← Back to Home

DevSecOps - Blue-Green Deployment on AWS ECS with AWS Code Pipeline

View on GitHub

Tech Stack

Version Control and CI/CD: GitHub, AWS CodePipeline, AWS CodeBuild.

Infrastructure as Code: Terraform (IAM, ECS, ALB, ECR, S3, CodeDeploy, CodePipeline, CodeBuild).

Cloud Provider: AWS (ECS Fargate/EC2, ALB, ECR, S3, IAM, CloudWatch).

Application: Dockerized app (Node.js/Java).

Deployment Strategy: Blue-Green deployment with AWS CodeDeploy.

Project Goal

The goal of this project was to build a fully automated CI/CD pipeline for deploying a containerized application on Amazon ECS using a Blue-Green strategy. The process ensures zero downtime and automatic rollback by leveraging AWS CodeDeploy’s traffic shifting capabilities. All stages are triggered from GitHub and executed automatically within AWS.

Project Description

This project demonstrates a complete deployment pipeline managed by Terraform and orchestrated by AWS native CI/CD services. Terraform provisions all core infrastructure, including ECR, ECS Cluster, ALB with Blue/Green Target Groups, IAM roles, S3 buckets, CodeBuild, CodeDeploy, and CodePipeline. CodeBuild builds and pushes Docker images to ECR, generates deployment artifacts (appspec.yaml and taskdef.json), and uploads them to S3. CodePipeline connects Source → Build → Deploy, while CodeDeploy handles Blue-Green traffic shifting and rollbacks on ECS.

image

Architecture Overview

  • ECR: Stores versioned Docker images built from source.
  • ECS Service: Uses deployment_controller = CODE_DEPLOY for Blue-Green updates.
  • ALB + Target Groups (Blue/Green): Handle traffic routing and health checks.
  • CodeDeploy: Executes deployments based on appspec.yaml and taskdef.json.
  • CodeBuild: Builds the Docker image, pushes it to ECR, and prepares deployment artifacts.
  • CodePipeline: Orchestrates Source → Build → Deploy stages triggered on code commits.

Implementation Details

Infrastructure (Terraform)
  • IAM: Roles for CodeBuild, CodeDeploy, CodePipeline, ECS tasks.
  • ECR: Private Docker repository.
  • ECS: Cluster, Task Definition, and Service configured for Blue-Green.
  • ALB: Load balancer with listeners and two target groups (blue/green).
  • S3: Stores deployment artifacts.
  • CodeDeploy: ECS Application and Deployment Group linked to target groups.
Build and Packaging (CodeBuild)
  • Log in to ECR.
  • Build and tag Docker image with latest and commit-based tag.
  • Push image to ECR.
  • Render taskdef.json dynamically with the new image tag.
  • Package appspec.yaml and taskdef.json for deployment.
Deployment (CodeDeploy – ECS)
  • Create a new task set (“green”) with the new image.
  • Gradually shift traffic from “blue” to “green” target group.
  • Validate health checks during shifting.
  • Automatically roll back if deployment fails.

CI/CD Workflow

  1. Source (GitHub): Code commit or pull request triggers pipeline.
  2. Build (CodeBuild): Builds and pushes Docker image, packages deployment files.
  3. Deploy (CodeDeploy): Launches Blue-Green deployment, shifts traffic, monitors health, rolls back on failure.

Access and Routing

  • ALB exposes ECS service publicly on HTTP/HTTPS.
  • DNS record (Route 53) points to ALB.
  • Only healthy targets receive traffic after deployment.

Security and Observability

  • Least-privilege IAM roles for each AWS service.
  • Logs stored in CloudWatch for ECS, CodeBuild, and CodeDeploy.
  • Encryption for ECR and S3.
  • Sensitive data managed through AWS Secrets Manager or Parameter Store.

Outcomes

  • Fully automated, repeatable, and auditable Blue-Green deployments.
  • Zero-downtime releases with safe rollback capability.
  • Complete AWS-native CI/CD solution managed via Terraform.
  • Reproducible and traceable infrastructure and application updates.

GitHub: View Repository