Concepts

Manual approvals are useful when you want a human to review and approve changes before they proceed to the next stage within a pipeline. This is often necessary for production deployments where changes need to be verified for compliance, quality, or other concerns.

How Manual Approvals Work in AWS CodePipeline

Manual approvals are integrated as an action type within a stage. You configure a manual approval action to notify an individual or a team when approval is needed. Typically, the notification is sent via Amazon Simple Notification Service (Amazon SNS), which can be used to send an email or trigger other events.

Example

Assuming you already have CodePipeline set up, here’s how you could add a manual approval step in your pipeline (Note: the following is not code but a description of the steps):

  1. Add a new stage to your pipeline after the build or test stage whose output you want a human to approve.
  2. Within this stage, add an action of the type “Approval”.
  3. Configure the action to send a notification to an SNS topic.
  4. Subscribe your team’s email addresses to the SNS topic.

Once you push a change, it will trigger the pipeline, and when it reaches the manual approval stage, an approval notification will be sent. Your team can review the changes, and once satisfied, they can approve directly within the AWS Management Console, enabling the pipeline to proceed to the next stage.
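The same four steps expressed against the pipeline's declarative structure, as an added example rather than code from this post: a helper that inserts a manual approval stage after a named stage and points it at an SNS topic. The function name, the stage and action names, the sample pipeline and the placeholder account ID are assumptions made for illustration.

```python
import copy
import re

# Standard (non-FIFO) SNS topic ARN, e.g. arn:aws:sns:us-east-1:111122223333:name
SNS_ARN = re.compile(r"arn:aws[a-z-]*:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}")

def add_approval_stage(pipeline, after_stage, topic_arn, note=""):
    """Return a copy of `pipeline` with an approval stage after `after_stage`."""
    if not SNS_ARN.fullmatch(topic_arn):
        raise ValueError(f"not an SNS topic ARN: {topic_arn!r}")
    names = [stage["name"] for stage in pipeline["stages"]]
    if after_stage not in names:
        raise ValueError(f"no stage named {after_stage!r}")
    if "ManualApproval" in names:
        raise ValueError("pipeline already has a ManualApproval stage")
    config = {"NotificationArn": topic_arn}
    if note:
        config["CustomData"] = note  # text shown to the approver
    stage = {
        "name": "ManualApproval",
        "actions": [{
            "name": "ApproveRelease",
            "actionTypeId": {"category": "Approval", "owner": "AWS",
                             "provider": "Manual", "version": "1"},
            "configuration": config,
            "runOrder": 1,
        }],
    }
    updated = copy.deepcopy(pipeline)  # leave the caller's definition untouched
    updated["stages"].insert(names.index(after_stage) + 1, stage)
    return updated

# Constructed pipeline definition; only the fields the helper reads are shown.
SAMPLE = {"name": "demo", "stages": [
    {"name": "Source", "actions": []},
    {"name": "Build", "actions": []},
    {"name": "Deploy", "actions": []},
]}
```

The returned structure is what you would submit as the updated pipeline definition; subscribing the team's addresses to the topic (step 4) is done on the SNS side.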

Automated Approvals

Automated approvals, in contrast, are used to automatically approve actions based on certain conditions or rules without human intervention. AWS CodePipeline can be configured to use AWS Lambda functions to perform actions which can be treated as automated approval mechanisms.

How Automated Approvals Work in AWS CodePipeline

To implement an automated approval, you define a Lambda function that performs some checks or validations. If the validations pass, the Lambda function returns a successful response to the pipeline, allowing the process to continue. If the validations fail, the function returns a failure response, and the pipeline stops.

Example

To add an automated approval using Lambda, follow these steps:

  1. Write a Lambda function that performs the desired checks (e.g., validating a security scan on the built artifact).
  2. Create a new action in your pipeline stage and set the action provider to AWS Lambda.
  3. Configure the action to use the Lambda function you created.

When the pipeline triggers this stage, it will execute the Lambda function and proceed based on the success or failure response from the Lambda function execution.
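A sketch of such a gate, added here as an example and not taken from this post: the handler reads severity counts from the action's UserParameters and reports the outcome to CodePipeline with put_job_success_result or put_job_failure_result, rejecting anything it cannot parse. The JSON shape of UserParameters, the limits, and the RecordingClient and sample_event helpers are assumptions made so the block runs offline.

```python
import json
# Hypothetical policy: maximum findings tolerated per severity.
DEFAULT_LIMITS = {"critical": 0, "high": 0}

def evaluate(user_parameters, limits=DEFAULT_LIMITS):
    """Return (approved, reason); unparseable or missing data is rejected."""
    try:
        counts = json.loads(user_parameters)
        over = {}
        for severity, limit in limits.items():
            found = int(counts[severity])
            if found < 0:
                raise ValueError(f"negative count for {severity}")
            if found > limit:
                over[severity] = found
    except (TypeError, ValueError, KeyError) as exc:
        return False, f"scan summary unusable: {exc!r}"
    if over:
        return False, f"findings over limit: {over}"
    return True, "scan within limits"

def lambda_handler(event, context, client=None):
    job = event["CodePipeline.job"]
    if client is None:  # real invocation; offline runs inject a stub
        import boto3
        client = boto3.client("codepipeline")
    config = job["data"]["actionConfiguration"]["configuration"]
    approved, reason = evaluate(config.get("UserParameters"))
    # The action only completes once the job result is reported back.
    if approved:
        client.put_job_success_result(jobId=job["id"])
    else:
        client.put_job_failure_result(jobId=job["id"], failureDetails={
            "type": "JobFailed", "message": reason})
    return {"approved": approved, "reason": reason}

class RecordingClient:
    """Constructed stand-in for the CodePipeline client (offline runs)."""
    def __init__(self):
        self.calls = []
    def put_job_success_result(self, **kwargs):
        self.calls.append(("success", kwargs))
    def put_job_failure_result(self, **kwargs):
        self.calls.append(("failure", kwargs))

def sample_event(user_parameters):  # constructed, in the shape CodePipeline sends
    config = {"FunctionName": "scan-gate", "UserParameters": user_parameters}
    return {"CodePipeline.job": {"id": "job-0000-constructed",
            "data": {"actionConfiguration": {"configuration": config}}}}
```

Because a missing key, a non-numeric value or absent UserParameters all count as a failure, a scan stage that silently produced no summary cannot pass the gate.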

Comparison of Manual and Automated Approvals

| Feature | Manual Approval | Automated Approval |
| --- | --- | --- |
| Intervention | Requires human decision | No human intervention |
| Speed | Slower, depends on manual review timing | Fast, as it’s executed automatically |
| Consistency | Subject to human error or variance | Consistent and repeatable |
| Notifications | Typically via SNS, email, or third-party integrations | Could be part of the Lambda function or separate |
| Use Case Examples | Production deployments, critical infrastructure changes | Code quality checks, security scans |

When setting up CI/CD workflows in AWS CodePipeline, it’s essential to choose the right mix of manual and automated approvals based on your organizational practices and requirements. For instance, while automated approvals can dramatically speed up the deployment of non-critical updates, manual approvals are vital for ensuring that only the right changes make it to production environments, especially when compliance and auditing are of paramount importance.

Answer the Questions in Comment Section

True or False: AWS CodePipeline requires manual approval actions to be the last action in a stage.

  • True
  • False

Answer: False

Explanation: Manual approval actions do not need to be the last action in a pipeline stage. They can be placed before other actions to control the workflow of the pipeline.

Which AWS service is integrated with AWS CodePipeline for automated approvals through code reviews?

  • AWS CodeBuild
  • AWS CodeDeploy
  • AWS CodeCommit
  • AWS CodeStar

Answer: AWS CodeCommit

Explanation: AWS CodeCommit can be integrated with AWS CodePipeline to trigger automated approval processes through pull request reviews and code changes.

True or False: Automated approvals in AWS CodePipeline can be configured to trigger based on the successful completion of test cases.

  • True
  • False

Answer: True

Explanation: Automated approvals can be set up to trigger after the successful completion of tests executed by AWS CodeBuild or any other integrated testing tools.

Which of the following is not necessary to configure manual approval in AWS CodePipeline?

  • SNS Topic ARN
  • Approval action configuration in the pipeline
  • IAM user with necessary permissions
  • Security group

Answer: Security group

Explanation: Security groups are not required for the configuration of manual approval in AWS CodePipeline. An SNS topic, an approval action configured in the pipeline, and an IAM user with the necessary permissions are needed to set up manual approvals.

Multi-select: Which of the following actions can CodePipeline perform after receiving approval in a manual approval step?

  • Proceed to the next stage
  • Retry the previous failed stage
  • Send a notification via Amazon SNS
  • Stop the pipeline execution

Answer: Proceed to the next stage, Send a notification via Amazon SNS

Explanation: After receiving manual approval, CodePipeline can proceed with the next stage and can also send notifications via Amazon SNS. It does not automatically retry a failed stage, and the pipeline does not stop unless explicitly configured to do so.

True or False: In AWS CodePipeline, approval actions can be added directly via the AWS Console without the need for any AWS CLI commands or API calls.

  • True
  • False

Answer: True

Explanation: Approval actions can indeed be added to a pipeline using the AWS Management Console, which provides a user-friendly interface for managing pipelines without using AWS CLI commands or API calls.

Single Select: What is the maximum duration that an approval action can wait for a response before failing in AWS CodePipeline?

  • 1 week
  • 24 hours
  • 7 days
  • 10 days

Answer: 7 days

Explanation: The maximum amount of time a manual approval action can wait for a response in AWS CodePipeline is 7 days. If no response is received within this time, the action fails.

True or False: AWS CodePipeline can invoke AWS Lambda functions for custom automated approval checks.

  • True
  • False

Answer: True

Explanation: AWS CodePipeline can indeed invoke AWS Lambda functions, allowing for custom automated approval logic to be executed as part of the pipeline’s process.

Multi-select: Which of the following entity/entities can provide manual approvals in AWS CodePipeline?

  • An IAM role
  • An AWS resource
  • A registered AWS user
  • A configured Amazon SNS topic subscriber

Answer: A registered AWS user, A configured Amazon SNS topic subscriber

Explanation: Manual approvals in AWS CodePipeline can be provided by a registered AWS user or through an approval request received by a subscriber of a configured SNS topic. IAM roles and AWS resources cannot manually approve the pipeline actions.

Single Select: Which AWS CodePipeline feature can automatically roll back changes if the pipeline’s deployment fails?

  • Manual approval action
  • Automatic Approval
  • AWS CodeDeploy
  • AWS CodeBuild

Answer: AWS CodeDeploy

Explanation: AWS CodeDeploy has automatic rollback capabilities in case deployments fail. Manual approvals and AWS CodeBuild do not provide rollback features by themselves.

True or False: You can use Amazon CloudWatch events to start an AWS Lambda function as a result of a stage transition in AWS CodePipeline for additional processing or validation.

  • True
  • False

Answer: True

Explanation: Amazon CloudWatch events can be used to detect stage transitions in AWS CodePipeline and trigger AWS Lambda functions for additional custom processing or validation steps.

True or False: AWS CodePipeline does not require an artifact store to pass artifacts between stages.

  • True
  • False

Answer: False

Explanation: AWS CodePipeline requires an artifact store like Amazon S3 to store and pass artifacts between pipeline stages.

Lillie Rodriguez
6 months ago

Great post on manual and automated approvals in CodePipeline! Really helpful for the AWS Certified Developer exam.

Jesus Washington
8 months ago

Can someone explain how manual approvals differ from automated ones in terms of security?

Isobel Evans
8 months ago

Thanks for this informative blog post!

Herculana Barbosa
7 months ago

How do you manage permissions for manual approvals? Any best practices?

Taylor Lewis
8 months ago

The section on automated approvals using Lambda was super helpful.

Flavio Rosado
8 months ago

Is it possible to mix manual and automated approvals in a single CodePipeline?

Laurine Bernard
6 months ago

Appreciate the post, very insightful.

Stozhar Vivcharik
7 months ago

How scalable are automated approvals compared to manual ones?
