Require approval for deployments to protected Puppet environments

If your organization's business processes require manual review and approval before deploying Puppet code to certain environments, you can create an approval group consisting of users with the authority to review proposed deployments and manually approve or decline them.

Before you begin:
  • Make sure you have super user permissions. You can't create approval groups if you don't have super user permissions.
  • If it is not already configured, Configure SMTP for your Continuous Delivery installation.
  • Identify the users you want to designate as authorized approvers.
  • Identify the Puppet environments that need to require manual approval for code deployments.

Environments that require manual approval for deployments are known as protected environments. The authorized approvers (who belong to an approval group) review all proposed deployments to the protected environments, and they manually approve or decline each deployment. Deployments to protected environments don't proceed until an approver makes a decision.

You can create multiple approval groups if you want different users to authorize deployments to different environments.

  1. Create an approval group:
    1. In the Continuous Delivery web UI, go to Settings.
    2. Switch to the Groups tab and click Create new group.
    3. Enter a group name (such as Approvers) and description, then click Save.
      If you're creating multiple approval groups, you might want more specific names, such as Production Approvers.
    4. In each permissions category, select the permissions you want to assign to the approval group, then click Save and add users.
      At minimum, the approval group must have the List permission for Control repos so they can view and approve/deny deployments.
    5. On the Add users page, select the individuals you want to review deployments to protected environments. You can search for users by user name or email address.
    6. Repeat these steps if you want to create more approval groups.
  2. Specify which Puppet environments require manual approval for deployments:
    1. In the Continuous Delivery web UI, go to Settings > Puppet Enterprise.
    2. Locate the Protected environments section for the relevant PE integration.
    3. Click Add protected environment.
    4. Select the Puppet environment for which you want to require manual approval for deployments.
    5. Select the approval group you want to review deployments to this environment.
    6. Click Add Protected Environment.
    7. Repeat these steps to designate additional protected environments, then click Done.

After creating approval groups and designating protected environments, each time a deployment to a protected environment is triggered (either manually or through a pipeline), the members of the environment's designated approval group get an email and a message in the Message center alerting them that a deployment requires manual review.

One member of the approval group must review the deployment's Details page, click Provide approval decision, and choose whether to approve or decline the deployment. If approved, the deployment process proceeds. If declined, the process terminates. A record of the decision is added to the deployment's Details page.