linux amazon-web-services permissions aws-code-deploy

AWS Linux CodeDeploy Permission Issues (w. Bitbucket, Tomcat, Shell Script)

I'm trying to deploy files using CodeDeploy to my AWS Beanstalk server with Tomcat installed. Everything is well configured except for an exception which occurs when appspec.yml calls my .sh script and mvn install command is executed. I've tried all combinations of permissions I've imagined (as well as every StackOverflow answer I've found), but nothing has worked.

Cannot create resource output directory: /opt/codedeploy-agent/deployment-root/f953d455-9712-454b-84b0-2533cf87f79a/d-3UFCDLD0D/deployment-archive/target/classes

I also expected the files section of appspec.yml to get executed before the .sh script gets executed. It should have been working like this:

appspec.yml moves all files to webapps folder
build.sh gets executed
mvn runs and creates the .war file
build.sh does some cleaning up

appspec.yml (I've tried multiple other)

version: 0.0
os: linux
files:
   - source: /
     destination: /var/lib/tomcat8/webapps
permissions:
   - object: /opt/codedeploy-agent/deployment-root
     pattern: "**"
     owner: ec2-user
     group: root
     mode: 755
     type:
       - directory
   - object: /var/lib/tomcat8/webapps
     pattern: "**"
     owner: ec2-user
     group: root
     mode: 755
     type:
       - directory
hooks:
   BeforeInstall:
    - location: scripts/build.sh
      runas: ec2-user

build.sh

export LANG=en_US.UTF-8

SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
echo "Script path: $SCRIPTPATH"

PROJECT_SOURCE_DIR=$SCRIPTPATH/../
cd $PROJECT_SOURCE_DIR

mvn clean install

cd $PROJECT_SOURCE_DIR/target
ls -a

for file in *.war; do
    mv $file /usr/share/tomcat8/webapps/ROOT.war
done;

rm -rf $PROJECT_SOURCE_DIR/target
rm -rf $SCRIPTPATH

It's obvious from the exception that maven tries to create a folder target without having the permissions. So the questions are why on the first place it's trying to execute it in this folder and then how to gain proper access.

Solution

The way to solve the problem is to add command to change to proper directory before run "mvn clean install" instead of PROJECT_SOURCE_DIR.
Install is the lifecycle event that AWS CodeDeploy agent copies the revision files from the temporary location to the final destination folder. This event is reserved for the AWS CodeDeploy agent and cannot be used to run scripts. The related doc is here: http://docs.aws.amazon.com/codedeploy/latest/userguide/app-spec-ref.html
The directory that you are getting error is actually under the deployment archive directory as showing here: https://github.com/aws/aws-codedeploy-agent/blob/master/lib/instance_agent/plugins/codedeploy/hook_executor.rb#L174
The reason you got the error is because the build.sh script is running at the current directory which needs root privilege and scripts/build.sh only has ex2-user privilege, which caused the permission issue.