AWS CodeDeploy deployment failed at event BlockTraffic

Question

I am trying to set up auto-deployment from GitHub to AWS, using EC2 behind an ELB.

After following the Tutorial: Use AWS CodeDeploy to Deploy an Application from GitHub , my deployment fails at the BlockTraffic event, after trying for an hour (1h 2min last time) with error code ScriptFailed . I'm not sure how to troubleshoot the issue/where to look.

The ELB target group target health status: healthy

Health Check configuration:

Healthy threshold: 2 Unhealthy threshold: 2 Timeout: 5 Interval: 10 Success codes: 200

Answer 1

Make sure your Code Deploy role has sufficient access to register and de-register instance if it is behind ELB.

Below permissions may required.

"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"

Answer 2

有一个 AWSCodeDeployRole 策略，可以很容易地涵盖使用 codedeploy 所需的权限

Answer 3

I had the same issue and I realised that in the deployment group, I didn't tag the instance id of the target group, upon which I was doing health checks to find whether the target group was healthy or not. Hence deployment group knew the target group, it has to deal traffic with.

Answer 4

don't enable Load Balancer on Code Deploy deployment group for Pipeline and you will get rid off that BlockTraffic and AllowTraffic steps.

Screenshot

Answer 5

The issue I ran into is that for an ELB if the port was not the expected port, code deploy's BlockTraffic would not know how to deregister the instance from the target group.

In my example I had my HTTPS ELB communicate via HTTP to port 3000 on each of my target groups. I found the specific root cause by using this guide: https://aws.amazon.com/premiumsupport/knowledge-center/codedeploy-failed-ec2-deployment/

It gave the following output which identified the instance of me using port 3000 instead of the expected port 80.

During BlockTraffic, Codedeploy service invoke the Loadbalancer to de-register the instance from the target group before start installing the application revision
DeregisterTargets API call can be noticed in cloudtrail logs during BlockTraffic lifecycle hook
Currently Codedeploy does not support the case when the target group have a different port than the port used to register the instance.
** DeregisterTargets API will not be able to deregister the instance if the port configured in the Target group is different
You need to make sure that both the target group and the instance are configured to use the same port.
BlockTraffic depends mainly on the de-registration delay on the target group or connection draining on Classic LB. To speed up this step, the de-registration delay /connection draining value can be reduced to a reasonable value.