
Azure devops service connection and central pipeline

I have a requirement of giving multiple teams access to a shared resource in Azure. I therefore want to limit how people can publish changes to the shared resource.

The idea is to limit the use of a service connection to a specific pipeline, as per this documentation. However, if the pipeline is stored in their own repo, the developer could change it. This would not give me enough control. I therefore found that it was possible using a template from a central repo. Using a shared repo would then allow me to have a service connection solely for the template?

So how I imagine doing the above is: I need to grant project X a service connection for my BuildTemplates repo. But this is basically just access to the repo and being able to use the shared templates. Then in the BuildTemplates repo I can have a service connection for my template A.

Now the developer in project X creates her deployments and configurations for her pipeline with her own service connection, scoped for her resources. Then she inherits a template from the BuildTemplates repo and passes relevant parameters for template A.

She cannot alter the template pipeline A, and only the template pipeline A can publish to the shared resource, because of the scoped service connection. I can therefore create relevant guards for the shared Azure resource in the template pipeline A, so I restrict how developer X can publish to my shared Azure resource.

  • Does this make sense, and is it viable?
  • The pipeline part in A cannot be edited by the developer in X?
  • The service connection in A will not propagate out, so the developer in X cannot use it in an inappropriate way?

Update

The above solution does not seem to be viable since the pipeline template is executed in the source branch scope.

Proposed Solution

The benefits I see with the above suggestion do not seem possible, because of the issues. However, one can utilise pipeline triggers as a viable solution. This however results in a new issue. When a pipeline is triggered by developer Y in Y's repository and it succeeds, a trigger is made in the MAIN repository, and the pipeline in MAIN fails, e.g. because the artifacts from Y introduced an issue. How does developer Y get notified about the issues in the MAIN pipeline?

Here is my solution: in the same Azure organization, we can create an Azure project, then create a repo to hold the common pipeline template. All the repos in other Azure projects can access this pipeline template.


UserProject/UserRepo/azure-pipelines.yml

trigger:
  branches:
    include:
    - master
  paths:
    exclude:
    - nuget.config
    - README.md
    - azure-pipelines.yml
    - .gitignore

resources:
  repositories:
  - repository: devops-tools
    type: git
    name: PipelineTemplateProject/CommonPipeline
    ref: 'refs/heads/master'

jobs:
- template: template-pipeline.yml@devops-tools

PipelineTemplateProject/CommonPipeline/template-pipeline.yml

Since the inline script of a pipeline has a 5000 character limitation, you can put your script (not only PowerShell, but also other languages) in PipelineTemplateProject/CommonPipeline/scripts/test.ps1

# Common Pipeline Template
jobs:
 - job: Test_Job
   pool:
     name: AgentPoolName
   steps:
   # Clone the template project's repo using the job's own access token,
   # so the scripts it contains run from the central repo, not the user's.
   - script: |
       echo "$(Build.RequestedForEmail)"
       echo "$(Build.RequestedFor)"
       git config user.email "$(Build.RequestedForEmail)"
       git config user.name "$(Build.RequestedFor)"
       git config --global http.sslbackend schannel
       echo '------------------------------------'
       git clone -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" -b $(ToolsRepoBranch) --single-branch --depth=1 "https://PipelineTemplateProject/_git/CommonPipeline" DevOps_Tools
       echo '------------------------------------'
     displayName: 'Clone DevOps_Tools'

   # Debug step: dumps every environment variable of the agent into the log.
   - task: PowerShell@2
     displayName: 'Pipeline Debug'
     inputs:
       targetType: 'inline'
       script: 'Get-ChildItem -Path Env:\ | Format-List'
     condition: always()

   # Run the script from the cloned central repo, passing the access token as its argument.
   - task: PowerShell@2
     displayName: 'Run Powershell Scripts'
     inputs:
       targetType: filePath
       filePath: 'DevOps_Tools/scripts/test.ps1'
       arguments: "$(System.AccessToken)"

Notes: Organization Settings - Settings - Disable "Limit job authorization scope to current project for release pipelines"

Organization Settings - Settings - "Limit job authorization scope to current project for non-release pipelines"

Check some options in the project settings as well.


So the normal user can only access their own repo and cannot access the DevOps project, and the DevOps owner can edit the template pipeline only.

For the notification issue, I use an email extension, "rvo.SendEmailTask.send-email-build-task.SendEmail@1".
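An added audit check for the question's goal (a service connection usable only by the central template pipeline), not code from the question or the answer above. It parses the response shape of the Azure DevOps Pipeline Permissions REST endpoint for a service connection and flags grants that fall outside an allow-list; the sample response is constructed, and the organization, project, endpoint id and PAT in the fetch helper are placeholders you supply.

```python
"""Audit which pipelines are authorized to use an Azure DevOps service connection.

Added example, not from the original post. Offline check against a constructed
sample; fetch_permissions() shows the real call for
GET {org}/{project}/_apis/pipelines/pipelinePermissions/endpoint/{endpointId}.
"""
import base64
import json
import urllib.request

# Constructed sample of the API response shape (not captured from a real org).
SAMPLE_PERMISSIONS = json.loads("""
{
  "resource": {"type": "endpoint", "id": "00000000-0000-0000-0000-000000000001"},
  "allPipelines": {"authorized": false},
  "pipelines": [
    {"id": 42, "authorized": true},
    {"id": 77, "authorized": true}
  ]
}
""")


def fetch_permissions(org: str, project: str, endpoint_id: str, pat: str) -> dict:
    """Fetch the live permissions (api-version 7.1-preview.1); placeholders must be filled in."""
    url = (f"https://dev.azure.com/{org}/{project}/_apis/pipelines/pipelinePermissions"
           f"/endpoint/{endpoint_id}?api-version=7.1-preview.1")
    token = base64.b64encode(f":{pat}".encode()).decode()  # PAT as HTTP basic auth
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_permissions(perms: dict, allowed_pipeline_ids: set) -> list:
    """Return findings: an open-to-all grant, and authorized pipelines outside the allow-list."""
    findings = []
    if perms.get("allPipelines", {}).get("authorized"):
        findings.append("service connection is authorized for ALL pipelines")
    for p in perms.get("pipelines", []):
        if p.get("authorized") and p.get("id") not in allowed_pipeline_ids:
            findings.append(f"unexpected pipeline {p['id']} is authorized")
    return findings


if __name__ == "__main__":
    # Only the central template pipeline (id 42 here, constructed) should hold the grant.
    for finding in audit_permissions(SAMPLE_PERMISSIONS, {42}):
        print("FINDING:", finding)
```

Run it against the live response for the shared-resource service connection after every change to the template project; an empty findings list means only the central pipeline can use it.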
