Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Allow azuredevops_git_permissions to assign users #1096

Open
rubenaster opened this issue Jul 10, 2024 · 3 comments
Open

[Feature Request] Allow azuredevops_git_permissions to assign users #1096

rubenaster opened this issue Jul 10, 2024 · 3 comments
Labels
new-feature

Comments

@rubenaster
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently, azuredevops_git_permissions allows only to use groups as service principals, but not just single users. It also explicitly informs about that.

In general you're able to configure repository permissions for single user. My request is to reflect this also in the resource.

New or Affected Resource(s)

  • azuredevops_git_permissions

Potential Terraform Configuration

data "azuredevops_users" "build_service" {
  principal_name = azuredevops_project.main.id
}

resource "azuredevops_git_permissions" "project_build_service" {
  project_id    = azuredevops_git_repository.project.project_id
  repository_id = azuredevops_git_repository.projectid

  principal = data.azuredevops_users.build_service.id
  permissions = {
    GenericContribute = "Allow"
  }
}
@ialexj
Copy link

ialexj commented Aug 6, 2024

My use case for this is to set the permissions for the build service user on a repository, likely same as OP.

This is a workaround using local-exec, found to be working on stock Terraform Cloud agents:

data "azuredevops_client_config" "org" {}

data "azuredevops_project" "project" {
  project_id = var.project_id
}

locals {
  organization_name  = regex("https?://.+?/(.+?)/", data.azuredevops_client_config.org.organization_url)[0]
  build_service_name = "${data.azuredevops_project.project.name} Build Service (${local.organization_name})"
}

resource "azuredevops_git_repository" "repo" {
  # ...
}

resource "terraform_data" "assign_build_user_permissions" {
  lifecycle {
    replace_triggered_by = [
      azuredevops_git_repository.repo
    ]
  }

  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]

    command = replace(<<-EOT
      DESCRIPTOR=$(curl "https://vssps.dev.azure.com/$ORGNAME/_apis/identities" --get --data "searchFilter=DisplayName" --data-urlencode "filterValue=$BUILDUSER" --data 'api-version=7.0-preview' --location -u ":$AZDO_PERSONAL_ACCESS_TOKEN" -s -f | jq -r '.value[].descriptor')
      curl "https://dev.azure.com/$ORGNAME/_apis/AccessControlEntries/2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87?api-version=7.0-preview" --data $${JSONTEMPLATE//@DESCRIPTOR/$DESCRIPTOR} -u ":$AZDO_PERSONAL_ACCESS_TOKEN" -H 'Content-Type: application/json' -s -f
      EOT
    , "\r", "") # convert to unix newlines (otherwise $DESCRIPTOR ends up with an extra \r)

    environment = {
      BUILDUSER = local.build_service_name
      ORGNAME   = local.organization_name
      JSONTEMPLATE = jsonencode({
        token = "repoV2/${data.azuredevops_project.project.project_id}/${azuredevops_git_repository.repo.id}"
        merge = true
        accessControlEntries = [
          # GenericContribute, CreateTag, PullRequestContribute
          for allow in [4, 32, 16384] : { descriptor = "@DESCRIPTOR", allow = allow }
        ]
      })
    }
  }
}

@Jaroslav24
Copy link

Jaroslav24 commented Aug 15, 2024
edited
Loading

I found that it is possible to assign permissions to users. Even though the docs say it is only possible to groups.
What you need is a user descriptor. You can get one for Build Service using data block:

data "azuredevops_users" "build_service" {
  principal_name = azuredevops_project.main.id
}

resource "azuredevops_git_permissions" "project_build_service" {
  project_id    = azuredevops_git_repository.project.project_id
  repository_id = azuredevops_git_repository.projectid
//Then use the descriptor in principal param
  principal = data.azuredevops_users.build_service.users[0].descriptor
  permissions = {
    GenericContribute = "Allow"
  }
}

@ialexj
Copy link

ialexj commented Aug 27, 2024

Worked for me as well with a few syntax tweaks, here's my final code:

data "azuredevops_users" "build_service" {
  principal_name = var.project_id
}

resource "azuredevops_git_permissions" "build_service_permission" {
  project_id    = var.project_id
  repository_id = azuredevops_git_repository.repo.id
  principal     = one(data.azuredevops_users.build_service.users).descriptor
  permissions = {
    GenericContribute     = "Allow"
    #PullRequestContribute = "Allow"
    #CreateTag             = "Allow"
  }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
new-feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rubenaster @ialexj @xuzhang3 @Jaroslav24