1. Team-Based Access Control for DevOps Pipelines


    When building DevOps pipelines, it's crucial to manage access to resources securely. Team-Based Access Control (TBAC) allows you to define what team members can see and do within your DevOps pipeline, helping you manage permissions more effectively.

    In the following Pulumi program, we will use the azuredevops provider to demonstrate how to set up TBAC for Azure DevOps pipelines. Specifically, we will define an Azure DevOps build definition and set permissions on it based on a team's requirements.

    First, we start by importing the required libraries and then creating an Azure DevOps team and project. Next, we'll create a build definition, which represents the automated process that runs to build our code. Finally, we will set specific permissions for the team on that build definition, thereby applying TBAC.

    In this example, the BuildDefinitionPermissions resource is used to tie specific permissions to the build definition for a given team, and the TeamAdministrators resource is used to grant administrative permissions to the team for managing the pipeline.

    Here's a Pulumi Python program that sets up a simple TBAC system for an Azure DevOps pipeline:

    import pulumi import pulumi_azuredevops as azuredevops # Create an Azure DevOps Project project = azuredevops.Project("example-project", description="An example Azure DevOps Project") # Create a team to manage the Build Definition Permissions team = azuredevops.Team("example-team", description="My example Team", project_id=project.id) # Create an Azure DevOps Build Definition (Pipeline) build_definition = azuredevops.BuildDefinition("example-build-definition", project_id=project.id, name="example-build", # ... other required properties to define the build process) # Configure Build Definition Permissions for the Team build_permissions = azuredevops.BuildDefinitionPermissions("example-build-permissions", project_id=project.id, build_definition_id=build_definition.id, principal=team.id, permissions={ "ViewBuilds": "Allow", "EditBuildDefinition": "Allow", "DeleteBuilds": "Deny", # ...other permissions as needed }) # Optionally, setup team administrators for the project team_admins = azuredevops.TeamAdministrators("example-team-admins", team_id=team.id, project_id=project.id, administrators=["user@example.com"]) # Specify team administrators by email or user ID # Export the ID of the build definition pulumi.export('build_definition_id', build_definition.id)

    In the above program:

    • The Project resource is creating a new Azure DevOps project to house our pipelines and other resources.
    • The Team resource creates a new team within this project.
    • The BuildDefinition resource defines an automated process (pipeline) to build our code.
    • The BuildDefinitionPermissions resource is where we apply TBAC by giving specific permissions to the team for this build definition.
    • The TeamAdministrators resource specifies who the administrators for the team will be.

    Through build_permissions, you control what team members can do, like viewing builds, editing the build definition, or deleting builds, each of which can be set to Allow, Deny, or NotSet (inherit).

    This setup provides a structure for applying team-based permissions to control access to the build pipeline, ensuring that only the appropriate members can perform certain actions.