Built-in Protections
Check No PagerDuty Alerts
This protection ensures that no active PagerDuty alerts are triggered for the provided service.
Name: check-no-pagerduty-alerts
Parameters
apiKey - a PagerDuty API key
serviceID - PagerDuty ServiceID of the service you want to validate
Example
application:
  name: my-application
  releaseChannels:
  - name: my-release-channel
    protections:
    - ref:
        name: check-no-pagerduty-alerts
        parameters:
        - name: apiKey
          # this secret can be created with `pvnctl secrets`
          secret:
            secretRef:
              key: pagerdutyApiKey
              version: pagerdutyApiKey-0
        - name: serviceID
          string: '<service-id>'
      lifecycle:
      - preApproval: {}
      - postApproval: {}
      - postDeployment:
          checkDuration: 300s # check for 5m
Check No Datadog Alerts
This protection ensures no active Datadog monitors are triggered that match the Datadog tags provided in tagList.
Name: check-no-datadog-alerts
Parameters
apiKey - a Datadog API key
appKey - a Datadog app key with the monitors_read scope
tagList - a space-separated list of Datadog tags to filter the monitors on
Example
application:
  name: my-application
  releaseChannels:
  - name: my-release-channel
    protections:
    - ref:
        name: check-no-datadog-alerts
        parameters:
        - name: apiKey
          # this secret can be created with `pvnctl secrets`
          secret:
            secretRef:
              key: datadogApiKey
              version: datadogApiKey-0
        - name: appKey
          secret:
            secretRef:
              key: datadogAppKey
              version: datadogAppKey-0
        - name: tagList
          string: "env:prod"
      lifecycle:
      - preApproval: {}
      - postApproval: {}
      - postDeployment:
          checkDuration: 300s # check for 5m
Commit Denylist
This protection prevents known bad commits from getting deployed.
Prerequisites
Define the protection
protection:
  name: no-bad-commits # name this whatever you want
  builtin:
    commitDenylist:
      repository: github.com/foo/bar
      commits:
      - commit: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - range:
          startCommit: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # older commit, exclusive
          endCommit: cccccccccccccccccccccccccccccccccccccccc # newer commit, inclusive
Parameters
None
Example
application:
  name: my-application
  releaseChannels:
  - name: my-release-channel
    protections:
    - ref:
        name: no-bad-commits # name from earlier
      lifecycle:
      - preApproval: {}
Allowed Times
This protection allows deployments to only happen at certain times.
Define the protection
protection:
  name: my-company-business-hours # name this whatever you want
  builtin:
    allowedTimes:
      windows:
      # provide as many as needed
      - days: mon-thu,sun # "weekdays", "weekends", the short three-letter forms like "mon", "tue", and full form like "monday", "tuesday" are supported. comma-separated, can include ranges
        hours: 9-12,13-17,18 # when given as ranges, it is exclusive on the end hour. So 9-12 means 9am-12pm, but not 12:01pm. Single hour without ranges is alias for n-(n+1), so 18 is the same as 18-19
        tz: US/Eastern # defaults to UTC
See here for the full list of supported timezones.
Example
application:
  name: my-application
  releaseChannels:
  - name: my-release-channel
    protections:
    - ref:
        name: my-company-business-hours # name from earlier
      lifecycle:
      - preApproval: {} # don't even ask for approval when it's not business hours
      - postApproval: {} # do not even enter the deployment lifecycle when it's not business hours
      - deployment:
          failureBehavior: BLOCK # once in deployment lifecycle, do not apply any changes when it's not business hours
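The days/hours/tz window syntax above, modelled in Python so a spec can be checked against a timestamp before it gates a release. This is an added example, not Prodvana's implementation: the function names, the expansion of "weekdays" to mon-fri and "weekends" to sat-sun, and the rejection of wrap-around day ranges are assumptions, and the sample window uses America/New_York, the canonical IANA name that US/Eastern links to.

```python
# Added illustration of the documented window semantics (not Prodvana code).
from datetime import timezone
from zoneinfo import ZoneInfo

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order
ALIASES = {"weekdays": "mon-fri", "weekends": "sat-sun"}  # assumed expansion


def parse_days(spec):
    """Expand 'mon-thu,sun' into a set of weekday indexes (0 = Monday)."""
    out = set()
    for part in spec.lower().split(","):
        part = ALIASES.get(part.strip(), part.strip())
        lo, _, hi = part.partition("-")
        start = DAYS.index(lo[:3])             # accepts 'mon' and 'monday'
        end = DAYS.index(hi[:3]) if hi else start
        if end < start:
            raise ValueError(f"wrap-around day range not modelled: {part}")
        out.update(range(start, end + 1))      # day ranges are inclusive
    return out


def parse_hours(spec):
    """Expand '9-12,13-17,18' into half-open (start, end) hour pairs."""
    pairs = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        start = int(lo)
        end = int(hi) if hi else start + 1     # '18' is an alias for '18-19'
        if not 0 <= start < end <= 24:
            raise ValueError(f"bad hour range: {part}")
        pairs.append((start, end))
    return pairs


def is_allowed(when, windows):
    """True if the timezone-aware datetime `when` falls inside any window."""
    if when.tzinfo is None:
        raise ValueError("naive datetime: the timezone would be ambiguous")
    for w in windows:
        local = when.astimezone(ZoneInfo(w["tz"]) if w.get("tz") else timezone.utc)
        hour_ok = any(s <= local.hour < e for s, e in parse_hours(w["hours"]))
        if local.weekday() in parse_days(w["days"]) and hour_ok:
            return True
    return False


# Constructed sample mirroring the window defined above.
WINDOWS = [{"days": "mon-thu,sun", "hours": "9-12,13-17,18", "tz": "America/New_York"}]
```

Because the day and hour are evaluated in the window's own timezone, a timestamp that is already Friday in UTC can still fall inside a Thursday window, and the reverse.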