AWS recently released a reference architecture and a set of reference implementations for deployment pipelines. The recommended architectural patterns are based on best practices and lessons collected at Amazon and customer projects.
The Deployment Pipeline Reference Architecture (DPRA) describes the stages and actions for different types of pipelines and how teams can increase the velocity, stability, and security of software systems through the use of deployment pipelines. Sébastien Stormacq, principal developer advocate at AWS, explains the role of reference architectures:
I frequently hear that our documentation and tutorials are good resources to get started with a new service or a new concept. However, when you want to scale your usage or when you have complex or enterprise-grade use cases, you often lack the resources to dive deeper.
Source: https://pipelines.devops.aws.dev
The DPRA currently covers only application pipelines, with best practices for pipelines deploying compute images, account fleet management, and dynamic configuration still under development. The implementations rely mainly on AWS tools, including the recently released CodeCatalyst, CodePipeline, CodeBuild, and CodeGuru, but third-party tools can be used as alternatives. For example, Trivy is chosen in the implementations to detect vulnerabilities in application dependencies.
A reference implementation of an application pipeline from DPRA, available on GitHub, includes a CI/CD pipeline to build a sample application and deploy it across different accounts using CloudFormation.
Packaged using the CDK and deployed on Fargate, the sample applications are developed with Spring Boot and run on Corretto, the OpenJDK distribution managed by AWS. Stormacq adds:
They go well beyond the typical "Hello World" example: They document how to architect and how to implement complex deployment pipelines with multiple environments, multiple AWS accounts, multiple regions, manual approval, automated testing, automated code analysis, etc.
While it documents the mandatory and optional components of the architecture, the DPRA still occasionally simplifies the deployment, as the documentation acknowledges:
This reference implementation has intentionally not followed the following AWS Well-Architected best practices to make it accessible by a wider range of customers. Be sure to address these before using this code for any workloads in your own environment.
For example, the sample application relies on HTTP listeners instead of HTTPS ones to avoid creating new ACM certificates and Route53 hosted zones.
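The plain-HTTP listener simplification above is the kind of deviation worth catching automatically before the reference code reaches your own accounts. The following is an added example, not code from the DPRA or its reference implementation: a small Python gate that scans a synthesized CloudFormation template (a constructed sample is embedded here) and fails on any ALB listener that is neither HTTPS with an ACM certificate nor an HTTP-to-HTTPS redirect. The resource names and the certificate ARN are placeholders.

```python
import json

LISTENER = "AWS::ElasticLoadBalancingV2::Listener"

# Constructed sample of a synthesized template (not the DPRA's own output):
# a plain HTTP listener that forwards traffic, plus a proper HTTPS listener.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "HttpListener": {"Type": LISTENER, "Properties": {
        "Port": 80, "Protocol": "HTTP",
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": {"Ref": "Tg"}}]}},
    "HttpsListener": {"Type": LISTENER, "Properties": {
        "Port": 443, "Protocol": "HTTPS",
        "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}],
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": {"Ref": "Tg"}}]}},
}})


def _is_https_redirect(action: dict) -> bool:
    """True when a default action only redirects the client to HTTPS."""
    return (action.get("Type") == "redirect"
            and action.get("RedirectConfig", {}).get("Protocol") == "HTTPS")


def find_listener_findings(template_json: str) -> list[str]:
    """One finding per ALB listener that breaks the HTTPS-only policy:
    HTTPS needs a certificate, HTTP may only redirect to HTTPS."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != LISTENER:
            continue
        props = res.get("Properties", {})
        protocol = str(props.get("Protocol", "")).upper()
        actions = props.get("DefaultActions", [])
        if protocol == "HTTPS":
            if not props.get("Certificates"):
                findings.append(f"{name}: HTTPS listener without an ACM certificate")
        elif protocol == "HTTP":
            if not actions or not all(_is_https_redirect(a) for a in actions):
                findings.append(f"{name}: plain HTTP listener on port "
                                f"{props.get('Port')} serves traffic directly")
        else:
            findings.append(f"{name}: unexpected listener protocol {protocol!r}")
    return findings


if __name__ == "__main__":
    # A non-zero exit code fails the pipeline stage that runs this gate.
    problems = find_listener_findings(SAMPLE_TEMPLATE)
    print("\n".join(problems) or "OK: every listener is HTTPS or redirects to it")
    raise SystemExit(1 if problems else 0)
```

Run it against the output of `cdk synth` (one template file per stack) as a pipeline action before the deploy stage.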
Clare Liguori, senior principal software engineer at AWS, previously wrote the guide Automating safe, hands-off deployments, which describes Amazon's experience with fully automated pipelines and with balancing deployment safety and deployment speed.
The DPRA is available for free, but customers are charged for the resources created by the reference implementation.