Approvals to deploy pipelines - Azure Pipelines (2023)

Azure DevOps-Dienste

The pipeline consists of stages. The pipeline author can control whether a phase should run by definingConditionson stage. Another way to control if and when the phase will start is through.Permissions and controls.

Pipelines rely on resources such as environments, service connections, agent pools, variable groups, and secure files. Exams enableresource ownerto control if and when a pipeline stage can consume a resource. As the owner of a resource, you can define checks that must be met before the consumption phase of that resource begins. For example amanual approval checkto oneSurroundingswill ensure deployment to this environment only after the named user(s) have reviewed the implemented changes.

A phase can consist of many jobs and each job can consume more resources. Before a phase can begin execution, all checks for all resources used in that phase must be passed. Azure Pipelines pauses pipeline execution before each stage and waits for all pending checks to complete. Tests are re-scored based on the repeat interval specified for each test. If all checks fail, untilpausestated, this phase is not executed. If one of the checks definitely fails (eg you refuse approval for one of the resources), this phase is not triggered.

Permissions and other checks are not defined in the yaml file. Users who modify the pipeline's YAML file cannot modify the checks that are performed before the stage starts. Resource administrators manage checks from the Azure Pipelines web interface.

Approvals

Approval checks allow you to manually control when a phase should run. This check is typically used to control deployments to production environments.

1. In your Azure DevOps project, navigate to the resource (eg environment) that needs to be protected.

2. Navigate toPermissions and controlsfor resource.

3. ChooseTo create, provide approvers and an optional message and selectTo createagain to finish adding the manual approval check.

You can add multiple approvers to an environment. These approvers can be individual users or groups of users. If a group is specified as an approver, only one of the users in that group needs to approve for the run to proceed.

Using advanced options, you can configure the minimum number of approvers to complete an approval. A group is considered a single approver.

You can also prevent the user who requested (started or created) the run from completing the approval. This option is often used to separate roles between users.

When you start a pipeline, the execution of that run stops before it reaches the phase that uses the environment. Users configured as approvers must review and approve or reject the deployment. If multiple runs are running at the same time, you must approve or reject each run individually. If all requested permits are not completed within the deadlinepauseIf the stage specified for approval and all other checks pass, the stage is marked as skipped.

branch control

You can use branch control checking to ensure that all resources associated with the pipeline are created fromallowedbranches and that the branches have protection included. This check helps control the readiness of releases and the quality of deployments. If multiple resources are associated with a pipeline, the source of all resources is checked. If you have connected another pipeline, the branch of the particular outlet is checked for protection.

To define branch control validation:

1. In your Azure DevOps project, navigate to the resource (eg environment) that needs to be protected.

2. Navigate toPermissions and controlsfor resource.

3. Choosebranch controlCheck and specify a comma-separated list of allowed branches. You can choose to have branch protection turned on. You can also define the scan behavior when the protection status for one of the branches is unknown.

   See Also

   Common problems with two-step verification for a business or school accountBuild big data pipelines with Azure Data Lake and Azure Data Factory | Azure Blog | Microsoft AzureAnalysis | Why are red states hiring much faster than blue states?

At runtime, the check validates the branches for all related resources in the runtime against the whitelist. If any of the branches do not meet the criteria, the check fails and the phase is marked as failed.

Working hours

If you want all deployments in your environment to happen only within a certain time frame, an uptime check is an ideal solution. When you start the pipeline, the stage using the resource waits for the runtime to start. If several movements are performed simultaneously, each of them will be checked independently. At the beginning of working hours, the check is considered successful for all executions.

If the execution of the phase has not started at the end of the working hours (delayed by another check), the approval of the working hours is automatically canceled and a reassessment is scheduled for the next day. The check fails if phase execution does not start withinpauseThe period specified for the check expires and the phase is marked as failed.

Call an Azure function

Azure Functions is a serverless computing platform offered by Azure. Azure Functions allow you to run small pieces of code (called "functions") without worrying about the application's infrastructure. Due to its high flexibility, Azure functions offer an excellent opportunity to create your own checks. They encapsulate the logic of the Azure check-in function, so that each execution is triggered on an HTTP request, has a short execution time, and returns a response. When defining a check, you can analyze the response body to determine whether the check succeeded. The evaluation can be repeated regularly with the "Time between evaluations" setting in the management options.find out more

Checks fail if the phase has not started execution within the specified time periodpausePeriod. SeeAzure Function Application Taskfor more details.

Learn more about the recommended way to use Invoke Azure Function checks.

Call the REST API

With the Invoke REST API Checker, you can integrate any of your existing services. Periodically call the REST API and continue if a successful response is returned.find out more

The evaluation can be periodically repeated withtime between examinationsSetup in management options. Checks fail if the phase has not started execution within the specified time periodpausePeriod. SeeCall the REST API taskfor more details.

Learn more about the recommended way to use Invoke REST API checks.

Query for Azure Monitor alerts

Azure Monitor provides visualization, querying, routing, alerting, autoscaling, and automation for data from Azure infrastructure and each individual Azure resource. Alerts are a standard way to detect infrastructure or application health issues and take corrective action. Deployment canaries and incremental rollouts are common deployment strategies used to reduce the risk of regression for critical applications. After being set to a level (user group), the application is observed for some time. The state of the application after deployment is used to decide whether or not to upgrade to the next level.

By querying Azure Monitor alerts, you can observe Azure Monitor and ensure that no alerts are triggered in your application after deployment. The check is successful if no alarm rules are activated at the time of evaluation.find out more

The evaluation is then repeatedtime between examinationsSetup in management options. Checks fail if the phase has not started execution within the specified timepausePeriod.

Template required

You can force pipelines to use a specific YAML template with required template validation. When this check is set, the pipeline will fail if it does not pass the reference template.

To define the required template approval:

1. Go to in your Azure DevOps projectservice portyou want to limit.

2. OpenPermissions and controlsin the menu next to itedit.

3. imAdd your first checkselect the menuTemplate required.

4. Enter details on how to get the required template file.

   • Repository-type: The location of your repository (GitHub, Azure, or Bitbucket).
   • Storage: The name of your repository that contains your template.
   • Ref: The branch or label of the required template.
   • Path to the required template: the name of your template.

You can have multiple required templates for the same service connection. This example requires a templaterequired.yml.

Rate the artifact

You can use custom rules to evaluate the artifacts to be deployed in the environment.

Complete the following steps to define a custom rule evaluation for artifacts.

1. In your Azure DevOps Services project, navigate to the environment that needs to be protected. learn more aboutcreate an environment.

2. Navigate toPermissions and controlsFor the environment.

3. ChooseRate the artifact.

4. Paste the rule definition and clickSave on computer.See moreon writing policy definitions.

When you start a pipeline, the execution of that run stops before it reaches the stage that uses the environment. The specified rule is evaluated against the available metadata of the image. The check succeeds if the policy succeeds, otherwise it fails. If the check fails, the phase is marked as failed.

Ekskluzivna brava

Phases:- Phase: A LockBehavior: Sequential Jobs: - Job: Job Steps: - Script: Hey!

lockBehavior: runLateststages:- stage: A jobs: - job: job steps: - script: Hey!

TheEkskluzivna bravaThe check allows only one pipeline run to continue. All stages in all executions of this pipeline that use the resource are paused. When the lock usage phase is finished, another phase can continue to use the resource. Also, only one phase can be continued. All other stages that tried to take the lock will be aborted.

ServiceNow change management

These exams requireServiceNow Change Management extensioninstall from the market

Theservicenow change managementThe audit enables the integration of ServiceNow's change management processes into pipelines. Adding a review enables the automatic creation of a new change request in ServiceNow at the start of a phase. The pipeline waits for the change process to complete before starting the phase. More details are availableHere.

More permits and exams

A phase can consist of many jobs and each job can consume more resources. Before a phase can begin execution, all checks for all resources used in that phase must be passed. Azure Pipelines pauses pipeline execution before each stage and waits for all pending checks to complete.

One final negative decision results in denial of pipeline access and stage cancellation. Decisions on all approvals and checks except Invoke Azure Function/REST API iEkskluzivna bravaare final.

Checks are performed when using the Invoke Azure Function/REST APIrecommended wayYour access decisions are also final.

Ako navedetetime between examinationsIf the Invoke Azure Function/REST API check is non-zero, the check decision is not final. This scenario is worth investigating.

Let's look at an example. Imagine that your YAML pipeline has a stage that uses a service connection. Two checks are configured for this service connection:

1. Asynchronous check calledExternal consent granted, confirms itexternal approval is givenand is configured in the recommended way.
2. Synchronous check calledImportant reason for delivery, confirms itThe reason for the award is validand for which you set themtime between examinationsup to 7 minutes.

A possible test procedure is shown in the following diagram.

In this version:

• both checks,External consent grantedIImportant reason for delivery, are called simultaneously.Important reason for deliveryit doesn't work right away, but that's whyExternal consent grantedstill pending, will try again.
• In the 7th minute,Important reason for deliveryit tries again and this time it is successful.
• In the 15th minute,External consent grantedcalls back Azure Pipelines with a successful decision. Now both checks pass, allowing the pipeline to continue staging.

Let's look at another example involving two synchronous checks. Assume that your YAML pipeline has a stage that uses a service connection. Two checks are configured for this service connection:

1. Synchronous check calledSynchronization check 1, for which you have settime between examinationsup to 5 minutes.
2. Synchronous check calledSynchronization check 2, for which you have settime between examinationsup to 7 minutes.

A possible test procedure is shown in the following diagram.

In this version:

• both checks,Synchronization check 1ISynchronization check 2, are called simultaneously.Synchronization check 1passes, but tries again becauseSynchronization check 2it fails.
• In the 5th minute,Synchronization check 1it tries again but fails and therefore tries again.
• In the 7th minute,Synchronization check 2it is tried again and is successful. The decision to pass is valid for 7 minutes. IfSynchronization check 1does not pass in this time interval,Synchronization check 2will try again.
• In the 10th minute,Synchronization check 1it tries again but fails and therefore tries again.
• In the 14th minute,Synchronization check 2it is tried again and is successful. The decision to pass is valid for 7 minutes. IfSynchronization check 1does not pass in this time interval,Synchronization check 2will try again.
• In the 15th minute,Synchronization check 1it is tried again and is successful. Now both checks pass, allowing the pipeline to continue staging.

Let's look at an example involving approval and synchronous verification. Imagine you have configured synchronous verification and authorization for a service connection with atime between examinationsof 5 minutes. Regardless of the decision, your verification will take place every 5 minutes until approved.

Questions

The defined checks are not running. What happened?

Exam grading begins as soon as the level requirements are met. You should verify that the stage has started running after adding checks for the resource and that the resource is being consumed in the stage.

How can I use checks to plan a leg?

You can use the runtime checker to control when the phase execution starts. You can achieve the same behavior aspredefined schedule on stageu Designer-Releases.

How can I get pre-approvals for a future stage?

This scenario can be activated

1. Checking the working hours allows scheduling the work of all phases of resource provision within the time frame
2. If approvals are configured for the same resource, the phase waits for approvals before starting.
3. You can configure both checks for a resource. The stage would await permits and opening hours. It will start in the next scheduled window after the licensing is completed.

Can I wait for the submitted artifact to complete the security check?

To wait for the security scan of the placed artifact to complete, you must use an external scanning service such as AquaScan. The specified artifact should be transferred to a location accessible to the scanning service and identified using prior to starting the scanpredefined variablesWith the Invoke REST API check, you can add a check that listens to an API in the security service and passes an artifact ID as input.

How can I use output variables from previous stages in the exam?

By default, only predefined variables are available for checks. You can use a linked variable group to access other variables. The output variable from the previous stage can be written to the variable group and retrieved in the check.