DEV Community: Navapon

Amazon Q x GitHub Actions: Enhancing Your CI/CD Pipeline with Generative AI

Navapon — Mon, 26 Jan 2026 18:01:56 +0000

Introduction

Modern CI/CD pipelines face a major bottleneck—slow manual code reviews, delayed security feedback, and the dreaded cost of context switching.

Let’s be honest: as humans, we have limits. As a reviewer, you have to mentally juggle code quality, style guidelines, security implications, and readability. And that’s on top of your actual job: solving complex real-world problems, managing new projects, and surviving endless team meetings.

Imagine having an intelligent automation layer that acts as the "first line of defense." A smart assistant that reviews the code before you do, catching the low-hanging fruit so you can focus on the logic.

Enter Amazon Q Developer ( via GitHub Apps). It is an AI assistant that lives directly within your development environment, from your IDE to your GitHub Pull Requests.

In this post, I’ll explain how integrating Amazon Q with GitHub Actions can streamline development, automate mundane tasks, and significantly enhance security (DevSecOps) and software quality.

Getting Started: Installation

Setting this up is surprisingly simple. We don't need complex YAML configurations yet; we just need the GitHub App.

Install the App: Go to the Amazon Q Developer GitHub Marketplace page and click install.
Verify Installation: Once authorized, that’s it! Everything is set. To make sure it was installed successfully, check your repository settings; you should see the app listed like this:

Note: The GitHub App requires permission to access your repository. You can choose to apply it to "All repositories" or select specific ones. It needs Read/Write access to function correctly.

Core Capabilities in the Pipeline

There are two main "Agents" that Amazon Q brings to your GitHub workflow. Let's look at them:

1. Amazon Q Agent for Software Development (From Issue to PR)

This agent can actually take a GitHub Issue description and write the code for you. While this blog focuses on the review aspect, this feature is incredibly powerful for scaffolding or boilerplate tasks.
I do not use these features often, mostly if I would like to do this stuff will do it at my cli by using claude code or kiro-cli.

If you are interested, you can learn more here: Amazon Q Developer User Guide

2. Amazon Q Agent for Code Review (Automated PR Scanning)

This is where the magic happens for the pipeline. When you open a Pull Request (PR), Amazon Q automatically scans your changes and performs a review based on several criteria.

Here are the key features:

Security Scanning (DevSecOps)

It detects vulnerabilities (CVEs), hardcoded secrets, and anti-patterns. This is crucial for a "Shift Left" strategy—catching security flaws before they ever reach a staging environment.

Code Quality & Refactoring

I once spent 20 minutes staring at a "bug" only to realize I had misspelled a variable name that my tired eyes missed. We've all been there. Amazon Q catches these simple typos and redundant logic instantly. It explains why the code is bad and how to improve it. This helps the PR creator self-review and fix issues before asking a human teammate to step in.

Interactive Review

If you need a fresh look after making fixes, you don't have to wait. You can interact with the bot using comments like /q review to request specific feedback or trigger a full re-scan.

Pro Tip: You can also apply the commit suggested by Amazon Q directly from the GitHub Console or your IDE with a single click.

Customize your own System Project Prompts

Tailor Amazon Q to your team's needs! Define custom coding standards in simple Markdown files in the project-root/.amazonq/rules directory. Amazon Q automatically follows your guidelines, ensuring consistent code quality across your entire project. Learn more

The DevSecOps Advantage

Shift Left Security: We catch vulnerabilities during the PR phase, long before deployment.
The 24/7 Reviewer: AI doesn't get "tired." It enforces consistent coding standards across every PR, whether it's 2 PM or 2 AM.
Efficiency at Scale: In my observation, this tool filters out about 30-40% of trivial comments (syntax, style, simple bugs). This frees up senior engineers to focus purely on high-level architecture and business logic, rather than acting as a glorified spell-checker.

Limitations & Best Practices

Human in the Loop: Always remember that AI is an assistant, not a replacement (yet). Suggestions must still be reviewed by a human. Additionally, Unit/Integration tests and other dynamic/static tools in your CI pipeline remain mandatory.
Context Limits: Be aware that very large files or massive PRs might hit context limits. I faced this often earlier in 2025, but since November 2025, I've noticed significant improvements and haven't hit the limit recently.

If you are facing limitations or need troubleshooting, you can check the official guide here.

Conclusion

Amazon Q isn't just a chatbot; it's an active participant in your workflow. It feels like having a Full Stack Senior Engineer sitting right next to you (or inside your pipeline), providing instant feedback.

I believe this type of automation will soon become the industry standard. With multiple AI agents aware of different pillars—Security, Quality, Performance, Cost, etc.—we can ensure our code is production-ready faster than ever.

You guys can simply install the Amazon Q GitHub App today and let your first AI code review happen automatically.

I’d love to hear from you: How are you using AI tools to help your pipeline automation? Let me know in the comments!

Why Your AWS GuardDuty Data Isn't Showing Up in Microsoft Sentinel (And How to Fix It)

Navapon — Fri, 16 Jan 2026 05:13:30 +0000

The silent killer: KMS encryption blocking your SIEM integration with zero error logs

If you're integrating AWS GuardDuty with Microsoft Sentinel and your findings are mysteriously disappearing into the void, you're not alone. I spent hours debugging this issue, only to discover it was a KMS encryption permission problem — with absolutely no error logs to point me in the right direction.

Here's what happened and how I resolved the issue.

TL;DR

Problem: GuardDuty findings not appearing in Microsoft Sentinel, no error logs.

Cause: GuardDuty exports are KMS-encrypted, and Sentinel's IAM role lacks kms:Decrypt permission.

Solution: Add kms:Decrypt permission for your KMS key(s) to your Sentinel OIDC role.

The Setup

I was setting up Microsoft Sentinel to ingest AWS GuardDuty findings for centralized security monitoring. The architecture looked like this:

Everything seemed configured correctly:

GuardDuty export to S3 was enabled
S3 bucket permissions were set
S3 Event notification sends a message to SQS
Sentinel data connector was configured
SQS permissions were set allow s3 event publish the message
The SQS metric Number Of Messages Received show message was consumed
OIDC role for Sentinel had SQS consume permissions

But no data or table appeared in Sentinel. None. Zero. Zilch.

The Frustrating Part: No Errors

Here's what made this particularly painful to debug — there were no error logs anywhere.

I checked:

AzureDiagnostics table in Log Analytics — nothing
Sentinel data connector health — showed "connected"
SQS — Sentinel was consume the message fine
Request help from AWS Support confirm the message was consume specific role

Operation=ReceiveMessage
LPRemoteIpAddress=XX.XX.XXX.XX
AwsUserPrincipal=AROAXXXXXXXXXXXX:MicrosoftSentinel_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
MessageIds=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AWSQueryStatusCode=200
RequestId=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
VisibilityTimeout=300
Queue.names=sentinel-soc-guardduty
ReceiveWaitTime=3000
RequesterUserARN=arn:aws:sts::XXXXXXXXXXXX:assumed-role/OIDC_aws-sentinel-oidc-role-guardduty/MicrosoftSentinel_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AwsUserArn=arn:aws:sts::XXXXXXXXXXXX:assumed-role/OIDC_aws-sentinel-oidc-role-guardduty/MicrosoftSentinel_XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
AwsAccessKeyId=ASIAXXXXXXXXXXXX
EndTime=Wed, 14 Jan 2026 10:28:43 UTC

The data was just silently disappearing. It's like Sentinel was reading the message, shrugging, and moving on without telling anyone.

The Root Cause: KMS Encryption

After way too much troubleshooting, I finally figured it out.

When you configure GuardDuty to export findings to S3, you can (and should) enable encryption. AWS lets you use a KMS key for this:

The problem? The GuardDuty finding files are encrypted with KMS, and Sentinel couldn't decrypt them.

Here's what was happening:

GuardDuty writes findings to S3, encrypted with KMS
S3 Event Notification sends a message to SQS
The message in SQS was encrypted with KMS
Sentinel's OIDC role consumes the message from SQS (this works fine)
Sentinel tries to read the file contents — but they're encrypted
Sentinel can't call kms:Decrypt because it doesn't have permission
Sentinel silently fails and moves on
No error is logged anywhere

The fact that there's no error logging for this scenario is... frustrating, to say the least.

The Fix

The solution is simple once you know the problem: add kms:Decrypt permission to your Sentinel OIDC role.

Add this statement to your Sentinel IAM role's policy:

{
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": [
        "arn:aws:kms:YOUR-REGION:YOUR-ACCOUNT-ID:key/YOUR-KMS-KEY-ID"
    ],
    "Effect": "Allow"
}

For example, my configuration needed:

{
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": [
        "arn:aws:kms:ap-southeast-1:12345678:key/12345678",
    ],
    "Effect": "Allow"
}

Step-by-Step

Find your KMS key ARN — Go to GuardDuty → Settings → Findings export options. The KMS key ARN is displayed there.
Find your Sentinel OIDC role — This is the role you created when setting up the AWS data connector in Sentinel. Mine was named OIDC_aws-sentinel-oidc-role-guardduty.
Update the IAM policy — Go to IAM → Roles → Your Sentinel role → Edit the attached policy → Add the kms:Decrypt permission for your KMS key(s).
Test the integration — Generate a sample finding in GuardDuty and wait 5-10 minutes. Check Sentinel with this KQL query:

AWSGuardDuty
| limit 10

Things to Remember

KMS key must be in the same region as your S3 bucket. AWS enforces this, so it shouldn't be an issue if your export is already working.

You might have multiple KMS keys. If you've changed keys or have different configurations, make sure all relevant keys are included in the policy.

The error won't show up in AzureDiagnostics. I wish I could tell you to look for a specific error, but there isn't one. If your GuardDuty data isn't appearing and everything else looks correct, check KMS permissions.

Related:

How to make AWS Infrastructure As Click to Code with AmazonQ

Navapon — Tue, 10 Dec 2024 15:37:59 +0000

We can't be denied due to some use cases, like the poc phase or exploring how it works and what I could configure. After we understand and make things work, we would like to manage it as code properly for readability, trackability, and maintainability.

This blog post will show you what AWS Services are supported to help you click and export from Console to Code.

There are 2 Services I would like to talk about

Console-to-Code

The Console-To-Code, powered by Amazon Q Developer, Thas has announcement that as of October 10, 2024, it is generally available for EC2, VPC, and RDS.

Let's see how it works.

Get start

First, you need to go to the AWS Console. In this case, I will give an example of Using the RDS service.

Open the RDS Console. Click on the right-top corner, and Click Start Recording

I will proceed to create an AuroraSQL Serverless instance. Let's see what the result of that

The console-to-code is recording my actual actions. The result turns into the aws-cli command. Also, cloud formation and AWSCDK are powered by AmazonQ. But there is no Terraform. :( No problem; we will convert that thing to Terraform. Let's see how it is doing. Below is the cli command I got from there.

aws rds create-db-cluster --engine "aurora-postgresql" --engine-version "15.4" --engine-lifecycle-support "open-source-rds-extended-support-disabled" --engine-mode "provisioned" --db-cluster-identifier "database-1" --vpc-security-group-ids "sg-xxxxxxxxx" --port "5432" --db-cluster-parameter-group-name "default.aurora-postgresql15" --database-name "rds_aurora_console_to_code" --master-username "postgres" --preferred-backup-window 'null' --preferred-maintenance-window 'null' --backup-retention-period "7" --kms-key-id 'null' --db-subnet-group-name "default-vpc-xxxxxxxxxxx" --availability-zones 'null' --enable-cloudwatch-logs-exports "postgresql" --pre-signed-url "" --backtrack-window 'null' --scaling-configuration 'null' --domain 'null' --domain-iam-role-name 'null' --allocated-storage 'null' --iops 'null' --option-group-name 'null' --storage-throughput 'null' --storage-type "aurora" --db-cluster-instance-class 'null' --network-type 'null' --serverless-v2-scaling-configuration '{"MinCapacity":0.5,"MaxCapacity":1}' --performance-insights-kmskey-id 'null' --performance-insights-retention-period "465" --monitoring-interval "0" --database-insights-mode "advanced"

Sadly but understandable, we could not use the result generated by AmazonQ yet to make it work. What I have done is the following

remove all keys with a null value
added missing parameters --enable-performance-insight
added missing parameters --manage-master-user-password

Here is the worked version that has been modified

aws rds create-db-cluster \
  --engine "aurora-postgresql" \
  --engine-version "15.4" \
  --engine-lifecycle-support "open-source-rds-extended-support-disabled" \
  --engine-mode "provisioned" \
  --db-cluster-identifier "rds-aurora-console-to-code" \
  --vpc-security-group-ids "sg-xxxxxxxx" \
  --port "5432" \
  --db-cluster-parameter-group-name "default.aurora-postgresql15" \
  --database-name "rds_aurora_console_to_code" \
  --master-username "postgres" \
  --manage-master-user-password \
  --backup-retention-period "7" \
  --db-subnet-group-name "default-vpc-xxxxxxxx" \
  --enable-cloudwatch-logs-exports "postgresql" \
  --pre-signed-url "" \
  --storage-type "aurora" \
  --serverless-v2-scaling-configuration '{"MinCapacity":0.5,"MaxCapacity":1}' \
  --enable-performance-insights \
  --performance-insights-retention-period "465" \
  --monitoring-interval "0" \
  --database-insights-mode "advanced"

Let's make it work with Terraform. I copied the above command asking my AmazonQ.

The Q responded with very long instructions and told me what I had to do; for a demo, I just needed to make it quick, so I prompted AmazonQ

Please create what you told me via bash scripts below what I got

#!/bin/bash
# setup_aurora.sh

# Create directory for the project
mkdir -p aurora_terraform
cd aurora_terraform

# Create main.tf
cat > main.tf << 'EOF'
provider "aws" {
  region  = var.aws_region
  version = "5.80"
}

resource "aws_rds_cluster" "aurora_cluster" {
  cluster_identifier        = var.cluster_identifier
  engine                   = "aurora-postgresql"
  engine_version           = "15.4"
  engine_mode              = "provisioned"
  database_name            = var.database_name
  master_username          = var.master_username
  manage_master_user_password = true

  vpc_security_group_ids   = [var.security_group_id]
  db_subnet_group_name     = var.db_subnet_group_name
  port                     = var.port

  db_cluster_parameter_group_name = var.db_cluster_parameter_group_name
  backup_retention_period  = var.backup_retention_period

  storage_type = "aurora"

  serverlessv2_scaling_configuration {
    min_capacity = 0.5
    max_capacity = 1.0
  }

  enable_cloudwatch_logs_exports = ["postgresql"]

  enable_performance_insights = true
  performance_insights_retention_period = 465

  monitoring_interval = 0
}

resource "aws_rds_cluster_instance" "aurora_instance" {
  cluster_identifier        = aws_rds_cluster.aurora_cluster.id
  instance_class           = "db.serverless"
  engine                   = aws_rds_cluster.aurora_cluster.engine
  engine_version           = aws_rds_cluster.aurora_cluster.engine_version
  performance_insights_enabled = true
}
EOF

# Create variables.tf
cat > variables.tf << 'EOF'
variable "aws_region" {
  description = "AWS region"
  type        = string
  default     = "us-west-2"
}

variable "cluster_identifier" {
  description = "The identifier for the RDS cluster"
  type        = string
  default     = "rds-aurora-console-to-code"
}

variable "database_name" {
  description = "The name of the database to create"
  type        = string
  default     = "rds_aurora_console_to_code"
}

variable "master_username" {
  description = "Username for the master DB user"
  type        = string
  default     = "postgres"
}

variable "security_group_id" {
  description = "VPC Security Group ID"
  type        = string
  default     = "sg-09dfbfb45a551f09a"
}

variable "db_subnet_group_name" {
  description = "Name of DB subnet group"
  type        = string
  default     = "default-vpc-08b0f21ff827d6b88"
}

variable "port" {
  description = "The port on which the DB accepts connections"
  type        = number
  default     = 5432
}

variable "db_cluster_parameter_group_name" {
  description = "Name of the DB cluster parameter group"
  type        = string
  default     = "default.aurora-postgresql15"
}

variable "backup_retention_period" {
  description = "The days to retain backups for"
  type        = number
  default     = 7
}
EOF

# Create outputs.tf
cat > outputs.tf << 'EOF'
output "cluster_endpoint" {
  description = "The cluster endpoint"
  value       = aws_rds_cluster.aurora_cluster.endpoint
}

output "cluster_reader_endpoint" {
  description = "The cluster reader endpoint"
  value       = aws_rds_cluster.aurora_cluster.reader_endpoint
}

output "cluster_identifier" {
  description = "The RDS cluster identifier"
  value       = aws_rds_cluster.aurora_cluster.cluster_identifier
}

output "database_name" {
  description = "The database name"
  value       = aws_rds_cluster.aurora_cluster.database_name
}

output "port" {
  description = "The database port"
  value       = aws_rds_cluster.aurora_cluster.port
}

output "master_username" {
  description = "The master username for the database"
  value       = aws_rds_cluster.aurora_cluster.master_username
}
EOF

# Create terraform.tfvars (optional - for custom values)
cat > terraform.tfvars << 'EOF'
aws_region = "us-west-2"
cluster_identifier = "rds-aurora-console-to-code"
database_name = "rds_aurora_console_to_code"
master_username = "postgres"
security_group_id = "sg-09dfbfb45a551f09a"
db_subnet_group_name = "default-vpc-08b0f21ff827d6b88"
port = 5432
db_cluster_parameter_group_name = "default.aurora-postgresql15"
backup_retention_period = 7
EOF

# Make the script executable
chmod +x setup_aurora.sh

# Initialize and apply Terraform (uncomment these lines if you want automatic execution)
# terraform init
# terraform plan
# terraform apply -auto-approve

echo "Terraform configuration files have been created successfully!"
echo "To deploy the infrastructure:"
echo "1. Review and modify terraform.tfvars if needed"
echo "2. Run: terraform init"
echo "3. Run: terraform plan"
echo "4. Run: terraform apply"

I have followed the created scripts and run them, and the result that I got and have to fix is

wrong regions
missing provider version
some parameters do not exist in terraform checked at document or using VSCODE Terraform Plugins will show the error on line

After that fixed things, run terraform init, terraform plan, terraform apply it working !!

We have three instances with three different approaches to operate with it. I will talk about the other service later. I don't need to blog for too long.

All resources that are generated are available here

Things to Know and Consider
Here are a few things you should consider while using AWS Console-to-Code:

Anyone can use AWS Console-to-Code to generate AWS CLI commands for their infrastructure workflows. The code generation feature for AWS CDK and CloudFormation formats has a free quota of 25 generations per month, after which you will need an Amazon Q Developer subscription.

You should test and verify the generated IaC code code before deployment.

At GA, AWS Console-to-Code only records actions in Amazon EC2, Amazon VPC, and Amazon RDS consoles. The Recorded actions table in AWS Console-to-Code only displays actions taken during the current session within the specific browser tab. It does not retain actions from previous sessions or other tabs. Note that refreshing the browser tab will result in losing all recorded actions.

Conclusion

As you can see, the embedded service of console-to-code helps us quickly get an idea and convert it to code for what you are good at. Even if it does not copy and paste 100%, there is much stuff that can help us reduce time and crafting based on the result generated to ensure it is ready for production grade and can work with your organization. Unfortunately, this thing is relatively new and only supports a few services. Let's see what AWS will implement in the future.

Reference

AWS BlogPost

Crafting a Custom SAM Template for Your AWS Lambda Function, Resource, and Operations

Navapon — Tue, 10 Dec 2024 10:49:11 +0000

Nowadays, Serverless is widely adopted. The AWS Lambda Helps your organization focus on just the Code that needs to be done for business purposes.

Boost up development speed and do not need to handle infrastructure and operations.

On the first days of the development process, we might do it via console, write your code, and trigger; oh, that's working, and my job is done.

But as time passed, the System got more and more complex to many resources, and there are many stuff to be concerned about like code quality, Deployment Operation, Security, and Dependency of your code. There is a variety of tools that help you develop and deploy lambda to AWS, like serverless framework and terraform

Today, I would like to introduce and recommend AWS SAM to help you customize your organization lambda and resources standard embedded with CICD. These valuable tools help you standardize.

AWS SAM

AWS SAM is the native tools that help manage and handle serverless components and resources with predefined template powered by Cloudformation and cookiecutter that allow you to quickstart project with templates base on different use-case Before going to craft with custom template on your own I will show you how to get start working with aws predefined template first

Pre-requisites before getting start

brew install aws-sam-cli
sam init

After using the init command, the prompt will respond by pressing 1. All templates will be displayed. You can select a suitable one by following the prompt instructions.

Crafting Custom SAM Template

I would not like to explain how Sam works, just focusing on creating a custom template and working with sam-cli. Feel free to learn more about SAM here

Alright, let's get started.

Template Structure

The Template structure itself looks like the one below.

├── LICENSE
├── README.md
├── cookiecutter.json
├── template1
|  ├── cookiecutter.json
|  ├── hooks
|  |  ├── post_gen_project.py
|  |  └── pre_gen_project.py
|  └── {{cookiecutter.project_slug}}
|     ├── src
|     └── template-local.yaml
└── template2
   ├── cookiecutter.json
   ├── hooks
   |  ├── post_gen_project.py
   |  └── pre_gen_project.py
   └── {{cookiecutter.project_slug}}
      ├── src
      └── template-local.yaml

directory: 8 file: 11

cookiecutter.json at the top level will prompt the user to choose a template with the following configuration.

{
  "template": [
    "Lambda Stand Alone (./template1)",
    "Lambda with Scheduler (./template2"
  ]
}

The cookiecuuter.json at the second level will configure the prompt the user needs to follow and enter the appropriate value based on what you need to input.

Example

{
  "project_name": "Your Git Repository Name",
  "project_slug": "{{ cookiecutter.project_name.lower().replace(' ', '_').replace('_','-') }}",
  "run_time": [
    "nodejs22.x",
    "python3.13",
    "java21",
    "go1.x"
  ],
  "project": [
    "project1",
    "project2",
    "project3"
  ],
  "project_description": "Tell more about Project Description",
  "ownership_team": [
    "teamA",
    "teamB",
    "teamC"
  ],
  "squad": [
    "squadA",
    "squadB",
    "squadC"
  ],
  "ownership_name": "",
  "github_user": "",
  "__prompts__": {
    "project_name": "Type your Github Repository Project Name.",
    "project_slug": "Auto converting name convention to be is that ok ?",
    "run_time": "Lambda Runtime Language.",
    "project": "This Lambda is part of which project.",
    "project_description": "What is the primary purpose of this service.",
    "ownership_team": "Select Projects Belong to which team.",
    "ownership_name": "Your Name Please.",
    "squad": "This project belongs to which Squad.",
    "github_user": "Your GitHub username see at github.com/yourprofilename"
  }
}

The above variables can be accessed by using {{ cookiecutter.variables_name }} like {{ cookiecutter.project_slug }} for get dynamic inputs from user to the templates

Template example

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Lambda {{ cookiecutter.project_slug }} Sandbox/SIT Environment stack belong to {{ cookiecutter.ownership_team }} Team own by {{ cookiecutter.ownership_name }}

Parameters:
  FunctionName:
    Type: String
    Default: "{{ cookiecutter.project_slug}}"
    Description: FunctionName inject params name conventions {repository-name}-{env} from workflows
  FunctionDescription:
    Type: String
    Default: >
      {{ cookiecutter.project_description }}
      This service created by team {{ cookiecutter.ownership_team }} [{{ cookiecutter.ownership_name }}]
    Description: Function Description Show at lambda
  Project:
    Type: String
    Default: "{{ cookiecutter.project }}"
  Team:
    Type: String
    Default: "{{ cookiecutter.ownership_team }}"
  Environment:
    Type: String
    Default: "sandbox"
  OwnershipName:
    Type: String
    Default: "{{ cookiecutter.ownership_name }}"
  DataClassification:
    Type: String
    Default: "confidential"
  Squad:
    Type: String
    Default: "{{ cookiecutter.squad }}"

Globals:
  Function:
    Timeout: 15
    Tracing: Active
  Api:
    TracingEnabled: true

Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Ref FunctionName
      Description: !Ref FunctionDescription
      CodeUri: ./src
      Handler: app.lambdaHandler
      PackageType: Zip
      Runtime: "{{ cookiecutter.run_time }}"
      MemorySize: 256
      Timeout: 15
      Architectures:
        - "arm64"
      Role: arn:aws:iam::{{ cookiecutter.aws_account_id }}:role/lambda-role/{{ cookiecutter.project_slug }}-role
      # Also AWS Parameter and Secrets help you handle secrets value example here
      # https://aws.amazon.com/blogs/compute/using-the-aws-parameter-and-secrets-lambda-extension-to-cache-parameters-and-secrets/
      Layers:
        - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension-Arm64:20"
        - !Sub "arn:aws:lambda:${AWS::Region}:044395824272:layer:AWS-Parameters-and-Secrets-Lambda-Extension-Arm64:12"
      Environment:
        Variables:
          ENV_NAME: "ENV_VALUE"
      Tags:
        Name: !Ref FunctionName
        Description: !Ref FunctionDescription
        Project: !Ref Project
        Team: !Ref Team
        Environment: !Ref Environment
        OwnershipName: !Ref OwnershipName
        DataClassification: !Ref DataClassification
        Squad: !Ref Squad
      # VpcConfig:

The above is a SAM template to configure binding value with cookiecutter. You can add more resources like eventbridge-scheduler,api-gateway and more and customize the configuration that matches your purpose of the template

More than that, the cookiescutter template itself is supported by the hooks events. You can code with Python and manage whatever you need via hooks. Look more here

I have create the simple template feel free to look at it here

How to work with your crafted template

It is very easy to access the custom template by following the command.

sam init -l your-folder # Template location (git, mercurial, http(s), zip, path).
sam init -h # for look more option

# Example

sam init -l git@github.com:Navapon/custom-sam-template.git

The results Is below.

Conclusion

Just give you an idea of how to implement a template for serverless in your organization; you can create multiple cases and embed the practice of your organization to the template like pre-commit, cicd, lambda-layer-secret, lambda-layer-powertools and more

I hope this Blog will help you create your custom template to help the team focus on the code and get all the good practices that your organization followed the same standardization.