Ajanthan HR

Posted on Mar 30 • Edited on Mar 31

GitHub Access Governance with Pulumi.

#devchallenge #pulumichallenge #github #githubchallenge

This is a submission for the Pulumi Deploy and Document Challenge: Get Creative with Pulumi and GitHub

Introduction

Managing user access in GitHub at scale is not easy, especially when you have to handle multiple repositories, teams, and permissions across an organization. It becomes even more challenging when you need to ensure security and compliance.

That's where Pulumi comes in. It's a powerful Infrastructure as Code (IaC) tool that allows you to define and enforce access policies using familiar programming languages like Python, TypeScript, and Go. Instead of manually managing permissions, you can automate everything with code, making it more efficient and scalable.

What I Built: Automated GitHub Access Management

This project aims to create a fully automated system for simplified permission management, eliminating the need to manually configure settings within GitHub's interface.

The solution allows you to define user roles and repository access configurations within a straightforward YAML file. Pulumi, combined with Python and GitHub Actions, automates the provisioning and enforcement of these access controls.

This approach is ideal for startups, enterprises, open-source projects, and any team seeking a hassle-free, scalable solution for GitHub access management.

Live Demo: Setting Up and Running the Project

Note: Make sure pulumi installation is done before. if not kindly refer https://www.pulumi.com/docs/iac/download-install
Follow these steps to see the project in action:

Step 1: Clone the Repository

git clone https://github.com/Ajanhari/pulumi-github-access-governance.git
cd pulumi-github-access-governance

Step 2: Set Up Pulumi and Install Dependencies

pip install pulumi pulumi-github pyyaml

Step 3: Configure Pulumi for Your GitHub Organization

# Login to Pulumi locally
pulumi login --local

# Set GitHub Personal Access Token (Replace with actual token)
pulumi config set --secret githubToken "<YOUR_GITHUB_PERSONAL_ACCESS_TOKEN>"

# Initialize a new Pulumi stack named "dev"
pulumi stack init dev

# Set GitHub organization/owner (Replace 'YourOrgName' with your actual org)
pulumi config set github:owner "YourOrgName"

# Set GitHub API Base URL
pulumi config set github:baseUrl "https://api.github.com"

Note: Replace with your actual GitHub Personal Access Token. Treat this token as a secret and manage it accordingly. YourOrgName should be replaced with your GitHub Organization name.

Step 4: Modify `users.yaml` to Assign Roles

Modify the users.yaml file to define roles and assign users to repositories.

repositories:
  repo1:
    admin:
      - Ajanthan
      - Sachin
    maintain:
      - maintainer1
    write:
      - Varun
      - dev2
    triage: []
    read: []
  repo2:
    admin:
      - Ajanthan
      - Sachin
    write:
      - Varun

Step 5: Deploy Changes

pulumi up --yes

Step 6: Verify in GitHub

Check your GitHub repository settings to confirm the updated access permissions.

Step 7: Automate with GitHub Actions

Push the updated users.yaml file to the repository and let GitHub Actions handle the provisioning.

git add users.yaml
git commit -m "Updated user roles"
git push origin main

GitHub Actions will automatically apply the changes.

Project Repo

https://github.com/Ajanhari/pulumi-github-access-governance

Key Advantages

Centralized User Management: Define and manage all access permissions in a single YAML file.
Automated Access Control: Eliminates the need for manual configuration, reducing human error and saving time.
Scalability: Designed to efficiently handle access management for hundreds of repositories.
Compliance & Security: Leverages GitHub Actions for audit trails and logs, enhancing compliance and security.

Conclusion

If you're seeking to streamline GitHub access governance across multiple repositories, Pulumi offers a powerful and efficient solution. By leveraging Infrastructure as Code principles, Pulumi simplifies permission management, enhances scalability, and improves the reliability of your GitHub access controls. This approach saves time and reduces risk, allowing your team to focus on development and innovation.

If you have any queries, let me know in the comments section. Happy to assist you.

Note: This code is tested in github enterprise account.

Quadratic AI – The Spreadsheet with AI, Code, and Connections

AI-Powered Insights: Ask questions in plain English and get instant visualizations
Multi-Language Support: Seamlessly switch between Python, SQL, and JavaScript in one workspace
Zero Setup Required: Connect to databases or drag-and-drop files straight from your browser
Live Collaboration: Work together in real-time, no matter where your team is located
Beyond Formulas: Tackle complex analysis that traditional spreadsheets can't handle

Get started for free.

Watch The Demo 📊✨

Top comments (3)

bassg0navy • Apr 10

I think the following is a great advantage of this approach:

Logs changes via GitHub Actions

This is a common theme I'm seeing for automating things in this fashion that is usually better or more verbose than the user interface provided by some SaaS tools.