Tags: azure-devops, azure-pipelines, azure-pipelines-yaml

Azure Pipeline - how to prevent circumvention of approval for environment?


Using a YAML-based Azure DevOps Pipeline, how do you require approval to deploy an app service (web app) to an environment such as Production in a way that can't be circumvented by modification of the YAML?

I know that under Pipelines/Environments you can create an environment and set up approvals and checks. Then you can have a stage in the YAML pipeline which is associated with that environment. My concern is that the YAML pipeline could be altered to no longer be associated with that environment (for example, change it to the DEV environment, which doesn't require approval), but still reference the Production Azure resource (WebAppName property), thereby circumventing the approval. The other thing that limits access seems to be the service connection, but it seems like you need to give the pipeline permission to use the service connection, and that doesn't really serve as part of the ongoing approval process per deployment.

- stage: PROD
  displayName: PROD
  jobs:
    # A deployment job must be named (`- deployment: <name>`); the empty
    # `job:` that only carried the pool has been folded into it.
    - deployment: Release_Prod
      displayName: 'PROD Deployment'
      pool:
        vmImage: 'Windows-2019'
      # The approval is attached to this environment, so pointing the job
      # at a different environment would bypass it.
      environment: 'Web App - PROD'
      strategy:
        runOnce:
          deploy:
            steps:
              - task: DownloadBuildArtifacts@1
                inputs:
                  buildType: 'current'
                  downloadType: 'single'
                  artifactName: 'drop'
                  downloadPath: '$(System.ArtifactsDirectory)'
              - task: AzureRmWebAppDeployment@4
                inputs:
                  ConnectionType: 'AzureRM'
                  azureSubscription: 'Production'
                  appType: 'webApp'
                  WebAppName: 'my-production-web-app'
                  package: '$(System.ArtifactsDirectory)/**/*.zip'

Solution

  • I figured out how to do it. You don't use environments at all. Instead, you set up the approval on the service connection itself.
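As an added illustration (not part of the original question or answer), here is what the stage looks like once the approval gate lives on the service connection instead of on an environment. The connection name 'Production', the web app name and the artifact name are taken from the question; the approval itself is configured in the Azure DevOps UI (Project Settings > Service connections > Production > Approvals and checks), not in YAML, which is why a YAML edit cannot remove it.

```yaml
# Added example: a deployment stage whose approval is enforced by the
# 'Production' service connection rather than by the environment.
# Names ('Production', 'my-production-web-app', 'drop') are placeholders
# reused from the question above.
trigger:
  - main

stages:
  - stage: PROD
    displayName: PROD
    jobs:
      - deployment: Release_Prod
        displayName: Release to PROD
        pool:
          vmImage: 'windows-latest'
        # The environment no longer carries an approval; it only records
        # deployment history. Swapping it for 'DEV' changes nothing about
        # the gate below.
        environment: 'Web App - PROD'
        strategy:
          runOnce:
            deploy:
              steps:
                - task: DownloadBuildArtifacts@1
                  inputs:
                    buildType: 'current'
                    downloadType: 'single'
                    artifactName: 'drop'
                    downloadPath: '$(System.ArtifactsDirectory)'
                # The 'Production' service connection has an Approval check
                # configured on the connection itself. Every stage that
                # references it, regardless of the environment it names,
                # waits for an approver before the stage starts, so this
                # task cannot run unapproved no matter how the YAML is
                # edited.
                - task: AzureRmWebAppDeployment@4
                  inputs:
                    ConnectionType: 'AzureRM'
                    azureSubscription: 'Production'
                    appType: 'webApp'
                    WebAppName: 'my-production-web-app'
                    package: '$(System.ArtifactsDirectory)/**/*.zip'
```

Two points to check alongside this: keep production in its own service connection (a DEV-scoped connection that can also reach the production subscription would reopen the gap the question describes), and limit the Administrator role on the 'Production' connection, since whoever holds it can edit or delete the approval check.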