Deployments in an enterprise environment have to be audited, meaning that deployments to the production environment have to be approved in advance and evidence of the approval has to be recorded.
I am looking for a solution for how to ensure that every deployment is audited within Visual Studio Team Services without distorting the functionality and flexibility of the tool.
The ideal solution would let dedicated project team members define release or build templates with the necessary tasks and settings. However, before a build or release template can be executed, a verification would run. The verification could check for approvals, defined target environments and several other signs which can help decide whether the deployment is pre-approved or has to be rejected.
VSTS's security scheme for build and release templates has some flexibility, but it does not provide enough control. Actually, since deployment tasks are available for build templates, the release management approval feature does not give any assurance that a deployment is approved in advance, since it could be executed from a simple build plan.
One approach would be if a service hook could be made synchronous. An event would be fired before every build and release, and all details would be provided in the event payload. Analysis would be executed on the payload and, depending on the result, it would either let the build or release go or stop it. However, service hooks are asynchronous and therefore cannot be used for this purpose.
Another, although less flexible, option would be if I could install tasks on agents that are executed every time and can validate the build or the deployment before it is executed. This does not seem to be possible either, since tasks have to be defined by the team and are therefore not reliable.
Any suggestion about how to implement a control that can analyze and, if necessary, block a deployment or build would be appreciated.
It seems you want to check after the deployment is finished.
Actually, there are post-deployment approvers you can specify to audit after the environments have been deployed.
Or you can get the information (approvers, environments, etc.) by adding a PowerShell task at the end of the last environment.
In the PowerShell task you can do the following:
1. Get the detailed information for the current release via the REST API:
2. Search for the information you need: get the pre-deployment approver(s) by searching for the keyword `preDeployApprovals`. For environment information, you can find the details under `"environments": []`.
3. If you want to fail the deployment once the condition you set is not met, compare the approver/environment info with the values you set; if they are not equal, finish with `exit 1`.
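The audit step described in the answer, written out as an added example (this is not code from the answer's author or from Microsoft): a PowerShell task placed in the last environment fetches the current release from the Release REST API, checks that every deployed environment is in an allowed list and was approved by a designated human approver, and exits with 1 otherwise. Assumptions, all hypothetical: the environment names and approver names are placeholder policy values; the release definition has "Allow scripts to access OAuth token" enabled so `System.AccessToken` is available; `System.TeamFoundationServerUri` resolves to the vsrm host inside a release; and `api-version=4.1-preview.6` is accepted by the account. When run outside an agent (no `RELEASE_RELEASEID`), it evaluates a constructed sample release instead of calling the API.

```powershell
# Added example, not the original answer's code. Audits the current release and
# fails the step (exit 1) when pre-approval evidence is missing or not from a
# designated approver. Policy values below are hypothetical placeholders.
param(
    [string[]] $AllowedEnvironments = @('Staging', 'Production'),   # assumed policy
    [string[]] $RequiredApprovers   = @('Release Manager')          # assumed policy
)

function Get-ApprovalViolations {
    param(
        [Parameter(Mandatory)] $Release,
        [string[]] $AllowedEnvironments,
        [string[]] $RequiredApprovers
    )
    $violations = @()
    foreach ($stage in $Release.environments) {
        if ($AllowedEnvironments -notcontains $stage.name) {
            $violations += "Environment '$($stage.name)' is not in the allowed list."
        }
        # Environments that never started deploying have no approval evidence to audit yet.
        if ($stage.status -in @('notStarted', 'scheduled', 'queued')) { continue }

        # An automated approval is not a human gate; only manual approvals count as evidence.
        $manual = @($stage.preDeployApprovals | Where-Object { -not $_.isAutomated })
        if ($manual.Count -eq 0) {
            $violations += "Environment '$($stage.name)' deployed without a manual pre-deployment approval."
            continue
        }
        foreach ($approval in $manual) {
            if ($approval.status -ne 'approved' -or -not $approval.approvedBy) {
                $violations += "Environment '$($stage.name)': approval status is '$($approval.status)'."
            }
            elseif ($RequiredApprovers -notcontains $approval.approvedBy.displayName) {
                $violations += "Environment '$($stage.name)': approved by '$($approval.approvedBy.displayName)', who is not a designated approver."
            }
        }
    }
    return $violations
}

if ($env:RELEASE_RELEASEID) {
    # Inside a release: SYSTEM_TEAMFOUNDATIONSERVERURI is assumed to be the vsrm host
    # (https://{account}.vsrm.visualstudio.com/), and SYSTEM_ACCESSTOKEN the job's OAuth token.
    $uri = "$($env:SYSTEM_TEAMFOUNDATIONSERVERURI)$($env:SYSTEM_TEAMPROJECT)/_apis/release/releases/$($env:RELEASE_RELEASEID)?api-version=4.1-preview.6"
    $headers = @{ Authorization = "Bearer $($env:SYSTEM_ACCESSTOKEN)" }
    $release = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
}
else {
    # Constructed sample release (not real data) so the script runs offline:
    # Staging was approved correctly, Production by someone outside the designated list.
    $release = @'
{ "name": "Release-42",
  "environments": [
    { "name": "Staging", "status": "succeeded",
      "preDeployApprovals": [ { "isAutomated": false, "status": "approved",
                                "approvedBy": { "displayName": "Release Manager" } } ] },
    { "name": "Production", "status": "inProgress",
      "preDeployApprovals": [ { "isAutomated": false, "status": "approved",
                                "approvedBy": { "displayName": "Dev Lead" } } ] }
  ] }
'@ | ConvertFrom-Json
}

$violations = Get-ApprovalViolations -Release $release `
    -AllowedEnvironments $AllowedEnvironments -RequiredApprovers $RequiredApprovers

# ##vso logging commands surface each finding as an error in the release log.
foreach ($v in $violations) { Write-Host "##vso[task.logissue type=error]$v" }
if ($violations.Count -gt 0) {
    Write-Host "Release $($release.name) failed audit with $($violations.Count) violation(s)."
    exit 1
}
Write-Host "Release $($release.name) passed audit."
```

Two caveats a practitioner would want. First, as the answer notes, this runs after the environment has deployed, so it records evidence and fails the release retrospectively rather than preventing the deployment; the pre-deployment approval gate itself is what blocks. Second, the script treats `isAutomated` approvals as no evidence at all, because an environment with only automatic approval has never been seen by a human, which is exactly the case the question is worried about.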