IaC Bazaar
AWS · Static-verified

CodeDeploy CI/CD (EC2 / ECS / Lambda)

CodeDeploy application, deployment groups, and the platform-correct service role for automated EC2/ECS/Lambda rollouts with auto-rollback on failure.

terraform · AWS · #aws
aws-codedeploy · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

aws-codedeploy

An AWS CodeDeploy application with deployment groups for CI/CD rollouts to EC2/on-premises (Server), ECS, or Lambda — plus the correctly-scoped service role, created automatically. CodeDeploy itself is free for EC2/Lambda/ECS deployments.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov (STATIC_OK). A live test was attempted against a real account: the IAM service role applies correctly, but CreateApplication returned SubscriptionRequiredException because that sandbox account is not activated for CodeDeploy — an account/billing state, not a module defect. Ready to live-test on any CodeDeploy-enabled account via tests/live.tfvars.

Design & secure defaults

  • Platform-correct service role. The module attaches the right AWS-managed policy for the chosen compute_platform (AWSCodeDeployRole for Server, AWSCodeDeployRoleForECS for ECS, AWSCodeDeployRoleForLambda for Lambda). Attaching the wrong one is the usual cause of "deployment failed" misconfigurations. Bring your own role with create_service_role = false + service_role_arn.
  • Automatic rollback on failure is on by default for every deployment group (auto_rollback_configuration with DEPLOYMENT_FAILURE).
  • Sensible deployment config per platform (OneAtATime / ECSAllAtOnce / LambdaAllAtOnce) unless you override deployment_config_name.
  • Preconditions enforce platform invariants (ECS requires ecs_service; a BYO role requires service_role_arn).
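
An added example, not part of the module or its test suite: a plan-level check that the first two defaults above actually hold in a rendered plan, in the spirit of a custom policy check. It assumes plan JSON in the `terraform show -json` / `tofu show -json` format; the resource addresses in the sample are hypothetical, since the module's internal resource names are not documented on this page.

```python
import json

# Platform -> AWS-managed policy, as listed under "Design & secure defaults".
EXPECTED_POLICY = {
    "Server": "AWSCodeDeployRole",
    "ECS": "AWSCodeDeployRoleForECS",
    "Lambda": "AWSCodeDeployRoleForLambda",
}


def audit_plan(plan):
    """Return findings for a plan document in `terraform show -json` format."""
    by_type = {}
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after") or {}  # None when destroyed
        by_type.setdefault(rc["type"], []).append((rc["address"], after))

    findings = []
    # CodeDeploy managed policies attached anywhere in the plan. An empty set
    # means a bring-your-own role, which this check cannot see into.
    attached = {(a.get("policy_arn") or "").rsplit("/", 1)[-1]
                for _, a in by_type.get("aws_iam_role_policy_attachment", [])}
    attached = {p for p in attached if p.startswith("AWSCodeDeployRole")}
    for addr, app in by_type.get("aws_codedeploy_app", []):
        want = EXPECTED_POLICY.get(app.get("compute_platform") or "Server")
        if attached and attached != {want}:
            findings.append(f"{addr}: expected {want}, plan attaches {sorted(attached)}")

    for addr, grp in by_type.get("aws_codedeploy_deployment_group", []):
        blocks = grp.get("auto_rollback_configuration") or []
        if not any(b.get("enabled") and "DEPLOYMENT_FAILURE" in (b.get("events") or [])
                   for b in blocks):
            findings.append(f"{addr}: no auto-rollback on DEPLOYMENT_FAILURE")
    return findings


# Constructed sample (hypothetical addresses): an ECS application whose role
# carries the Server policy and whose deployment group has rollback disabled.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_codedeploy_app.this", "type": "aws_codedeploy_app",
   "change": {"after": {"name": "orders", "compute_platform": "ECS"}}},
  {"address": "aws_iam_role_policy_attachment.this", "type": "aws_iam_role_policy_attachment",
   "change": {"after": {"policy_arn": "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole"}}},
  {"address": "aws_codedeploy_deployment_group.prod", "type": "aws_codedeploy_deployment_group",
   "change": {"after": {"auto_rollback_configuration": [{"enabled": false, "events": []}]}}}
]}
""")
```

Calling audit_plan(SAMPLE_PLAN) returns two findings, one for the mismatched policy and one for the missing rollback; a plan with no CodeDeploy policy attachment (a bring-your-own role) is not flagged on the policy check.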

Usage

module "codedeploy" {
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/aws-codedeploy"

  name             = "web-app"
  compute_platform = "Server"

  deployment_groups = {
    production = {
      ec2_tag_filters = [{ key = "App", value = "web" }]
    }
  }
}

ECS blue/green example:

module "codedeploy" {
  source           = "github.com/ITfreak/iacbazaar//artifacts/terraform/aws-codedeploy"
  name             = "orders"
  compute_platform = "ECS"

  deployment_groups = {
    prod = {
      deployment_type = "BLUE_GREEN"
      ecs_service     = { cluster_name = "orders", service_name = "orders-api" }
    }
  }
}

See examples/basic for a complete configuration.

Key inputs

Variable | Description | Default
name | Application name + resource prefix | required
compute_platform | Server / ECS / Lambda | Server
create_service_role / service_role_arn | Create the service role, or supply one | true / null
deployment_groups | Map of deployment groups (targeting, style, rollback, alarms, triggers) | {}
tags | Tags for all resources | {}

Each deployment group supports: deployment_config_name, auto_rollback(+events), ec2_tag_filters / autoscaling_groups (Server), ecs_service (ECS), deployment_type (IN_PLACE/BLUE_GREEN), deployment_option, alarms, and an SNS trigger.

Outputs

application_name, application_id, compute_platform, service_role_arn, service_role_name, deployment_group_names, deployment_group_ids (map).

Provider

hashicorp/aws >= 6.0, < 7.0. Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.