This chapter covers AWS CodePipeline deployment patterns, a core topic for the DVA-C02 exam. CodePipeline is a fully managed continuous delivery service that automates the build, test, and deploy phases of your release process. Approximately 10-15% of exam questions touch on CI/CD concepts, with CodePipeline being the primary service. Understanding how to design pipelines for different deployment strategies—such as blue/green, canary, and rolling—is essential for passing the exam and for real-world DevOps practices.
Jump to a section
Imagine a car factory assembly line. Each car moves through several stations: frame welding, painting, engine installation, interior assembly, and final testing. Each station is a stage. The line is the pipeline. At each station, automated robots perform specific tasks (build actions). After a station, a quality inspector (approval gate) checks the car. If it fails, the car is sent back (rollback) or scrapped. The line has a conveyor belt that moves cars only when the next station is ready (sequential execution). Now, imagine the factory has multiple lines for different car models (branches). A car from the sports car line might need to merge onto the SUV line for a shared painting station (artifact sharing). The factory manager (pipeline trigger) starts a new car when a customer order arrives (code push). This analogy mirrors CodePipeline: source code changes trigger a pipeline, which passes artifacts through stages like Build, Test, and Deploy, with optional approval actions and automatic rollbacks on failure.
What is AWS CodePipeline?
AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. It models the entire release process as a series of stages, each containing one or more actions. A pipeline is triggered by a source change (e.g., a commit to a CodeCommit repository, an S3 upload, or a GitHub webhook) and then moves artifacts through each stage sequentially. Each stage can have multiple parallel actions, and approval actions can pause the pipeline for manual sign-off.
How It Works Internally
When a pipeline is triggered, CodePipeline creates a pipeline execution. The execution transitions through states: InProgress, Succeeded, Failed, Superseded, or Cancelled. Each action within a stage also has its own state. Artifacts are passed between stages using Amazon S3. CodePipeline uses a series of polling or event-based mechanisms to detect source changes. For example, for a CodeCommit source, CodePipeline can use CloudWatch Events to trigger on repository changes. For GitHub, it uses webhooks.
Key Components
Pipeline: A workflow that defines the release process. It consists of stages and actions.
Stage: A logical grouping of actions. Stages run sequentially; actions within a stage can run in parallel.
Action: A single step in a stage. Types include Source, Build, Test, Deploy, Approval, and Invoke.
Artifact: The output of an action, stored in S3 and passed to subsequent stages.
Execution: A specific run of a pipeline, with a unique ID.
Transition: The movement from one stage to the next. Transitions can be disabled to stop the pipeline.
Defaults and Limits
Maximum number of stages per pipeline: 50
Maximum number of actions per stage: 20
Maximum number of pipelines per AWS account: 1000 (soft limit, can be increased)
Artifact store: S3 bucket in the same region as the pipeline. Default bucket name pattern: codepipeline-<region>-<account-id>
Pipeline execution history retention: 1 year
Approval action timeout: 7 days (default 7 days, can be set up to 7 days)
Polling interval for source changes: 1 minute (for CodeCommit, S3, ECR)
Deployment Patterns
CodePipeline supports several deployment patterns through its integration with CodeDeploy, Elastic Beanstalk, ECS, EKS, and Lambda. The most common patterns are:
In-place Deployment: The application is updated on the same set of instances. This is typical for CodeDeploy with EC2/On-Premises. The deployment group can have a load balancer to route traffic away during deployment.
Blue/Green Deployment: A new environment (green) is created alongside the existing one (blue). Traffic is switched to green after validation. Supported by CodeDeploy (EC2, Lambda) and ECS (using task sets).
Canary Deployment: Traffic is gradually shifted to the new version in increments. Supported by CodeDeploy (Lambda) and ECS (via CodeDeploy).
Rolling Deployment: Instances are updated in batches. Supported by Elastic Beanstalk and CodeDeploy (EC2/On-Premises).
How to Configure a Pipeline
Using the AWS CLI, you can create a pipeline with a JSON configuration file. Example command:
aws codepipeline create-pipeline --cli-input-json file://pipeline.jsonA sample pipeline.json:
{
"pipeline": {
"name": "MyAppPipeline",
"roleArn": "arn:aws:iam::123456789012:role/MyCodePipelineRole",
"artifactStore": {
"type": "S3",
"location": "codepipeline-us-east-1-123456789012"
},
"stages": [
{
"name": "Source",
"actions": [
{
"name": "Source",
"actionTypeId": {
"category": "Source",
"owner": "AWS",
"provider": "CodeCommit",
"version": "1"
},
"configuration": {
"RepositoryName": "MyRepo",
"BranchName": "main"
},
"outputArtifacts": [
{
"name": "source_output"
}
],
"runOrder": 1
}
]
},
{
"name": "Build",
"actions": [
{
"name": "Build",
"actionTypeId": {
"category": "Build",
"owner": "AWS",
"provider": "CodeBuild",
"version": "1"
},
"configuration": {
"ProjectName": "MyBuildProject"
},
"inputArtifacts": [
{
"name": "source_output"
}
],
"outputArtifacts": [
{
"name": "build_output"
}
],
"runOrder": 1
}
]
},
{
"name": "Deploy",
"actions": [
{
"name": "Deploy",
"actionTypeId": {
"category": "Deploy",
"owner": "AWS",
"provider": "CodeDeploy",
"version": "1"
},
"configuration": {
"ApplicationName": "MyApp",
"DeploymentGroupName": "MyDeploymentGroup"
},
"inputArtifacts": [
{
"name": "build_output"
}
],
"runOrder": 1
}
]
}
]
}
}Interaction with Related Services
CodeCommit: Source provider. CodePipeline can be triggered by commits or pull request merges.
CodeBuild: Build and test provider. CodePipeline passes source artifacts to CodeBuild and receives build output.
CodeDeploy: Deployment provider. Supports EC2, Lambda, and ECS deployments.
Elastic Beanstalk: Deployment provider for Beanstalk environments.
ECS: Deploy using ECS with CodeDeploy for blue/green and canary.
Lambda: Invoke Lambda functions as actions (e.g., for custom validation).
S3: Source for artifacts, can be used as a source provider (e.g., for uploading a ZIP file).
CloudWatch Events: Used to trigger pipelines on schedule or in response to events.
CloudFormation: Can be used as a deploy action to create/update stacks.
Approval Actions
Approval actions allow manual sign-off before proceeding. They are configured with a configuration object containing NotificationArn (SNS topic) and CustomData (optional message). The pipeline pauses until an IAM user or role approves or rejects. The approver must have codepipeline:PutApprovalResult permission.
Execution Details and Debugging
You can view execution details in the AWS Console. Each action shows start/end times, status, and links to logs (e.g., CloudWatch Logs for CodeBuild). For failures, the pipeline can be retried from the failed stage. Use aws codepipeline list-action-executions to get action-level details.
Cross-Region Actions
CodePipeline supports cross-region actions. You can have source in one region, build in another, and deploy in a third. The artifact store must be in the same region as the pipeline, but actions can be in different regions. You need to create an S3 bucket in each region for artifacts, and the pipeline role must have cross-region permissions.
Source Stage: Code Commit
The pipeline is triggered by a source change. For CodeCommit, a CloudWatch Event is generated on a commit to the repository. CodePipeline catches this event and starts a new execution. It then clones the repository and packages the source code into a ZIP file, which is stored as an artifact in the S3 artifact store (e.g., codepipeline-us-east-1-123456789012). The artifact is named according to the output artifact name defined in the action (e.g., 'source_output'). The execution moves to the next stage only after the source action succeeds.
Build Stage: Compile and Test
CodePipeline passes the source artifact to CodeBuild. CodeBuild downloads the artifact, runs the build commands defined in buildspec.yml (e.g., compile, run unit tests, package artifacts). The build output (e.g., a WAR file or Docker image) is uploaded back to S3 as a new artifact (e.g., 'build_output'). The build project must be in the same region as the pipeline unless cross-region is configured. If the build fails, the pipeline stops and the execution status is 'Failed'.
Approval Stage: Manual Gate
An approval action pauses the pipeline. It sends a notification to an SNS topic (e.g., email to a reviewer). The reviewer must log into the AWS Console or use the CLI to approve or reject. The pipeline waits up to the configured timeout (default 7 days). If approved, the pipeline proceeds; if rejected or timeout, the execution fails. The approval action uses an IAM role with permissions to publish to SNS and to be assumed by CodePipeline.
Deploy Stage: Blue/Green Deployment
CodePipeline triggers a CodeDeploy deployment with a blue/green configuration. CodeDeploy creates a new set of instances (green) alongside the existing ones (blue). It installs the application on green instances, runs validation tests, and then switches the load balancer to route traffic to green. If validation fails, the deployment can be automatically rolled back to blue. The entire process is orchestrated by CodeDeploy's deployment configuration (e.g., CodeDeployDefault.LambdaAllAtOnce).
Post-Deploy Validation
After deployment, an optional Invoke action can run a Lambda function to perform integration tests or health checks. The Lambda function receives the event with pipeline details (e.g., execution ID, artifact locations). If the function returns an error, the action fails and the pipeline stops. This step ensures that the deployment is working as expected before marking the pipeline as successful.
Enterprise Scenario 1: E-commerce Platform with Blue/Green Deployments
A large e-commerce company uses CodePipeline to deploy their web application to ECS Fargate. They have a multi-branch pipeline: feature branches deploy to a staging environment, and the main branch deploys to production using a blue/green strategy. The pipeline includes a source stage from CodeCommit, a build stage that builds a Docker image and pushes it to ECR, a test stage that runs integration tests in a temporary ECS service, an approval stage that requires sign-off from a QA lead, and a deploy stage that uses CodeDeploy to perform a blue/green deployment on ECS. Traffic is shifted gradually using a canary configuration (10% for 5 minutes, then 100%). If the canary fails, CodeDeploy automatically rolls back. The pipeline is triggered by CloudWatch Events on pull request merges. The team has set up SNS notifications for approval and failure alerts. Performance considerations: The artifact store S3 bucket is versioned to retain deployment history. The pipeline runs about 20 times per day, and the artifact size is around 500 MB. They have encountered issues with cross-region artifacts when they tried to deploy to multiple regions; they had to create separate pipelines per region with shared source.
Enterprise Scenario 2: Microservices with Parallel Deployments
A fintech startup uses CodePipeline to deploy multiple microservices independently. Each microservice has its own pipeline with a common source monorepo. They use a build stage that runs a CodeBuild project for each service, producing separate artifacts. The deploy stage uses Elastic Beanstalk for some services and Lambda for others. They use a manual approval stage before production deployment to ensure compliance. One challenge they faced was pipeline concurrency: when multiple commits were pushed simultaneously, some executions were superseded. They mitigated this by using a queueing mechanism with a custom Lambda action that serializes deployments. They also use CloudWatch Events to trigger pipelines on a schedule for nightly builds. The pipelines are configured with a maximum of 10 concurrent executions per pipeline (default limit is 1, but they requested an increase). They learned that artifacts are stored in S3 with a lifecycle policy to delete old artifacts after 30 days to save costs.
Common Failure Modes
Permission errors: The pipeline role must have sufficient permissions to invoke actions (e.g., CodeBuild, CodeDeploy). Missing permissions cause the pipeline to fail at the first action.
Artifact conflicts: If two pipelines use the same S3 bucket for artifacts and have overlapping names, executions can interfere. Solution: use unique artifact names per pipeline.
Timeout on approval: If the approver is on vacation, the pipeline times out after 7 days. Solution: use a shorter timeout or have a backup approver.
Cross-region issues: The artifact store must be in the same region as the pipeline. For cross-region actions, you need additional S3 buckets and IAM roles.
Exam Focus for DVA-C02
The DVA-C02 exam covers CodePipeline under Domain 3 (Deployment) Objective 3.4: 'Set up and configure a CI/CD pipeline using AWS services.' The exam focuses on: - Pipeline structure: Understand stages, actions, and transitions. Know that actions within a stage can run in parallel, but stages are sequential. - Source providers: CodeCommit, S3, GitHub, ECR. Know that CodePipeline can be triggered by CloudWatch Events or webhooks. - Deployment strategies: Blue/green, canary, rolling, in-place. Know which services support which (e.g., CodeDeploy supports blue/green for EC2 and Lambda; ECS supports blue/green via CodeDeploy). - Approval actions: Know the timeout (7 days), the need for SNS topic, and the IAM permissions required. - Artifact handling: Artifacts are stored in S3. The default bucket is automatically created. Artifacts can be passed between stages. - Error handling: Know that a failed pipeline can be retried from the failed stage. Execution history is retained for 1 year. - Cross-region pipelines: Understand that the artifact store must be in the same region as the pipeline, but actions can be in other regions with proper permissions.
Common Wrong Answers
'Approval actions can be automated with Lambda.' This is false. Approval actions require manual intervention. Lambda can be used for custom validation via Invoke action, but not for approval.
'All actions in a stage run sequentially.' This is false. By default, actions in a stage run in parallel unless you set runOrder to sequential.
'CodePipeline can deploy directly to EC2 without CodeDeploy.' This is false. CodePipeline does not have a native EC2 deploy action; it must use CodeDeploy or Elastic Beanstalk.
'Artifacts are stored in the pipeline's own storage.' This is false. Artifacts are stored in an S3 bucket managed by CodePipeline.
Specific Numbers and Terms
Max stages: 50
Max actions per stage: 20
Approval timeout: 7 days (default)
Execution history retention: 1 year
Artifact store S3 bucket name pattern: codepipeline-<region>-<account-id>
Polling interval for source changes: 1 minute
Edge Cases
If a pipeline has multiple source actions, they all must succeed before the pipeline proceeds.
If a source action is from S3, the bucket must have versioning enabled.
For GitHub sources, you must use a personal access token or a GitHub App.
CodePipeline does not support parallel stage execution; stages are always sequential.
CodePipeline is a fully managed CI/CD service that automates build, test, and deploy phases.
Pipelines consist of stages (sequential) and actions (parallel by default).
Artifacts are stored in S3 and passed between stages.
Approval actions pause the pipeline for manual sign-off, with a default timeout of 7 days.
Supported deployment strategies: in-place, blue/green, canary, rolling.
Maximum stages per pipeline: 50; maximum actions per stage: 20.
Execution history is retained for 1 year.
Cross-region actions require additional S3 buckets and IAM roles.
Common exam traps: approval actions are not automatable, stages are sequential, artifacts are in S3.
These come up on the exam all the time. Here's how to tell them apart.
CodePipeline
Fully managed, no servers to maintain
Native integration with AWS services (CodeCommit, CodeBuild, CodeDeploy)
Pay per pipeline execution (no charge for idle time)
Limited plugin ecosystem compared to Jenkins
Best for AWS-native workloads
Jenkins
Self-hosted, requires server maintenance
Rich plugin ecosystem for many tools
Free software but requires infrastructure costs
More flexible for non-AWS environments
Steeper learning curve for setup
Mistake
CodePipeline can run stages in parallel.
Correct
Stages are always sequential. Only actions within a stage can run in parallel (by default). To run stages in parallel, you must create separate pipelines.
Mistake
Approval actions can be automated using Lambda functions.
Correct
Approval actions require a human to approve or reject via the AWS Console or CLI. Lambda cannot automate approval. However, you can use an Invoke action to run custom logic, but that is not an approval action.
Mistake
Artifacts are stored in the pipeline's internal storage and are not accessible.
Correct
Artifacts are stored in an S3 bucket that you can access. The bucket is automatically created in your account with the name `codepipeline-<region>-<account-id>`. You can also specify a custom bucket.
Mistake
CodePipeline can deploy directly to EC2 instances without CodeDeploy.
Correct
CodePipeline does not have a built-in EC2 deploy action. To deploy to EC2, you must use CodeDeploy or Elastic Beanstalk as the deploy provider.
Mistake
A pipeline can have only one source action.
Correct
A pipeline can have multiple source actions in the same stage (e.g., multiple repositories). However, all source actions must succeed before the pipeline proceeds. The outputs are combined as separate artifacts.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
For CodeCommit, you can enable CloudWatch Events on the repository to trigger the pipeline. When you create the pipeline, you can select 'Amazon CloudWatch Events' as the trigger. Alternatively, you can set up a webhook for GitHub. The pipeline polls for changes every 1 minute by default for CodeCommit, but CloudWatch Events provide near-instant triggering.
Yes, CodePipeline supports GitHub as a source provider. You need to connect your GitHub account using OAuth or a personal access token. You can also use GitHub App integration. The pipeline is triggered by webhooks on push or pull request events.
The pipeline execution stops and is marked as 'Failed'. You can view the details in the console to see which action failed. You can retry the pipeline from the failed stage using the 'Retry' button or the AWS CLI command `aws codepipeline retry-stage-execution`. The retry will re-run the failed stage and subsequent stages.
Artifacts are automatically passed between stages via S3. Each action defines input and output artifacts. The output artifact of a previous stage becomes the input artifact of the next stage. You must ensure the artifact names match. For example, if the source action outputs 'source_output', the build action must reference 'source_output' as an input artifact.
Yes, by default actions within a stage run in parallel. You can control the order using the `runOrder` parameter. Actions with the same `runOrder` run in parallel; actions with different `runOrder` values run sequentially. For example, you can have two test actions run in parallel after a build.
You pay per pipeline execution. The first 1 free pipeline per month (up to 100 executions). After that, it's $1 per pipeline per month (for 1-10 pipelines) plus $0.002 per execution for the first 1,000 executions. There are no charges for idle time. You also pay for S3 storage for artifacts and for other services used (e.g., CodeBuild, CodeDeploy).
When creating a pipeline, you can specify the region for each action. The pipeline itself is in one region (the artifact store region). For actions in other regions, you need to provide an S3 bucket in that region for artifacts. The pipeline role must have permissions to access the cross-region S3 bucket. You also need to create the action providers (e.g., CodeBuild project) in the target region.
You've just covered CodePipeline Deployment Patterns — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?