Drop-in replacement for the manual approval step that CodePipeline provides.
- Auto-approves if no changes have been identified
- Generates temporary URL to approval web site that doesn't require AWS Console login (great for approving from mobile)
- Summarizes changes to multiple stacks on a single page
- Presents `diff` between current and new template
  - All macros and transforms will be resolved at this stage
- Highlights changes in parameter values
- Displays full CloudFormation ChangeSet information
- Presents
- Approvals can require multiple approvers
Step 1: Implement ChangeSets in Pipeline
The approval step relies on the ChangeSet to compile and render the approval page. Make sure that your CodePipeline already creates CloudFormation ChangeSets for each stack deployment.
Full example with explanations can be found here.
```yaml
- Name: ProdStage
  Actions:
    - Name: CreateChangeSet
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Provider: CloudFormation
        Version: '1'
      InputArtifacts:
        - Name: TemplateSource
      Configuration:
        ActionMode: CHANGE_SET_REPLACE
        RoleArn: !GetAtt [CFNRole, Arn]
        StackName: !Ref ProdStackName
        ChangeSetName: !Ref ChangeSetName
        TemplateConfiguration: !Sub "TemplateSource::${ProdStackConfig}"
        TemplatePath: !Sub "TemplateSource::${TemplateFileName}"
      RunOrder: '1'
    - Name: ApproveChangeSet
      ActionTypeId:
        Category: Approval
        Owner: AWS
        Provider: Manual
        Version: '1'
      Configuration:
        NotificationArn: !Ref CodePipelineSNSTopic
        CustomData: !Sub 'A new change set was created for the ${ProdStackName} stack. Do you want to implement the changes?'
      RunOrder: '2'
    - Name: ExecuteChangeSet
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Provider: CloudFormation
        Version: '1'
      Configuration:
        ActionMode: CHANGE_SET_EXECUTE
        ChangeSetName: !Ref ChangeSetName
        RoleArn: !GetAtt [CFNRole, Arn]
        StackName: !Ref ProdStackName
      RunOrder: '3'
```
Step 2: Create SNS Topic
Skip this step if you already have a topic.
```sh
# replace AWS_REGION and AWS_ACCOUNT_ID accordingly
aws sns create-topic --name approval-notifications
# Subscribe with an email address (the subscriber must confirm the subscription email)
aws sns subscribe --topic-arn arn:aws:sns:$AWS_REGION:$AWS_ACCOUNT_ID:approval-notifications --protocol email --notification-endpoint [email protected]
```
Step 3: Launch Stack
Via Console or via CLI:

```sh
aws cloudformation create-stack --template-url https://s3.amazonaws.com/pipeline-approval-us-east-1/release/v1.0.0/lambda.template.yml --capabilities CAPABILITY_IAM --stack-name approval-lambda
```
The Lambda function deployed by this stack can be shared by any number of pipelines in the same region.
If you prefer to build and host the CloudFormation template and Lambda code bundle yourself, head over to pipeline-approval-lambda and fork away.
Step 4: Add Permissions to Pipeline Role
This policy statement is required to provide the pipeline role with the permissions it needs to call the approval Lambda function.
```yaml
- Effect: Allow
  Action:
    - lambda:ListFunctions
    - lambda:InvokeFunction
  Resource: '*'
```
Step 5: Replace Manual Approval Step with Lambda
`UserParameters` needs to be a string, so it is wrapped in a `!Sub` to be able to reference template parameters. It accepts a `Stacks` parameter, which is a list of CloudFormation stacks that will be checked for changes. The `TopicArn` parameter is required: the URL to the approval page is published to this topic.
```yaml
- Name: ApproveChangeSet
  ActionTypeId:
    Category: Invoke
    Owner: AWS
    Version: 1
    Provider: Lambda
  Configuration:
    FunctionName: !ImportValue approval-lambda:FunctionArn
    UserParameters: !Sub |
      Stacks:
        - ${ProdStackName}
      TopicArn: arn:aws:sns:${AWS::Region}:${AWS::AccountId}:approval-notifications
  RunOrder: 2
```
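How the "auto-approve if no changes" decision and the parameter-change highlight fit together, as an added Python example that is not the pipeline-approval-lambda project's own code: it runs over constructed dicts shaped like boto3 `describe_change_set()` responses instead of live CloudFormation calls, so it works offline. The `EMPTY_CHANGE_SET_REASON` text is the `StatusReason` CloudFormation returns for an empty change set; the stack names and parameter values are made up, and any failure other than "no changes" is treated as needing human review rather than auto-approval.

```python
# Added example, not the project's code: the approval step's decision logic
# over constructed DescribeChangeSet-shaped dicts (no live AWS calls).

# CloudFormation reports an empty change set as FAILED with this StatusReason.
EMPTY_CHANGE_SET_REASON = "The submitted information didn't contain changes."


def summarize_change_set(stack_name, current_params, change_set):
    """Build the per-stack summary shown on the approval page.

    current_params: {ParameterKey: ParameterValue} of the deployed stack
    change_set:     dict shaped like boto3 describe_change_set() output
    """
    status = change_set.get("Status")
    reason = change_set.get("StatusReason", "")
    if status == "FAILED":
        if reason.startswith(EMPTY_CHANGE_SET_REASON):
            return {"stack": stack_name, "empty": True, "changes": [], "params": {}}
        # Any other failure is not "no changes": fail closed and ask a human.
        raise RuntimeError(f"{stack_name}: change set failed: {reason}")
    if status != "CREATE_COMPLETE":
        raise RuntimeError(f"{stack_name}: change set not ready ({status})")

    changes = []
    for change in change_set.get("Changes", []):
        rc = change["ResourceChange"]
        changes.append({
            "action": rc["Action"],                      # Add / Modify / Remove
            "logical_id": rc["LogicalResourceId"],
            "type": rc["ResourceType"],
            "replacement": rc.get("Replacement", "N/A"),  # True means re-create
        })
    # Highlight only parameters whose value differs from the deployed stack.
    new_params = {p["ParameterKey"]: p.get("ParameterValue")
                  for p in change_set.get("Parameters", [])}
    changed_params = {k: (current_params.get(k), v)
                      for k, v in new_params.items() if current_params.get(k) != v}
    return {"stack": stack_name, "empty": False,
            "changes": changes, "params": changed_params}


def decide(summaries):
    """Auto-approve only when every listed stack's change set is verifiably empty."""
    if not summaries:
        return "review"  # nothing to check is not the same as nothing changed
    return "approve" if all(s["empty"] for s in summaries) else "review"
```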