I have not been able to find any information on how to set up CodePipeline with a CodeDeploy action that deploys a new version of an existing lambda deployed by a CloudFormation stack into another AWS account. I.e. cross-account deployment with the pipeline in one account deploying into Dev, Test and Prod.

I would like to use CodeDeploy as I would expect this to simply deploy an existing lambda no matter if in a stack or not. Is this the correct assumption?

Is it possible to deploy a lambda cross-account with CodeDeploy?

What I have done

I have tested with a pipeline like this:

DeployApplication:
  Type: AWS::CodeDeploy::Application
  Properties:
    ComputePlatform: Lambda
LambdaDeploymentGroup:
  Type: AWS::CodeDeploy::DeploymentGroup
  Properties:
    ApplicationName: !Ref DeployApplication
    ServiceRoleArn: !ImportValue delivery-pipeline-foundation-codedeploy-role
    DeploymentStyle:
      DeploymentOption: WITH_TRAFFIC_CONTROL
      DeploymentType: BLUE_GREEN

...and with a stage/action like so:

- Name: Deploy_to_Dev
  Actions:
    - Name: CreateChangeSet
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Provider: CodeDeploy
        Version: 1
      Configuration:
        ApplicationName: !Ref DeployApplication
        DeploymentGroupName: !Ref LambdaDeploymentGroup
      InputArtifacts:
        - Name: !Sub ${AWS::StackName}-build-output
      RunOrder: 1

Problem 1

A first problem is that I do not know how to set up the permissions to deploy cross-account! I know how to do that when using CloudFormation with three levels of permissions: CodePipeline, Stage/action and CloudFormation where the last is in the destination account while the two first in the pipeline account.

With a pipeline account having CodePipeline with CodeDeploy, it seems they need roles that are in that account, not in the target account. To deploy, one obviously must have permission to deploy in that account as well.

How to set permissions for CodeDeploy to deploy a lambda cross-account?

Problem 2

Another problem is that I do not know what exactly needs to be the artifact for CodeDeploy to function. I have read various things online, but nobody seems to know, and there's a mix of using buildspec.yml with aws cloudformation commands or moving to use CloudFormation.

What input artifact does CodeDeploy need to deploy a lambda?

Many thanks!

1 Answer

Using CodePipeline to deploy Lambda - the preferred approach is to use CloudFormation as the deployment provider instead of the CodeDeploy service, as there are some pending issues with how the CodeDeploy service accepts the appspec file (CodePipeline zips the artifact while CD requires an unzipped appspec file).

Recommended approach is as defined here: https://docs.aws.amazon.com/lambda/latest/dg/build-pipeline.html

CloudFormation supports cross account action so it should serve your use case well. Details here: https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-create-cross-account.html
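As an added example (not part of the question or the answer above) of the cross-account CloudFormation deploy action the answer recommends, written in the same template style as the question's pipeline; the account IDs, role names, bucket, KMS key and stack names are placeholders:

```yaml
# Pipeline account: 222222222222 (placeholder). Target (Dev) account: 111111111111 (placeholder).
# For cross-account actions the artifact bucket must use a customer-managed KMS key that the
# Dev account roles may use; otherwise the action in the Dev account cannot read the build output.
ArtifactStore:
  Type: S3
  Location: my-pipeline-artifacts            # placeholder bucket in the pipeline account
  EncryptionKey:
    Type: KMS
    Id: arn:aws:kms:eu-west-1:222222222222:key/PLACEHOLDER-KEY-ID

Stages:
  - Name: Deploy_to_Dev
    Actions:
      - Name: CreateChangeSet
        ActionTypeId:
          Category: Deploy
          Owner: AWS
          Provider: CloudFormation
          Version: 1
        # Role in the Dev account that the pipeline assumes for this action only.
        # Its trust policy should allow only the pipeline role in 222222222222.
        RoleArn: arn:aws:iam::111111111111:role/CrossAccountPipelineRole
        Configuration:
          ActionMode: CHANGE_SET_REPLACE
          StackName: my-lambda-stack           # the existing stack in the Dev account
          ChangeSetName: pipeline-changeset
          # CAPABILITY_AUTO_EXPAND is needed when the template uses the SAM transform.
          Capabilities: CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND
          # Service role CloudFormation itself uses in the Dev account; scope it to what
          # the stack actually creates (Lambda, the function's IAM role, etc.).
          RoleArn: arn:aws:iam::111111111111:role/CloudFormationDeployRole
          TemplatePath: build-output::packaged-template.yaml
        InputArtifacts:
          - Name: build-output
        RunOrder: 1
      - Name: ExecuteChangeSet
        ActionTypeId:
          Category: Deploy
          Owner: AWS
          Provider: CloudFormation
          Version: 1
        RoleArn: arn:aws:iam::111111111111:role/CrossAccountPipelineRole
        Configuration:
          ActionMode: CHANGE_SET_EXECUTE
          StackName: my-lambda-stack
          ChangeSetName: pipeline-changeset
        RunOrder: 2
```

The pipeline role needs sts:AssumeRole on the Dev role, and the Dev role needs s3:GetObject on the artifact bucket (granted in the bucket policy) plus kms:Decrypt on the key; repeating the stage with the Test and Prod roles, with a manual approval action between CreateChangeSet and ExecuteChangeSet, keeps each change reviewable before it is executed.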