AWS tightens up DevOps chops with CodeArtifact managed software repo tool, but it's bare-bones for now

Limited to Java, JavaScript and Python


Amazon Web Services has targeted devs with its new CodeArtifact service, a managed software repository that works for both private and open-source packages from upstream locations.

Package repositories are an integral part of today's development process. Developers who need a library in their project use a package manager to retrieve the code from a repository such as npmjs (JavaScript), Maven Central (Java) or PyPI (the Python Package Index). The advantage is easy access to the latest version of a huge number of open-source libraries; the downside is that large amounts of third-party code get pulled into the build, and verifying that it is free of bugs or vulnerabilities is hard.

CodeArtifact lets organisations create private repositories, with greater control over both the content and the availability of software packages. CodeArtifact supports three package formats: npm, Maven and PyPI (the format pip installs from). A single repository can contain packages of a mixture of formats. Devs can also configure upstream repositories, so that a package version missing from the CodeArtifact repository is fetched from the upstream and retained locally, in effect merging the CodeArtifact repository with another.

The list of supported upstream repositories is short: npmjs, PyPI, Maven Central, Google Android, Gradle plugins, and CommonsWare Android. A snag with connecting an upstream repository is that you cannot control what is upstream, though a version you publish into your own repository is served before CodeArtifact consults the upstream, so a specific package can be overridden.

Stackery, which offers a serverless platform built on AWS, said that "a defect in one of the open-source packages for connection pooling and management caused our application to have intermittent database connection failures. AWS CodeArtifact, as a transparent proxy to the upstream npmjs.org, enabled us to patch the package locally and upload it to our CodeArtifact repository."
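The setup described above, and the patch-and-republish flow Stackery describes, as an added example; this is not code from the article, from AWS or from Stackery. It uses real `aws codeartifact` subcommands, but the domain and repository names (example-corp, npm-upstream, npm-store) and the CA_DRY_RUN switch, which prints the commands instead of executing them, are this example's own assumptions. Running it for real needs the AWS CLI with credentials that have CodeArtifact permissions.

```shell
#!/bin/sh
# Added example (not from the article, AWS or Stackery): provision a CodeArtifact
# domain, an upstream repository wired to public npmjs, and the repository
# developers actually use; then show how a locally patched package is published
# so it is served ahead of the upstream copy.
# Assumed names below; CA_DRY_RUN=1 prints each command instead of running it.
: "${DOMAIN:=example-corp}"
: "${UPSTREAM:=npm-upstream}"   # repository that holds the external connection to npmjs
: "${REPO:=npm-store}"          # repository developers point npm at; falls back to $UPSTREAM
: "${CA_DRY_RUN:=0}"

run() {
  if [ "$CA_DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. One domain per organisation, plus a repository whose only source is public npmjs.
setup_upstream() {
  run aws codeartifact create-domain --domain "$DOMAIN"
  run aws codeartifact create-repository --domain "$DOMAIN" --repository "$UPSTREAM"
  run aws codeartifact associate-external-connection --domain "$DOMAIN" \
      --repository "$UPSTREAM" --external-connection public:npmjs
}

# 2. The repository developers use: private and patched packages live here;
#    anything not present is pulled through $UPSTREAM and retained.
setup_repo() {
  run aws codeartifact create-repository --domain "$DOMAIN" --repository "$REPO" \
      --upstreams repositoryName="$UPSTREAM"
}

# 3. Point npm at $REPO (writes the registry URL and a 12-hour auth token into ~/.npmrc).
login_npm() {
  run aws codeartifact login --tool npm --domain "$DOMAIN" --repository "$REPO"
}

# 4. Override: publish a patched build from a local package directory into $REPO.
#    CodeArtifact serves a version held in the repository before asking the upstream,
#    so the patched version is what `npm install` resolves (use a version number the
#    upstream has not already been pulled under, or the publish conflicts).
publish_override() {
  run npm publish "$1"
}

# 5. Check which versions of a package the repository now holds, so you can confirm
#    the patched version is present before rolling it out.
check_versions() {
  run aws codeartifact list-package-versions --domain "$DOMAIN" --repository "$REPO" \
      --format npm --package "$1"
}

# Usage: sh codeartifact.sh setup        (then: publish_override ./patched-pkg; check_versions pkg)
if [ "${1:-}" = "setup" ]; then
  setup_upstream
  setup_repo
  login_npm
fi
```

Keeping the external connection on a separate repository (npm-upstream) rather than on npm-store means you can later point several team repositories at one shared cache, and remove or swap the public source in one place.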

There is integration with other AWS DevOps tools CodeBuild and CodePipeline so, for example, you can trigger a CodePipeline build when a package is updated.

The CodeArtifact service unifies a repository for private packages and access to upstream public repositories

Another snag is that CodeArtifact does not expose all the features of upstream repositories, so if you connect to npmjs, for example, you cannot use hook notifications or the npm audit command for security audits. With PyPI, you have to use the legacy API and not the XML-RPC or JSON APIs.

There's also the limited repository support. "Please add support for Ruby Gems" is an early developer request; support for custom third-party upstream repositories is another. The NuGet package management system and repository used by .NET developers is not yet supported.

The pricing for CodeArtifact is based on usage. There is an "always free" tier with 2GB storage and up to 100,000 requests per month. After that you will pay $0.05 per GB/month for storage and $0.05 per 10,000 requests. You also pay up to $0.09 per GB for data transferred out.

Although limited in its first release, CodeArtifact makes sense for AWS as a small way to improve its DevOps services, which to date have been a relatively weak aspect of the AWS cloud. ®

Biting the hand that feeds IT © 1998–2020