Challenge
Firms typically face two main challenges while integrating Bitbucket Cloud Pipelines for CI/CD:
- Pipelines do not support VPN connections, which prevents them from fetching artifacts from Nexus and from Bitbucket Cloud repositories that require VPN access.
- Pipelines do not let you manage the build server's memory requirements.
Why AWS
EZOPS chose AWS as it provides the security tools and features needed to create CI/CD while meeting the firm’s security requirements to restrict access to source code and Nexus to only users and servers on the VPN. The following components were leveraged:
- AWS Site-to-Site VPN to create a connection to the EZOPS network
- An AWS IAM user to provide access for Bitbucket to trigger CodeBuild
- AWS IAM roles to provide secure access to servers in the VPN/private network
- AWS CodeBuild to support the build server memory requirements and make the solution cost-effective (we only pay for the minutes that builds run)
- AWS CodeDeploy to automate deployment of Liquibase database changes and deployment to Docker Swarm
Solution Schematic
The obvious question is, why use Pipelines and pay the extra fees if CodeDeploy supports Bitbucket natively? This was necessary because we cannot run CodeDeploy within the VPN and control which IP addresses may access the code repository. We used an example script from Atlassian and enhanced it to give real-time feedback in the Pipelines UI.
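The trigger-and-feedback pattern described above, as an added example (this is neither the EZOPS script nor Atlassian's example): a Bitbucket Pipelines step starts a CodeBuild project with the IAM user's credentials, polls the build, reports each phase change to the pipeline log as it happens, and fails the step if the build does not succeed. The project name, environment variables and the stub-friendly `client` parameter are assumptions; `client` is a boto3 CodeBuild client (or anything exposing the same `start_build` and `batch_get_builds` calls), so the loop can be exercised offline. The IAM user that runs this only needs `codebuild:StartBuild` and `codebuild:BatchGetBuilds` on the one project ARN, which keeps the credential stored in Pipelines tightly scoped.

```python
"""Added example (not the page's code): trigger an AWS CodeBuild project from
a Bitbucket Pipelines step and stream phase changes back to the pipeline log.

Assumptions (not from the page): boto3 is installed in the pipeline image,
the IAM user's credentials are in the environment, and the project name is
hypothetical. `client` may be a boto3 CodeBuild client or an offline stub
with the same start_build / batch_get_builds methods.
"""
import os
import sys
import time


def trigger_build(client, project_name, source_version=None):
    """Start a build and return its id. source_version (branch or commit)
    is optional; Bitbucket exposes the current commit as BITBUCKET_COMMIT."""
    kwargs = {"projectName": project_name}
    if source_version:
        kwargs["sourceVersion"] = source_version
    return client.start_build(**kwargs)["build"]["id"]


def wait_for_build(client, build_id, report=print, poll_seconds=10, sleep=time.sleep):
    """Poll batch_get_builds and report every phase change as it happens.
    Returns the final buildStatus (SUCCEEDED, FAILED, FAULT, TIMED_OUT, STOPPED).
    Unchanged phases are not re-reported, so the log stays readable."""
    last_phase = None
    while True:
        build = client.batch_get_builds(ids=[build_id])["builds"][0]
        phase = build.get("currentPhase")
        if phase != last_phase:
            report(f"[codebuild] {build_id}: phase {phase}")
            last_phase = phase
        if build.get("buildComplete"):
            status = build["buildStatus"]
            report(f"[codebuild] {build_id}: finished with {status}")
            return status
        sleep(poll_seconds)


def run(client, project_name, source_version=None, report=print, sleep=time.sleep):
    """Trigger, wait, and map the outcome to a process exit code so the
    Bitbucket step fails whenever the CodeBuild run does not succeed."""
    build_id = trigger_build(client, project_name, source_version)
    status = wait_for_build(client, build_id, report=report, sleep=sleep)
    return 0 if status == "SUCCEEDED" else 1


if __name__ == "__main__":
    import boto3  # only needed for a real run, not for the offline stub

    project = sys.argv[1] if len(sys.argv) > 1 else "example-project"  # hypothetical name
    codebuild = boto3.client(
        "codebuild", region_name=os.environ.get("AWS_DEFAULT_REGION", "us-east-1")
    )
    sys.exit(run(codebuild, project, os.environ.get("BITBUCKET_COMMIT")))
```

In a `bitbucket-pipelines.yml` step this would be invoked as `python trigger_codebuild.py my-project` with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_DEFAULT_REGION` set as secured repository variables; because `run` returns a non-zero exit code for anything other than `SUCCEEDED`, a failed or timed-out CodeBuild run shows up as a failed pipeline step rather than a silent green build.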
Results and Benefits
We were able to create a secure, scalable and cost-effective CI/CD solution that establishes a secure connection between Bitbucket and Nexus on the VPN and the servers used for CI/CD, without opening any other ports in Bitbucket Cloud, thereby ensuring that the EZOPS source code is protected.