Concepts
Manual approvals are useful when you want a human to review and approve changes before they proceed to the next stage within a pipeline. This is often necessary for production deployments where changes need to be verified for compliance, quality, or other concerns.
How Manual Approvals Work in AWS CodePipeline
Manual approvals are integrated as an action type within a stage. You configure a manual approval action to notify an individual or a team when approval is needed. Typically, the notification is sent via Amazon Simple Notification Service (Amazon SNS), which can be used to send an email or trigger other events.
Example
Assuming you already have CodePipeline set up, here’s how you could add a manual approval step to your pipeline (the following is a description of the steps, not code):
- Add a new stage to your pipeline after the build or test stage for which you want human approval.
- Within this stage, add an action of the type “Approval”.
- Configure the action to send a notification to an SNS topic.
- Subscribe your team’s email addresses to the SNS topic.
Once you push a change, it will trigger the pipeline, and when it reaches the manual approval stage, an approval notification will be sent. Your team can review the changes, and once satisfied, they can approve directly within the AWS Management Console, enabling the pipeline to proceed to the next stage.
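As an added example (not code from the original post), the stage described above expressed in the structure that `aws codepipeline update-pipeline` and boto3's `update_pipeline()` accept, built in Python, together with an IAM policy that lets approvers answer only that one approval action rather than every approval in the account. All names (pipeline, stage, action, SNS topic ARN) are assumed values.

```python
# Added example, not from the original post. The stage/action/topic names are
# assumed; the actionTypeId and configuration keys are the real Manual Approval ones.

def approval_stage(stage_name, action_name, topic_arn, note=None, link=None):
    """A pipeline stage holding a single Manual Approval action."""
    config = {"NotificationArn": topic_arn}     # SNS topic approvers subscribe to
    if note:
        config["CustomData"] = note              # text shown in the approval request
    if link:
        config["ExternalEntityLink"] = link      # e.g. the change review page
    return {
        "name": stage_name,
        "actions": [{
            "name": action_name,
            "actionTypeId": {"category": "Approval", "owner": "AWS",
                             "provider": "Manual", "version": "1"},
            "configuration": config,
            "runOrder": 1,
        }],
    }

def approver_policy(region, account, pipeline, stage, action):
    """Least-privilege IAM policy for approvers: read pipeline state, and
    PutApprovalResult only on the named stage/action of the named pipeline."""
    pipeline_arn = f"arn:aws:codepipeline:{region}:{account}:{pipeline}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["codepipeline:GetPipeline",
                        "codepipeline:GetPipelineState"],
             "Resource": pipeline_arn},
            {"Effect": "Allow",
             "Action": "codepipeline:PutApprovalResult",
             "Resource": f"{pipeline_arn}/{stage}/{action}"},
        ],
    }
```

Attach the policy to the approver group or role; a principal with `PutApprovalResult` on `*` could approve any pipeline in the account, which is the kind of over-broad grant the scoped resource avoids.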
Automated Approvals
Automated approvals, in contrast, approve actions automatically based on defined conditions or rules, without human intervention. AWS CodePipeline can invoke an AWS Lambda function as a pipeline action, and the function's result can serve as an automated approval mechanism.
How Automated Approvals Work in AWS CodePipeline
To implement an automated approval, you define a Lambda function that performs some checks or validations. If the validations pass, the Lambda function returns a successful response to the pipeline, allowing the process to continue. If the validations fail, the function returns a failure response, and the pipeline stops.
Example
To add an automated approval using Lambda, follow these steps:
- Write a Lambda function that performs the desired checks (e.g., validating a security scan on the built artifact).
- Create a new action in your pipeline stage and set the action provider to AWS Lambda.
- Configure the action to use the Lambda function you created.
When the pipeline triggers this stage, it will execute the Lambda function and proceed based on the success or failure response from the Lambda function execution.
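The Lambda gate described above, as an added example that is not code from the original post: the handler reads a JSON scan summary from the action's input artifact, compares the finding counts against thresholds passed in the action's UserParameters, and reports the verdict back to CodePipeline. The artifact member name `scan-summary.json` and the summary format are assumptions; the `CodePipeline.job` event shape and the two result calls are the real Invoke-action contract.

```python
# Added example, not from the original post. Scan-summary format and the
# artifact member name are assumed; the event shape and result calls are real.
import io
import json
import zipfile

def evaluate_scan(report, max_critical=0, max_high=0):
    """Decide on a scan summary such as {"critical": 0, "high": 2, "medium": 5}.
    Returns (approved, reason); missing severities count as zero."""
    critical = int(report.get("critical", 0))
    high = int(report.get("high", 0))
    if critical > max_critical or high > max_high:
        return False, f"blocked: critical={critical} high={high}"
    return True, f"within policy: critical={critical} high={high}"

def load_report(artifact_bytes, member="scan-summary.json"):
    """CodePipeline zips input artifacts; accept a zip (assumed member) or raw JSON."""
    if artifact_bytes[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(artifact_bytes)) as zf:
            artifact_bytes = zf.read(member)
    return json.loads(artifact_bytes)

def handler(event, context, s3=None, codepipeline=None):
    """Lambda entry point for a CodePipeline Invoke action."""
    if s3 is None or codepipeline is None:
        import boto3  # only needed inside Lambda; callers may inject clients
        s3 = s3 or boto3.client("s3")
        codepipeline = codepipeline or boto3.client("codepipeline")
    job = event["CodePipeline.job"]
    try:
        cfg = job["data"]["actionConfiguration"]["configuration"]
        params = json.loads(cfg.get("UserParameters") or "{}")
        loc = job["data"]["inputArtifacts"][0]["location"]["s3Location"]
        raw = s3.get_object(Bucket=loc["bucketName"],
                            Key=loc["objectKey"])["Body"].read()
        ok, reason = evaluate_scan(load_report(raw),
                                   int(params.get("max_critical", 0)),
                                   int(params.get("max_high", 0)))
    except Exception as exc:  # any error fails the gate; never a silent pass
        ok, reason = False, f"approval check error: {exc!r}"
    # CodePipeline only learns the outcome through these two calls; a bare
    # return would leave the action waiting until it times out.
    if ok:
        codepipeline.put_job_success_result(jobId=job["id"])
    else:
        codepipeline.put_job_failure_result(
            jobId=job["id"],
            failureDetails={"type": "JobFailed", "message": reason[:5000]})
    return {"approved": ok, "reason": reason}
```

The function's execution role needs `s3:GetObject` on the artifact bucket (and `kms:Decrypt` if the artifact store uses a customer KMS key) plus `codepipeline:PutJobSuccessResult` and `codepipeline:PutJobFailureResult`, and nothing broader.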
Comparison of Manual and Automated Approvals
| Feature | Manual Approval | Automated Approval |
| --- | --- | --- |
| Intervention | Requires human decision | No human intervention |
| Speed | Slower, depends on manual review timing | Fast, as it’s executed automatically |
| Consistency | Subject to human error or variance | Consistent and repeatable |
| Notifications | Typically via SNS, email, or third-party integrations | Could be part of the Lambda function or separate |
| Use Case Examples | Production deployments, critical infrastructure changes | Code quality checks, security scans |
When setting up CI/CD workflows in AWS CodePipeline, it’s essential to choose the right mix of manual and automated approvals based on your organizational practices and requirements. For instance, while automated approvals can dramatically speed up the deployment of non-critical updates, manual approvals are vital for ensuring that only the right changes make it to production environments, especially when compliance and auditing are of paramount importance.
Answer the Questions in the Comment Section
True or False: AWS CodePipeline requires manual approval actions to be the last action in a stage.
- True
- False
Answer: False
Explanation: Manual approval actions do not need to be the last action in a pipeline stage. They can be placed before other actions to control the workflow of the pipeline.
Which AWS service is integrated with AWS CodePipeline for automated approvals through code reviews?
- AWS CodeBuild
- AWS CodeDeploy
- AWS CodeCommit
- AWS CodeStar
Answer: AWS CodeCommit
Explanation: AWS CodeCommit can be integrated with AWS CodePipeline to trigger automated approval processes through pull request reviews and code changes.
True or False: Automated approvals in AWS CodePipeline can be configured to trigger based on the successful completion of test cases.
- True
- False
Answer: True
Explanation: Automated approvals can be set up to trigger after the successful completion of tests executed by AWS CodeBuild or any other integrated testing tools.
Which of the following is not necessary to configure manual approval in AWS CodePipeline?
- SNS Topic ARN
- Approval action configuration in the pipeline
- IAM user with necessary permissions
- Security group
Answer: Security group
Explanation: Security groups are not required for the configuration of manual approval in AWS CodePipeline. An SNS topic, an approval action configured in the pipeline, and an IAM user with the necessary permissions are needed to set up manual approvals.
Multi-select: Which of the following actions can CodePipeline perform after receiving approval in a manual approval step?
- Proceed to the next stage
- Retry the previous failed stage
- Send a notification via Amazon SNS
- Stop the pipeline execution
Answer: Proceed to the next stage, Send a notification via Amazon SNS
Explanation: After receiving manual approval, CodePipeline can proceed with the next stage and can also send notifications via Amazon SNS. It does not automatically retry a failed stage, and the pipeline does not stop unless explicitly configured to do so.
True or False: In AWS CodePipeline, approval actions can be added directly via the AWS Console without the need for any AWS CLI commands or API calls.
- True
- False
Answer: True
Explanation: Approval actions can indeed be added to a pipeline using the AWS Management Console, which provides a user-friendly interface for managing pipelines without using AWS CLI commands or API calls.
Single Select: What is the maximum duration that an approval action can wait for a response before failing in AWS CodePipeline?
- 1 week
- 24 hours
- 7 days
- 10 days
Answer: 7 days
Explanation: The maximum amount of time a manual approval action can wait for a response in AWS CodePipeline is 7 days. If no response is received within this time, the action fails.
True or False: AWS CodePipeline can invoke AWS Lambda functions for custom automated approval checks.
- True
- False
Answer: True
Explanation: AWS CodePipeline can indeed invoke AWS Lambda functions, allowing for custom automated approval logic to be executed as part of the pipeline’s process.
Multi-select: Which of the following entity/entities can provide manual approvals in AWS CodePipeline?
- An IAM role
- An AWS resource
- A registered AWS user
- A configured Amazon SNS topic subscriber
Answer: A registered AWS user, A configured Amazon SNS topic subscriber
Explanation: Manual approvals in AWS CodePipeline can be provided by a registered AWS user or through an approval request received by a subscriber of a configured SNS topic. IAM roles and AWS resources cannot manually approve the pipeline actions.
Single Select: Which AWS CodePipeline feature can automatically roll back changes if the pipeline’s deployment fails?
- Manual approval action
- Automatic Approval
- AWS CodeDeploy
- AWS CodeBuild
Answer: AWS CodeDeploy
Explanation: AWS CodeDeploy has automatic rollback capabilities in case deployments fail. Manual approvals or AWS CodeBuild do not provide rollback features just by themselves.
True or False: You can use Amazon CloudWatch events to start an AWS Lambda function as a result of a stage transition in AWS CodePipeline for additional processing or validation.
- True
- False
Answer: True
Explanation: Amazon CloudWatch events can be used to detect stage transitions in AWS CodePipeline and trigger AWS Lambda functions for additional custom processing or validation steps.
True or False: AWS CodePipeline does not require an artifact store to pass artifacts between stages.
- True
- False
Answer: False
Explanation: AWS CodePipeline requires an artifact store like Amazon S3 to store and pass artifacts between pipeline stages.
Great post on manual and automated approvals in CodePipeline! Really helpful for the AWS Certified Developer exam.
Can someone explain how manual approvals differ from automated ones in terms of security?
Thanks for this informative blog post!
How do you manage permissions for manual approvals? Any best practices?
The section on automated approvals using Lambda was super helpful.
Is it possible to mix manual and automated approvals in a single CodePipeline?
Appreciate the post, very insightful.
How scalable are automated approvals compared to manual ones?