Serverless CI/CD: Deploying Lambda Functions with SAM CLI and AWS CodeBuild

Introduction

Continuous Integration and Continuous Deployment (CI/CD) are essential paradigms in modern software engineering. In serverless environments, these paradigms must be reimagined to accommodate the ephemerality and stateless nature of functions as a service (FaaS). This paper presents an applied methodology for deploying AWS Lambda functions using SAM CLI and AWS CodeBuild in a secure and automated fashion.


Research Objectives

  • Evaluate the efficacy of the SAM CLI in packaging and deploying serverless applications
  • Explore infrastructure-as-code as a foundation for CI/CD
  • Analyze AWS CodeBuild’s capability to automate serverless deployments securely

Architectural Overview

[ GitHub / CodeCommit ]
   |
[ AWS CodeBuild Project (buildspec.yml) ]
   |
[ SAM CLI: Package + Deploy ]
   |
[ CloudFormation Template ]
   |
[ AWS Lambda + API Gateway + IAM Roles ]

All components are provisioned and updated via infrastructure as code, ensuring auditability and reproducibility.


Prerequisites

  • AWS CLI and SAM CLI installed
  • GitHub or CodeCommit repository
  • IAM roles with appropriate permissions
  • A simple Lambda function and template.yaml SAM manifest

Step 1: Define SAM Template

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.lambda_handler
      Runtime: python3.11
      Events:
        HelloAPI:
          Type: Api
          Properties:
            Path: /hello
            Method: get

This declarative format allows deterministic provisioning via CloudFormation.


Step 2: Create buildspec.yml

This file instructs CodeBuild how to perform the build and deploy actions.

version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.11
    commands:
      - pip install aws-sam-cli
  build:
    commands:
      - sam build
  post_build:
    commands:
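      # --resolve-s3 lets SAM use its managed artifact bucket; without a bucket
      # setting (here or in samconfig.toml) a non-guided sam deploy stops with an error
      - sam deploy --stack-name lambda-stack --capabilities CAPABILITY_IAM --region us-east-1 --resolve-s3 --no-confirm-changeset --no-fail-on-empty-changeset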
artifacts:
  files:
    - '**/*'

This ensures each deployment is deterministic, logged, and repeatable.


Step 3: Configure AWS CodeBuild

  • Create a CodeBuild project
  • Connect to your GitHub/CodeCommit repo
  • Specify buildspec.yml
  • Assign a role with AWSLambdaFullAccess, CloudFormationFullAccess, and AmazonS3FullAccess

Step 4: Automate with Webhooks

Enable GitHub webhooks to trigger CodeBuild automatically on every push to main or any branch of your choice. This makes deployments event-driven, not manual.


Observability and Auditability

  • Logs are sent to CloudWatch Logs
  • CloudFormation maintains a complete stack history
  • IAM roles ensure least-privilege access to resources

Security Considerations

  • Avoid embedding secrets in code; use AWS Secrets Manager
  • Implement IAM permissions boundaries on the CodeBuild role, which carries the broad FullAccess policies assigned in Step 3
  • Use parameter overrides during sam deploy to inject secure variables
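
The first and third points combined, as an added example that is not part of the original article: the pipeline passes only the secret's ARN as a parameter override, and the function is granted read access to that one secret. The parameter name ApiSecretArn, the function variable SECRET_ARN and the CodeBuild project variable API_SECRET_ARN are assumptions.

```yaml
# --- template.yaml (added example; ApiSecretArn and SECRET_ARN are assumed names) ---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  ApiSecretArn:
    Type: String
    Description: ARN of the Secrets Manager secret the function reads at runtime
Resources:
  HelloFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.lambda_handler
      Runtime: python3.11
      Environment:
        Variables:
          SECRET_ARN: !Ref ApiSecretArn   # a reference only, never the secret value
      Policies:
        # SAM policy template: secretsmanager:GetSecretValue on this one secret
        - AWSSecretsManagerGetSecretValuePolicy:
            SecretArn: !Ref ApiSecretArn
      Events:
        HelloAPI:
          Type: Api
          Properties:
            Path: /hello
            Method: get
---
# --- buildspec.yml, post_build phase only (install and build stay as in Step 2) ---
# API_SECRET_ARN is an assumed plaintext environment variable on the CodeBuild project;
# the ARN is not sensitive, so nothing secret reaches build logs or stack parameters.
version: 0.2
phases:
  post_build:
    commands:
      - >-
        sam deploy --stack-name lambda-stack --capabilities CAPABILITY_IAM
        --region us-east-1 --resolve-s3
        --no-confirm-changeset --no-fail-on-empty-changeset
        --parameter-overrides "ApiSecretArn=$API_SECRET_ARN"
```

The handler then fetches the value at runtime with the Secrets Manager GetSecretValue API, so the secret itself never appears in the repository, the build environment or the CloudFormation stack.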

Limitations and Trade-offs

While SAM and CodeBuild streamline deployments, larger monorepos or multi-region deployments may benefit from CodePipeline or third-party orchestrators like GitHub Actions or Spinnaker. However, the presented method strikes a balance between simplicity and enterprise-readiness.


Conclusion

By combining AWS SAM CLI with CodeBuild, teams can construct robust, serverless CI/CD pipelines that are secure, automated, and scalable. This approach aligns with cloud-native principles and demonstrates how infrastructure-as-code can operationalize Lambda deployments with academic rigor and production-grade reliability.


Atiqur Rahman

I am MD. Atiqur Rahman, a BUET graduate and an AWS-certified solutions architect. I have successfully achieved 6 certifications from AWS, including Cloud Practitioner, Solutions Architect, SysOps Administrator, and Developer Associate. I have more than 8 years of working experience as a DevOps engineer designing complex SaaS applications.
