Azure CI/CD: Govern seamlessly from start to finish.
Hey there, tech enthusiasts! This article serves as a technical guide to implementing a resilient end-to-end cloud governance framework for Azure CI/CD pipelines. It is designed to be vendor-agnostic and aligns seamlessly with enterprise security objectives, considerations, and compliance requirements.
Throughout this discourse, we will employ the Azure Role-Based Access Control (RBAC) model, a familiar concept utilized within the Azure Resource Manager framework.
Decisive Process Deconstruction :-
Microsoft Entra groups that align with business domains and permissions models
In our scenario, the organization, Next Door Solutions, encompasses various vertical business domains, such as “HR” and “Cloud team,” each operating relatively independently. Within each domain, two privilege levels are established, each corresponding to a dedicated -admins or -devs Microsoft Entra group.
Deployment environments
Every team will have 2 environments:
Production — admins have elevated privileges.
Non-Prod — all developers have elevated privileges.
Automation Adoption
It’s imperative for every application to incorporate Azure DevOps, not only for continuous integration (CI) but also for continuous deployment (CD). For instance, changes to the Git repository can automatically initiate deployments.
Cloud Journey re-imagining
The organization initially adopted an isolated project model to expedite the cloud journey. However, to maintain enterprise efficiency, we should be looking for ways to dismantle silos and foster collaborative efforts.
3. Git Branch Distribution :-
4. Architecture :-
Workflow —
Microsoft Entra ID Group :-
Azure DevOps is linked with Microsoft Entra ID for unified identity management. Developers use one Microsoft Entra account for both platforms. Access is controlled through group memberships, enabling easy removal of access by revoking group memberships.
Each environment has its own dedicated subscription.
Azure Resource Manager Role Assignments :-
While our Microsoft Entra group names suggest roles, access controls are activated only upon configuring role assignments, assigning specific roles to Microsoft Entra principals for defined scopes.
Note — However, in production you should create a custom role that prevents a service principal from removing any “management locks” that you’ve placed on your resources. This helps protect resources from accidental damage, such as database deletion.
Security Group Assignments in Azure DevOps :-
It’s recommended to use the built-in security groups, so in this scenario we have used Project Administrators for admin access to the Prod subscription and Contributors for devs.
Service Connections in Azure DevOps :-
In Azure DevOps, a Service Connection acts as a versatile container for credentials. It stores the service principal client ID and secret. Project Administrators regulate access to this secure resource, often for scenarios like human-approved deployments. This architecture enforces two key protections on service connections:
Admins manage pipeline permissions to restrict credential access.
Admins implement branch control checks, ensuring only production branch pipelines can use the prod-connection.
Git Repo Considerations :-
It is critical to set up PR reviewer and branch policies that work hand in hand with the branch control checks configured on our service connections.
5. Best Practices to be Followed :-
For Pipelines — Set up the Pipeline Permissions & Branch Control Checks.
For Branch — Set up the branch policies and a minimum of 2 PR reviewers.
Reference for more information :- End-to-end governance from DevOps to Azure - Cloud Adoption Framework | Microsoft Learn
JSON snippet to create a custom role (sample):
{
  "Name": "Headless Owner",
  "Description": "Can manage infrastructure.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}
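As an added example (not from the article or from Microsoft's documentation), the following Python script embeds the sample role above and evaluates operations against it the way Azure RBAC computes effective permissions (Actions minus NotActions, with '*' wildcards matched case-insensitively), confirming that lock deletion is denied while ordinary deployment actions stay allowed. It ignores DataActions, deny assignments and scope, which a full evaluation would also consider.

```python
# Added example: evaluate the "Headless Owner" custom role as Azure RBAC does
# (Actions minus NotActions, '*' wildcards, case-insensitive). Simplified:
# DataActions, deny assignments and assignment scope are not modelled.
import json
import re

# The sample role from the article, embedded so the script runs offline.
HEADLESS_OWNER = json.loads("""
{
  "Name": "Headless Owner",
  "Description": "Can manage infrastructure.",
  "Actions": ["*"],
  "NotActions": ["Microsoft.Authorization/*/Delete"],
  "AssignableScopes": ["/subscriptions/{subscriptionId1}"]
}
""")


def _matches(pattern: str, operation: str) -> bool:
    """True if an RBAC pattern ('*' = any characters, '/' included) covers the operation."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """Effective permission: matched by some Actions entry and by no NotActions entry."""
    allowed = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def protects_management_locks(role: dict) -> bool:
    """The property the article asks for: the role must not be able to delete locks."""
    return not is_allowed(role, "Microsoft.Authorization/locks/delete")


if __name__ == "__main__":
    for op in ("Microsoft.Resources/deployments/write",
               "Microsoft.Sql/servers/databases/delete",
               "Microsoft.Authorization/locks/delete",
               "Microsoft.Authorization/roleAssignments/delete"):
        print(f"{op:50} {'allow' if is_allowed(HEADLESS_OWNER, op) else 'DENY'}")
    print("protects management locks:", protects_management_locks(HEADLESS_OWNER))
```

Note that the role still allows the database delete operation itself; it is the CanNotDelete lock, which this role can no longer remove, that blocks the deletion.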