GitHub Access Governance with Pulumi.
This is a submission for the Pulumi Deploy and Document Challenge: Get Creative with Pulumi and GitHub
Introduction
Managing user access in GitHub at scale is not easy, especially when you have to handle multiple repositories, teams, and permissions across an organization. It becomes even more challenging when you need to ensure security and compliance.
That's where Pulumi comes in. It's a powerful Infrastructure as Code (IaC) tool that allows you to define and enforce access policies using familiar programming languages like Python, TypeScript, and Go. Instead of manually managing permissions, you can automate everything with code, making it more efficient and scalable.
What I Built: Automated GitHub Access Management
This project aims to create a fully automated system for simplified permission management, eliminating the need to manually configure settings within GitHub's interface.
The solution allows you to define user roles and repository access configurations within a straightforward YAML file. Pulumi, combined with Python and GitHub Actions, automates the provisioning and enforcement of these access controls.
This approach is ideal for startups, enterprises, open-source projects, and any team seeking a hassle-free, scalable solution for GitHub access management.
Live Demo: Setting Up and Running the Project
Note: Make sure Pulumi is installed before you begin. If it is not, refer to https://www.pulumi.com/docs/iac/download-install
Follow these steps to see the project in action:
Step 1: Clone the Repository
git clone https://github.com/Ajanhari/pulumi-github-access-governance.git
cd pulumi-github-access-governance
Step 2: Set Up Pulumi and Install Dependencies
pip install pulumi pulumi-github pyyaml
Step 3: Configure Pulumi for Your GitHub Organization
# Login to Pulumi locally
pulumi login --local
# Initialize a new Pulumi stack named "dev" (the config values below are stored per stack, so the stack must exist first)
pulumi stack init dev
# Set GitHub Personal Access Token (Replace with actual token)
pulumi config set --secret githubToken "<YOUR_GITHUB_PERSONAL_ACCESS_TOKEN>"
# Set GitHub organization/owner (Replace 'YourOrgName' with your actual org)
pulumi config set github:owner "YourOrgName"
# Set GitHub API Base URL
pulumi config set github:baseUrl "https://api.github.com"
Note: Replace <YOUR_GITHUB_PERSONAL_ACCESS_TOKEN> with your actual GitHub Personal Access Token. Treat this token as a secret and manage it accordingly; the --secret flag stores it encrypted in the stack configuration rather than in plain text. YourOrgName should be replaced with your GitHub Organization name.
Step 4: Modify users.yaml to Assign Roles
Modify the users.yaml file to define roles and assign users to repositories.
repositories:
  repo1:
    admin:
      - Ajanthan
      - Sachin
    maintain:
      - maintainer1
    write:
      - Varun
      - dev2
    triage: []
    read: []
  repo2:
    admin:
      - Ajanthan
      - Sachin
    write:
      - Varun
Step 5: Deploy Changes
pulumi up --yes
Step 6: Verify in GitHub
Check your GitHub repository settings to confirm the updated access permissions.
Step 7: Automate with GitHub Actions
Push the updated users.yaml file to the repository and let GitHub Actions handle the provisioning.
git add users.yaml
git commit -m "Updated user roles"
git push origin main
GitHub Actions will automatically apply the changes.
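Before Step 5 applies the file, it is worth validating users.yaml and comparing it with what the repositories actually grant, so that Step 6 becomes a check you can automate. The following is example code written for this post, not part of the project repository: it assumes users.yaml has already been loaded with yaml.safe_load (the USERS dict is what that returns for the Step 4 file), and the ACTUAL collaborator snapshot is constructed sample data standing in for what the GitHub API would report.

```python
ROLES = ("admin", "maintain", "write", "triage", "read")  # GitHub repository roles

# Constructed: what yaml.safe_load returns for the users.yaml shown in Step 4.
USERS = {"repositories": {
    "repo1": {"admin": ["Ajanthan", "Sachin"], "maintain": ["maintainer1"],
              "write": ["Varun", "dev2"], "triage": [], "read": []},
    "repo2": {"admin": ["Ajanthan", "Sachin"], "write": ["Varun"]},
}}

# Constructed snapshot of direct collaborators currently on GitHub: {(repo, user): role}.
ACTUAL = {("repo1", "Ajanthan"): "admin", ("repo1", "Sachin"): "admin",
          ("repo1", "maintainer1"): "maintain", ("repo1", "Varun"): "admin",
          ("repo1", "dev2"): "write", ("repo1", "contractor9"): "write",
          ("repo2", "Ajanthan"): "admin", ("repo2", "Sachin"): "admin"}


def desired_grants(config):
    """Flatten the role map into {(repo, user): role}. Rejects unknown roles
    (a typo would otherwise silently drop a grant) and a user listed under
    two roles for one repo (ambiguous; here the last entry wins)."""
    grants, errors = {}, []
    for repo, roles in config["repositories"].items():
        for role, users in (roles or {}).items():
            if role not in ROLES:
                errors.append(f"{repo}: unknown role '{role}'")
                continue
            for user in users or []:
                if (repo, user) in grants:
                    errors.append(f"{repo}: {user} listed as {grants[(repo, user)]} and {role}")
                grants[(repo, user)] = role
    return grants, errors


def drift(desired, actual):
    """Three kinds of drift: grants in YAML but absent on GitHub (missing),
    grants on GitHub that no YAML entry manages (unmanaged, e.g. a collaborator
    added through the UI), and grants whose role differs (changed)."""
    missing = {k: v for k, v in desired.items() if k not in actual}
    unmanaged = {k: v for k, v in actual.items() if k not in desired}
    changed = {k: (actual[k], v) for k, v in desired.items()
               if k in actual and actual[k] != v}
    return missing, unmanaged, changed


if __name__ == "__main__":
    grants, errors = desired_grants(USERS)
    for e in errors:
        print("config error:", e)
    for kind, items in zip(("missing", "unmanaged", "changed"), drift(grants, ACTUAL)):
        for (repo, user), val in sorted(items.items()):
            print(f"{kind:9} {repo}/{user}: {val}")
```

Running it reports Varun as changed on repo1 (admin on GitHub, write in YAML), contractor9 as an unmanaged grant, and Varun's write access on repo2 as missing; unmanaged grants are the ones a YAML-only review would never see.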
Project Repo
https://github.com/Ajanhari/pulumi-github-access-governance
Key Advantages
Centralized User Management: Define and manage all access permissions in a single YAML file.
Automated Access Control: Eliminates the need for manual configuration, reducing human error and saving time.
Scalability: Designed to efficiently handle access management for hundreds of repositories.
Compliance & Security: Leverages GitHub Actions for audit trails and logs, enhancing compliance and security.
Conclusion
If you're seeking to streamline GitHub access governance across multiple repositories, Pulumi offers a powerful and efficient solution. By leveraging Infrastructure as Code principles, Pulumi simplifies permission management, enhances scalability, and improves the reliability of your GitHub access controls. This approach saves time and reduces risk, allowing your team to focus on development and innovation.
If you have any queries, let me know in the comments section. Happy to assist you.
Note: This code was tested with a GitHub Enterprise account.