
Building a nodejs app across multiple AWS accounts

Ok so I have the exact build script to build my nodejs app. The idea is to setup a CI/CD pipeline that will build our app across different aws accounts such as DEV, STAGING, and PROD.

I have a repo in Account A (Dev) that hosts a nodejs app. I want to be able to create a pipeline in Account B that checks out code from the repo in Account A, and finally, when the pipeline is complete, it should deploy the built/compiled nodejs app to Account C (QA) and D (Prod).

My issue is not how to build a nodejs app but rather how to allow CodePipeline, in Account B, to check out the repo in Account A and finally deploy the built app to staging and prod.

My ideas from reading around:

  1. Create IAM roles for the pipeline in Account A which allow it to check out CodeCommit repos
  2. Have the pipeline in Account B assume the role from Account A somehow

It's still not clear to me how to go about doing this; I'm just getting into AWS.

I will update this post if I come across a solution, but maybe someone has a tutorial, or could point me to documentation, or list the steps or an example here.

It is possible to build and trigger multiple CodePipelines in different accounts with one central CodeCommit repository from another AWS account, based on the branches of the repository. You need to make sure the cross-account IAM roles are in place, event buses need to be configured to receive events from other accounts, and KMS permissions should be in place as well. Here is an article which covers exactly what you need: AWS Codepipeline with Cross Account CodeCommit Repo. Hope it helps.

From my understanding it is not possible to build a cross account pipeline using codepipeline. What you need to do is build your pipeline in your central account first.

The central account pipeline would include the appropriate number of stages which result in a release candidate for the AWS accounts dev, staging and prod.

As you get to the different account stages, you should push your artifacts to S3 buckets in the related accounts. These S3 buckets should then be the sources of the CodePipelines in those accounts.

This way you create "deployment" pipelines in each account which start in S3 and end in whatever environment you are thinking of. The S3 buckets of these accounts can be created to have bucket policies to only receive files from your central account.

This is, of course, not ideal, but it's how I solved this issue beforehand. Build in one account and deliver to deployment pipelines in other accounts. If someone knows a better solution, I would love to hear it.

Good luck!
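The two answers above both hinge on the same two documents: the cross-account IAM role that lets the central pipeline read the CodeCommit repo (first answer), and the S3 bucket policy in each deployment account that accepts artifacts only from the central account (second answer). The following is an added example, not code from either answer or from AWS, that generates both in the form the AWS CLI accepts and adds a small check for over-broad principals. All account ids, the role name `central-pipeline-role`, the repo name `my-nodejs-app` and the bucket name `qa-deploy-artifacts` are constructed placeholders; the IAM action names and condition keys are real AWS ones.

```python
"""Cross-account policy documents for a central CodePipeline, plus a small
linter that flags Allow statements granting access to unexpected accounts.

Account ids, role, repo and bucket names are constructed placeholders."""
import json
import re

REPO_ACCOUNT = "111111111111"      # Account A: hosts the CodeCommit repo
PIPELINE_ACCOUNT = "222222222222"  # Account B: runs the central pipeline
DEPLOY_ACCOUNT = "333333333333"    # Account C or D: receives the built artifact

REGION = "us-east-1"
REPO_NAME = "my-nodejs-app"        # assumed repository name
PIPELINE_ROLE = f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/central-pipeline-role"
ARTIFACT_BUCKET = "qa-deploy-artifacts"

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def repo_reader_trust_policy() -> dict:
    """Trust policy for the role created in the repo account (A). It trusts
    only the central pipeline role, not the whole pipeline account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": PIPELINE_ROLE},
        "Action": "sts:AssumeRole"}]}


def repo_reader_permissions() -> dict:
    """Permissions for that role: read-only access to one repository, using
    the actions a CodePipeline CodeCommit source stage needs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["codecommit:GetBranch", "codecommit:GetCommit",
                   "codecommit:GitPull", "codecommit:UploadArchive",
                   "codecommit:GetUploadArchiveStatus",
                   "codecommit:CancelUploadArchive"],
        "Resource": f"arn:aws:codecommit:{REGION}:{REPO_ACCOUNT}:{REPO_NAME}"}]}


def artifact_bucket_policy() -> dict:
    """Bucket policy for the deployment account's S3 source bucket: the
    central pipeline role may write artifacts (and must hand ownership to
    the bucket owner); any principal from another account is denied."""
    bucket_arn = f"arn:aws:s3:::{ARTIFACT_BUCKET}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CentralPipelineWrites",
         "Effect": "Allow",
         "Principal": {"AWS": PIPELINE_ROLE},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": f"{bucket_arn}/*",
         "Condition": {"StringEquals":
                       {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "DenyOtherAccounts",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"StringNotEquals":
                       {"aws:PrincipalAccount": [DEPLOY_ACCOUNT, PIPELINE_ACCOUNT]}}}]}


def _principals(stmt: dict) -> list:
    """Normalise the Principal element to a list of strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    vals = p.get("AWS", []) if isinstance(p, dict) else []
    return [vals] if isinstance(vals, str) else list(vals)


def foreign_principals(policy: dict, allowed_accounts: set) -> list:
    """Return principals of Allow statements that are not scoped to an
    allowed account: wildcards, or ARNs / raw ids from other accounts."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            m = ARN_ACCOUNT.match(p)
            acct = m.group(1) if m else (p if p.isdigit() else None)
            if acct not in allowed_accounts:
                bad.append(p)
    return bad


if __name__ == "__main__":
    # Each file can be passed to the CLI via --assume-role-policy-document,
    # --policy-document or --policy with a file:// URL.
    for name, doc in [("repo-reader-trust.json", repo_reader_trust_policy()),
                      ("repo-reader-perms.json", repo_reader_permissions()),
                      ("artifact-bucket-policy.json", artifact_bucket_policy())]:
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
    print("unexpected principals:",
          foreign_principals(artifact_bucket_policy(),
                             {PIPELINE_ACCOUNT, DEPLOY_ACCOUNT}))
```

Two design points worth noting. The trust policy names the pipeline role ARN rather than the account root, so a compromised unrelated principal in the pipeline account cannot read the repo. The bucket policy requires the `bucket-owner-full-control` ACL on cross-account writes (or, equivalently, set the bucket's Object Ownership to "bucket owner enforced"); without that, objects written by Account B stay owned by Account B and the deployment account's pipeline cannot read its own source bucket. `foreign_principals` can also be run over the output of `aws s3api get-bucket-policy` to confirm an existing bucket grants nothing to accounts outside the expected set.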

AWS provides a guide with source that does something close to what you are trying to do.

It should get you close enough and covers the permissions needed for the account to assume a role to checkout your repo in another account.

