Skip to main content
Continuous Integration
CHAPTER 12

CI for Cloud Applications

Updated: May 15, 2026
30 min read

# CHAPTER 12

CI for Cloud Applications

1. Introduction

Continuous Integration ensures your code compiles and passes tests. But what happens next? A zip file sitting on a GitHub runner doesn't serve customers. We must bridge the gap into Continuous Deployment (CD). Today, "deployment" usually means pushing code to a major cloud provider: Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). In this chapter, we will learn how to configure a CI pipeline to securely authenticate with a Cloud API, package an application, and automatically deploy it to a live cloud environment without requiring a human to log into a server.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Understand the transition from Continuous Integration (CI) to Continuous Deployment (CD).
  • Authenticate a CI pipeline with AWS using IAM credentials.
  • Utilize cloud-specific Actions (e.g., aws-actions) to execute deployments.
  • Understand the concept of "Serverless" deployments via CI.
  • Architect an automated workflow to deploy a static website to cloud storage.

3. Beginner-Friendly Explanation

Imagine a publishing company.
  • The CI Phase (The Printing Press): An author writes a book. The CI pipeline checks the spelling, formats the pages, and prints 1,000 physical books. But right now, the books are just sitting in a warehouse.
  • The Cloud Deployment Phase (The Delivery Trucks): You need to get the books to the bookstores. You hire delivery trucks. In DevOps, the delivery truck is a cloud API script (like AWS CLI). It picks up the finished books (the Artifacts) and drives them straight to the store shelves (the AWS Cloud Servers) so customers can buy them.

4. Authenticating with Cloud Providers

To push code to AWS, the GitHub Runner needs to prove it has permission. It needs an AWS Access Key and Secret Key. Crucial Rule: You must create an IAM User in AWS that has the *absolute minimum* permissions required to deploy the code. If you are deploying a website to an S3 Bucket, the IAM user should ONLY have permission to write to that specific bucket.

5. Deploying a Static Application to AWS S3

Let's look at the most common, foundational cloud deployment: pushing a compiled React or Angular application (which is just HTML, CSS, and JS) to an AWS S3 Bucket for web hosting.
yaml
1234567891011121314151617181920212223242526272829303132 
name: Deploy React App to AWS S3

on:
  push:
    branches: [ "main" ]

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1. CI PHASE: Build the application
      - name: Install dependencies and build
        run: |
          npm install
          npm run build
      # (The compiled files are now sitting in the 'build/' folder)

      # 2. AUTHENTICATION PHASE: Prove who we are to AWS
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      # 3. DEPLOYMENT PHASE: Upload the files
      - name: Sync files to S3 bucket
        run: |
          # Use the AWS CLI (pre-installed on the runner) to copy the folder!
          aws s3 sync build/ s3://my-production-website-bucket --delete

6. Mini Project: Serverless Cloud Deployment

Deploying to S3 is easy because there is no "server" to restart. But what if we have a backend PHP or Node.js application? We can deploy it to AWS Elastic Beanstalk, a Platform-as-a-Service that manages the servers for us.

Step-by-Step Architecture Concept: Instead of copying files, we package the code into a .zip artifact, upload it to AWS, and tell AWS: "Here is the new code, please restart the servers."

yaml
123456789101112131415 
      # ... (Assuming CI Build and AWS Authentication steps are above) ...

      - name: Generate Deployment Package
        run: zip -r deploy.zip . -x "*.git*"
        
      - name: Upload to Elastic Beanstalk
        uses: einaregilsson/beanstalk-deploy@v21
        with:
          aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          application_name: my-backend-api
          environment_name: production-env
          version_label: "v-${{ github.sha }}" # Use the Git commit hash as the version!
          region: us-east-1
          deployment_package: deploy.zip

*When this step runs, AWS automatically takes the zip file, replaces the old code on all running servers, and restarts the web services with zero downtime.*

7. Real-World Scenarios

A marketing team needed to update the homepage banner of their website daily. Previously, they had to submit a ticket to the IT department. An IT admin would manually log into the AWS console, upload the new image, and click "Save." This took hours. The DevOps engineer automated it. The marketing team now simply replaces the image file in the GitHub repository and clicks "Merge." The GitHub Actions pipeline detects the change, authenticates to AWS, and runs aws s3 sync. The live website is updated in 15 seconds without any IT intervention, proving that CI/CD empowers non-technical teams to move at lightning speed.

8. Best Practices

  • The --delete Flag: In the S3 sync command above, we used the --delete flag. This is a critical best practice for static deployments. If a developer deletes an old image file (logo-old.png) from the Git repository, the --delete flag tells AWS to also delete that file from the live cloud server. Without it, your cloud server will slowly fill up with years of obsolete, abandoned files.

9. Security Recommendations

  • OpenID Connect (OIDC): Using long-lived AWS Access Keys (like we did above) is becoming outdated because keys can be leaked. The modern, enterprise-grade standard is OIDC. You configure AWS to "trust" your specific GitHub repository. When the pipeline runs, GitHub asks AWS for a temporary, 1-hour password. AWS verifies the request came from your repo and grants it. There are no permanent secrets to leak!

10. Troubleshooting Tips

  • Cloud Provider Timeouts: Deploying to complex cloud services (like Elastic Beanstalk or ECS) can take 5-10 minutes as the cloud provider spins up new servers. Sometimes, the GitHub Action will time out and report a Failure because it got tired of waiting, even if the deployment actually succeeded in the cloud. Check your specific Action's documentation to increase the wait-timeout variable.

11. Exercises

  1. 1. What is the fundamental difference between the "Continuous Integration" phase and the "Cloud Deployment" phase of the pipeline in Chapter 12?
  1. 2. Why is the --delete flag critical when synchronizing a built application to an AWS S3 bucket?

12. FAQs

Q: Can I deploy to a traditional server (like an EC2 instance or DigitalOcean droplet) instead of S3 or Beanstalk? A: Yes. You can use an Action like appleboy/ssh-action to have the GitHub Runner literally SSH into your traditional server, pull the latest code from Git, and run systemctl restart nginx.

13. Interview Questions

  • Q: Describe the automated deployment workflow for pushing a compiled static application (e.g., React) to an AWS S3 bucket via GitHub Actions. How do you securely manage the IAM authentication credentials required for this transaction?
  • Q: Explain the enterprise security advantages of utilizing OpenID Connect (OIDC) over long-lived IAM Access Keys when authenticating a SaaS CI/CD pipeline to a Cloud Provider.

14. Summary

In Chapter 12, we crossed the boundary from Continuous Integration into Continuous Deployment. We learned that compiling a zip file is only half the battle; the true value of DevOps is delivering that artifact to the end-user automatically. By leveraging cloud-specific Actions and the AWS CLI, we transformed our CI runner into a delivery vehicle. We securely injected IAM credentials and orchestrated deployments to both Serverless storage (S3) and managed computing platforms (Elastic Beanstalk). Our code now flows seamlessly from a developer's laptop, through the rigorous testing gateway, and directly into the live production cloud in minutes.

15. Next Chapter Recommendation

We are deploying code to the cloud automatically. But what if we accidentally introduced a vulnerable dependency into our code? We need the pipeline to stop us. Proceed to Chapter 13: CI/CD Security Best Practices.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Notifications and Monitoring
Next Chapter CI/CD Security Best Practices

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5