▲ 14 r/aws
I have a web server I want to deploy to a single EC2 instance and I've been going back and forth on the best way to ship updates. Off the top of my head, here are the options I've landed on:
- CodePipeline → CodeBuild → CodeDeploy — Push-based. CodeDeploy runs lifecycle hooks on the instance, pulls artifacts, and restarts services. Most "AWS-native" option and supports rollbacks out of the box. My main gripe is that managing the lifecycle scripts feels fragile if not done carefully, especially for in-place deployments.
- GitHub Actions → ECR → Watchtower on EC2 — Pull-based. CI builds and pushes the image to ECR, Watchtower polls for new tags and recreates containers. Appeals to me because there's very little infra to maintain. Falls apart though when you need to sync environment variables from Secrets Manager or Parameter Store, and I'm not sure how well it handles concurrent updates.
- SSM Run Command (or plain SSH) — CI assumes an IAM role, fires a command at the instance to pull the latest image and restart the container. Simple and push-based, but I feel I can do better.
- GitOps with Flux/Argo — I'm not deep on Kubernetes but the model is appealing: Git is the source of truth, the cluster reconciles toward it continuously.
I'm deliberately excluding using ECS. The DX with it is great ngl, but the cost isn't. An ALB alone runs about $19/month before you've even touched any other services.
I'm curious what people are actually running in prod. Is there an option I've missed? And how are you handling secret injection in whichever approach you use?
u/Emmanuel_Isenah — 15 days ago
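The "pull the latest image and restart the container" step from the SSM Run Command option, with the secret injection the post asks about done from Parameter Store, as an added example that is not part of the original post or of any AWS tooling. It assumes a hypothetical parameter path `/myapp/prod/`, an instance role allowed to call `ssm:GetParametersByPath` on it, a container that reads its configuration from environment variables, and an image tag supplied by the CI job (for instance as a Run Command argument). The function and file names are invented for the illustration.

```python
"""On-instance deploy step: fetch config/secrets, write an env file, pull, restart.

Added example (not from the post). Assumed: parameter prefix /myapp/prod/,
an instance role that may read it, Docker on the host, image tag passed by CI.
"""
import os
import subprocess


def parameters_to_env_lines(parameters, prefix):
    """Map Parameter Store entries under `prefix` to sorted KEY=VALUE lines.

    /myapp/prod/database-url -> DATABASE_URL=...  (upper-cased, '-' -> '_')
    Entries outside the prefix, names that are not valid env identifiers, and
    values containing a newline are rejected rather than written half-broken.
    """
    lines = []
    for p in parameters:
        name = p["Name"]
        if not name.startswith(prefix):
            raise ValueError(f"parameter {name} is outside prefix {prefix}")
        key = name[len(prefix):].lstrip("/").upper().replace("-", "_")
        if not key.isidentifier():
            raise ValueError(f"parameter {name} does not map to a valid env name")
        value = p["Value"]
        if "\n" in value or "\r" in value:
            raise ValueError(f"parameter {name} contains a newline; env files cannot carry it")
        lines.append(f"{key}={value}")
    return sorted(lines)


def fetch_parameters(prefix):
    """Read every parameter under `prefix` with decryption (SecureString values)."""
    import boto3  # imported lazily so the pure logic above runs without boto3 installed
    ssm = boto3.client("ssm")
    params = []
    paginator = ssm.get_paginator("get_parameters_by_path")
    for page in paginator.paginate(Path=prefix, Recursive=True, WithDecryption=True):
        params.extend(page["Parameters"])
    return params


def write_env_file(lines, path):
    """Create the env file with mode 0600 from the start (no chmod-after-write window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path


def docker_run_command(image, env_file, name="web"):
    """Build the docker run argv.

    Secrets travel via --env-file, not -e KEY=VALUE, so they never appear in the
    process list, shell history, or the Run Command invocation log.
    """
    return [
        "docker", "run", "-d", "--name", name, "--restart", "unless-stopped",
        "--env-file", env_file, "-p", "127.0.0.1:8080:8080", image,
    ]


def deploy(image, prefix="/myapp/prod/", env_path="/etc/myapp/env", name="web"):
    """Full step as the CI job would trigger it on the instance."""
    lines = parameters_to_env_lines(fetch_parameters(prefix), prefix)
    write_env_file(lines, env_path)
    subprocess.run(["docker", "pull", image], check=True)
    subprocess.run(["docker", "rm", "-f", name], check=False)  # ok if not running yet
    subprocess.run(docker_run_command(image, env_path, name), check=True)


if __name__ == "__main__":
    import sys
    deploy(sys.argv[1])  # e.g. 123456789012.dkr.ecr.<region>.amazonaws.com/web:<tag> (placeholder)
```

The split between `parameters_to_env_lines` and `fetch_parameters` is deliberate: the mapping and validation can be unit-tested offline, and the only AWS call is the paginated `GetParametersByPath` with decryption, which is the one permission the instance role needs. Rotating a secret is then a parameter update followed by re-running the same step, so the same path handles both code and config changes.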