AWS Cloud Operations Blog

How to receive notifications of AWS AppConfig deployment events

AWS AppConfig, a capability of AWS Systems Manager, allows you to quickly and confidently deploy new features using feature flags, or update your software behavior using operational flags, in a safer and validated way. Feature flags help teams move faster by decoupling a deployment of code from the release of a feature. Code can be pushed to production, but hidden behind a feature flag; once the team is ready to release the feature, the flag can be turned on, and the feature can be released to 10% of users, then 20%, and so on. If something goes wrong with the feature, a feature flag operates as a kill switch that can instantly roll back the feature.

In July 2022, AWS announced AWS AppConfig Extensions, a feature which allows users to extend AWS AppConfig’s core functionality by executing additional logic at various points throughout your configuration data’s lifecycle. In this post, I’ll explain how you can use the deployment events notification extension(s) to receive notifications from AWS AppConfig when critical configuration deployment events occur (e.g. a deployment starts, a deployment ends, or a deployment rolls back).

You can leverage AWS AppConfig deployment notifications in a variety of ways. For example, you can set up Amazon Simple Notification Service (SNS), Amazon Simple Queue Service (SQS), or Amazon EventBridge to receive deployment notifications when feature flags are updated. You can also set up a Slack (or other) webhook to send notifications about critical configuration deployments to your operations channel. Let’s dive in.

Configuring the AppConfig deployment events to Amazon SQS extension

This section outlines the steps required to configure AWS AppConfig to send notifications to an Amazon Simple Queue Service (Amazon SQS) queue when critical configuration deployment events occur.

Step 1: Allow AWS AppConfig to send notifications to your SQS queue

  1. Open the Amazon SQS console.
  2. Identify (or create) a target queue to receive deployment notifications from AWS AppConfig.
  3. Choose the target queue.
  4. On the Access policy tab, in the Access policy (Permissions) section, click the Edit button.
  5. Add a statement that grants AWS AppConfig permission to send messages to the target queue.

Here’s an example queue policy statement:

{
  "Sid": "appconfig_notifications",
  "Effect": "Allow",
  "Principal": {
    "Service": "appconfig.amazonaws.com"
  },
  "Action": "SQS:SendMessage",
  "Resource": "arn:aws:sqs:us-east-1:111122223333:NotificationQueue"
}

Figure 1. Creating an SQS Queue in the AWS Management Console

Step 2: Associate the AppConfig deployment events to Amazon SQS extension with your Configuration Profile

  1. Open the AWS AppConfig console.
  2. On the Extensions tab, select the AppConfig deployment events to Amazon SQS extension, then choose Add to resource.
  3. In the Resource type dropdown, choose Configuration Profile.
  4. In the Application dropdown, choose the desired Application.
  5. In the Configuration Profile dropdown, choose the desired Configuration Profile.
  6. Enter the ARN of the target queue as the value of the queueArn parameter.
  7. Choose Create association to resource.

Your Configuration Profile is now configured to send deployment notifications to your target queue. The following steps show you how you can test out the newly configured deployment notifications.

Figure 2. AWS AppConfig console adding notifications via SQS

(Optional) Step 3: Trigger a deployment notification by starting a deployment

  1. Open the AWS AppConfig console.
  2. On the Applications tab, choose the Application from Step 2.
  3. On the Configuration Profiles and Feature Flags tab, choose the Configuration Profile from Step 2.
  4. Choose Start deployment.
  5. Fill out the Deployment details section, then choose Start deployment.

(Optional) Step 4: Receive the deployment notification(s)

  1. Once the deployment from Step 3 completes, open the Amazon SQS console.
  2. Choose the target queue from Step 1.
  3. Choose Send and receive messages.
  4. In the Receive messages section, choose Poll for messages.
  5. In the Messages section, choose the notification message(s).

Here’s an example notification body:

{
  "InvocationId": "1a2b3c4",
  "Parameters": {
    "queueArn": "arn:aws:sqs:us-east-1:111122223333:NotificationQueue"
  },
  "Type": "OnDeploymentComplete",
  "Application": {
    "Id": "1a2b3c4"
  },
  "Environment": {
    "Id": "1a2b3c4"
  },
  "ConfigurationProfile": {
    "Id": "1a2b3c4",
    "Name": "MyProfile"
  },
  "DeploymentNumber": 1,
  "ConfigurationVersion": "1"
}

If your deployment had a duration of zero, then you should only expect to see the deployment completion notification (i.e. type equals OnDeploymentComplete, like in the example above). Otherwise, you should expect to see a deployment started notification (i.e. type equals OnDeploymentStart) when the deployment starts followed by the deployment complete notification when the deployment completes. In either case, you are now notified when critical deployment events occur!

Sending deployment notifications to other target services

In addition to Amazon SQS, AWS AppConfig also supports sending deployment notifications to Amazon Simple Notification Service (Amazon SNS) and Amazon EventBridge out of the box via the AppConfig deployment events to Amazon SNS extension and the AppConfig deployment events to Amazon EventBridge extension, respectively. This section highlights the key differences between configuring the Amazon SQS extension and configuring the Amazon SNS and EventBridge extensions.

AppConfig deployment events to Amazon SNS extension

Similar to the AppConfig deployment events to Amazon SQS extension, in order for the AppConfig deployment events to Amazon SNS extension to work, you must add a statement to your target SNS topic’s access policy that allows AWS AppConfig to publish messages to that topic.

Here’s an example topic policy statement:

{
  "Sid": "appconfig_notifications",
  "Effect": "Allow",
  "Principal": {
    "Service": "appconfig.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-1:111122223333:NotificationTopic"
}
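The SQS queue policy statement and the SNS topic policy statement above both grant a service principal access to a single resource, so a quick audit can confirm the grant stays that narrow. The following is an added example, not code from the original post or from AWS; the function names and the sample policy documents are constructed for illustration.

```python
import json

APPCONFIG = "appconfig.amazonaws.com"
NEEDED = {"sqs": "sqs:sendmessage", "sns": "sns:publish"}  # actions used on this page


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy_json, target_arn):
    """Return findings for Allow statements that name the AppConfig principal."""
    needed = NEEDED[target_arn.split(":")[2]]  # ARN service field: "sqs" or "sns"
    findings, matched = [], False
    for st in as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or APPCONFIG not in services:
            continue
        matched = True
        sid = st.get("Sid", "<no Sid>")
        # IAM action names are case-insensitive, so compare in lower case.
        findings += [f"{sid}: action {a} is not needed for delivery"
                     for a in as_list(st.get("Action", [])) if a.lower() != needed]
        findings += [f"{sid}: resource {r} is not the target ARN"
                     for r in as_list(st.get("Resource", [])) if r != target_arn]
        if len(services) > 1:
            findings.append(f"{sid}: grant is shared with other service principals")
    if not matched:
        findings.append(f"no Allow statement names {APPCONFIG}")
    return findings


# Constructed sample policies: the page's statement, and an over-broad variant.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:NotificationQueue"
STATEMENT = {"Sid": "appconfig_notifications", "Effect": "Allow",
             "Principal": {"Service": APPCONFIG},
             "Action": "SQS:SendMessage", "Resource": QUEUE_ARN}
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [STATEMENT]})
LOOSE = json.dumps({"Version": "2012-10-17",
                    "Statement": [{**STATEMENT, "Action": "SQS:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(audit(GOOD, QUEUE_ARN))
    print(audit(LOOSE, QUEUE_ARN))
```

The same function accepts an SNS topic policy when `target_arn` is the topic ARN, in which case the only expected action is `SNS:Publish`.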

Here’s an example deployment completion notification message:

{
  "InvocationId": "1a2b3c4",
  "Parameters": {
    "queueArn": "arn:aws:sns:us-east-1:111122223333:NotificationTopic"
  },
  "Type": "OnDeploymentComplete",
  "Application": {
    "Id": "1a2b3c4"
  },
  "Environment": {
    "Id": "1a2b3c4"
  },
  "ConfigurationProfile": {
    "Id": "1a2b3c4",
    "Name": "MyProfile"
  },
  "DeploymentNumber": 1,
  "ConfigurationVersion": "1"
}

AppConfig deployment events to Amazon EventBridge extension

Unlike the Amazon SQS and Amazon SNS extensions, you do not need to modify any resource policies to allow AWS AppConfig to send notifications to EventBridge. You will, however, need to create a rule to send the incoming AWS AppConfig notifications to a target.

Note that AWS AppConfig always sends notifications to the default event bus, and there is no way to configure notifications to be sent to a different bus.

To create a rule to send AppConfig notifications to a target

  1. Open the EventBridge console.
  2. In the navigation pane, under Events, choose Rules.
  3. Choose Create rule.
  4. Give the rule a name, then choose Next.
  5. Define the event pattern (see example below), then choose Next.
  6. Configure your target(s), configure any additional rule settings, then choose Create rule.

Here’s an example event pattern that matches critical deployment event notifications:

{
  "source": [ "aws.appconfig" ],
  "detail-type": [
    "On Deployment Start",
    "On Deployment Complete",
    "On Deployment Rollback"
  ]
}

Figure 3. Amazon EventBridge Event Pattern in the EventBridge console

Here’s an example deployment completion notification event:

{
  "version": "0",
  "id": "00000000-1111-2222-3333-444444444444",
  "detail-type": "On Deployment Complete",
  "source": "aws.appconfig",
  "account": "111122223333",
  "time": "1970-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:appconfig:us-east-1:111122223333:extensionassociation/1a2b3c4"
  ],
  "detail": {
    "InvocationId": "1a2b3c4",
    "Parameters": {},
    "Type": "OnDeploymentComplete",
    "Application": {
      "Id": "1a2b3c4"
    },
    "Environment": {
      "Id": "1a2b3c4"
    },
    "ConfigurationProfile": {
      "Id": "1a2b3c4",
      "Name": "MyProfile"
    },
    "DeploymentNumber": 1,
    "ConfigurationVersion": "1"
  }
}
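A consumer that handles both notification shapes shown on this page (the bare body delivered to SQS or SNS, and the EventBridge envelope that nests it under `detail`) can validate each message before acting on it. This is an added example, not code from the original post or from AWS; the function name, the returned field names and the `Type` values for start and rollback events are assumptions.

```python
import json

# Detail-type strings from the event pattern on this page. The bare SQS/SNS body
# carries the same name without spaces in "Type" (shown for Complete; assumed
# here for Start and Rollback).
DETAIL_TYPES = ("On Deployment Start", "On Deployment Complete", "On Deployment Rollback")
KNOWN_TYPES = {d.replace(" ", "") for d in DETAIL_TYPES}


def normalize(raw, account, target_arn=None):
    """Flatten either shape; target_arn is required for bare SQS/SNS bodies."""
    try:
        msg = json.loads(raw)
        body = msg.get("detail", msg)
        if body is not msg:  # EventBridge envelope: the body sits under "detail"
            if msg.get("source") != "aws.appconfig" or msg.get("account") != account:
                raise ValueError("event is not from AppConfig in the expected account")
            if msg["detail-type"].replace(" ", "") != body.get("Type"):
                raise ValueError("detail-type and Type disagree")
        elif target_arn not in body.get("Parameters", {}).values():  # bare body
            raise ValueError("notification names a different target")
        if body.get("Type") not in KNOWN_TYPES:
            raise ValueError("unknown event type")
        return {
            "type": body["Type"],
            "profile": body["ConfigurationProfile"]["Name"],
            "deployment": body["DeploymentNumber"],
            "version": body["ConfigurationVersion"],
            "rollback": body["Type"] == "OnDeploymentRollback",  # worth paging on
        }
    except (AttributeError, KeyError, TypeError) as exc:
        raise ValueError(f"malformed notification: {exc!r}") from exc


# Constructed samples, modelled on the notification bodies shown on this page.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:NotificationQueue"
BODY = {"InvocationId": "1a2b3c4", "Parameters": {"queueArn": QUEUE_ARN},
        "Type": "OnDeploymentComplete", "Application": {"Id": "1a2b3c4"},
        "Environment": {"Id": "1a2b3c4"},
        "ConfigurationProfile": {"Id": "1a2b3c4", "Name": "MyProfile"},
        "DeploymentNumber": 1, "ConfigurationVersion": "1"}
SQS_SAMPLE = json.dumps(BODY)
EVENT_SAMPLE = json.dumps({"source": "aws.appconfig", "account": "111122223333",
                           "detail-type": "On Deployment Complete",
                           "detail": {**BODY, "Parameters": {}}})

if __name__ == "__main__":
    print(normalize(SQS_SAMPLE, "111122223333", QUEUE_ARN))
```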

Cleanup

This section explains how to stop AWS AppConfig from sending deployment notifications, which is accomplished by deleting the association between the deployment notification extension and your Configuration Profile.

To disassociate the notification extension from your configuration profile

  1. Open the AWS AppConfig console.
  2. On the Extensions tab, choose the configured notification extension.
  3. In the Associated resources tab, select your Configuration Profile.
  4. Choose Remove association.
  5. In the popup, choose Delete.

AWS AppConfig will no longer send deployment notifications related to your Configuration Profile.

Conclusion

In this blog post, we explored various deployment notification extensions (Amazon SQS, Amazon SNS, and EventBridge) and how to set them up. With these notifications and webhooks, you can create custom workflows for your team; for example, you can have the notification alert a Slack channel when a deployment completes.

Additional reading:

How do I use webhooks to publish Amazon SNS messages to Amazon Chime, Slack, or Microsoft Teams?

About the authors:

Ben Shumpert

Ben Shumpert is a Software Development Engineer for AWS AppConfig. He is passionate about delivering dynamic configuration solutions that empower customers to make software changes quickly and safely.

Steve Rice

Steve is the Principal Product Manager for AWS AppConfig. He loves building products that improve engineers’ lives, and is obsessed with feature flags and dynamic configuration.