Java 21 using Lambda layer (2)

Vadym Kazulkin -

stefanomartins profile image

Configurando o Terraform para funcionar corretamente com o LocalStack

Stefano Martins -

francotel profile image

🚀 IaC vs IfC: The Battle of Cloud Automation! 🥊

francotel -