Drop-in replacement for the manual approval step that CodePipeline provides.


  • Auto-approves if no changes have been identified
  • Generates temporary URL to approval web site that doesn't require AWS Console login (great for approving from mobile)
  • Summarizes changes to multiple stacks on a single page
    • Presents diff between current and new template
    • All macros and transforms will be resolved at this stage
    • Highlights changes in parameter values
    • Displays full CloudFormation ChangeSet information
  • Approvals can require multiple approvers


Step 1: Implement ChangeSets in Pipeline

The approval step relies on the ChangeSet to compile and render the approval page. Make sure that your CodePipeline already creates CloudFormation ChangeSets for each stack deployment.

Example pipeline stage:

Full example with explanations can be found here.

- Name: ProdStage
  Actions:
    # 1. Create (or replace) the ChangeSet without executing it
    - Name: CreateChangeSet
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Provider: CloudFormation
        Version: '1'
      InputArtifacts:
        - Name: TemplateSource
      Configuration:
        ActionMode: CHANGE_SET_REPLACE
        RoleArn: !GetAtt [CFNRole, Arn]
        StackName: !Ref ProdStackName
        ChangeSetName: !Ref ChangeSetName
        TemplateConfiguration: !Sub "TemplateSource::${ProdStackConfig}"
        TemplatePath: !Sub "TemplateSource::${TemplateFileName}"
      RunOrder: '1'
    # 2. Built-in manual approval (the step this project replaces)
    - Name: ApproveChangeSet
      ActionTypeId:
        Category: Approval
        Owner: AWS
        Provider: Manual
        Version: '1'
      Configuration:
        NotificationArn: !Ref CodePipelineSNSTopic
        CustomData: !Sub 'A new change set was created for the ${ProdStackName} stack. Do you want to implement the changes?'
      RunOrder: '2'
    # 3. Execute the approved ChangeSet
    - Name: ExecuteChangeSet
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Provider: CloudFormation
        Version: '1'
      Configuration:
        ActionMode: CHANGE_SET_EXECUTE
        ChangeSetName: !Ref ChangeSetName
        RoleArn: !GetAtt [CFNRole, Arn]
        StackName: !Ref ProdStackName
      RunOrder: '3'

Step 2: Create SNS Topic

Skip this step if you already have a topic.

# replace AWS_REGION and AWS_ACCOUNT_ID accordingly
aws sns create-topic --name approval-notifications

# Subscribe with an email address (replace YOUR_EMAIL_ADDRESS)
aws sns subscribe --topic-arn arn:aws:sns:$AWS_REGION:$AWS_ACCOUNT_ID:approval-notifications --protocol email --notification-endpoint YOUR_EMAIL_ADDRESS

Step 3: Launch Stack

Via Console

Launch Stack

or via CLI

aws cloudformation create-stack --template-url "<TEMPLATE_URL>" --capabilities CAPABILITY_IAM --stack-name approval-lambda

The Lambda function deployed by this stack can be shared by any number of pipelines in the same region.

If you prefer to build and host the CloudFormation template and Lambda code bundle yourself, head over to pipeline-approval-lambda and fork away.

Step 4: Add Permissions to Pipeline Role

This policy statement is required to give the pipeline role permission to call the approval Lambda function.

- Effect: Allow
  Action:
    - lambda:ListFunctions
    - lambda:InvokeFunction
  Resource: '*'
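
With Resource: '*', the pipeline role can invoke every Lambda function in the account. A narrower variant is shown below as an added example, not part of the project's own template. It assumes the stack from Step 3 is named approval-lambda and exports approval-lambda:FunctionArn, the value Step 5 imports.

```yaml
# Added example (not from the project): least-privilege variant of the
# statement above. Assumes the approval stack exports
# approval-lambda:FunctionArn, as referenced in Step 5.

# lambda:ListFunctions does not support resource-level permissions,
# so it has to stay on '*'.
- Effect: Allow
  Action:
    - lambda:ListFunctions
  Resource: '*'

# lambda:InvokeFunction can be limited to the approval function, so the
# pipeline role cannot invoke any other function in the account.
- Effect: Allow
  Action:
    - lambda:InvokeFunction
  Resource: !ImportValue approval-lambda:FunctionArn
```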

Step 5: Replace Manual Approval Step with Lambda

UserParameters needs to be a string, so we wrap it in a !Sub to be able to reference parameters. It accepts a Stacks parameter, which is a list of CloudFormation stacks that will be checked for changes. The TopicArn parameter is required. The URL to the approval page is published to this topic.

- Name: ApproveChangeSet
  ActionTypeId:
    Category: Invoke
    Owner: AWS
    Version: 1
    Provider: Lambda
  Configuration:
    FunctionName: !ImportValue approval-lambda:FunctionArn
    # UserParameters is passed to the Lambda as a single string
    UserParameters: !Sub |
      Stacks:
        - ${ProdStackName}
      TopicArn: arn:aws:sns:${AWS::Region}:${AWS::AccountId}:approval-notifications
  RunOrder: 2