AWS Developer Tools & CI/CD
CodeDeploy
Automate application deployments to EC2, Lambda, ECS, and on-premises servers
AWS CodeDeploy automates application deployments to EC2 instances, Lambda functions, ECS services, and on-premises servers, enabling consistent and repeatable releases without manual SSH steps. It supports rolling, blue/green, and canary deployment strategies with automatic rollback on failure, making it a critical service for zero-downtime deployments.
Deployment Targets: EC2, Lambda, ECS, On-Premises
CodeDeploy uses the concept of a "compute platform" which determines how deployments work fundamentally:
| Platform | What Deploys | Agent Required | Key Use Case |
|---|---|---|---|
| EC2/On-Premises | Revision (zip/tar from S3 or GitHub) | Yes - CodeDeploy agent on instance | Traditional app deployments to servers |
| Lambda | Lambda function version shift | No - API-driven | Canary/linear traffic shifting for functions |
| ECS | ECS task definition revision | No - API-driven | Blue/green container deployments |
For EC2 deployments, the CodeDeploy agent must be installed on every instance. It polls CodeDeploy for pending deployments and executes the appspec.yml lifecycle hooks.
# Install CodeDeploy agent on Amazon Linux 2
yum install -y ruby wget
cd /home/ec2-user
wget https://bucket-name.s3.region.amazonaws.com/latest/install
chmod +x ./install
./install auto
systemctl enable codedeploy-agent
systemctl start codedeploy-agentAppSpec File and Lifecycle Event Hooks
The appspec.yml file defines how CodeDeploy deploys your application. Its structure differs between EC2/On-Premises and Lambda/ECS.
EC2/On-Premises appspec.yml:
version: 0.0
os: linux
files:
- source: /
destination: /var/www/myapp
permissions:
- object: /var/www/myapp
owner: www-data
group: www-data
mode: "755"
hooks:
BeforeInstall:
- location: scripts/stop_server.sh
timeout: 60
runas: root
AfterInstall:
- location: scripts/install_dependencies.sh
timeout: 120
ApplicationStart:
- location: scripts/start_server.sh
timeout: 60
ValidateService:
- location: scripts/validate.sh
timeout: 60EC2 lifecycle event order for a standard (in-place) deployment:
| Hook | When It Runs | Typical Action |
|---|---|---|
| ApplicationStop | Before new revision is downloaded | Gracefully stop old app |
| DownloadBundle | CodeDeploy downloads revision | Automatic - no hook |
| BeforeInstall | Before files are copied | Pre-install setup, backup |
| Install | Files are copied to destination | Automatic - no hook |
| AfterInstall | After files are copied | Set permissions, config files |
| ApplicationStart | Start the application | Start service/process |
| ValidateService | Verify app is running correctly | Health check, smoke test |
If ApplicationStop fails on the FIRST deployment to a new instance (because there is no running app to stop), CodeDeploy will mark the deployment as failed. Use "exit 0" defensively in ApplicationStop scripts when the application may not be running.
Deployment Strategies: In-Place, Rolling, Blue/Green, Canary
CodeDeploy supports multiple deployment strategies. The right choice depends on your downtime tolerance, rollback requirements, and infrastructure cost constraints.
| Strategy | Platform | How It Works | Rollback Speed | Cost |
|---|---|---|---|---|
| All-at-once (in-place) | EC2 | Deploy to all instances simultaneously | Redeploy (slow) | No extra cost |
| Rolling | EC2 | Deploy to one batch at a time, rest stay live | Redeploy | No extra cost |
| Rolling with additional batch | EC2 | Spin up extra instances, deploy, remove old | Redeploy | Brief extra instance cost |
| Blue/Green (EC2) | EC2 | New ASG created, traffic shifted at ALB | Re-route to blue (fast) | Double capacity briefly |
| Blue/Green (ECS) | ECS | New task set created, traffic shifted at ALB | Re-route to blue (instant) | Double task capacity briefly |
| Canary (Lambda) | Lambda | X% to new version, 100% after interval | Rollback alias (instant) | No extra cost |
| Linear (Lambda) | Lambda | Increment % each interval until 100% | Rollback alias (instant) | No extra cost |
For ECS Blue/Green deployments, CodeDeploy integrates with an Application Load Balancer. It creates a new task set (green), routes test traffic to a test listener, then shifts production traffic. The original task set (blue) stays live for the configured termination time, enabling instant rollback.
Automatic Rollback and CloudWatch Alarm Integration
CodeDeploy can automatically roll back when a deployment fails or when a CloudWatch alarm fires. This is a key resilience feature for production deployments.
| Rollback Trigger | How to Configure | Behavior |
|---|---|---|
| Deployment failure | Enable automatic rollback on failure in deployment group | Re-deploys last successful revision |
| CloudWatch alarm | Associate alarms with deployment group | Stops in-progress deploy, re-deploys last good revision |
| Manual rollback | Redeploy a previous revision via console or CLI | Explicit operator action |
# Trigger a manual rollback by redeploying the last successful revision
aws deploy create-deployment \
--application-name my-app \
--deployment-group-name my-dg \
--deployment-config-name CodeDeployDefault.OneAtATime \
--auto-rollback-configuration enabled=true,events=DEPLOYMENT_FAILURE \
--description "Rollback to previous version"
# Check deployment status
aws deploy get-deployment --deployment-id d-XXXXXXXXXAutomatic rollback re-runs the appspec.yml lifecycle hooks in reverse order. If your ApplicationStop script is not idempotent, a rollback can fail. Always write deployment scripts defensively to handle being run multiple times.
IAM Roles: Service Role vs Instance Profile
CodeDeploy requires two distinct IAM entities that are commonly confused:
| IAM Entity | Attached To | Purpose | Key Permissions |
|---|---|---|---|
| CodeDeploy service role | Deployment group | Allows CodeDeploy to call EC2, ELB, ASG, ECS APIs | AWSCodeDeployRole managed policy |
| EC2 instance profile | EC2 instances in deployment group | Allows agent on instance to download revision from S3 | s3:GetObject on the artifact bucket |
A common setup mistake is attaching the wrong role type. The CodeDeploy service role goes on the deployment group configuration - not on the EC2 instance. The instance profile goes on the EC2 instance. Getting this backwards causes either permission errors or deployment failures.
Interview Focus Points
- 1What is the difference between in-place and blue/green deployment in CodeDeploy?
- 2Walk me through the lifecycle event hooks for an EC2 deployment in order.
- 3How does CodeDeploy integrate with an Application Load Balancer for blue/green deployments?
- 4How does CodeDeploy handle rollbacks - what triggers them and what happens?
- 5What two IAM roles are required for a CodeDeploy EC2 deployment and why?
- 6How does the CodeDeploy agent work and where does it need to be installed?
- 7What are the different deployment strategies for Lambda functions in CodeDeploy?
- 8What happens if ApplicationStop fails on the first deployment to a new instance?
- 9How do you integrate CloudWatch alarms with a CodeDeploy deployment group?