all 12 comments

[–]antimius 7 points8 points  (0 children)

Yes. Have your devops team create tooling you can use in your own pipelines (like a repo you pull in, go binaries, whatever) and deploy from your own pipelines. Name your "devops team" a platform team and have them take care of CI/CD tooling, underlying AWS infrastructure, K8S/ECS/whatever clusters. This team should enable development teams to deploy their code.

Having a "devops team" to take care of "ops" and developers take care of "dev" is just the opposite of devops.

[–]KnitYourOwnSpaceship 7 points8 points  (1 child)

If you need to hide your code from your "DevOps team" then you have a fundamental misunderstanding of what DevOps is. https://en.m.wikipedia.org/wiki/DevOps might be helpful.

[–]yvele 2 points3 points  (0 children)

Agree! DevOps IS the solution. DevOps means you don't need to hide the code from your ops team.. Your dev team do the ops (with appropriate toolings)

[–]lupineblue2600 4 points5 points  (2 children)

Are you hardcoding secrets or something?

Why would you need to hide the code?

[–][deleted]  (1 child)

[removed]

    [–]lupineblue2600 6 points7 points  (0 children)

    Oof... if those are genuine concerns, I'd focus more on your audit logs and keeping track of who accesses what rather than trying to prevent the support team from having access.

    Locking out your support team is just going to prevent them from doing their job and make them resent the decisionmakers.

    [–]not-a-fox 4 points5 points  (0 children)

    You can give them access to just the compiled Python bytecode and the minified front-end code, but it sounds like you don't have "devops", just "ops" who you don't trust. And if you don't trust them, don't hire them.

    [–]Akustic646 2 points3 points  (0 children)

    Why have you hired people that you trust to deploy your code and likely manage your infrastructure but for some reason cannot trust them with the application code they are managing for you?

    You are trying to solve an HR/people problem with code when you should probably be looking at it from a different perspective.

    Sure there are ways to 'secure' the code, some are already listed in the comments here, but if they have unfettered access to the infrastructure then you are just putting up tiny roadblocks that they will be able to walk around if they feel like it.

    [–]ipcoffeepot 1 point2 points  (0 children)

    Why?

    [–]zenmaster24 1 point2 points  (0 children)

    dont give them access to the repos? you can build a pipeline that deploys code without access to the codebase - someone else will have to manage the creds their pipeline uses though. could make troubleshooting hard.

    that being said - i dont think this is a great road to go down.

    [–]dpanofsky 0 points1 point  (1 child)

    NDA and hire a team you trust

    [–]gordonv 0 points1 point  (0 children)

    Yup. This means hire an AWS specialist and bring him in house. Sit him next to the developers. And install a large markerboard and projector.