Team-Based Access Control for DevOps Pipelines

Question

Pulumi · Accepted Answer

When building DevOps pipelines, it's crucial to manage access to resources securely. Team-Based Access Control (TBAC) allows you to define what team members can see and do within your DevOps pipeline, helping you manage permissions more effectively.

In the following Pulumi program, we will use the `azuredevops` provider to demonstrate how to set up TBAC for Azure DevOps pipelines. Specifically, we will define an Azure DevOps build definition and set permissions on it based on a team's requirements.

First, we start by importing the required libraries and then creating an Azure DevOps team and project. Next, we'll create a build definition, which represents the automated process that runs to build our code. Finally, we will set specific permissions for the team on that build definition, thereby applying TBAC.

In this example, the `BuildDefinitionPermissions` resource is used to tie specific permissions to the build definition for a given team, and the `TeamAdministrators` resource is used to grant administrative permissions to the team for managing the pipeline.

Here's a Pulumi Python program that sets up a simple TBAC system for an Azure DevOps pipeline:

```python
import pulumi
import pulumi_azuredevops as azuredevops

# Create an Azure DevOps Project
project = azuredevops.Project("example-project",
    description="An example Azure DevOps Project")

# Create a team to manage the Build Definition Permissions
team = azuredevops.Team("example-team",
    description="My example Team",
    project_id=project.id)

# Create an Azure DevOps Build Definition (Pipeline)
build_definition = azuredevops.BuildDefinition("example-build-definition",
    project_id=project.id,
    name="example-build",
    # ... other required properties to define the build process)

# Configure Build Definition Permissions for the Team
build_permissions = azuredevops.BuildDefinitionPermissions("example-build-permissions",
    project_id=project.id,
    build_definition_id=build_definition.id,
    principal=team.id,
    permissions={
        "ViewBuilds": "Allow",
        "EditBuildDefinition": "Allow",
        "DeleteBuilds": "Deny",
        # ...other permissions as needed
    })

# Optionally, setup team administrators for the project
team_admins = azuredevops.TeamAdministrators("example-team-admins",
    team_id=team.id,
    project_id=project.id,
    administrators=["user@example.com"])  # Specify team administrators by email or user ID

# Export the ID of the build definition
pulumi.export('build_definition_id', build_definition.id)
```

In the above program:

- The `Project` resource is creating a new Azure DevOps project to house our pipelines and other resources.
- The `Team` resource creates a new team within this project.
- The `BuildDefinition` resource defines an automated process (pipeline) to build our code.
- The `BuildDefinitionPermissions` resource is where we apply TBAC by giving specific permissions to the team for this build definition.
- The `TeamAdministrators` resource specifies who the administrators for the team will be.

Through `build_permissions`, you control what team members can do, like viewing builds, editing the build definition, or deleting builds, each of which can be set to `Allow`, `Deny`, or `NotSet` (inherit).

This setup provides a structure for applying team-based permissions to control access to the build pipeline, ensuring that only the appropriate members can perform certain actions.