Azure / template-specs

possibility to disable edit template version #48

Open azMantas opened 3 years ago

azMantas commented 3 years ago

To ensure stability, we would like to disable the editing feature in templateSpecs. We could provide an additional parameter when creating a templateSpec: "-edit $false"

stweb1963 commented 3 years ago

This seems more of an RBAC action by defining and assigning role(s) based on

Microsoft.Resources/templateSpecs/read|write|delete
Microsoft.Resources/templateSpecs/versions/read|write|delete

There aren't any specific roles defined yet, but nothing that can't be handled with a custom role.

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

azMantas commented 3 years ago

We want to allow people to create new versions, and we don't want to stop them from doing that. But we want to be sure that new versions are created instead of overwriting an existing one. Let's say we have a stable version 1.0, and if someone tries to update the same version, it will be denied instead of prompting to overwrite:

Template Spec version '1' already exists and this action will overwrite existing data for this version. Are you sure you'd like to overwrite existing Template Spec version data for Template Spec 'a' version '1'?

My question is: how to disable overwriting an existing version?

alex-frankel commented 3 years ago

There is no way to disable it today so that we can allow for hotfixes if needed. That being said, the ask makes sense. We will discuss on our side to see if we could add a property that would disable overwrites. cc @apclouds

stweb1963 commented 3 years ago

Understand

We mitigated this risk by only allowing our pipeline to write templateSpecs. Everyone else has read, except if you've been granted specific RBAC rights.

The version is either

azMantas commented 3 years ago

Theoretically speaking, we also have a pipeline that creates new template versions, and that just works. But in reality few people have direct access to template specs...
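One way to implement the pipeline-side mitigation discussed in this thread, as an added example that is not from the thread or the template-specs project: a publish step that refuses to overwrite an existing version and fails closed when it cannot check. It assumes the Azure CLI `az ts show` / `az ts create` commands and that a missing version is reported with an error containing `NotFound`; `publish_ts_version` is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Added example (not project code): publish a Template Spec version only if
# that version does not exist yet, so a released version is never overwritten.
# Assumption: the pipeline identity is already logged in to the Azure CLI.

# publish_ts_version <resource-group> <spec-name> <version> <template-file>
# Returns: 0 published, 2 bad usage, 3 version already exists,
#          4 existence check failed for another reason (fail closed).
publish_ts_version() {
  if [ "$#" -ne 4 ]; then
    echo "usage: publish_ts_version RG NAME VERSION FILE" >&2
    return 2
  fi
  local rg="$1" name="$2" version="$3" file="$4" err

  # Probe for the exact version; success means it is already published.
  if err=$(az ts show --resource-group "$rg" --name "$name" \
             --version "$version" --output none 2>&1); then
    echo "refusing to overwrite '$name' version '$version'; bump the version" >&2
    return 3
  fi

  # Only a "not found" answer proves the version is free. Anything else
  # (expired login, missing read permission, network error) must not be
  # treated as "does not exist".
  # Assumption: the CLI error text for a missing version contains "NotFound".
  case "$err" in
    *NotFound*) ;;
    *) echo "cannot verify that version '$version' is unused: $err" >&2
       return 4 ;;
  esac

  # --yes keeps a non-interactive pipeline from hanging on a confirmation prompt.
  az ts create --resource-group "$rg" --name "$name" --version "$version" \
    --template-file "$file" --yes --output none
}

# Usage in a pipeline step (constructed values):
#   publish_ts_version rg-templates storage-spec 1.1 ./main.json
```

The check and the create are two separate calls, so this guard is not atomic; it complements, rather than replaces, restricting `Microsoft.Resources/templateSpecs/versions/write` to the pipeline identity.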