DevOps | Scripts | Automation

How to add approval gates in an ADO YAML pipeline?

Why is an approval gate required?

An approval gate in a YAML pipeline protects the pipeline from being run accidentally, and from being run with malicious intent by an authorized user. It makes the pipeline more robust.

For example, say you have an ADO pipeline that removes unallocated resources from the subscription, but management wants data on those resources, and your capacity management team pulls that report on the last Monday of every month. Now suppose a team member accidentally runs the pipeline before the capacity team has pulled the report.

In this situation, you would want the request to run the pipeline to come to you for approval first. This is what approval gates are for.

You can find more details about approvals and checks at the link below:

https://learn.microsoft.com/en-us/azure/devops/pipelines/release/approvals/?view=azure-devops&tabs=yaml

How to create an approval gate?

Adding an approval gate to an ADO YAML pipeline is not as straightforward as it is in a release pipeline. This article covers the YAML case.

To create an approval gate in a YAML-based pipeline, follow the steps below.

  1. Create an Environment in Azure DevOps if one doesn’t exist. The approvers are added to the environment, and the environment is referenced before all tasks, so the pipeline asks for approval during execution and only then proceeds.
  2. Add a deployment job to the YAML pipeline that references the created environment.

Adding an approval gate in the YAML pipeline

Let’s add the approval gate to the YAML pipeline.

1. Create the environment.

To create an environment in Azure DevOps, click Pipelines -> Environments -> Create Environment.

Provide the name of the environment.

Click the three dots on the right side, then click Approvals and Checks.

Select “Approvals”.

Once you click Approvals, provide the approvers’ names and the other settings as per your requirements. You can add multiple approvers.

If you plan to use different approvals at every stage, you need to create a corresponding number of environments.

2. Add Environment details in YAML pipeline

The approval gate checks for approvals at the stage level, which means you can add an approval for each stage. In the example below, approval is added for Stage1 using the environment “Approval_Env” that we created.

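stages:
  - stage: Stage1
    displayName: Test Approval Gate
    jobs:
      - deployment: ApprovalGate
        displayName: Add approval gate
        # Approvals configured on this environment are checked before the stage starts
        environment: Approval_Env
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Approval gate is passed"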

Now, if you run the pipeline after adding the above part to your YAML code, it will ask for approval.

Click the Approve button and add a comment (optional) to grant the user access to the environment and, ultimately, the pipeline. The approver can also reject the request if the pipeline was not meant to be run.

Once the approver approves, the pipeline executes the next tasks.

Full code for the above pipeline.

# No CI trigger: commits do not start this pipeline
trigger: none

pool:
  vmImage: ubuntu-latest

stages:
  - stage: Stage1
    displayName: Test Approval Gate
    jobs:
      - deployment: ApprovalGate
        displayName: Add approval gate
        # Approvals configured on this environment are checked before the stage starts
        environment: Approval_Env
        strategy:
          runOnce:
            deploy:
              steps:
                - task: PowerShell@2
                  inputs:
                    targetType: 'inline'
                    script: |
                      # Write your PowerShell commands here.
                      Write-Host "Approval gate is passed"

Please note: If you add the approval gate using an environment, it is not possible to browse the repository files in that same stage. For example, if your script calls another file in the repo, the path to that file won’t be recognized, because the Environment overwrites the VM Image pool.

So put the approval environment in a different stage from the regular tasks.
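The stage split recommended above, written out as an added example (it is not from the original article): the first stage only waits for approval on Approval_Env, and the regular work runs in a second stage that depends on it. The stage name `Cleanup`, the job name `RunScript` and the script path `scripts/cleanup.ps1` are hypothetical.

```yaml
# Added example: approval gate in its own stage, regular work in the next stage.
# "Cleanup", "RunScript" and scripts/cleanup.ps1 are hypothetical names.
trigger: none

pool:
  vmImage: ubuntu-latest

stages:
  # Stage 1: exists only to wait for the approvers configured on Approval_Env.
  - stage: Stage1
    displayName: Approval gate
    jobs:
      - deployment: ApprovalGate
        displayName: Wait for approval
        environment: Approval_Env
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "Approval gate is passed"

  # Stage 2: the regular tasks. It starts only after Stage1 succeeds,
  # so a rejected approval means this stage is skipped.
  - stage: Cleanup
    displayName: Run regular tasks
    dependsOn: Stage1
    condition: succeeded()
    jobs:
      - job: RunScript
        displayName: Run script from the repository
        steps:
          # A regular job checks out the repository by default;
          # the explicit step makes that visible.
          - checkout: self
          - task: PowerShell@2
            inputs:
              targetType: 'filePath'
              filePath: '$(Build.SourcesDirectory)/scripts/cleanup.ps1'
```

In this layout the second stage is gated only through `dependsOn: Stage1` in the YAML, so the protection holds only as long as that dependency stays in place.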

Conclusion

  • Add approval gates to the ADO pipeline to protect against unintended runs.
  • With approval gates, a scheduled pipeline will ask for approval every time it runs. Try not to add approvals to a scheduled pipeline.
  • If approval is required for each stage, you need to create that number of environments.
  • Try to add the approval environment in the first stage, keeping it separate from the regular tasks.
