6
votes

My team uses TeamCity for continuous integration. It will build, test and deploy web applications via Web Deploy to dev and qa web servers. The tricky part is deploying to a production web server - our policy dictates that developers cannot deploy to production, only a system administrator can.

Our current approach is to have TeamCity build a web deployment package, which the administrator can download and install on the production web server. However, we'd like to allow them to simply click "Run" on a build configuration, but we're not sure how to secure that button.

We could create a TeamCity project that only administrators have access to, but we also have to address Web Deploy security. The Web Deploy service needs to be authenticated with a local admin account on the production server. We don't want developers having access to the username/password in a build script, nor do we want every build agent running as this account since developers could create a build that uses it to deploy to production.

I've haven't had much luck finding resources on TeamCity security/deployment best practices, but I can't imagine we're the only company in this situation. How do others manage automated deployment security?

1
Had better luck on serverfault - serverfault.com/questions/323047/…jrummell
You can then close this question from here.Arpit

1 Answers

1
votes

First of all auto deployment on live server is not a good idea. Deployments should be automated till staging. If you still want to do it, ez, short and secure way is to use Ant script. Write a short script to use SSH or sftp and deployment is done. You can create two profiles for your project and add an extra step in "Build steps" for Pro deployment by admin.