

# Set up CodePipeline
<a name="agent-sops-deployment-pipeline"></a>

This SOP creates a CI/CD pipeline using AWS CodePipeline. The pipeline automatically builds, tests, and deploys your application when changes are pushed to a source repository branch.

For prerequisites and security information, see [AWS Deployment SOPs](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment.html).

## Requirements
<a name="pipeline-requirements"></a>

Your application must already be configured as a CDK application with existing infrastructure code. This SOP works best after deploying with [Frontend applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-frontend.html) or [Supabase applications](https://docs.aws.amazon.com/aws-mcp/latest/userguide/agent-sops-deployment-supabase.html).

**Important**  
This SOP requires you to manually approve an AWS CodeConnections resource in your web browser. You need permissions to install and configure the connection in your repository or organization.

## Example prompt
<a name="pipeline-example-prompt"></a>

To set up a pipeline, prompt your coding agent with the following: `Set up a pipeline for my application`.

## Steps your coding agent takes
<a name="pipeline-steps"></a>

Your coding agent commits changes after each significant step to the `deploy-to-aws` branch.

1. Scans the project to detect existing CDK infrastructure, stacks, and application configuration

1. Identifies available quality checks (linting, unit tests) and verifies they pass locally

1. Presents a detection summary and asks you to confirm the configuration

1. Creates an AWS CodeConnections resource to connect AWS to your source repository

1. Creates production secrets in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), if your application uses Lambda functions

1. Generates CDK infrastructure code for the pipeline

1. Deploys the pipeline stack through [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)

1. Prompts you to authorize the connection in the AWS console

1. Verifies the pipeline triggers and runs successfully

1. Records pipeline configuration and deployment details in your repository

## Manual steps
<a name="pipeline-manual-steps"></a>

During Step 8, you must complete authorization in the AWS console:

1. Open the [AWS CodeConnections console](https://console.aws.amazon.com/codesuite/settings/connections)

1. Find the pending connection for your application

1. Choose **Update pending connection**

1. Authorize and install the connector for your repository

## How it works
<a name="pipeline-how-it-works"></a>

Your coding agent verifies your application has existing CDK infrastructure code. The agent then generates a pipeline stack using the CDK Pipelines module (`aws-cdk-lib/pipelines`). The pipeline is self-mutating. When you push changes to pipeline infrastructure code, the pipeline automatically updates itself.

The pipeline uses AWS CodeConnections to authenticate with your source repository. When changes are pushed to the configured branch, the pipeline executes the following stages:

1. *Source* — Pulls source code from your repository through the CodeConnections resource

1. *Build (Synth)* — Installs dependencies, runs quality checks, builds the application, and synthesizes CloudFormation templates using CDK

1. *Update pipeline* — Self-mutation stage that updates the pipeline if its own infrastructure code changed

1. *Assets* — Publishes file and Docker image assets required by the stacks

1. *Deploy* — Deploys your application stacks to a production environment

The pipeline initially triggers on the `deploy-to-aws` branch. You can reconfigure the pipeline to trigger on `main` or another branch. To reconfigure, update the `branchName` context variable in the CDK configuration.

Quality checks are included only if they pass locally during setup. End-to-end tests are not included in the pipeline. The pipeline uses Secretlint to scan for exposed secrets in your codebase during each build. As part of the [AWS Shared Responsibility Model](https://docs.aws.amazon.com/aws-mcp/latest/userguide/data-protection.html), you should rotate exposed secrets immediately.

If your application includes Lambda functions, the SOP creates a separate production secret in AWS Secrets Manager (`{AppName}/prod/secrets`) and deploys both Lambda and frontend stacks through the pipeline.

The SOP prompts your coding agent to apply security best practices. Always review the generated pipeline configuration before deploying.
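
One way to act on that review step, as an added example that is not part of the SOP or generated by it: a TypeScript check over a synthesized CloudFormation template from `cdk.out` that reports the branch the source action tracks and any IAM policy statement that allows every action on every resource. The function names, the sample template, and its ARN and repository values are constructed for illustration, and the check inspects only `AWS::CodePipeline::Pipeline` and `AWS::IAM::Policy` resources.

```typescript
type Json = { [key: string]: any };
interface Finding { resource: string; issue: string }
// CloudFormation allows a scalar or a list for Action/Resource; normalise to a list.
function asList(value: any): any[] {
  return value == null ? [] : Array.isArray(value) ? value : [value];
}

function reviewPipelineTemplate(template: Json, expectedBranch: string): Finding[] {
  const findings: Finding[] = [];
  const resources: Json = template.Resources || {};
  for (const id of Object.keys(resources)) {
    const props: Json = resources[id].Properties || {};
    if (resources[id].Type === "AWS::CodePipeline::Pipeline") {
      for (const stage of asList(props.Stages)) {
        for (const action of asList(stage.Actions)) {
          const kind: Json = action.ActionTypeId || {};
          if (kind.Category !== "Source") continue;
          const branch = (action.Configuration || {}).BranchName;
          if (kind.Provider !== "CodeStarSourceConnection") {
            findings.push({ resource: id, issue: "source does not use a CodeConnections connection" });
          } else if (branch !== expectedBranch) {
            findings.push({ resource: id, issue: "source branch is " + String(branch) });
          }
        }
      }
    } else if (resources[id].Type === "AWS::IAM::Policy") {
      for (const stmt of asList((props.PolicyDocument || {}).Statement)) {
        const anyAction = asList(stmt.Action).indexOf("*") !== -1;
        const anyResource = asList(stmt.Resource).indexOf("*") !== -1;
        if (stmt.Effect === "Allow" && anyAction && anyResource) {
          findings.push({ resource: id, issue: "Allow statement with Action * on Resource *" });
        }
      }
    }
  }
  return findings;
}

// Constructed sample, shaped like a trimmed cdk.out/<stack>.template.json (not real output).
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    Pipeline: { Type: "AWS::CodePipeline::Pipeline", Properties: { Stages: [{ Name: "Source", Actions: [{
      ActionTypeId: { Category: "Source", Owner: "AWS", Provider: "CodeStarSourceConnection", Version: "1" },
      Configuration: { ConnectionArn: "arn:aws:codeconnections:us-east-1:111122223333:connection/EXAMPLE",
        FullRepositoryId: "example-org/example-app", BranchName: "main" } }] }] } },
    BuildPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
      { Effect: "Allow", Action: "*", Resource: "*" },
      { Effect: "Allow", Action: ["s3:GetObject"], Resource: "*" }] } } },
  },
};
```

Load the real template with `JSON.parse` on the file contents and pass the branch you expect the pipeline to trigger on, such as `deploy-to-aws`.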

## Troubleshooting
<a name="pipeline-troubleshooting"></a>

For help troubleshooting, contact [AWS Support](https://console.aws.amazon.com/support/home/) or ask the community on [re:Post](https://repost.aws/), tagging your question with AWS MCP Server (Preview).