-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Allow azuredevops_git_permissions to assign users #1096
Comments
My use case for this is to set the permissions for the build service user on a repository, likely same as OP. This is a workaround using data "azuredevops_client_config" "org" {}
data "azuredevops_project" "project" {
project_id = var.project_id
}
locals {
organization_name = regex("https?://.+?/(.+?)/", data.azuredevops_client_config.org.organization_url)[0]
build_service_name = "${data.azuredevops_project.project.name} Build Service (${local.organization_name})"
}
resource "azuredevops_git_repository" "repo" {
# ...
}
resource "terraform_data" "assign_build_user_permissions" {
lifecycle {
replace_triggered_by = [
azuredevops_git_repository.repo
]
}
provisioner "local-exec" {
interpreter = ["/bin/bash", "-c"]
command = replace(<<-EOT
DESCRIPTOR=$(curl "https://vssps.dev.azure.com/$ORGNAME/_apis/identities" --get --data "searchFilter=DisplayName" --data-urlencode "filterValue=$BUILDUSER" --data 'api-version=7.0-preview' --location -u ":$AZDO_PERSONAL_ACCESS_TOKEN" -s -f | jq -r '.value[].descriptor')
curl "https://dev.azure.com/$ORGNAME/_apis/AccessControlEntries/2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87?api-version=7.0-preview" --data $${JSONTEMPLATE//@DESCRIPTOR/$DESCRIPTOR} -u ":$AZDO_PERSONAL_ACCESS_TOKEN" -H 'Content-Type: application/json' -s -f
EOT
, "\r", "") # convert to unix newlines (otherwise $DESCRIPTOR ends up with an extra \r)
environment = {
BUILDUSER = local.build_service_name
ORGNAME = local.organization_name
JSONTEMPLATE = jsonencode({
token = "repoV2/${data.azuredevops_project.project.project_id}/${azuredevops_git_repository.repo.id}"
merge = true
accessControlEntries = [
# GenericContribute, CreateTag, PullRequestContribute
for allow in [4, 32, 16384] : { descriptor = "@DESCRIPTOR", allow = allow }
]
})
}
}
} |
I found that it is possible to assign permissions to users. Even though the docs say it is only possible to groups.
|
Worked for me as well with a few syntax tweaks, here's my final code: data "azuredevops_users" "build_service" {
principal_name = var.project_id
}
resource "azuredevops_git_permissions" "build_service_permission" {
project_id = var.project_id
repository_id = azuredevops_git_repository.repo.id
principal = one(data.azuredevops_users.build_service.users).descriptor
permissions = {
GenericContribute = "Allow"
#PullRequestContribute = "Allow"
#CreateTag = "Allow"
}
} |
Community Note
Description
Currently, azuredevops_git_permissions allows only to use groups as service principals, but not just single users. It also explicitly informs about that.
In general you're able to configure repository permissions for single user. My request is to reflect this also in the resource.
New or Affected Resource(s)
Potential Terraform Configuration
The text was updated successfully, but these errors were encountered: