How to secure TeamCity deployment via Web Deploy service?

security deployment teamcity

Using the roles and permissions in Teamcity, you can have a project that only your deployment team has access to. It can have an artifact dependency on the main build, and you can even have it used "last pinned build" so developers can control what's even available.

I would install a build agent that is able to deploy to the target system(s), and then use the "compatible builds" feature of that agent in the TeamCity UI to make it only compatible with your production deployment build. (Of course you'll also want to ensure your developers don't have permissions to modify agent configuration.)

This is one downside of Teamcity using Agent compatible configurations options: if you leave your other build agent(s) as compatible with all builds, then the production deployment may be attempted from one of them if free. The only workaround I know of is to set them all to only run "specified builds" and add all other builds to the other agent(s). The pain is if you add a new build, it won't be able to run anywhere until you specifically add it as compatible.

There are another couple ways to restrict the build to only run on specific agents using Agent Requirements in the build configuration.

One is to add a requirement that teamcity.agent.name equals the agent name you want it to run on. (or conversely, Does Not Equal the one you don't want it to run on).

Another is to add a requirement for an environment variable (exists, or with a specific value) and then only set that environment variable on the agent(s) you want to be able to run that build.

Another possible solution is to have two installs of Teamcity, since you effectively have two different sets of users. You obviously can't use an artifact dependency, but you can always get to the latest artifacts of a given build using a url like: * http://teamcity.server/repository/download/bt41/latest.lastSuccessful/setupfile.exe

where:

  • bt41 is the build id in Teamcity (you can find it in the URL when you navigate to any build)
  • latest.lastSuccessful can also be lastest.lastPinned, `latest.lastFinished, or the exact build number
  • setupfile.exe is the file you want to grab from the artifacts output (this can also be a path, if it's not published in the top-level)

For securing the web deploy process, if you are on a domain, you can setup web deploy to accept windows authentication and then have the teamcity build agent run as the domain user who has permission to deploy in IIS. I have things setup this way, and you do not need any kind of passwords in the web deploy script.

Setting up windows authentication for web deploy: http://blogs.iis.net/carlosag/archive/2011/12/13/using-windows-authentication-with-web-deploy-and-wmsvc.aspx

Related

What to do with suddenly unreachable non-logging EC2 instance?
ERROR Fatal error: Illegal or unknown default time zone 'UTC'
How to comment out / uncomment a line in a configuration file with Augeas?
Approaches for Linux server disk encryption
XFS: no space left on device, (but I have 850GB available!)
What limits are there on the number of reverse ssh tunnels?
Using HAProxy, matching root URL only in ACL
limits.conf not being applied.
Concatenating function result with string in powershell
Port 80 being used by Microsoft-HTTPAPI/2.0
Can I configure mailman so that it won't break S/MIME digital signatures?
Iperf from one interface to another on the same computer?