We are using Bamboo 6.9.0 build 60909 and we have different projects within the company. Each team is working within its project to create Plans, Stages, Jobs, Deployment Projects and Environments.
So my team has its own project and we found out that the most convenient way to store passwords in a central place was to use global variables (on admin level). This way any of our Plans, Stages, Jobs, Deployment Projects and Environments can use them.
We were aware of the fact that other admins from other project teams could see the defined variables, but it was OK at the time.
Now concerns emerge, and other project teams advised my team to get rid of our project-related global variables, rightfully claiming that global variables are actually reserved for cross-project variables (like company variables).
Therefore I was wondering if upgrading Bamboo to version 7.1 would help... As a matter of fact, I found out that Bamboo 7.1 supports another "level" of variables: https://confluence.atlassian.com/bamboo/defining-project-variables-1018270685.html
Because it is not clear to me whether Deployment Projects and Environments belong to a Project, I was wondering if project variables are also accessible in Deployment Projects and Environments?
Deployments can and are normally linked to a build plan. When creating a deployment project, one of the available settings is 'Link to build plan'. This ensures build artefacts are shared from the build to the deployment, but the variable context of the build is also captured and available during the deployment as stated at https://confluence.atlassian.com/bamboo/bamboo-variables-289277087.html#Bamboovariables-Releasesvariables. This includes a snapshot of the project variables as well!
The problem with this is that, as per the documentation, "The snapshots mentioned above do not contain password variables", which is a requirement in your situation if I understand correctly. In order to solve this, some options come to mind:
- Do not use the words 'Secret' or 'Password' in your variable names, so they are not treated as 'password variables' by Bamboo. This exposes your passwords/secrets and thus might or might not be an option based on the security context.
- During your builds, write your variables to a properties file in a (script) task and subsequently read this file back to ***result*** variables using the 'inject Bamboo variables task' to pass them to the deployment. See: https://confluence.atlassian.com/bamboo/configuring-a-variables-task-687213475.html. However, this is only marginally better in terms of security than the previous option.
- Specify your variables twice, once in the context of the build (plan or project variables) and once in the context of the deployment (environment variable). This might or might not be an option, but requires keeping the variables in sync.
- Use something like the plugin https://marketplace.atlassian.com/apps/1221965/secret-managers-for-bamboo, which allows you to fetch the variables both for the build and the deployment from a central location without compromising on security. Note that I am affiliated with this plugin.
Hope this helps.
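Added example (not part of the original posts, and not Bamboo or plugin code): a small audit of a variable inventory against the two pitfalls described in the answer above, namely password variables missing from the release snapshot and sensitive values whose names avoid the password treatment. The function names and sample inventory are constructed, and the name rule (case-insensitive match on "password" or "secret") is an assumption based on the two words the answer names.

```python
import re

# Assumption: a variable is treated as a password variable when its name
# contains "password" or "secret" (the words named in the answer above),
# matched case-insensitively.
PASSWORD_NAME = re.compile(r"password|secret", re.IGNORECASE)


def is_password_variable(name):
    """True if the variable name falls under the password-variable rule."""
    return bool(PASSWORD_NAME.search(name))


def audit(build_vars, environment_vars):
    """Audit a variable inventory for the two pitfalls in the answer.

    build_vars: dict mapping each global/project/plan variable name to
        True if the team considers its value sensitive, else False.
    environment_vars: names defined directly on the deployment environment.

    Returns a dict with two sorted lists:
      unmasked        - sensitive values whose names do not match the
                        password rule, so they are handled as plain values.
      not_in_snapshot - password variables that are absent from the release
                        snapshot and not redefined on the environment, so
                        the deployment cannot see them.
    """
    env = set(environment_vars)
    unmasked = sorted(
        name for name, sensitive in build_vars.items()
        if sensitive and not is_password_variable(name)
    )
    not_in_snapshot = sorted(
        name for name in build_vars
        if is_password_variable(name) and name not in env
    )
    return {"unmasked": unmasked, "not_in_snapshot": not_in_snapshot}


if __name__ == "__main__":
    # Constructed sample inventory.
    build = {"db.password": True, "api.token": True,
             "deploy.secret": True, "region": False}
    environment = ["db.password"]
    for finding, names in audit(build, environment).items():
        print(finding, names)
```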
Welcome to the Community!
I'm not 100% sure as I haven't tried this out myself, but based on the way I have seen variables act from within Bamboo Specs (Java or YAML), I believe Deployment projects are separate from Build Projects.