AWS Serverless: Add Manual Approval to a SAM CI/CD Pipeline for Lambda and API Gateway

Add a manual approval for the Lambda function build and deployment using AWS CodePipeline.

Published Jun 2, 2025
In my previous article, I explained how to create a CI/CD pipeline to build and deploy a simple Lambda function integrated with API Gateway using AWS SAM and GitHub.
Then, in Part 2, I explained how to replace broad permissions, such as full access to S3, CloudFormation, Lambda and API Gateway, with a custom fine-grained IAM policy that grants only the permissions this pipeline requires, in line with the principle of least privilege.
Please make sure you've reviewed these articles on this CI/CD topic (links below). I won't repeat that content here, but understanding it is essential for following along with the manual approval stage setup in this article.
Link to the Part 1 Article
Link to the Part 2 Article
In this article, I will focus on adding a manual approval stage to the pipeline so that, while code is still built by the pipeline when a push reaches the Git repo, it is not deployed until a manual approval action is completed. Approvers are notified by email through the SNS service, and once they approve, the pipeline moves on to the deploy stage.
Adding this manual approval step to the pipeline ensures better governance and gives reviewers a chance to examine the changes before they are deployed to the environment.
Let's look at the architecture diagram!
Why Use a Manual Approval Stage?
Using a manual approval stage in CI/CD pipelines offers several advantages for enterprises. It provides important control and visibility before code changes are promoted to higher environments.
Some of the benefits are listed below:
  • Have a code SME review before code is promoted to a higher environment such as UAT or PROD
A manual approval stage introduces a pause that lets developers, testers, technical managers or product/business owners review and approve the changes before they go live.
  • Reduce the risk of deploying unintended code
Manual approval ensures that unintended code changes are not promoted automatically, which could cause unexpected behavior or broken software.
  • Adherence to organizational compliance and regulatory policies
Most enterprises have compliance requirements to document software changes and the approval process. A manual stage ensures that this audit trail is maintained and compliance requirements are met.
  • Improve cross-team collaboration
A manual approval stage encourages team collaboration, as SMEs from other teams such as QA, product or other business units can review and then approve the changes.
  • Support for release and change management processes
Adding a manual approval stage aligns well with ITIL or other structured change management processes where approvals and documentation are required prior to implementing the change.
Create SNS topic and add email subscription for notification
If you don't already have an SNS topic, create a standard SNS topic. This topic will be used to send the email notifications.
Once you have the SNS topic, add an email subscription to it. This email address will then receive notifications from the manual approval stage.
Once subscribed successfully, you should receive an email notification confirming the subscription.

Review Manual Approval Stage
Below is an example of adding a manual approval stage and action so that code updates are not automatically promoted when the pipeline is triggered.
You will need to add a stage, then click on Action Group and add an Action as shown below.
Provide the ARN of the SNS topic configured in the previous steps. The email address subscribed to this ARN will receive the notification.
Save the changes to the pipeline.
You will notice that a manual approval stage has been added.
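The console steps above, expressed against the pipeline definition that CodePipeline's get_pipeline API returns (an added example, not code from the original article; the pipeline, stage and action names, the account ID and the topic ARN are constructed placeholders). It inserts the approval stage and also reports any Build or Deploy stage that no approval precedes.

```python
import copy

# Constructed sample data: names, account ID and ARN are placeholders.
SAMPLE_TOPIC = "arn:aws:sns:us-east-1:111122223333:pipeline-approvals"

def action(name, category, provider):
    return {"name": name, "actionTypeId": {"category": category,
            "owner": "AWS", "provider": provider, "version": "1"}}

# Shape of get_pipeline()["pipeline"], reduced to the fields used here.
SAMPLE_PIPELINE = {"name": "sam-lambda-pipeline", "stages": [
    {"name": "Source", "actions": [action("GitHub", "Source", "CodeStarSourceConnection")]},
    {"name": "Build", "actions": [action("SamBuild", "Build", "CodeBuild")]},
]}

def approval_stage(topic_arn, stage_name="ManualApproval", note=""):
    """Stage with one manual approval action that notifies an SNS topic."""
    approve = action("Approve", "Approval", "Manual")
    approve["configuration"] = {"NotificationArn": topic_arn}
    if note:
        approve["configuration"]["CustomData"] = note  # shown to the approver
    approve["runOrder"] = 1
    return {"name": stage_name, "actions": [approve]}

def add_approval_before(pipeline, before_stage, topic_arn):
    """Return a copy of the pipeline with an approval stage ahead of before_stage."""
    updated = copy.deepcopy(pipeline)
    names = [s["name"] for s in updated["stages"]]
    if before_stage not in names:
        raise ValueError(f"stage {before_stage!r} not found")
    idx = names.index(before_stage)
    if idx == 0:  # the first stage may contain only source actions
        raise ValueError("approval cannot precede the source stage")
    updated["stages"].insert(idx, approval_stage(topic_arn))
    return updated

def ungated_stages(pipeline, gated=("Build", "Deploy")):
    """Names of stages running Build/Deploy actions with no earlier approval stage."""
    approved, findings = False, []
    for stage in pipeline["stages"]:
        cats = {a["actionTypeId"]["category"] for a in stage["actions"]}
        if not approved and cats & set(gated):
            findings.append(stage["name"])
        approved = approved or "Approval" in cats
    return findings
```

To apply the result, pass it to boto3's `codepipeline.update_pipeline(pipeline=...)`; the pipeline's service role also needs `sns:Publish` on the topic for the notification email to be sent.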
Push a code change to Git Repo
Let’s make a change to the Lambda function and commit the updated code to the Git repository.
Once the changes are pushed, the AWS CodePipeline pipeline is triggered automatically.
After the pipeline starts, we’ll review the build and deployment stages to confirm the updated function is successfully redeployed.
You can see that the pipeline automatically triggered the Source stage and then paused at the manual approval stage and action.
This Manual Approval stage requires approval before proceeding to the Build stage.
Check your inbox for the email notification triggered by the pipeline's Manual Approval stage.
You can click Approve or Reject from the email, or you can open the approval screen directly from the approval stage.
From the view below, you can approve the stage.
Once you approve this stage, the pipeline will proceed.
As the pipeline progresses, you should see all stages complete.
Validate by Invoking the deployed function and API
Since the pipeline has successfully completed, the updated Lambda function and API have been deployed. Let's validate again using Postman.
You should now see the updated message returned by the Lambda function through the API endpoint, confirming that the changes were successfully deployed.
Review S3 bucket for Code artifact
You can also review the S3 bucket where AWS CodePipeline stores the build artifacts generated during the pipeline execution.
Review CloudWatch log
The Lambda function is integrated with CloudWatch, and a dedicated log group is automatically created.
You can view the logs by navigating to the function’s log group in the CloudWatch Logs section of the AWS Console.
Cleanup - Delete resources
Once you’ve completed this exercise, make sure to delete all the resources created to avoid unnecessary charges that could impact your overall cloud cost and budget.
In particular, remember to delete the following:
  • The AWS CodePipeline pipeline
  • The CodeBuild project
  • Any S3 buckets used for artifacts (if not reused elsewhere)
  • The Lambda function, API Gateway, and associated CloudWatch log groups
  • IAM roles created for the pipeline and build process (if they’re not reused)
Conclusion
In this article, I explained how to enhance a Lambda CI/CD pipeline built with AWS SAM and GitHub by adding a manual approval stage with email notifications, ensuring controlled and monitored deployments.
Adding a manual approval step with email notifications enhances security and governance in your CI/CD pipeline by ensuring critical deployments receive explicit review before execution.
I hope you found this article both helpful and informative!
Thank you for reading!
Girish Bhatia
AWS Certified Solution Architect & Developer Associate
Cloud Technology Enthusiast
 
