0
votes

I am new to VSTS. I am deploying Azure services with PowerShell using VSTS Release Management. Now, on the dev environment, everything goes well. I want to deploy to the client's production subscription. The client won't allow the dev team access to the production subscription. In that case, I have cloned the dev environment pipeline and named it Prod. I am using a config file for each environment. The client doesn't want to check in the config file of the Prod environment. My question is: how do I populate the config file in the Prod pipeline? First I thought of copying the config file directly into the drop folder (on the VSTS agent VM), but if a developer also has access to the private agent, then the config is still in the developers' hands. We can't use multiple agents somehow. Is there any specific way or VSTS security where we set some access permission? Is there any location where we can put the file and use it in VSTS?

If somebody doesn't understand the question, please ask me and I will explain in detail.

3
What's the detailed type of the Azure services you are trying to deploy (such as a web app, etc.)? And can you use the Azure App Service Deploy task instead? What's the config file, and can you show the configuration of your release definition? And finally, is it OK for you to store the file in a separate git repo, so that you can access the file from any release environment? - Marina Liu
I am deploying a web app, storage, database, Stream Analytics, Data Factory, etc. I am deploying using PowerShell and creating the config just to supply required values to the PowerShell script, like storage name, resource group name, etc. My concern is about how I can restrict developers from executing a release to Production. - Rohi_Dev_1.0
Is there any way of securing the drop folder? I am currently creating 2 agents in the same VM. But if a developer logs into that VM, they should not be able to access the drop folder of an agent which they don't have access to. Can I do something like this? - Rohi_Dev_1.0
You can manage the production environment in a separate release definition and set permissions for this separate release definition. Is it a solution for you to deal with the situation? - Marina Liu

3 Answers

1
votes

We have a similar situation where developers are not allowed to access prod. To solve the problem, we've created a Dev and a Prod project. Developers set up the production project initially, but are now denied access entirely using Azure DevOps security groups. Only our Ops group has access to prod, including the repo that the config files are stored in.

To get things from Dev to Prod, we have a third project for our build engineering team that has scripts to promote artifacts from Dev to Prod. This team is neither Dev nor Ops and the promotion pipelines that we use to promote artifacts require approvals.

0
votes

Looks like all you need is to create a new git repo and add the file that you would like to use. After that, just add the git repo in any release where you want to use it by adding a new artifact, selecting the git option under "Source type", and selecting the name of your repo in the "Source (repository)" dropdown.

0
votes

You can use Secure files to manage the config file.
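
A sketch of how a deployment script could consume a config delivered as a secure file, as an added example that is not part of the original answers. It assumes the config is a JSON object; the `-ConfigPath` parameter and the key names `ResourceGroupName` and `StorageAccountName` are hypothetical, with the pipeline expected to pass in the path of the file downloaded by a "Download secure file" step.

```powershell
# Added example: consume a production config delivered as a secure file.
param(
    # Hypothetical parameter: the pipeline passes the path that the
    # "Download secure file" step reports for the downloaded file.
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath
)

$ErrorActionPreference = 'Stop'

# Hypothetical key names, standing in for the values the deployment needs.
$requiredKeys = @('ResourceGroupName', 'StorageAccountName')

if (-not (Test-Path -LiteralPath $ConfigPath -PathType Leaf)) {
    throw 'Config file was not found at the path supplied by the pipeline.'
}
$resolved = (Resolve-Path -LiteralPath $ConfigPath).Path

# Reject a config that comes from the sources or the artifact drop, where
# anyone who can publish an artifact could have planted or read it.
foreach ($name in 'BUILD_SOURCESDIRECTORY', 'SYSTEM_ARTIFACTSDIRECTORY') {
    $root = [Environment]::GetEnvironmentVariable($name)
    if ([string]::IsNullOrWhiteSpace($root)) { continue }
    $root = [IO.Path]::GetFullPath($root).TrimEnd('\', '/') + [IO.Path]::DirectorySeparatorChar
    if ($resolved.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Config must not be loaded from $name."
    }
}

# Assumption: the config is a JSON object.
$config = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json

$missing = @($requiredKeys | Where-Object {
    $prop = $config.PSObject.Properties[$_]
    (-not $prop) -or [string]::IsNullOrWhiteSpace([string]$prop.Value)
})
if ($missing.Count -gt 0) {
    throw "Config is missing required keys: $($missing -join ', ')"
}

# Log key names only, never values, so release logs do not leak the config.
Write-Host ("Loaded config keys: " + (($config.PSObject.Properties.Name) -join ', '))

# Return the object for the rest of the deployment script to use.
$config
```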