Ensuring Oversight: Implementing CodeCommit Approval Rules with CodePipeline

Continuous integration and continuous delivery (CI/CD) pipelines streamline deployments, but sometimes additional human oversight is necessary. This article explores using AWS CodeCommit approval rules in conjunction with AWS CodePipeline to introduce a manual approval stage before deploying code changes. Additionally, we'll leverage AWS Identity and Access Management (IAM) to control who can approve deployments.

1. Enforcing Guardrails: Approval Rules in CodeCommit

• Navigate to the AWS CodeCommit console and select the repository containing your code.
• In the navigation pane, click "Pull Requests."
• Choose an existing pull request or create a new one to demonstrate the approval rule setup.

Creating the Approval Rule:

• Within the pull request details page, locate the "Approvals" section.
• Click "Create approval rule."
• Provide a descriptive name for the rule (e.g., "Pre-deployment Approval").
• Choose the number of users who must approve the pull request for it to merge (e.g., 2 for a two-person review process).
• Optionally, you can define an approval pool to restrict who can approve the pull request. This could include specific users or IAM user groups.

Understanding Approval Rules:

Once created, the approval rule will be applied to all future pull requests in that repository. Only after the required number of users from the defined pool approve the pull request can the code be merged into the main branch.

2. Integrating Approval Rules with CodePipeline

• Navigate to the AWS CodePipeline console and select the pipeline you want to modify.
• Click the pipeline name to access its details.

Introducing the Approval Stage:

• Locate the stage where your deployment process begins (usually the stage after the source stage).
• Click the "Actions" tab within that stage.
• Click "Add action" and choose "Manual approval" as the action type.
• Provide a descriptive name for the approval stage (e.g., "Pre-Deployment Review").
• Click "Next" to configure the approval details.

Connecting to CodeCommit:

• In the "Approval source" section, choose "CodeCommit pull request."
• Select the CodeCommit repository containing your code (the same one where you created the approval rule).
• Optionally, you can filter pull requests based on specific branches or patterns.

Permissions and Notifications:

CodePipeline will automatically notify the users specified in the CodeCommit approval rule when a pull request is ready for review.

Using IAM for Granular Control:

To ensure only authorized users can approve deployments via the CodePipeline manual approval stage, configure IAM policies.

• Create an IAM user group specifically for deployment approvals (e.g., "deployment-approvers").
• Attach an IAM policy to this group granting permissions to approve CodePipeline actions. The specific permissions will depend on your pipeline configuration, but generally, they will involve allowing the codepipeline:PutApprovalResult action.
• Add the desired users to the "deployment-approvers" IAM user group.

By implementing this structure, only users within the designated group will be able to approve deployments through the CodePipeline manual approval stage.

3. The Approval Workflow: Ensuring Controlled Deployments

With the approval rule and CodePipeline configuration in place, the following workflow emerges:

1. A developer creates a pull request in the CodeCommit repository.
2. The approval rule triggers notifications to the designated users in the CodeCommit approval pool.
3. The reviewers assess the changes and approve/reject the pull request through the CodeCommit console.
4. If all required approvals are granted, the pull request merges, and the code changes are reflected in the main branch.
5. CodePipeline detects the change in the main branch and triggers the pipeline execution.
6. The pipeline reaches the manual approval stage, waiting for user input.
7. Authorized users with permissions in the IAM user group can approve or reject the deployment through the CodePipeline console.
8. Based on the user's decision (approve or reject), the pipeline either continues with deployment or halts the process.

This approach ensures that deployments undergo a manual review process before proceeding, potentially preventing the introduction of critical bugs or unexpected changes to production environments.

Conclusion:

By integrating CodeCommit approval rules with CodePipeline, you establish a controlled deployment environment without sacrificing automation benefits. This two-step process promotes code quality and reduces the risk of deploying untested or unapproved code changes.