Concourse
Separation of duties #6064
Replies: 3 comments 2 replies
-
|
Use two Concourse teams ? Ah, you mean from the same pipeline I think. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, for the same pipeline, whoever can trigger the build cannot be part of Application Development team. I find it hard with some teams because whoever is promoting the code is not having concourse knowledge and Application developers have to work with code promoter every time they want to make changes to pipeline code because only a member can make changes to pipeline and trigger the build. It is good to have something like Approval gates in UCD and Harness. I know concourse is CI only tool but it will be helpful to have this or any workaround which makes the Developers and concourse CI admins life easy. |
Beta Was this translation helpful? Give feedback.
-
|
Would something like #6013 be useful here? It looks like currently the best way is via OPA on API calls, but there's some interest in a more powerful and smarter system. |
Beta Was this translation helpful? Give feedback.
-
|
Yes |
Beta Was this translation helpful? Give feedback.
-
|
There is another approach here, depending on your use case. You could set your 'prod' jobs to be triggered only be a specific resource, that only special people can change. For instance, a Git repo, a Pool resource, or a locked-down S3 bucket. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Concourse being the CI tool and have capability to perform the CD, we used it for both. When it comes to audits we have a rule where no one individual can have both development and migration to prod privileges.
Did anyone find a way to accomplish this? Open to any ideas.
Beta Was this translation helpful? Give feedback.
All reactions