End-to-End QA Scenario

Serverless Release with GitHub Actions, SAM, and CloudWatch Synthetics

GitHub Actions builds a SAM app, deploys with CodeDeploy linear-canary on Lambda aliases, and uses CloudWatch Synthetics canaries as the live QA probe that triggers auto-rollback.

Architecture

GitHub Actions
   ├─ OIDC → AWS
   ├─ sam build && sam deploy --no-confirm-changeset
   │     └─ CFN creates/updates Lambda + alias + API Gateway stage
   ├─ CodeDeploy deployment config: CodeDeployDefault.LambdaLinear10PercentEvery2Minutes
   │     ├─ shifts alias weight in steps
   │     └─ runs PreTraffic + PostTraffic Lambda hooks (smoke + contract tests)
   ├─ CloudWatch Synthetics canary (every 1 min)
   │     ├─ hits prod URL with happy-path script
   │     └─ alarm on 2 consecutive failures
   └─ alarm ─► CodeDeploy auto-rollback ─► GitHub Actions job marked failed
X-Ray traces correlate canary failures with the new Lambda version

Workflow steps

  1.

    Pipeline scaffolding

    Workflow installs SAM CLI, runs `sam validate`, then `sam build --use-container` for reproducible Lambda artifacts.

  2.

    Keyless deploy

    The OIDC role's trust policy pins `token.actions.githubusercontent.com:aud` to `sts.amazonaws.com` and `:sub` to the deploying repository and branch (`repo:ORG/REPO:ref:refs/heads/main`), so no other repository or branch can assume it. Its permissions allow `cloudformation:*` scoped to the SAM stack ARN, `lambda:UpdateAlias` and the other create/update rights CloudFormation needs for the Lambda, alias, API Gateway and CodeDeploy resources in the template (or `iam:PassRole` on a dedicated CloudFormation execution role passed with `--role-arn`), plus read/write on the managed artifact bucket that `--resolve-s3` creates. `sam deploy` runs with `--no-confirm-changeset --resolve-s3`.

  3.

    Linear canary

    The Lambda function's `DeploymentPreference` type is `Linear10PercentEvery2Minutes` (CodeDeploy config `CodeDeployDefault.LambdaLinear10PercentEvery2Minutes`, ten 10 percent steps); the generated AppSpec wires `BeforeAllowTraffic` (contract tests via Pact) and `AfterAllowTraffic` (smoke API calls) to hook Lambdas. Each hook has to report `Succeeded` or `Failed` through `codedeploy:PutLifecycleEventHookExecutionStatus`, and its role needs that permission; a hook that crashes without reporting leaves the deployment waiting until the hook timeout.

  4.

    Live probe

    A CloudWatch Synthetics canary written in Playwright-for-Synthetics hits the production endpoint every minute, logging screenshots to S3 on failure. Because those screenshots capture production pages, the artifact bucket stays private and the canary's execution role gets only the permissions the script needs.

  5.

    Auto-rollback wiring

    The canary's `SuccessPercent < 90` alarm (metric from the `CloudWatchSynthetics` namespace) is listed under the function's `DeploymentPreference.Alarms`, which places it in the CodeDeploy DeploymentGroup's alarm configuration; a breach during the traffic-shifting window (about 18 minutes for ten 10 percent steps) rolls the alias back to the previous version automatically. Two caveats: CodeDeploy only reacts while the deployment is in progress, so the alarm does nothing for regressions that surface after 100 percent of traffic has shifted, and `TreatMissingData` on the alarm should be set deliberately, since a canary that silently stops reporting only triggers rollback if missing data is treated as breaching.

  6.

    Post-deploy gate

    Workflow polls `aws deploy get-deployment` until the status is terminal (`Succeeded`, `Failed` or `Stopped`, never only `Succeeded`, or a rolled-back deploy would make the job poll forever); if `rollbackInfo` is present, the job exits non-zero and opens a GitHub Issue with the X-Ray trace ID of the first failing canary run.

  7.

    Observability

    X-Ray service map shows the new version alongside the old; latency/error breakdown per version pinpoints which code path regressed.
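
The hook from step 3 and the gate from step 6, as an added Python example (not code from the page or from any project it names). It assumes a `NEW_VERSION` environment variable set in `template.yaml` from the function's `.Version` ref, a `/health` route on the new version that answers with a 200, and boto3 clients passed in as arguments; `FakeLambda` and `FakeCodeDeploy` are constructed stand-ins for those clients so the file runs offline, and the rollback message they return is made up.

```python
"""CodeDeploy PreTraffic hook plus post-deploy gate for the linear canary above.

Added example, not the page's or any project's code. Assumed and not on the
page: the hook reads the new version ARN from the NEW_VERSION env var (set in
template.yaml from !Ref ApiFunction.Version), that version answers a GET /health
probe event with {"statusCode": 200}, and the boto3 clients are passed in so the
module also runs offline against the constructed stand-ins at the bottom.
"""
import io
import json
import os
import time

TERMINAL = {"Succeeded", "Failed", "Stopped"}


def probe_new_version(lambda_client, version_arn, probe_event):
    """Invoke the not-yet-live version by its versioned ARN (bypassing the
    alias) and accept only a 200 with no FunctionError."""
    resp = lambda_client.invoke(FunctionName=version_arn, InvocationType="RequestResponse",
                                Payload=json.dumps(probe_event).encode())
    if resp.get("FunctionError"):
        return False
    return json.loads(resp["Payload"].read()).get("statusCode") == 200


def pre_traffic_handler(event, context, lambda_client, codedeploy_client, version_arn=None):
    """BeforeAllowTraffic hook. CodeDeploy hands over DeploymentId and
    LifecycleEventHookExecutionId and waits for put_lifecycle_event_hook_execution_status;
    a hook that raises instead of reporting hangs the deployment until the hook
    timeout, so every exception (including a missing env var) becomes an explicit
    Failed. The hook role needs codedeploy:PutLifecycleEventHookExecutionStatus
    and lambda:InvokeFunction scoped to the versioned ARN."""
    try:
        arn = version_arn or os.environ["NEW_VERSION"]
        ok = probe_new_version(lambda_client, arn, {"httpMethod": "GET", "path": "/health"})
    except Exception:
        ok = False
    status = "Succeeded" if ok else "Failed"
    codedeploy_client.put_lifecycle_event_hook_execution_status(
        deploymentId=event["DeploymentId"],
        lifecycleEventHookExecutionId=event["LifecycleEventHookExecutionId"],
        status=status)
    return status


def wait_for_deployment(codedeploy_client, deployment_id, poll_seconds=15,
                        max_polls=120, sleep=time.sleep):
    """Post-deploy gate: poll get-deployment to a terminal status and report
    whether CodeDeploy rolled back (rollbackInfo on the original deployment
    carries the rollback deployment's id and the reason)."""
    status = None
    for _ in range(max_polls):
        info = codedeploy_client.get_deployment(deploymentId=deployment_id)["deploymentInfo"]
        status = info["status"]
        if status in TERMINAL:
            rb = info.get("rollbackInfo") or {}
            return {"status": status,
                    "rolled_back": bool(rb.get("rollbackDeploymentId")),
                    "rollback_message": rb.get("rollbackMessage"),
                    "error": (info.get("errorInformation") or {}).get("message")}
        sleep(poll_seconds)
    raise TimeoutError(f"{deployment_id} still {status} after {max_polls} polls")


# Constructed stand-ins for the two boto3 clients (offline runs and tests only).
class FakeLambda:
    def __init__(self, status_code=200, function_error=None):
        self.status_code, self.function_error, self.calls = status_code, function_error, []

    def invoke(self, **kwargs):
        self.calls.append(kwargs)
        resp = {"Payload": io.BytesIO(json.dumps({"statusCode": self.status_code}).encode())}
        if self.function_error:
            resp["FunctionError"] = self.function_error
        return resp


class FakeCodeDeploy:
    def __init__(self, deployment_infos=()):
        self.reports, self.infos = [], list(deployment_infos)

    def put_lifecycle_event_hook_execution_status(self, **kwargs):
        self.reports.append(kwargs)
        return {"lifecycleEventHookExecutionId": kwargs["lifecycleEventHookExecutionId"]}

    def get_deployment(self, deploymentId):
        return {"deploymentInfo": self.infos.pop(0)}


if __name__ == "__main__":
    arn = "arn:aws:lambda:us-east-1:123456789012:function:api:7"  # constructed
    cd = FakeCodeDeploy([{"status": "InProgress"},
                         {"status": "Failed", "rollbackInfo": {  # constructed alarm rollback
                             "rollbackDeploymentId": "d-ROLLBACK1",
                             "rollbackMessage": "alarm canary-success in ALARM"}}])
    ev = {"DeploymentId": "d-1", "LifecycleEventHookExecutionId": "h-1"}
    print(pre_traffic_handler(ev, None, FakeLambda(200), cd, version_arn=arn))
    print(wait_for_deployment(cd, "d-1", sleep=lambda s: None))
```

In the real hook the two clients come from `boto3.client("lambda")` and `boto3.client("codedeploy")`; the gate runs in the workflow step after `sam deploy` with the deployment id taken from the CodeDeploy console or `list-deployments`, and `rolled_back` is what decides whether the job exits non-zero and files the issue.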

Key takeaways

  • Synthetics + CodeDeploy: a live probe against production decides the release, not a green CI run.
  • PreTraffic/PostTraffic hooks let you fail the deploy from inside Lambda, with no external orchestrator, as long as each hook reports its status back to CodeDeploy.
  • X-Ray version tagging makes 'which release broke it?' a 30-second answer.