Best practice to restrict deployment to test?

The organisation I work for is using TeamCity Enterprise 7.1.3 (build 24266).
We have the following build types:
  • Builds - builds the code, runs unit tests, adds to NuGet where appropriate, creates artifacts where appropriate
  • Acceptance tests - run acceptance tests on development or integration environments
  • Deployments - deploys using the artifacts previously created

What I want to achieve

  • I want to have a build chain taking me through deployment to various environments in turn (dev, integration, test at present, adding production later)
  • I want to use the same artifact when deploying to each environment
  • I want developers to be able to deploy to development and integration but not test and production
  • I want developers to be able to administer all projects except deployment to test and production


What I have done so far

  • Created the deploy to test project as a separate project
  • Created build chains for deployment which currently go build > deploy dev > acceptance test dev > deploy integration > acceptance test integration > deploy test (but with deploy test missing its properties so it won't work)
  • Removed sysadmin permission from developers and granted project admin on all projects except deploy to test
  • Created a new agent pool and assigned it to the deploy to test project (and removed the default pool) - planning to add agents to it later with permissions on the test environment


What I can't work out

  • Whenever a new project is created (several every week) the permissions need to be added to the developer roles. This is extra work I'd rather avoid. Could I be handling permissions better? Something along the lines of "GRANT ALL", "DENY deploy to test", which I can't find how to do in TeamCity
  • How can I stop developers adding the deploy to test agent pool with the elevated permissions to their projects? Should I even be using agent pools for this?


It seems to me that a separate instance of TeamCity won't work with regard to artifact sharing and using build chains. However, using the same instance of TeamCity is proving problematic with regards to permissions.


Andy,

The approach you describe seems appropriate for the task.

> Whenever a new project is created (several every week) the permissions need to be added to the developer roles. This is extra work I'd rather avoid. Could I be handling permissions better? Something along the lines of "GRANT ALL", "DENY deploy to test", which I can't find how to do in TeamCity

There are no deny permissions so far ( http://youtrack.jetbrains.com/issue/TW-5227 ). You can add all the developers into a single group and add the necessary permissions only to that group on new project creation. In TeamCity 8.0 that can be a bit easier with the nested projects and roles propagation to sub-projects.

> How can I stop developers adding the deploy to test agent pool with the elevated permissions to their projects? Should I even be using agent pools for this?



You should probably remove the corresponding permissions from developers. Without the agent manager role, project administrators should still be able to manage pools which only affect "their" projects.