Bug: Issue with Azure DevOps Approval Configuration #310

Open

oZakari opened this issue Feb 27, 2025 · 2 comments

Labels
Area: Bootstrap Modules 👢 Issues / PR's related to the Accelerator bootstrap modules Needs: Author Feedback 👂 Needs the author to provide feedback Type: Bug 🪲 Something isn't working

Comments

@oZakari
Contributor

oZakari commented Feb 27, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Infrastructure as Code Type? (Required)

bicep

PowerShell Module Version (Optional)

4.2.3

Bootstrap Module Version (Optional)

4.2.0

Starter Module? (Required)

bicep - complete

Starter Module Version (Optional)

0.21.0

Input arguments of the ALZ-PowerShell-Module (Optional)

Feedback from field CSA "Used the Accelerator with Bicep and DevOps. We had four users added to the apply_approvers array. These users seem to have been added to a group alz-mgmt-approvers. However, that group has custom permissions, which do not include permissions to the apply Service Connection, which is where the approval is created.

So the users in that group can't perform the approval, they just don't see the Approve button for the service connection.

I am just typing this while working with a customer so I may be missing something obvious instead."

Debug Output/Panic Output (Optional)

Expected Behaviour (Required)

Approvals required to the "apply/deploy" environment

Actual Behaviour (Required)

Approvers required at the service connection level.

Steps to Reproduce (Optional)

No response

Important Factoids (Optional)

No response

References (Optional)

No response

@oZakari oZakari added Needs: Triage 🔍 Needs triaging by the team Type: Bug 🪲 Something isn't working Area: Bootstrap Modules 👢 Issues / PR's related to the Accelerator bootstrap modules labels Feb 27, 2025
@oZakari oZakari self-assigned this Feb 27, 2025
@jaredfholgate
Member

jaredfholgate commented Feb 27, 2025

I disagree strongly with the reasoning behind using approvals associated to the environments.

Happy to explain the reasoning, but it essentially comes down to the environment not being a robust mapping to the identity. The service connection is a wrapper for the identity and therefore you are approving the use of that identity. The environment is defined in YAML and someone malicious could potentially just remove it or replace it, thereby bypassing approval. With GitHub it is part of the OIDC subject, so more robust there, but not for Azure DevOps.

I haven't come across a perms issue for this yet, so keen to understand the exact issue. I think we can add the necessary permission easily enough.

We can also update to add pre-existing group(s) as an alternative solution.
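The distinction drawn above (an approval on the service connection gates use of the identity, while an approval on an environment gates only a name that the pipeline YAML can be edited to drop) can be checked mechanically. The following is an added example, not code from the issue or from the Accelerator: a stdlib-only audit that lists the service connections a pipeline references and flags any whose only gate is an environment approval. The pipeline YAML, the check records and their field layout are constructed for the example and are not a real Azure DevOps API response.

```python
"""Audit where a pipeline's approvals are attached: environment vs service connection."""
import re

# Constructed sample pipeline (not from the issue). The environment name and the
# service connection name are both plain strings that a commit could change.
SAMPLE_PIPELINE_YAML = """
stages:
  - stage: apply
    jobs:
      - deployment: apply
        environment: alz-mgmt-apply
        strategy:
          runOnce:
            deploy:
              steps:
                - task: AzureCLI@2
                  inputs:
                    azureSubscription: alz-mgmt-apply-sc
"""

# Constructed approval-check records in the shape this example assumes
# (resource type, resource name, check type); not a real API payload.
SAMPLE_CHECKS = [
    {"resource": {"type": "environment", "name": "alz-mgmt-apply"}, "type": "Approval"},
]

# Scalar forms only; a mapping form (environment:\n  name: ...) is not matched.
ENV_RE = re.compile(r"^[ \t]*environment:[ \t]*(\S+)", re.M)
SC_RE = re.compile(r"^[ \t]*(?:azureSubscription|serviceConnection):[ \t]*(\S+)", re.M)


def referenced_resources(pipeline_yaml):
    """Return (environments, service connections) named in the pipeline text."""
    return set(ENV_RE.findall(pipeline_yaml)), set(SC_RE.findall(pipeline_yaml))


def approved_resources(checks, resource_type):
    """Names of resources of the given type that carry an Approval check."""
    return {c["resource"]["name"] for c in checks
            if c["type"] == "Approval" and c["resource"]["type"] == resource_type}


def audit(pipeline_yaml, checks):
    """Flag service connections not approved at the connection ("endpoint") level."""
    envs, scs = referenced_resources(pipeline_yaml)
    env_ok = approved_resources(checks, "environment")
    sc_ok = approved_resources(checks, "endpoint")
    findings = []
    for sc in sorted(scs):
        if sc in sc_ok:
            continue  # approval is bound to the identity wrapper itself
        findings.append({"serviceConnection": sc,
                         "environmentApprovalOnly": bool(envs & env_ok)})
    return findings
```

A finding with `environmentApprovalOnly` true is exactly the case described: the approval exists, but only on a resource the YAML controls.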

@oZakari
Contributor Author

oZakari commented Mar 3, 2025

> I disagree strongly with the reasoning behind using approvals associated to the environments.
>
> Happy to explain the reasoning, but it essentially comes down to the environment not being a robust mapping to the identity. The service connection is a wrapper for the identity and therefore you are approving the use of that identity. The environment is defined in YAML and someone malicious could potentially just remove it or replace it, thereby bypassing approval. With GitHub it is part of the OIDC subject, so more robust there, but not for Azure DevOps.
>
> I haven't come across a perms issue for this yet, so keen to understand the exact issue. I think we can add the necessary permission easily enough.
>
> We can also update to add pre-existing group(s) as an alternative solution.

Thanks for the additional insight on that! That makes sense to me in terms of being able to potentially remove the environment although probably not as concerning in an internal repository but still valid. I'll take a look at the permissions aspect and see if I can replicate.

@jaredfholgate jaredfholgate added Needs: Author Feedback 👂 Needs the author to provide feedback and removed Needs: Triage 🔍 Needs triaging by the team labels May 8, 2025