GitLab CI/CD Integration for Automated AWS EC2 Deployment

Published by TechMarmot Editorail Staff on | Category GitLab CI

The transition from manual server updates to a fully automated Continuous Integration and Continuous Deployment (CI/CD) pipeline represents a fundamental shift in software engineering maturity. In the context of deploying applications—specifically Node.js environments—to Amazon Elastic Compute Cloud (EC2), the synergy between GitLab CI/CD and AWS infrastructure allows organizations to move from a "risky event" deployment model to a "routine process" model. This architectural approach eliminates the variability introduced by human intervention during the deployment phase, ensuring that every change pushed to a version control system is tested, built, and deployed in a consistent, repeatable manner.

At its core, the GitLab CI/CD ecosystem relies on two primary pillars: the .gitlab-ci.yml configuration file and the GitLab Runner. The configuration file serves as the blueprint, defining the various stages of the pipeline, the environment in which jobs run, and the specific scripts required to move code from a repository to a live server. The GitLab Runner is the agent that executes these instructions. When these components are integrated with AWS EC2, developers can achieve a state where code pushes to specific branches (such as staging or production) automatically trigger a series of events—dependency installation, SSH authentication, and process restarts—resulting in a live application update without the need for manual terminal access.

The Architecture of GitLab CI/CD Pipelines

A GitLab CI/CD pipeline is not a single action but a sequence of orchestrated jobs. For an enterprise-grade deployment to AWS EC2, the pipeline is designed to act as a bridge between the developer's local environment and the cloud infrastructure.

The primary components include:

  • The .gitlab-ci.yml file: This is a YAML-formatted file located in the project root that describes the pipeline's jobs. It dictates what happens at each stage, from the initial build to the final deployment.
  • The GitLab Runner: This is the application that actually executes the jobs defined in the YAML file. While shared runners are available, enterprises often deploy their own runners on Amazon EC2 to gain better control over the environment and performance.
  • AWS EC2: The target infrastructure where the application resides. It provides the compute power and networking capabilities required to host the application.

The impact of this architecture is a massive reduction in deployment failures. Statistical data indicates that automated pipelines can reduce deployment failures by 40% to 60%. This is primarily because the process is codified; if a deployment fails, it fails in a predictable way that can be debugged through logs rather than guessing which manual command a developer forgot to run.

Automating GitLab Runner Deployment via Infrastructure-as-Code

Setting up a GitLab Runner manually is a time-consuming and error-prone process. It involves provisioning a virtual machine, installing the runner binary, registering the runner with the GitLab instance, and configuring the environment to support specific workloads. For organizations managing hundreds of pipelines across diverse environments, this manual approach is unsustainable.

The solution is the implementation of Infrastructure-as-Code (IaC). By utilizing IaC scripts, the entire GitLab Runner architecture can be deployed quickly and consistently. This approach offers several critical advantages:

  • Repeatability: Every runner is deployed using the exact same configuration, eliminating the "it works on my machine" or "it works on runner A but not runner B" problem.
  • Change Management: Because the infrastructure is defined as code, all changes to the runner's configuration are tracked via version control, providing a clear audit trail.
  • Guardrail Enforcement: Security and operational best practices can be baked directly into the code, ensuring that no runner is deployed without proper security groups or resource limits.
  • Cost Optimization: Integrating autoscaling into the IaC deployment allows enterprises to terminate resources when they are not in use, significantly reducing AWS monthly expenditures.

Authenticating GitLab with AWS Infrastructure

To enable a GitLab pipeline to interact with AWS services, a secure authentication mechanism must be established. Without proper authentication, the pipeline cannot provision resources, upload artifacts to S3, or execute commands on an EC2 instance.

The primary method of authentication involves the use of Identity and Access Management (IAM) users. The process is as follows:

  1. Access the AWS account and navigate to the IAM console.
  2. Create a dedicated IAM user with the minimum necessary permissions (Principle of Least Privilege).
  3. Generate a new access key for this user, which provides an Access Key ID and a Secret Access Key.

Once these credentials are generated, they must be stored securely. GitLab provides a mechanism for this through CI/CD variables. Navigating to Settings > CI/CD in the GitLab project allows the administrator to define the following variables:

  • AWS_ACCESS_KEY_ID: The unique identifier for the IAM user.
  • AWS_SECRET_ACCESS_KEY: The secret key used to sign requests.
  • AWS_DEFAULT_REGION: The specific AWS region (e.g., us-east-1) where the services are hosted.

It is critical to note that these variables are protected by default. A more secure alternative for advanced users is the use of ID tokens and OpenID Connect (OIDC), which removes the need to store long-lived credentials in GitLab variables, although this requires a more complex configuration than the standard IAM approach.

Deployment Workflow for Node.js Applications on EC2

Deploying a Node.js application involves a specific sequence of events designed to ensure that the application remains available while the new code is being introduced.

The high-level flow of the deployment is structured as follows:

  • Developer Push: A developer pushes code to a designated branch, such as prd for production.
  • Pipeline Trigger: GitLab detects the push and initiates the pipeline based on the .gitlab-ci.yml instructions.
  • Dependency Installation: The pipeline environment installs necessary Node.js packages to ensure the build is valid.
  • SSH Connection: The pipeline establishes a secure shell connection to the AWS EC2 instance.
  • Remote Execution: The pipeline executes a series of commands on the server, which include pulling the latest code from the repository and installing production dependencies.
  • Process Management: The application is restarted using PM2.

The role of PM2 in this ecosystem is vital. PM2 is a production process manager for Node.js that ensures the application stays running and supports automatic restarts if the application crashes. This prevents downtime during the transition from the old version of the code to the new version.

The technical specifications for the deployment environment are:

Component Specification
Backend Node.js
Version Control GitLab
CI/CD Tool GitLab Pipeline
Server OS Ubuntu (AWS EC2)
Process Manager PM2
Authentication SSH Key-based login
Web Server Nginx (routes HTTP traffic to Node.js)

Technical Implementation of the .gitlab-ci.yml File

The .gitlab-ci.yml file is the engine of the deployment. For a Node.js application deploying to EC2, the file must define the stages, the image to be used, and the scripts for deployment.

A typical production deployment configuration looks like this:

```yaml
stages:
- production

deploytoec2:
stage: production
image: alpine:latest
only:
- prd
beforescript:
- apk add --no-cache openssh
- mkdir -p ~/.ssh
- cp "$SSHPRIVATEKEY" ~/.ssh/idrsa
- chmod 600 ~/.ssh/idrsa
- ssh-keyscan -H "$SSHHOST" >> ~/.ssh/knownhosts
script:
- |
ssh "$SSHUSER@$SSHHOST" << 'EOF'
set -e
echo "---------- Checking Directory ---------------"
cd "$PATHDIR"
echo "---------------- Load NVM ----------------"
export NVMDIR="$HOME/.nvm"
[ -s "$NVMDIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
EOF
```

In this configuration, the before_script section is used to set up the SSH environment. It installs the OpenSSH client on the lightweight Alpine Linux image, creates the .ssh directory, and configures the private key and known hosts to allow a passwordless, secure connection to the AWS EC2 instance. The script section then uses a "here document" (<< 'EOF') to send a series of commands directly to the remote server.

Secure Key Management and SSH Configuration

Security is the most critical aspect of deploying to a public cloud like AWS. Using passwords for SSH is insecure and incompatible with automation. Therefore, key-based authentication is mandatory.

The process for securing SSH access involves:

  • Local Key Generation: Use the command ssh-keygen -t rsa -b 409 la to create a strong 4096-bit RSA key pair.
  • Public Key Distribution: The public key is added to the ~/.ssh/authorized_keys file on the Ubuntu EC2 instance.
  • Private Key Storage: The private key is stored as a protected variable in GitLab (SSH_PRIVATE_KEY).

To further harden the EC2 instance, several security measures should be implemented:

  • Restrict Security Groups: Configure the AWS Security Group to allow only the required ports (e.g., 22 for SSH, 80/443 for HTTP/S).
  • Disable Root Login: Ensure that the root user cannot log in via SSH, forcing the use of a limited-privilege user.
  • Firewall Activation: Enable the Uncomplicated Firewall (UFW) on the Ubuntu server to block all unauthorized traffic.
  • Environment Variables: Sensitive API keys and database credentials should never be hardcoded; they should be managed as environment variables on the EC2 instance.

Advanced Deployment via AWS CloudFormation and S3

For more complex deployments that require the provisioning of new infrastructure rather than just updating code on an existing server, GitLab provides templates for AWS CloudFormation.

This workflow involves using JSON files to describe the desired state of the AWS infrastructure. The process is integrated into the pipeline as follows:

  1. JSON Configuration: Create JSON files for the S3 push and EC2 deployment. For example, a JSON object for S3 might include:
    json { "applicationName": "string", "source": "string", "s3Location": "s3://your/bucket/project_built_file" }
  2. Variable Mapping: In the .gitlab-ci.yml file, define variables that point to these JSON files:
    yaml variables: CI_AWS_CF_CREATE_STACK_FILE: 'aws/cf_create_stack.json' CI_AWS_S3_PUSH_FILE: 'aws/s3_push.json' CI_AWS_EC2_DEPLOYMENT_FILE: 'aws/create_deployment.json' CI_AWS_CF_STACK_NAME: 'YourStackName'
  3. Template Inclusion: Use the GitLab AWS template to handle the logic:
    yaml include: <ul> <li>template: AWS/CF-Provision-and-Deploy-EC2.gitlab-ci.yml<br />

When the pipeline runs, GitLab uses these templates to create an AWS CloudFormation stack, upload the build artifacts to an S3 bucket, and deploy those artifacts to the EC2 instance. This represents a higher level of automation where the infrastructure itself is ephemeral and can be recreated from scratch.

Operational Impact and Performance Metrics

The implementation of CI/CD for AWS EC2 is not merely a technical preference but a business necessity for scalable applications. The shift from manual to automated deployment has measurable impacts on engineering productivity and software quality.

Companies that have adopted CI/CD pipelines report deploying software up to 30 times faster than those relying on manual processes. This acceleration is due to the removal of manual checklists, the elimination of human error during the "copy-paste" phase of deployment, and the ability to deploy smaller, more frequent updates.

Furthermore, the use of separate branches for different environments (dev, staging, production) protects the production environment from unstable code. By requiring code to pass through a staging pipeline before hitting the production branch, organizations ensure that only verified, stable builds are released to end-users.

Conclusion

The integration of GitLab CI/CD with AWS EC2 transforms the deployment process from a high-risk manual operation into a streamlined, automated utility. By leveraging Infrastructure-as-Code for Runner deployment, employing strict SSH key-based authentication, and utilizing process managers like PM2, developers can ensure that their Node.js applications are delivered with maximum reliability and minimum downtime. The transition to this model allows developers to refocus their efforts on coding and feature development rather than the minutiae of server administration. As cloud environments grow in complexity, the adoption of these automated patterns—supported by robust IAM policies and CloudFormation templates—becomes the only viable path for maintaining scalability and security in modern software delivery.

Sources

  1. Deploy and Manage Gitlab Runners on Amazon EC2
  2. nodejs application with cicd gitlab pipeline on aws ec2
  3. Deploy to AWS from GitLab CI/CD

Related Posts