If an AWS CodeCommit Branch Falls in the Woods (deprecated), Will Anyone Hear It?

Gabriel Tocci
3 min read · Jul 31, 2024


Effective July 25, 2024, AWS CodeCommit is no longer available to new customers. If you are just getting started in AWS or a new AWS project, you cannot use CodeCommit (although the AWS docs still show it as an option).

Time to Move it Along

This is a good time to develop a plan for migrating your repositories to another Git provider, such as GitHub or GitLab. I recommend GitHub for small teams and organizations because it is a cloud service and the industry standard, and GitLab for enterprise clients that want to self-host their Git repository systems.

AWS provides a “howto” blog on the process for migrating a repository from CodeCommit to another platform.

Existing customers can continue to use CodeCommit as usual, and AWS has voiced its commitment to the security, availability, and performance of the service for existing AWS CodeCommit customers. The problem with staying put is that it fragments GitOps workflows, with older projects living in CodeCommit and newer projects living in GitHub.

Get Security Right, From the Start

In addition to the code migration, you also need to integrate the new platform with your existing processes and configure it properly. This includes setting up CI/CD pipelines and ensuring proper repository security (DevSecOps).

Here is a short list of configurations to review when securing your repository:

  • Repository Visibility (private/public)
  • Branch Protections
    - Allowing some (not all) user groups to merge/deploy to production
  • Git action logging and alerting (on abnormal activity)
    - This includes developer actions (push/pull/merge) as well as DevOps actions (build count and failure alert)
  • End User (developer) authentication and authorization
  • Static code analysis:
    - Scanning for vulnerabilities and deprecated dependencies in the codebase
  • DevOps Pipelines will need to be reintegrated and secured
    - Build process authentication and authorizations
    - Access to build process artifacts
    - SSH Keys to servers (if you deploy to servers)
    - Container Image Repo Tokens (if you deploy to containers)
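A few of the items in that list (repository visibility, branch protections, and which groups may merge to production) can be checked mechanically once the repository lives on GitHub. The script below is an added example, not code from the article or from AWS/GitHub: it audits a repository's settings against those items. The two input dicts mirror the shape of the GitHub REST API responses for `GET /repos/{owner}/{repo}` and `GET /repos/{owner}/{repo}/branches/{branch}/protection`, but the samples are constructed inline rather than fetched, so it runs offline; the field names (`required_pull_request_reviews`, `enforce_admins`, `restrictions`, and so on) are an assumption to verify against the current API reference before wiring this into a real pipeline.

```python
"""Audit GitHub repository settings against the checklist above.

Added example (not the article's code). Input dicts follow the shape of the
GitHub REST API responses for the repository and branch-protection endpoints;
field names are an assumption to check against the current API docs.
"""
from typing import Optional

# Constructed sample, NOT fetched: subset of GET /repos/{owner}/{repo}.
SAMPLE_REPO = {
    "full_name": "example-org/payments-service",
    "private": False,          # weak: production code exposed publicly
    "default_branch": "main",
}

# Constructed sample, NOT fetched: subset of GET .../branches/main/protection
# for a branch that was "protected" with every knob left at its weakest.
WEAK_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 0,   # weak: merges need no approval
        "dismiss_stale_reviews": False,         # weak: approvals survive new pushes
    },
    "required_status_checks": {"strict": False, "contexts": []},  # weak: no CI gate
    "enforce_admins": {"enabled": False},       # weak: admins bypass the rules
    "restrictions": None,                       # weak: any write user can push/merge
}

# Constructed sample of the same branch after hardening.
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "security/sast"]},
    "enforce_admins": {"enabled": True},
    # Only the release-managers team may push/merge to production.
    "restrictions": {"users": [], "teams": [{"slug": "release-managers"}], "apps": []},
}


def audit_repo(repo: dict) -> list:
    """Checklist item: repository visibility."""
    findings = []
    if not repo.get("private", False):
        findings.append("repository is public; production code should be private")
    return findings


def audit_branch_protection(protection: Optional[dict], min_reviews: int = 1) -> list:
    """Checklist items: branch protections and who may merge/deploy to production.

    Returns a list of human-readable findings; an empty list means the branch
    meets every check. Missing keys are treated as the weak setting.
    """
    if protection is None:
        return ["production branch has no branch protection at all"]
    findings = []

    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < min_reviews:
        findings.append(f"fewer than {min_reviews} approving review(s) required to merge")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("stale approvals are not dismissed when new commits are pushed")

    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        findings.append("no required status checks; CI and static analysis do not gate merges")

    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators can bypass branch protection")

    restrictions = protection.get("restrictions") or {}
    if not (restrictions.get("teams") or restrictions.get("users") or restrictions.get("apps")):
        findings.append("push/merge to production is not restricted to a specific group")
    return findings


def audit(repo: dict, protection: Optional[dict]) -> dict:
    """Combine both audits into one report keyed by area."""
    return {
        "repository": audit_repo(repo),
        "production_branch": audit_branch_protection(protection),
    }


if __name__ == "__main__":
    for label, prot in (("weak", WEAK_PROTECTION), ("hardened", HARDENED_PROTECTION)):
        report = audit(SAMPLE_REPO, prot)
        print(f"== {label} ==")
        for area, items in report.items():
            for item in items or ["ok"]:
                print(f"  [{area}] {item}")
```

In practice the two dicts would come from the GitHub API (for example via the `gh api` CLI) for every repository in the organization, and a non-empty finding list for a production branch would fail the pipeline or page the repository owner; the point of keeping the audit logic separate from the fetch is that it can be unit-tested against constructed inputs like the ones above.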

I recently gave a talk at Educause that has a lot of content on securing DevOps ecosystems. This talk drew from my experience securing mission-critical DevOps workloads for IT organizations.

Stay tuned here for an upcoming in-depth guide on Git Repository Security.

A Long Time Coming for CodeCommit

We saw this coming though, right? CodeCommit has been lacking new features and integrations with other AWS services for some time.

For example, at re:Invent 2023 we saw the release of Git Sync, a new feature of AWS CloudFormation that enables management of CloudFormation stacks via source control (GitOps). However, this new feature did not support AWS CodeCommit, only GitHub, GitLab, and Bitbucket.

AWS CodeCommit has always been the Git repository hosting solution with the least impressive developer experience. The tangible benefit of using CodeCommit was for AWS IaC and AWS DevOps (CodeBuild) processes, because it integrated nicely with other AWS services, such as IAM, S3, ECR, and AWS Secrets Manager.

Don’t Check the Docs

A large portion of the official AWS documentation still uses CodeCommit in its examples. For example, the Control Tower documentation uses CodeCommit.

Dishonorable Mention

Several other [rarely used] AWS services were also deprecated in the same tweet:

  • Cloud9
  • S3 Select
  • CloudSearch
  • SimpleDB
  • Forecast
  • Data Pipeline


Written by Gabriel Tocci

www.gabrieltocci.com | Senior Cloud Architect and Engineer | Industry Leader in Higher Education
