{"id":28823536,"url":"https://github.com/stacksimplify/aws-eks-devops","last_synced_at":"2026-02-02T14:11:21.529Z","repository":{"id":293642420,"uuid":"984498305","full_name":"stacksimplify/aws-eks-devops","owner":"stacksimplify","description":"AWS EKS DevOps Implementation using AWS CodePipeline or AWS Developer Tools","archived":false,"fork":false,"pushed_at":"2025-05-16T10:55:57.000Z","size":18,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-16T11:35:19.604Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stacksimplify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-16T03:11:41.000Z","updated_at":"2025-05-16T10:56:00.000Z","dependencies_parsed_at":"2025-05-16T11:45:40.158Z","dependency_job_id":null,"html_url":"https://github.com/stacksimplify/aws-eks-devops","commit_stats":null,"previous_names":["stacksimplify/aws-eks-devops"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/stacksimplify/aws-eks-devops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksimplify%2Faws-eks-devops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksimplify%2Faws-eks-devops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksimplify%2Faws-eks-devops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksimplify%2F
aws-eks-devops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stacksimplify","download_url":"https://codeload.github.com/stacksimplify/aws-eks-devops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksimplify%2Faws-eks-devops/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260654702,"owners_count":23042680,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-19T00:09:57.165Z","updated_at":"2026-02-02T14:11:21.523Z","avatar_url":"https://github.com/stacksimplify.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DevOps with AWS Developer Tools on AWS EKS\n\n## Step-01: Introduction to DevOps\n- Understand DevOps concepts\n  - CI - Continuous Integration\n  - CD - Continuous Deployment or Delivery\n- Understand more about AWS Tools that help us to implement DevOps.\n  - GitHub\n  - AWS CodeBuild\n  - AWS CodePipeline\n- GitHub Repository used for Demo: [aws-eks-devops](https://github.com/stacksimplify/aws-eks-devops)  \n\n### We are going to implement the following AWS EKS DevOps Pipeline\n![AWS EKS DevOps Pipeline](https://github.com/stacksimplify/aws-eks-kubernetes-masterclass/blob/master/images/aws-eks-devops-pipeline.png)\n\n\n## Step-02: What are we going to learn?\n- We are going to create an AWS Elastic Container Registry (ECR) for our Docker Images\n- We are going to create a GitHub Repository and check in the following to the GitHub Repo\n  - **Application code** \n    - app1/index.html\n  - 
**Docker File** \n    - Dockerfile\n  - **Kubernetes Manifests**\n    - kube-manifests/01-DEVOPS-Nginx-Deployment.yml\n    - kube-manifests/02-DEVOPS-Nginx-NodePortService.yml\n    - kube-manifests/03-DEVOPS-Nginx-ALB-IngressService.yml\n  - **Build Spec files** \n    - buildspec-build.yml\n    - buildspec-deploy.yml\n- We are going to have two `buildspec yaml` files for build and deploy stages:\n  - **Phase-1:** Build Container Image and Push to ECR - `buildspec-build.yml` \n  - **Phase-2:** Authenticate to EKS using STS Assume Role (Secure EKS interaction) and deploy kube-manifests to EKS - `buildspec-deploy.yml`\n \n\n## Step-03: Pre-requisite check\n### Step-03-01: Verify AWS Load Balancer Controller and External DNS\n- We are going to deploy an application that relies on the `AWS Load Balancer Controller` and registers its DNS name in Route53 using `External DNS`\n- This means both related pods should be running in our cluster. \n```sh\n# Verify aws-load-balancer-controller pod running in namespace kube-system\nkubectl get pods -n kube-system\n\n# Verify external-dns pod running in default namespace\nkubectl get pods\n```\n### Step-03-02: Verify Kubernetes Manifests working as expected before implementing DevOps Pipelines\n```sh\n# Verify if all templates are working\n## Step-01: Update 01-DEVOPS-Nginx-Deployment.yml - \"image\" \nimage: ghcr.io/stacksimplify/kube-nginxapp1:1.0.0 # FOR TESTING\n\n## Step-02: Verify and Update Ingress manifest (03-DEVOPS-Nginx-ALB-IngressService.yml) with DNS Names and SSL Cert\nalb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:180789647333:certificate/126847a6-a5ee-41d0-8deb-2d8a85217c73\nexternal-dns.alpha.kubernetes.io/hostname: eksdevops1.stacksimplify.com, eksdevops2.stacksimplify.com\n\n## Step-03: DEPLOY AND VERIFY\ncd 11-NEW-DevOps-with-AWS-Developer-Tools-and-GitHub/github-files\nkubectl apply -f kube-manifests/\n\n## Step-04: Verify Pods, Deployment, svc, ingress\nkubectl get 
pods\nkubectl get deploy\nkubectl get svc\nkubectl get ingress\n\n## Step-05: Verify External DNS Logs and Route53 Records\nkubectl logs -f $(kubectl get po | egrep -o 'external-dns[A-Za-z0-9-]+')\nGo to Route53 -\u003e Hosted Zones -\u003e stacksimplify.com -\u003e Verify DNS records \"eksdevops1.stacksimplify.com, eksdevops2.stacksimplify.com\"\n\n## Step-06: Access Application\nhttp://eksdevops1.stacksimplify.com/app1/index.html\n\n## Step-07: Clean-up\nkubectl delete -f kube-manifests/\n\n## Step-08: Update 01-DEVOPS-Nginx-Deployment.yml - \"image\" \nimage: CONTAINER_IMAGE # FOR DEVOPS Pipeline\n```\n\n## Step-04: Create ECR Repository for our Application Docker Images\n- Go to Services -\u003e Elastic Container Registry -\u003e Create Repository\n- Name: eks-devops\n- Tag Immutability: Enable\n- Scan On Push: Enable\n- Click on **Create Repository**\n- Make a note of Repository name\n```t\n# Sample ECR Repository URI\n180789647333.dkr.ecr.us-east-1.amazonaws.com/eks-devops-app1\n```\n\n## Step-05: Create GitHub Repository\n- Create GitHub Repository with name as **aws-eks-devops**\n- Create git credentials from IAM Service and make a note of those credentials.\n- Clone the git repository from Code Commit to local repository, during the process provide your git credentials generated to login to git repo\n```\ngit clone git@github.com:stacksimplify/aws-eks-devops.git\n```\n- Copy all files from course section **11-NEW-DevOps-with-AWS-Developer-Tools-and-GitHub/Application-Manifests** to local repository\n  - buildspec-build.yml\n  - buildspec-deploy.yml\n  - Dockerfile\n  - app1\n    - index.html \n  - kube-manifests\n    - 01-DEVOPS-Nginx-Deployment.yml\n    - 02-DEVOPS-Nginx-NodePortService.yml\n    - 03-DEVOPS-Nginx-ALB-IngressService.yml\n- Commit code and Push to GitHub Repo\n```t\n# Change to Git Repo Directory\ncd aws-eks-devops\n\n# Git Commands\ngit status\ngit add .\ngit commit -am \"Base Commit\"\ngit push\ngit status\n```\n- Verify the same on GitHub 
Repository [aws-eks-devops](https://github.com/stacksimplify/aws-eks-devops)\n\n\n## Step-06: Build Stage: Implement Build Stage\n### Step-06-01: Build Stage: Review buildspec-build.yaml\n```yaml\n# buildspec-build.yml\n\nversion: 0.2\n\n# Environment variables and values used across phases\nenv:\n  variables:\n    # ECR URI where Docker image will be pushed\n    IMAGE_URI: \"180789647333.dkr.ecr.us-east-1.amazonaws.com/eks-devops\"\n  exported-variables:\n    # Variables that will be shared with downstream phases or pipelines\n    - IMAGE_URI\n    - IMAGE_TAG\n\nphases:\n  install:\n    commands:\n      # Install phase (empty here since the CodeBuild image has necessary tools)\n      - echo \"Install Phase - Nothing to do using latest Amazon Linux Docker Image\"\n\n  pre_build:\n    commands:\n      # Generate a short Docker image tag using GitHub commit SHA (7 characters)\n      - IMAGE_TAG=\"$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c1-7)\"\n      - export IMAGE_TAG\n      # Authenticate Docker with ECR using AWS CLI\n      - echo \"Logging into Amazon ECR at $IMAGE_URI...\"\n      - aws ecr get-login-password | docker login --username AWS --password-stdin $IMAGE_URI\n\n  build:\n    commands:\n      # Build Docker image using Dockerfile in root directory\n      - echo \"Building Docker image...\"\n      - docker build -t $IMAGE_URI:$IMAGE_TAG .\n\n  post_build:\n    commands:\n      # Push the built Docker image to ECR repository\n      - echo \"Pushing Docker image to ECR...\"\n      - docker push $IMAGE_URI:$IMAGE_TAG\n      # Export image metadata to be used in the deploy stage\n      - echo \"Exporting variables for downstream stages...\"\n      - echo \"IMAGE_URI=$IMAGE_URI\" \u003e\u003e $CODEBUILD_SRC_DIR/exported-vars.env\n      - echo \"IMAGE_TAG=$IMAGE_TAG\" \u003e\u003e $CODEBUILD_SRC_DIR/exported-vars.env\n\n# Files that will be included as artifacts for the next stage\nartifacts:\n  files:\n    - exported-vars.env\n    - 
buildspec-deploy.yml\n    - '**/kube-manifests/**/*'\n\n```\n\n### Step-06-02: Build Stage: Create GitHub Connection in AWS Developer Tools\n- Go to Settings -\u003e Connections -\u003e Create Connection\n- **Select a Provider:** GitHub\n- **Connection name:** eks-devops-github-connection\n- Click on **Install a new app**\n- WILL BE REDIRECTED TO GITHUB WEBSITE\n- Provide **GitHub Authentication Code**\n- In **AWS Connector for GitHub**\n  - **Repository Access:** Only Select Repositories\n  - Select **aws-eks-devops**\n  - Click on **Save**\n- WILL BE REDIRECTED BACK TO AWS DEVELOPERS TOOLS (AWS Console)\n- Click on **Connect**\n\n### Step-06-03: Build Stage: Create CodePipeline \n#### CodePipeline Introduction\n- Get a high level overview about CodePipeline Service\n#### Create CodePipeline\n- Create CodePipeline\n- Go to Services -\u003e CodePipeline -\u003e Create Pipeline\n#### Choose creation option\n- **Category:** Build custom pipeline\n- Click NEXT\n#### Choose Pipeline Settings\n- Pipeline Name: eks-devops\n- Execution Mode: Queued\n- Service Role: New Service Role (leave to defaults)\n- Role Name: eks-devops-codepipeline-service-role\n- Rest all leave to defaults and click Next\n#### Add Source Stage\n- Source Provider: GitHub (via GitHub App)\n- Connection: eks-devops-github-connection\n- Repository Name: aws-eks-devops\n- Default Branch: main\n- REST ALL LEAVE TO DEFAULTS and Click NEXT\n#### Add Build Stage\n- Build Provider:  Other Build Provider\n- Build Provider Name: AWS CodeBuild\n- Project Name:  Click on **Create Project**\n##### Create Build Project\n- **Project Configuration**\n  - Project Name: build-eks-devops\n  - Project Type: Default Project\n- **Environment**\n  - Provisioning Model: On-demand\n  - Environment Image: Managed Image\n  - Compute: EC2\n  - Running Mode: Container\n  - Operating System: Amazon Linux\n  - Runtime(s): Standard\n  - Image: aws/codebuild/amazonlinux-x86_64-standard:5.0\n  - Image version: Always use the latest 
image for this runtime\n  - Service Role: New Service Role\n  - Role Name: buildphase-codebuild-eks-devops-service-role\n  - REST ALL LEAVE TO DEFAULTS\n- **Buildspec**\n  - Build specifications: Use a buildspec file\n  - Buildspec name: **buildspec-build.yml**\n- **Logs**\n  - Group Name: buildphase-cb-eks-deveops-group\n  - Stream Name: buildphase-cb-eks-deveops-stream\n- Click on **Continue to CodePipeline**\n- We should see a message `Successfully created build-eks-devops in CodeBuild.`\n- Click **Next**\n##### Add Test Stage\n- Click on **Skip Test Stage**\n##### Add Deploy Stage\n- Click on **Skip Deploy Stage**\n##### Review\n- Review and click on **Create Pipeline**\n\n### Step-06-04: Build Stage: Update CodeBuild Role to have ECR Full Access and CloudWatch Full Access\n- The first pipeline run will fail because CodeBuild is not able to push the newly created Docker image to the ECR repository\n- Update the CodeBuild Role to have access to ECR to upload images built by CodeBuild. 
\n  - **Role Name:** buildphase-codebuild-eks-devops-service-role\n  - **Policy Name:** AmazonEC2ContainerRegistryFullAccess\n  - **Policy Name:** CloudWatchLogsFullAccess \n- Make changes to index.html (Update as V2),  locally and push change to CodeCommit\n```sh\n# Git Commands\ngit status\ngit commit -am \"V2 Deployment\"\ngit push\n```\n- Verify CodeBuild Logs\n- New image should be uploaded to ECR, verify the ECR with new docker image tag.\n- BUILD PHASE SHOULD BE SUCCESSFUL\n\n## Step-07: DEPLOY STAGE: IMPLEMENT DEPLOY PHASE in Code Pipeline\n### Step-07-01: DEPLOY STAGE: Review buildspec-deploy.yml\n```yaml\n# buildspec-deploy.yml\n\nversion: 0.2\n\n# Environment variables required for EKS authentication\nenv:\n  variables:\n    # Name of the EKS cluster\n    EKS_CLUSTER_NAME: \"eksdemo1\"\n    # IAM Role ARN used to assume access to EKS for kubectl\n    EKS_KUBECTL_ROLE_ARN: \"arn:aws:iam::180789647333:role/EksCodeBuildKubectlRole\"\n\nphases:\n  install:\n    commands:\n      # Install dependencies/tools (if any)\n      - echo \"Install Phase - Installing tools and dependencies\"\n\n  pre_build:\n    commands:\n      # Print info about environment setup\n      - echo \"Setting up IMAGE_URI and IMAGE_TAG from previous stage...\"\n      # List files to verify presence of artifacts\n      - echo \"Listing all files in workspace for debugging:\"\n      - ls -R .\n      # Source exported variables (IMAGE_URI and IMAGE_TAG)\n      - echo \"Sourcing env variables from file\"\n      - source ./exported-vars.env\n      - echo \"IMAGE_URI=$IMAGE_URI\"\n      - echo \"IMAGE_TAG=$IMAGE_TAG\"\n      # Replace placeholder in Kubernetes YAML with actual image URI and tag\n      - echo \"Updating container image in the Kubernetes Deployment YAML file...\"\n      - sed -i 's@CONTAINER_IMAGE@'\"$IMAGE_URI:$IMAGE_TAG\"'@' kube-manifests/01-DEVOPS-Nginx-Deployment.yml\n      - echo \"Updated deployment manifest content:\"\n      - cat 
kube-manifests/01-DEVOPS-Nginx-Deployment.yml\n\n  build:\n    commands:\n      # Assume IAM role to gain temporary credentials for kubectl access\n      - echo \"Assuming IAM Role to access EKS cluster...\"\n      - CREDENTIALS=$(aws sts assume-role --role-arn $EKS_KUBECTL_ROLE_ARN --role-session-name codebuild-kubectl --duration-seconds 900)\n      - export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId')\n      - export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey')\n      - export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r '.Credentials.SessionToken')\n      # Setup kubeconfig to interact with the EKS cluster\n      - echo \"Updating kubeconfig with EKS cluster credentials...\"\n      - aws eks update-kubeconfig --name $EKS_CLUSTER_NAME\n      # Deploy application manifests to EKS\n      - echo \"Applying Kubernetes manifests...\"\n      - kubectl apply -f kube-manifests/\n      # Wait for deployment rollout to complete\n      - echo \"Waiting for deployment rollout to complete...\"\n      - kubectl rollout status deployment/eks-devops-deployment --timeout=180s\n\n  post_build:\n    commands:\n      # Verification steps to ensure everything is deployed correctly\n      - echo \"Verifying Kubernetes resources created:\"\n      - echo \"Pods Status:\"\n      - kubectl get pods -o wide\n      - echo \"Services Status:\"\n      - kubectl get svc -o wide\n      - echo \"Ingress Status:\"\n      - kubectl get ingress -o wide\n```\n### Step-07-02: DEPLOY STAGE: DEPLOY PHASE: EDIT CodePipeline \n#### EDIT CodePipeline\n- EDIT CodePipeline\n- Go to Services -\u003e CodePipeline -\u003e  eks-devops -\u003e EDIT\n#### ADD Stage\n- **Stage Name:** Deploy\n- Click on **Add Stage** \n- Click on **Add Action group**\n#### Edit Action\n- Action Name: DeployToEKS\n- Action Provider: AWS CodeBuild\n- Region: United States (N. Virginia)\n- Input Artifacts: Build Artifacts\n- Project Name: Click on **CREATE 
PROJECT**\n#### Create Build Project\n- **Project Configuration**\n  - Project Name: deploy-eks-devops\n  - Project Type: Default Project\n- **Environment**\n  - Provisioning Model: On-demand\n  - Environment Image: Managed Image\n  - Compute: EC2\n  - Running Mode: Container\n  - Operating System: Amazon Linux\n  - Runtime(s): Standard\n  - Image: aws/codebuild/amazonlinux-x86_64-standard:5.0\n  - Image version: Always use the latest image for this runtime\n  - Service Role: New Service Role\n  - Role Name: deployphase-codebuild-eks-devops-service-role\n  - REST ALL LEAVE TO DEFAULTS\n- **Buildspec**\n  - Build specifications: Use a buildspec file\n  - Buildspec name: **buildspec-deploy.yml**\n- **Logs**\n  - Group Name: deployphase-cb-eks-deveops-group\n  - Stream Name: deployphase-cb-eks-deveops-stream\n- Click on **Continue to CodePipeline**\n- We should see a message `Successfully created build-eks-devops in CodeBuild.`\n- Click **Next**\n#### Build Type\n- Build Type: Single Build\n- Click on **Done**\n- Click on **Save**\n\n### Step-07-03: DEPLOY STAGE: Update CodePipeline Role with CodeBuild Full Access\n- Go to Pipelines -\u003e eks-devops -\u003e Settings -\u003e Click on **Service role ARN**\n#### IAM CodePipeline Service Role Update\n- Role Name: eks-devops-codepipeline-service-role\n- Add Policy **AWSCodeBuildAdminAccess** to this role\n\n### Step-07-04: DEPLOY STAGE: Create STS Assume IAM Role for CodeBuild to interact with AWS EKS\n- In an AWS CodePipeline, we are going to use AWS CodeBuild to deploy Kubernetes manifests to EKS Cluster. 
\n- This requires an AWS IAM role capable of interacting with the EKS cluster.\n- In this step, we are going to create an IAM role and add an inline policy `EKS:Describe` that we will use in the CodeBuild DEPLOY stage to interact with the EKS cluster via kubectl.\n#### Option 1: **macOS / Linux / Windows Git Bash / WSL**\n##### ⚠️ Note:\n\u003e ✅ This script is designed for **Bash-compatible environments**, such as **macOS Terminal**, **Linux shell**, **Windows Git Bash**, or **Windows Subsystem for Linux (WSL)**.\n\u003e ❌ It **will not work in Windows PowerShell or Command Prompt** due to syntax differences.\n##### 💻 Script:\n```bash\n# Set variables\nACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)\nROLE_NAME=EksCodeBuildKubectlRole\n\n# Create IAM Role with trust policy\naws iam create-role \\\n  --role-name $ROLE_NAME \\\n  --assume-role-policy-document \"{\n    \\\"Version\\\": \\\"2012-10-17\\\",\n    \\\"Statement\\\": [\n      {\n        \\\"Effect\\\": \\\"Allow\\\",\n        \\\"Principal\\\": { \\\"AWS\\\": \\\"arn:aws:iam::${ACCOUNT_ID}:root\\\" },\n        \\\"Action\\\": \\\"sts:AssumeRole\\\"\n      }\n    ]\n  }\"\n\n# Attach inline policy to allow EKS describe actions\naws iam put-role-policy \\\n  --role-name $ROLE_NAME \\\n  --policy-name eks-describe \\\n  --policy-document \"{\n    \\\"Version\\\": \\\"2012-10-17\\\",\n    \\\"Statement\\\": [\n      {\n        \\\"Effect\\\": \\\"Allow\\\",\n        \\\"Action\\\": \\\"eks:Describe*\\\",\n        \\\"Resource\\\": \\\"*\\\"\n      }\n    ]\n  }\"\n```\n#### Option 2: **Windows PowerShell**\n##### ⚠️ Note:\n\u003e ✅ This script is designed for **Windows PowerShell**.\n\u003e ❌ Do not use it in Git Bash, WSL, macOS, or Linux — it will fail due to syntax and escaping differences.\n##### Script:\n```powershell\n# Set variables\n$ACCOUNT_ID = (aws sts get-caller-identity --query Account --output text)\n$ROLE_NAME = \"EksCodeBuildKubectlRole\"\n\n# Create IAM Role with trust 
policy\naws iam create-role `\n  --role-name $ROLE_NAME `\n  --assume-role-policy-document \"{\n    `\"Version`\": `\"2012-10-17`\",\n    `\"Statement`\": [\n      {\n        `\"Effect`\": `\"Allow`\",\n        `\"Principal`\": { `\"AWS`\": `\"arn:aws:iam::${ACCOUNT_ID}:root`\" },\n        `\"Action`\": `\"sts:AssumeRole`\"\n      }\n    ]\n  }\"\n\n# Attach inline policy to allow EKS Describe actions\naws iam put-role-policy `\n  --role-name $ROLE_NAME `\n  --policy-name \"eks-describe\" `\n  --policy-document \"{\n    `\"Version`\": `\"2012-10-17`\",\n    `\"Statement`\": [\n      {\n        `\"Effect`\": `\"Allow`\",\n        `\"Action`\": `\"eks:Describe*`\",\n        `\"Resource`\": `\"*`\"\n      }\n    ]\n  }\"\n```\n\n\n### Step-07-05: Update `aws-auth` ConfigMap with IAM Role for CodeBuild\n- In this step, we will automatically update the EKS cluster's `aws-auth` ConfigMap to include the IAM role created in the previous step (`EksCodeBuildKubectlRole`). This grants the role access to the cluster, which is required for `kubectl` commands in the CodeBuild deployment stage.\n\n#### ⚠️ Works on:\n* **macOS / Linux / WSL / Git Bash**\n* **Windows PowerShell**\n\n#### 📁 Directory Structure\n- Make sure you're in the project root (e.g., `11-NEW-DevOps-with-AWS-Developer-Tools-and-GitHub`) and there's a folder named `aws-auth/`:\n```bash\ncd 11-NEW-DevOps-with-AWS-Developer-Tools-and-GitHub\nmkdir -p aws-auth\n```\n\n#### 🧪 Step-by-step Commands\n##### 🖥️ macOS / Linux / Git Bash / WSL (Bash shell)\n```bash\n# Set variables\nACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)\necho $ACCOUNT_ID\nROLE_ARN=\"arn:aws:iam::$ACCOUNT_ID:role/EksCodeBuildKubectlRole\"\necho $ROLE_ARN\n\n# Backup current aws-auth ConfigMap\nkubectl get configmap aws-auth -n kube-system -o yaml \u003e aws-auth/aws-auth-backup.yml\n\n# Generate patched configmap YAML\nkubectl get configmap aws-auth -n kube-system -o yaml | \\\n  awk -v role=\"    - rolearn: $ROLE_ARN\\n   
   username: build\\n      groups:\\n        - system:masters\" \\\n  '/mapRoles: \\|/ {print; print role; next} 1' \u003e aws-auth/aws-auth-patch.yml\n\n# Apply updated configmap\nkubectl apply -f aws-auth/aws-auth-patch.yml\n\n# Verify updated config\nkubectl get configmap aws-auth -n kube-system -o yaml\n```\n\n##### 🪟 Windows PowerShell\n\n```powershell\n# Set variables\n$ACCOUNT_ID = (aws sts get-caller-identity --query Account --output text)\n# Braces are required: \"$ACCOUNT_ID:role\" would be parsed as a scope-qualified variable\n$ROLE_ARN = \"arn:aws:iam::${ACCOUNT_ID}:role/EksCodeBuildKubectlRole\"\n$BackupPath = \"aws-auth\\aws-auth-backup.yml\"\n$PatchPath = \"aws-auth\\aws-auth-patch.yml\"\n\n# Backup current config\nkubectl get configmap aws-auth -n kube-system -o yaml \u003e $BackupPath\n\n# Inject new role into mapRoles\n(Get-Content $BackupPath) | ForEach-Object {\n    if ($_ -match \"mapRoles: \\|\") {\n        $_\n        \"    - rolearn: $ROLE_ARN\"\n        \"      username: build\"\n        \"      groups:\"\n        \"        - system:masters\"\n    } else {\n        $_\n    }\n} \u003e $PatchPath\n\n# Apply updated configmap\nkubectl apply -f $PatchPath\n\n# Verify update\nkubectl get configmap aws-auth -n kube-system -o yaml\n```\n\n---\n\n### ✅ Outcome\n- The IAM role `EksCodeBuildKubectlRole` is now authorized to access the EKS cluster with `system:masters` permissions. This enables `kubectl` to be used in the CodeBuild stage of your pipeline.\n\n\n\n### Step-07-06: DEPLOY STAGE: Update CodeBuild Role to have access to STS Assume Role we have created using STS Assume Role Policy\n- The DEPLOY PHASE build should fail because CodeBuild doesn't have access to perform updates in the EKS Cluster.\n- It cannot even assume the STS Assume role we created. 
\n- Create STS Assume Policy and Associate that to DEPLOY PHASE CodeBuild Role `deployphase-codebuild-eks-devops-service-role`\n\n#### Create STS Assume Role Policy\n- Go to Services IAM -\u003e Policies -\u003e Create Policy\n- In **Visual Editor Tab**\n- Service: STS\n- Actions: Under Write - Select `AssumeRole`\n- Resources: Specific\n  - Add ARN\n  - Specify ARN for Role: arn:aws:iam::180789647333:role/EksCodeBuildKubectlRole\n  - Click Add\n```\n# For Role ARN, replace your account id here, refer step-07 environment variable EKS_KUBECTL_ROLE_ARN for more details\narn:aws:iam::\u003cyour-account-id\u003e:role/EksCodeBuildKubectlRole\n```\n- Click on Review Policy  \n- Name: eks-codebuild-sts-assume-role\n- Description: CodeBuild to interact with EKS cluster to perform changes\n- Click on **Create Policy**\n\n#### Associate Policy to CodeBuild Role\n- Role Name: deployphase-codebuild-eks-devops-service-role\n- Policy to be associated:  `deployphase-codebuild-eks-devops-service-role`\n\n\n## Step-08: Test-1: END TO END FLOW (Build and Deploy Stages)\n- Commit the changes to local git repository and push to GitHub Repository\n- Monitor the codePipeline Build and Deploy projects\n- Test by accessing the static html page\n```sh\n# Update app1/index.html\n      \u003ch1\u003eWelcome to Stack Simplify - App Version - V3 \u003c/h1\u003e\n# Git Commands\ngit status\ngit commit -am \"V3\"\ngit push\n```\n- Verify Build Stage - CodeBuild Logs\n- Verify Deploy Stage - CodeBuild Logs\n- Verify CodePipeline - eks-devops\n- Test by accessing the static html page\n```t\n# Access Application\nhttp://myapp1.stacksimplify.com/app1/index.html\n```\n\n## Step-09: Test-2: END TO END FLOW (Build and Deploy Stages)\n- Commit the changes to local git repository and push to GitHub Repository\n- Monitor the codePipeline Build and Deploy projects\n- Test by accessing the static html page\n```sh\n# Update app1/index.html\n      \u003ch1\u003eWelcome to Stack Simplify - App Version - V4 
\u003c/h1\u003e\n# Git Commands\ngit status\ngit commit -am \"V4\"\ngit push\n```\n- Verify Build Stage - CodeBuild Logs\n- Verify Deploy Stage - CodeBuild Logs\n- Verify CodePipeline - eks-devops\n- Test by accessing the static html page\n```t\n# Access Application\nhttp://myapp1.stacksimplify.com/app1/index.html\n```\n\n## Step-10: APPROVAL STAGE: Add Manual Approval Stage\n### Step-10-01: Create SNS Topic\n- Go to Amazon SNS -\u003e Create Topic\n- Type: Standard\n- Name: eks-devops-topic1\n- Display Name: eks-devops-topic1\n- REST ALL LEAVE TO DEFAULTS and \n- Click on **Create topic**\n### Step-10-02: Create SNS Subscription\n- Go to Amazon SNS -\u003e eks-devops-topic1 \n- Click on **Create Subscription**\n- Topic ARN: Auto-populated (ARN of Topic: eks-devops-topic1 )\n- Protocol: Email\n- Endpoint: stacksimplify@gmail.com\n- Click on **Create subscription**\n- Go to email id and click on **Confirm Subscription**\n### Step-10-03: APPROVAL STAGE: Add new state in CodePipeline\n#### EDIT CodePipeline\n- EDIT CodePipeline\n- Go to Services -\u003e CodePipeline -\u003e  eks-devops -\u003e EDIT\n#### ADD Stage\n- **Stage Name:** DeploymentApproval\n- Click on **Add Stage** \n- Click on **Add Action group**\n#### Edit Action\n- Action Name: DeploymentApproval\n- Action Provider: Manual Approval\n- SNS Topic ARN: arn:aws:sns:us-east-1:180789647333:eks-devops-topic1 \n- REST ALL LEAVE TO DEFAULTS\n- Click on **DONE**\n- Click on **SAVE** to save pipeline\n### Step-10-04: Give SNS Full access to AWS CodePipeline Role\n- Go to AWS CodePipeline -\u003e eks-devops -\u003e Settings -\u003e Service role ARN\n- In IAM for ROLE: **AWSCodePipelineServiceRole-us-east-1-eks-devops-pipeline-551**\n- Attach Permissions: **AmazonSNSFullAccess**\n\n\n## Step-11: Test-3: END TO END FLOW (Build, Approval and Deploy Stages)\n- Commit the changes to local git repository and push to GitHub Repository\n```sh\n# Update app1/index.html\n      \u003ch1\u003eWelcome to Stack Simplify - App 
Version - V5 \u003c/h1\u003e\n# Git Commands\ngit status\ngit commit -am \"V5\"\ngit push\n```\n- Monitor the codePipeline BUILD project logs\n- Verify email and Approve the Deployment request after **BUILD STAGE** to move to next step which is **DEPLOY STAGE**\n- Monitor the codePipeline DEPLOY project logs\n- Verify CodePipeline - eks-devops\n- Test by accessing the static html page\n```t\n# Access Application\nhttp://myapp1.stacksimplify.com/app1/index.html\n```\n\n## Step-12: Why does every alternate build fail in the Build Phase?\n- This happens because the Docker base image (`nginx:latest`) is being pulled from Docker Hub, which has rate limits for anonymous users. The first build fails due to hitting this limit (`429 Too Many Requests`), but the second one might pass if the image gets cached.\n\n### ✅ Fix: Use Amazon ECR Public image instead of Docker Hub\n- Update your `Dockerfile` like this:\n\n```Dockerfile\n#FROM nginx\nFROM public.ecr.aws/nginx/nginx:latest\nCOPY app1 /usr/share/nginx/html/app1\n```\n- This uses AWS's public registry, which has no rate limits in CodeBuild.\n\n## Step-13: Clean-Up\n- Delete All kubernetes Objects in EKS Cluster\n```sh\n# Delete all Kubernetes Resources created as part of this demo\nkubectl delete -f kube-manifests/\n```\n- Delete Pipeline\n- Delete CodeBuild Project\n- Make GitHub Repository public for students to access it\n- Delete Roles and Policies created\n- Delete SNS Subscription\n- Delete SNS Topic\n- Delete AWS Elastic Container Registry (ECR)\n\n## Additional References\n- https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html\n- **STS Assume Role:** https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html\n- 
https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacksimplify%2Faws-eks-devops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstacksimplify%2Faws-eks-devops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacksimplify%2Faws-eks-devops/lists"}