Ask questionsAbility to detect user who initiated build
I am part of a team that maintains a suite of software used for deployment and CI/CD internally within my company. We maintain a set of hosted services that run the actual deployments, as well as a client application used to interact with those services. This client application can be run locally or run within the context of a Concourse pipeline for automation of these deployments. We are currently in the middle of a push to increase the visibility and auditability of deployments made using our tooling.
With the current stateless design of Concourse and the intentional limiting of information, I lack two very distinct capabilities that are limiting my team's ability to effectively use Concourse:
Of the two, the first one is the more critical for our use case. Our Concourse server is integrated with our corporate SSO system, but the user information is not exposed to the pipelines, so our build process cannot detect who initiated a particular build (or which pipeline initiated it, or if it was automatically triggered). This seriously limits our ability to audit deployments and builds, and do any sort of forensics if we encounter issues with a build down the line (especially since the pipeline-specific and build-specific information appears to be completely deleted if the pipeline itself is deleted). We can collect this information if the deployment is triggered using a local run of the client binary, but not if it is triggered via Concourse.
Exposing the user information to the build process, perhaps through environment variables or some sort of local metadata service we could
curl to. Implementing a solution to 1) will most likely effectively solve 2) at the same time.
Unlikely I'd have the bandwidth to do so.
Answer questions chrised
+1 from myself and my team also, we'd really like this for SOC 2 Compliance; otherwise we're probably going to have to resort to deploying something like RunDeck alongside our Concourse deployment, which would suck.