Permissions in the CI/CD Pipeline
How do I control who can do what in the CI/CD pipeline? For example, suppose I want to allow some developers to deploy any infrastructure they want in the `dev` account, but in the `stage` account, I want to enforce peer approval of a PR, and in the `prod` account, I want only a select group of people to be able to approve and merge the PR. Does this require breaking each of the accounts into separate GitHub repositories, so that each repository can have its own GitHub workflow and CircleCI (in our case) configuration? Do you have examples of this in action?

---

[Tracked in ticket #108931](https://support.gruntwork.io/hc/requests/108931)

In general, it is very hard to restrict the CI/CD flow when someone has write access to a repository. While the various VCS systems have some form of branch protection feature, these features are generally fairly limited in what you can limit. In most cases, if you have advanced use cases with ACLs and CI/CD, it is best to break apart the code for each of the environment subsets into separate repos so that you only grant write access to the users that are allowed to freely deploy.

Note that depending on the VCS system, you may be able to craft a branch protection rule that allows implementation of the flow you would like. For example, on GitHub, you can implement branch protection with `CODEOWNERS` such that you must have a PR to merge into `main`, and every PR requires an approval from a `CODEOWNER`. Then, you can implement code owner rules such that `prod` and `stage` have a different set of users who can approve the code to deploy.

Be aware that even this has limitations, as you can't dynamically adjust the number of reviews that are required. So you wouldn't be able to specify that changes to the `dev` folder are allowed to be merged without approval.
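
The `CODEOWNERS` flow and its limitation described in the answer above, as an added example that is not part of the original answer or of any Gruntwork code. It is a simplified model: the org, team names and `dev`/`stage`/`prod` folder layout are assumptions, and only rooted directory patterns and `*` are matched.

```python
"""Simplified model of CODEOWNERS plus a branch-wide approval count."""

# Constructed sample; the org, team names and folder layout are assumptions.
CODEOWNERS = """\
/dev/      @example-org/developers
/stage/    @example-org/stage-approvers
/prod/     @example-org/prod-approvers
# Changes to the rules themselves need a prod approver.
/.github/  @example-org/prod-approvers
"""

def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def owners_for(path, rules):
    """Last matching rule wins. Only rooted '/dir/' patterns and '*' are modelled."""
    owners = []
    for pattern, rule_owners in rules:
        if pattern == "*" or ("/" + path).startswith(pattern):
            owners = rule_owners
    return owners

def can_merge(changed_files, approvals, rules, min_approvals=1):
    """approvals maps each approving reviewer to the set of teams they belong to.

    min_approvals is one number for the whole branch; it cannot vary by folder.
    """
    if len(approvals) < min_approvals:
        return False
    for path in changed_files:
        owners = set(owners_for(path, rules))
        if owners and not any(owners & teams for teams in approvals.values()):
            return False
    return True

if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    dev_member = {"alice": {"@example-org/developers"}}
    print(can_merge(["dev/vpc/main.tf"], {}, rules))            # False
    print(can_merge(["dev/vpc/main.tf"], dev_member, rules))    # True
    print(can_merge(["prod/vpc/main.tf"], dev_member, rules))   # False
```

The first result is the limitation in practice: a `dev`-only change is still blocked until someone approves, because the approval count applies to the whole branch.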