Code Pipes' Use of Customer Cloud Accounts

Use of your Cloud Accounts

When you use Code Pipes to deploy applications in your environment, Code Pipes utilizes certain services in your AWS or GCP cloud account. These services are in addition to the ones you explicitly specify in your Terraform files. Here are the services used by Code Pipes in AWS and GCP:

AWS

  • CodeBuild service: Code Pipes uses the CodeBuild service to compile your source code, run unit tests, and generate artifacts for deployment.

  • CodeDeploy service: Code Pipes leverages the CodeDeploy service to automate application deployments.

  • S3 buckets: Code Pipes utilizes S3 buckets to store data such as logs and state files related to your deployments.

  • Secrets Manager: Code Pipes uses Secrets Manager to safely rotate secret variables in both the Application Deployment and Infrastructure pipelines.

  • SNS topic and subscription, SQS queue, CloudWatch rule: Code Pipes uses these components to manage messaging between the cloud-native pipelines and the Code Pipes services.

GCP

  • Cloud Build: Code Pipes utilizes Cloud Build to automate application and infrastructure deployments.

  • Cloud Storage buckets: Code Pipes uses Cloud Storage buckets to store data such as logs and state files associated with your deployments.

  • KMS: Code Pipes employs Key Management Service (KMS) to rotate secret keys.

  • Cloud Pub/Sub: This service is used by Code Pipes to manage messaging between cloud-native pipelines and Code Pipes services.

Cleanup Procedures

When it comes to cleanup procedures, here's how Code Pipes handles the various resources:

  • CloudBuild/CodeBuild: Cleanup is not required for these services as they are short-lived pipeline execution instances.

  • Buckets: Code Pipes does not perform automatic cleanup of buckets. This allows you to access logs and Terraform artifacts at any time, even after off-boarding.

  • GCP KMS: Code Pipes creates one GCP key per project and reuses it. During off-boarding, there may be remaining artifacts encrypted by this key. Therefore, Code Pipes does not delete the key to ensure data access if needed.
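Because the per-project KMS key is intentionally left in place, anyone who later decides to destroy it should first confirm that no off-boarded artifacts still depend on it. The following is an added example, not Code Pipes' own tooling: a hypothetical pre-destruction check that works over object metadata records in the shape returned by the Cloud Storage JSON API (the `kmsKeyName` field, which names a key *version*), using constructed placeholder project, bucket and key names.

```python
"""Hypothetical pre-destruction check for a per-project Code Pipes KMS key.

The page notes that off-boarded buckets may still hold artifacts encrypted with
the key. Before destroying it, confirm nothing still references it. Each object
record mirrors the Cloud Storage JSON API object resource: `bucket`, `name` and,
for CMEK-encrypted objects, `kmsKeyName` (a full cryptoKeyVersion path).
"""
from typing import Iterable

VERSION_SEP = "/cryptoKeyVersions/"


def key_of(kms_key_name: str) -> str:
    """Strip the version suffix so objects are matched by key, not by version."""
    return kms_key_name.split(VERSION_SEP, 1)[0]


def objects_blocking_destruction(key_name: str, objects: Iterable[dict]) -> list:
    """Return gs:// URIs of objects encrypted with any version of `key_name`.

    Objects without `kmsKeyName` use Google-managed encryption and do not depend
    on the key. Keys that share a name prefix (e.g. `codepipes-key` vs
    `codepipes-key2`) are told apart because the full key path is compared.
    """
    blockers = []
    for obj in objects:
        kms = obj.get("kmsKeyName")
        if kms and key_of(kms) == key_name:
            blockers.append(f"gs://{obj['bucket']}/{obj['name']}")
    return sorted(blockers)


def safe_to_destroy(key_name: str, objects: Iterable[dict]) -> bool:
    """True only when no remaining object references the key."""
    return not objects_blocking_destruction(key_name, objects)


# Constructed sample inventory (placeholder names, not real resources).
KEY = "projects/example-project/locations/us/keyRings/example-ring/cryptoKeys/codepipes-key"
SAMPLE_OBJECTS = [
    {"bucket": "example-cp-logs", "name": "run-1/build.log", "kmsKeyName": KEY + VERSION_SEP + "1"},
    {"bucket": "example-cp-state", "name": "terraform.tfstate", "kmsKeyName": KEY + VERSION_SEP + "3"},
    {"bucket": "example-cp-logs", "name": "README"},  # Google-managed encryption, no CMEK
    {"bucket": "example-other", "name": "x.bin", "kmsKeyName": KEY + "2" + VERSION_SEP + "1"},
]

if __name__ == "__main__":
    for uri in objects_blocking_destruction(KEY, SAMPLE_OBJECTS):
        print("still encrypted with the key:", uri)
    print("safe to destroy:", safe_to_destroy(KEY, SAMPLE_OBJECTS))
```

In practice the object records would come from listing every bucket Code Pipes created in the project (the page says these are not cleaned up), so an empty result is only meaningful if the listing covered all of them.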

By understanding the services utilized by Code Pipes and the cleanup procedures, you can effectively manage your resources and ensure the appropriate handling of artifacts and data in your AWS or GCP cloud accounts.