We have an Azure Function and an Azure DevOps Pipeline; the pipeline builds and publishes the code of the function's repo automatically. We want to avoid discrepancies caused by, potentially, people manually publishing a version of the code from within their Visual Studio that is not in source control.
How can we ensure that?
Is there a way to disable manual publishing and only allow the Azure DevOps Pipeline to publish code to the function?
I am referring to a person using the "Publish" option in Visual Studio. Is there a way to forbid the Azure function from accepting such a publish?
The way to stop manual changes to the build, YAML files and pipeline would be to restrict access to the build section of the pipeline for all the users.
This way no one will be able to change the pipeline but the admin user will still have access to the pipeline.
To set the permission we have to go to manage security which is under the pipeline tag.
Then we can select the permission for the users.
Here each tag represents a permission. Since we want to stop manual deployment we would set Edit build pipeline and Edit quality pipeline to deny.
These permissions can be set for individuals as well as security group.
Reference: permissions in DevOps.
Background:
Our team has removed sensitive information from code and configuration files, instead placing values in Azure KeyVault with Azure DevOps variables collections associated. This effectively prevents users from seeing variables in code, and values in the variables collection, but it does not limit values being written to build/release logs.
Question:
What options are available for (1) excluding access to build/release logs and (2) restricting pipeline editing?
Correction: Values are written to the logs, but values coming from Key Vault are masked as *** values. This resolves our problem, but the overarching question remains.
I am afraid that there is no such method that could only exclude access to build and release logs.
Based on your requirements, you could try to restrict the following permission.
For Build Pipeline, you could limit the View builds and Edit build pipeline.
Then the user will have no access to see the Builds and Edit the Pipeline.
For Release Pipeline, you could limit the View releases and Edit release pipeline.
Is there any way I can make the tasks below mandatory, so that a user cannot disable them under Build Pipeline (CI) in Azure DevOps?
If you are the owner of the organization, you can manage it through the settings.
Navigate to Your Project -> Pipeline -> Manage Security and probably you need to restrict the user from editing the pipeline
There are various policies available which you can play around with.
You can develop a Pipeline decorator extension and then install it to your organization. Pipeline decorators let you add steps to the beginning and end of every pipeline job.
To view more details, you can see "Use a decorator to inject steps into a pipeline".
Normally, only the Organization Owner or Project Collection Administrators can add or delete the extensions on the organization. So, other users are not able to remove the decorators from the pipelines.
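As an added example (not code from the page or from Microsoft's documentation), here is the kind of decorator template such an extension could carry: the manifest declares a contribution of type `ms.azure-pipelines.pipeline-decorator` targeting `ms.azure-pipelines-agent-job.pre-job-tasks` and points its `template` property at this file, so the step lands in every job before the job author's own steps. The file name and the choice of check (failing the job when publish settings or certificate files have been committed to the sources) are assumptions for the illustration.

```yaml
# secret-scan-decorator.yml (assumed name; referenced from the extension
# manifest's "template" property). Injected into every job by the decorator,
# so pipeline authors cannot remove or disable it from their own YAML.
steps:
  - bash: |
      set -euo pipefail
      # Decorators run on every job, including deployment jobs that never
      # check out sources; skip cleanly when there is nothing to scan.
      src="${BUILD_SOURCESDIRECTORY:-}"
      if [ -z "$src" ] || [ ! -d "$src" ]; then
        echo "No sources directory; nothing to scan."
        exit 0
      fi
      # Files that should never be committed: publish profiles and certificates.
      hits=$(find "$src" -type f \
               \( -name '*.publishsettings' -o -name '*.pfx' \) -print)
      if [ -n "$hits" ]; then
        echo "##vso[task.logissue type=error]Secret material found in sources:"
        echo "$hits"
        exit 1
      fi
      echo "No publish settings or certificate files found in sources."
    displayName: 'Block committed publish settings (injected by decorator)'
```

Because only the organization owner or Project Collection Administrators can uninstall the extension, removing this step takes an administrator action rather than a pipeline edit.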
I'm using Azure DevOps pipelines and for 'builds' I can define 'Hosted Ubuntu' agent (in my pipelines.yml file). But for 'releases' there's no way to edit yaml just the UI. The agent pool drop down list shows 'Default (no agents)'. I assume my problem is probably related to project permissions but haven't figured out what controls the visibility. On another account I see all the hosted agent options available.
For the possible security permissions issue
Check that you are part of the group(s) assigned as User to the security of the app pool in question.
If this security operates like other Allow, Deny, NotSet permissions, then your occupation in a group that has less than User permission will revoke that permission, but I haven't seen any documentation about this.
For the use of YAML in release pipelines
Yaml usage in the formal release pipeline hub is not supported. If you want to use yaml for your CD release, you're going to need to enable the new multi-stage pipelines experience.
This allows you to create stages in your .yml file that relate to deployment functions in addition to the classic build functions.
I believe this removes your release tracking from the release hub and integrates it directly into the build hub.
This is still a new concept for Azure DevOps, as is the documentation and writing about it. I found this article to be helpful.
Because this new feature seems to be centered around AKS (or other Kubernetes services) and Docker, I'm not sure if this will help you by allowing you to specify the host in yaml, but you mentioned "release" and "yaml" in the same sentence, so I thought I would address that.
I am using VSTS and a private build agent and I want to make sure that I am not opening my organization to attack. The build and deployment pipeline allow PowerShell scripts to execute on premises. To protect against hackers I have done the following:
Limited the access of the service account that runs the VSTS Build agent
Limited who can invoke a Build or deployment
Avoided executing scripts as part of the build that are in git
We have linked our internal Active Directory to VSTS, which means we have single sign-on from within our organization.
My question is: what else can I do to secure my build and release pipelines? Are there tools or scripts that can be used to monitor the build scripts and their use?
You can set permissions with two aspects to make your build/release and the private agent secure:
Set permissions for build/release definitions
Click … button for build/release definitions -> Security -> set detail permissions for groups or users -> Save changes.
Set permissions for agent
You can also set different roles for groups and users for Agent queues and Agent pools.
For more details, you can refer to the document Set build and release permissions.
What I want to accomplish:
I want to deploy an Azure Cloud Service via Release Management. I managed to get this working by following the steps outlined in this post. In the post the Azure publishsettings file is added to the project and used in Release Management to deploy the Azure package to a Cloud Service. So far so good.
What is the issue:
The Azure publishsettings file will also contain information about the production environment. I don't want that information to be available to all the developers and therefore I would like to have a more secure alternative.
What did I try:
I created a custom action which takes 3 arguments: subscription id, subscription name and certificate key. This way the Azure information stays in Release Management and can be passed to a script. This didn't work because the action is not shown in the Release Template Toolbox.
What is my question:
What is the best way to pass Azure credentials to a deployment script via Release Management in a secure manner?
We have a solution for Build today that will work for RM in the future.
The publish settings file is an important one, with which anybody can get access to certain activities. And however you pass on the publish settings file, it can be misused (if tried).
So along with the publish settings file, you need to add a bit of process to the deployment like -
Deactivate or remove the management certificate, which will in turn invalidate the given publish settings, so anyone should request a new publish settings file before they actually start any release procedures.
Even though it adds a rough edge to your smooth flow of the deployment process, as it is a live or production system, it is always better to tighten the process and make it idiot proof.