Continuous delivery pipelines help teams deploy faster, safer, and with more confidence. But sometimes, you need more fine-grained control—for example, restricting deployments to approved time windows or blocking production pushes if certain quality checks fail.
🛠 What Are Stage-Level Conditions?
Stage-level conditions allow you to control when a pipeline stage starts or finishes based on rules you define.
You can use them to:
- Stop deployments outside business hours
- Fail a stage if security scans detect vulnerabilities
- Roll back if CloudWatch alarms trigger
- Enforce governance policies before production
You can add these conditions via the AWS Console, API, CLI, CloudFormation, or SDK.
📌 Example Pipeline
We’ll use a 4-stage ECS deployment pipeline:
- Source – Code from GitHub (via CodeConnections)
- Build – Builds a Docker image (via buildspec.yaml) and pushes to Amazon ECR
- DeployToStage – Deploys to a staging environment
- DeployToProduction – Deploys to production
We added stage-level conditions to improve quality and security.
🧩 Scenario 1: Block on Critical Vulnerabilities
Goal: Stop the pipeline if the Amazon ECR image scan detects critical CVEs.
Solution:
- Add an OnSuccess exit condition to the build stage
- Use the LambdaInvoke rule to check scan results
- Fail the pipeline if any critical vulnerabilities are found
This ensures no vulnerable images make it to staging or production.
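The decision logic behind that LambdaInvoke rule, as an added example that is not code from the original post or from AWS. It assumes the rule hands the function a CodePipeline job event under the `CodePipeline.job` key and that the function reports back with `PutJobSuccessResult` / `PutJobFailureResult` (the same job contract as the Lambda invoke action); the `UserParameters` keys `region`, `repository` and `imageTag` are placeholder names chosen here. The `evaluate` function is pure and runs offline against the constructed sample below; only `handler` needs AWS.

```python
"""Gate a build stage on Amazon ECR scan findings (added example, not the post's code)."""
import json

try:
    import boto3  # needed only inside AWS; the decision logic below runs offline
except ImportError:
    boto3 = None

# Severities that block promotion. The post's threshold is CRITICAL.
BLOCKING_SEVERITIES = {"CRITICAL"}


def blocking_findings(scan_findings, blocking=BLOCKING_SEVERITIES):
    """Return the findings whose severity is in `blocking`.

    `scan_findings` has the shape of ecr.describe_image_scan_findings():
    {"imageScanStatus": {...}, "imageScanFindings": {"findings": [{"name", "severity", ...}]}}
    """
    findings = scan_findings.get("imageScanFindings", {}).get("findings", [])
    return [f for f in findings if f.get("severity", "").upper() in blocking]


def scan_is_complete(scan_findings):
    """True only when ECR reports the scan finished; anything else fails closed."""
    return scan_findings.get("imageScanStatus", {}).get("status") == "COMPLETE"


def evaluate(scan_findings):
    """Map scan output to (ok, message). An unfinished or failed scan is a failure."""
    if not scan_is_complete(scan_findings):
        return False, "scan not complete; failing closed"
    bad = blocking_findings(scan_findings)
    if bad:
        names = ", ".join(sorted(f["name"] for f in bad))
        return False, f"{len(bad)} blocking finding(s): {names}"
    return True, "no blocking findings"


def handler(event, context):
    """Lambda entry point. Assumed job-event contract; see the lead-in."""
    job = event["CodePipeline.job"]
    # Placeholder parameter names; the rule's configuration supplies the real values.
    params = json.loads(job["data"]["actionConfiguration"]["configuration"]["UserParameters"])
    ecr = boto3.client("ecr", region_name=params["region"])
    pipeline = boto3.client("codepipeline", region_name=params["region"])
    resp = ecr.describe_image_scan_findings(
        repositoryName=params["repository"],
        imageId={"imageTag": params["imageTag"]},
    )
    ok, msg = evaluate(resp)
    if ok:
        pipeline.put_job_success_result(jobId=job["id"])
    else:
        pipeline.put_job_failure_result(
            jobId=job["id"], failureDetails={"type": "JobFailed", "message": msg}
        )
    return {"ok": ok, "message": msg}


# Constructed sample, shaped like a describe_image_scan_findings response.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_SCAN = {
    "imageScanStatus": {"status": "COMPLETE"},
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL"},
            {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM"},
        ]
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_SCAN))
```

Two design choices worth noting: the gate fails closed when the scan has not completed, so a race between the ECR push and the scan cannot let an unscanned image through, and the failure message names the offending findings so the pipeline history explains why the stage stopped.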
🧩 Scenario 2: Roll Back on CloudWatch Alarms
Goal: Roll back if post-deployment error rates exceed 3%.
Solution:
- Add an OnSuccess exit condition to DeployToStage
- Use a CloudWatch alarm to detect high error rates
- Trigger rollback automatically if the alarm enters the ALARM state
This protects users from buggy deployments that only show issues under real traffic.
🧩 Scenario 3: Enforce Deployment Windows
Goal: Only allow production deployments Monday–Thursday during work hours.
Solution:
- Add an Entry condition to DeployToProduction
- Use the DeploymentWindow rule with a cron expression
- Fail the condition if outside the approved window
This ensures production releases happen when the right people are available to monitor them.
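A local check of the same policy the DeploymentWindow rule enforces in AWS, added here as an example that is not from the original post; it is useful for unit-testing the window before encoding it as the rule's cron expression. The 09:00 to 17:00 hours and the fixed UTC-5 offset are assumptions for illustration (a real team zone observes DST, which a fixed offset does not model), and the `entry_condition` outcome strings are illustrative, not the rule's API.

```python
"""Evaluate a Monday-Thursday work-hours deployment window (added example)."""
from datetime import datetime, time, timedelta, timezone

# Monday=0 ... Sunday=6; the post's rule is Monday to Thursday.
ALLOWED_WEEKDAYS = {0, 1, 2, 3}
WINDOW_START = time(9, 0)
WINDOW_END = time(17, 0)  # exclusive: a 17:00:00 start is outside the window
WINDOW_TZ = timezone(timedelta(hours=-5), name="UTC-5")  # assumed fixed offset, no DST


def in_deployment_window(when, allowed_weekdays=ALLOWED_WEEKDAYS,
                         start=WINDOW_START, end=WINDOW_END, tz=WINDOW_TZ):
    """True if the timezone-aware `when` falls in the window, evaluated in `tz`.

    Naive datetimes are rejected so a UTC timestamp is never silently read as local,
    which is the usual way a window check drifts by several hours.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    local = when.astimezone(tz)
    return local.weekday() in allowed_weekdays and start <= local.time() < end


def entry_condition(when):
    """Illustrative condition outcome: ("SUCCEEDED", reason) or ("FAILED", reason)."""
    if in_deployment_window(when):
        return "SUCCEEDED", "inside approved window"
    local = when.astimezone(WINDOW_TZ)
    return "FAILED", (f"{local:%A %H:%M %Z} is outside Mon-Thu "
                      f"{WINDOW_START:%H:%M}-{WINDOW_END:%H:%M}")


def utc(year, month, day, hour, minute=0):
    """Helper to build aware UTC timestamps, as CodePipeline records them."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    # 2024-01-08 is a Monday; 14:00 UTC is 09:00 local, the first allowed minute.
    for stamp in (utc(2024, 1, 8, 14), utc(2024, 1, 8, 22), utc(2024, 1, 12, 15)):
        print(stamp.isoformat(), entry_condition(stamp))
```

The boundary cases matter more than the happy path: the start of the window is inclusive, the end is exclusive, and the weekday is taken from the converted local time rather than from the UTC timestamp, so an evening run that is still Thursday in UTC but already outside work hours locally is correctly refused.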
✅ Why This Matters
With stage-level conditions, you can:
- Reduce manual oversight in production releases
- Automate governance and compliance rules
- Minimize risk while keeping CI/CD fast
- Standardize release safety checks across pipelines
🚀 Final Thoughts
Stage-level conditions in AWS CodePipeline let you bring “shift-left” thinking into your deployments—catching issues early, enforcing rules automatically, and delivering safely.
Next steps:
- Check the AWS CodePipeline documentation for full condition types
- Try adding conditions to one of your existing pipelines
- Combine with rollback strategies for even more resilience