Team-Based Access Control for DevOps Pipelines
When building DevOps pipelines, it is crucial to manage access to resources securely. Team-Based Access Control (TBAC) lets you define what the members of a team can see and do within your DevOps pipeline, so permissions follow the team rather than individual users.
In the following Pulumi program, we use the azuredevops provider to set up TBAC for an Azure DevOps pipeline. Specifically, we define an Azure DevOps build definition and set permissions on it according to a team's requirements.
First, we import the required libraries and create an Azure DevOps project and a team. Next, we create a build definition, which represents the automated process that runs to build our code. Finally, we set specific permissions for the team on that build definition, which is where TBAC is applied.
In this example, the BuildDefinitionPermissions resource ties specific permissions on the build definition to a given team, and the TeamAdministrators resource designates who administers the team itself (its membership and settings). Note that team administrators do not automatically gain rights on the pipeline; pipeline rights come only from the permissions resource.
Here's a Pulumi Python program that sets up a simple TBAC system for an Azure DevOps pipeline:
import pulumi
import pulumi_azuredevops as azuredevops

# Create an Azure DevOps project to house the pipeline and the team
project = azuredevops.Project("example-project",
    description="An example Azure DevOps Project")

# Create the team whose rights on the pipeline we will scope
team = azuredevops.Team("example-team",
    description="My example Team",
    project_id=project.id)

# A repository for the pipeline to build. The original snippet elided the
# build definition's repository settings; this minimal Azure Repos (TfsGit)
# repository with a YAML pipeline file is an assumption added so the
# program is deployable.
repo = azuredevops.Git("example-repo",
    project_id=project.id,
    name="example-repo",
    initialization=azuredevops.GitInitializationArgs(init_type="Clean"))

# Create an Azure DevOps build definition (pipeline)
build_definition = azuredevops.BuildDefinition("example-build-definition",
    project_id=project.id,
    name="example-build",
    repository=azuredevops.BuildDefinitionRepositoryArgs(
        repo_type="TfsGit",
        repo_id=repo.id,
        branch_name="refs/heads/main",
        yml_path="azure-pipelines.yml"))
    # ... other properties to define the build process (variables, triggers, ...)

# Configure the team's permissions on this one build definition. The
# principal is an identity descriptor, so pass the team's descriptor rather
# than its GUID id. Deny takes precedence over Allow, so the explicit Deny
# on DeleteBuilds holds even if a project-level group allows it.
build_permissions = azuredevops.BuildDefinitionPermissions("example-build-permissions",
    project_id=project.id,
    build_definition_id=build_definition.id,
    principal=team.descriptor,
    permissions={
        "ViewBuilds": "Allow",
        "EditBuildDefinition": "Allow",
        "DeleteBuilds": "Deny",
        # ...other permissions as needed
    })

# Optionally, set the team's administrators. `administrators` takes subject
# descriptors, not e-mail addresses, so the user is looked up first. The
# address is a placeholder; the user must already exist in the organization.
admin_user = azuredevops.get_users_output(principal_name="user@example.com")
team_admins = azuredevops.TeamAdministrators("example-team-admins",
    team_id=team.id,
    project_id=project.id,
    administrators=[admin_user.users[0].descriptor])

# Export the ID of the build definition
pulumi.export("build_definition_id", build_definition.id)
In the above program:
- The Project resource creates a new Azure DevOps project to house our pipelines and other resources.
- The Team resource creates a new team within this project.
- The BuildDefinition resource defines an automated process (pipeline) to build our code.
- The BuildDefinitionPermissions resource is where we apply TBAC by granting or denying specific permissions to the team for this build definition.
- The TeamAdministrators resource specifies who administers the team (its membership and settings); it grants no rights on the pipeline itself.
Through build_permissions, you control what team members can do, such as viewing builds, editing the build definition, or deleting builds. Each permission can be set to Allow, Deny, or NotSet (inherit from the project-level settings). Because Deny takes precedence over Allow, an explicit Deny here blocks the action even for members who are allowed it through another group, while NotSet leaves the inherited value in force. This setup provides a structure for applying team-based permissions to control access to the build pipeline, ensuring that only the appropriate members can perform certain actions.