template ci/cd pipeline enforcement

I was wondering if there is a way to disable the template editor in the ui or making it read only even for owners(although that wouldn't fix them having cli/api access) I am basically looking for a way that can enforce template changes through merge request using ci coder service account with gitlab pipelines.
19 Replies
Codercord
Codercord5mo ago
<#1273026731938283590>
Category
Feature request
Product
Coder OSS (v2)
Platform
Linux
Logs
Please post any relevant logs/error messages.
Phorcys
Phorcys5mo ago
hey @Spiked_Grape, this isn't possible yet, i guess you could reserve the owner role the service account used for CI please open a feature request via GH Issues
Phorcys
Phorcys5mo ago
GitHub
Issues · coder/coder
Provision remote development environments via Terraform - Issues · coder/coder
Spiked_Grape
Spiked_GrapeOP5mo ago
@Phorcys ok thanks. what about not making templates available to everyone by default. Is there a flag/option for that? If I am testing out a new template, currently I push it via cli then go change the permissions in the ui.
Phorcys
Phorcys5mo ago
well, except not giving them the owner/admin role I don't think so i'm not sure maybe you can do it via the API, I don't know if there's a flag, I will take a look
Atif
Atif5mo ago
Hi @Spiked_Grape there are settings to manage templates accesss See https://coder.com/docs/templates/permissions You can use --private flag from CLI it will work with
coder templates create --private ...
coder templates create --private ...
From coder templates create--help
--private bool
Disable the default behavior of granting template access to the 'everyone' group. The template permissions
must be updated to allow non-admin users to use this template.
--private bool
Disable the default behavior of granting template access to the 'everyone' group. The template permissions
must be updated to allow non-admin users to use this template.
Spiked_Grape
Spiked_GrapeOP5mo ago
@Atif what about the deprecation notice at the top of that page. I thought you have to templates push now and that doesn't show a private or group option
No description
Atif
Atif5mo ago
create was deprecated in favor of merging the functionality in push I am sorry, I missed that deprecation notice. --private should work with push too. Let me know if it doesn't. And we can fix it and if it works we will update docs to reflect the change.
Phorcys
Phorcys4mo ago
hello @Spiked_Grape -- any luck?
Spiked_Grape
Spiked_GrapeOP4mo ago
Hi I was looking at the new docs that use the coderd terraform provider. https://coder.com/docs/templates/change-management Where you can use acl for the permissions etc. but I haven't had a chance to try it out yet. So when you using ci cd to add new versions, I would want to add a new version map to version list inside the existing template resource?
Change management - Coder Docs
Versioning templates with git and CI
From An unknown user
From An unknown user
Phorcys
Phorcys4mo ago
I don't think that would be needed -- looks like it would just grab whatever you have in the template directory and push it if contents have changed!
zounce
zounce4mo ago
Phorcys is correct, the versions list is alike to recording different branches of versions if you make changes to the contents of a version in the list, a new template version will get created when you apply
Spiked_Grape
Spiked_GrapeOP4mo ago
Ok is there a way to apply different acls to the different versions or am I better off just having two completely different templates.
Spiked_Grape
Spiked_GrapeOP4mo ago
Like I am trying to work on gitlab pipeline starting with this example and wanted developers to be able to push a staging version that all users couldn't see and maybe do that in a staging branch etc. https://registry.terraform.io/providers/coder/coderd/latest/docs/resources/template
zounce
zounce4mo ago
Yeah you’ll need two templates for two different ACLs Just keep in mind any ACL/permissions modification requires enterprise
Spiked_Grape
Spiked_GrapeOP4mo ago
Yeah have that
Phorcys
Phorcys3mo ago
hey @Spiked_Grape, can we close this issue?
Spiked_Grape
Spiked_GrapeOP3mo ago
Ok thanks for the help
Codercord
Codercord3mo ago
@Phorcys closed the thread.

Did you find this page helpful?