Azure / azure-cli-extensions

Public Repository for Extensions of Azure CLI.
https://docs.microsoft.com/en-us/cli/azure
MIT License

Azure DevOps CLI Create Service Connection with Installation Token #1971

Open admin-simeon opened 4 years ago

admin-simeon commented 4 years ago

Extension name: Azure DevOps

Description

How do I create a GitHub service connection using an InstallationToken (the installed GitHub app) instead of an OAuth flow/PAT?

I can see the following service connection in one of my existing orgs, by running: az devops service-endpoint list

[
  {
    "authorization": {
      "scheme": "InstallationToken"
    },
    "createdBy": {
      ...
    },
    "data": {
      "AvatarUrl": "https://avatars3.githubusercontent.com/u/63518284?v=4",
      "pipelinesSourceProvider": "github"
    },
    ...
    "type": "GitHub",
    "url": "https://github.com"
  }
]

But how do I create such a connection using the DevOps CLI? It only seems to support OAuth or entering a PAT when creating a GitHub connection.

ghost commented 4 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @narula0781, @ashishonce, @romil07.

yonzhan commented 4 years ago

devops

admin-simeon commented 4 years ago

Bump. Not supported?

crmitchelmore commented 3 years ago

This would be really useful. At the moment using Terraform for DevOps isn't really possible without this.

saamorim commented 3 years ago

As a workaround, I've tried using az devops service-endpoint create --org [ORG] -p [PROJECT] --service-endpoint-configuration CustomServiceEndpoint.json with the file below, without much luck. When I access the project build information, I got the error "An error occurred while fetching the pipeline. TF400864: The Item specified by the key '26501285-261b-409c-b7ce-154f1da82d74' does not exist.", where the key 26501285... is the actual project id.

  {
    "description": "",
    "administratorsGroup": null,
    "authorization": {
      "parameters": {
        "accessToken": null
      },
      "scheme": "InstallationToken"
    },
    "createdBy": null,
    "data": {
      "AvatarUrl": "https://avatars2.githubusercontent.com/u/2916417?v=4",
      "pipelinesSourceProvider": "github"
    },
    "name": "SomeName",
    "type": "GitHub",
    "url": "https://github.com",
    "readersGroup": null,
    "groupScopeId": null,
    "serviceEndpointProjectReferences": null,
    "operationStatus": null,
    "isReady": true,
    "isShared": false,
    "owner": "Library"
  }

I don't have the specs for this JSON, and since I cannot create it by hand I cannot follow https://docs.microsoft.com/en-gb/azure/devops/cli/service-endpoint?view=azure-devops#create-service-endpoint-using-a-configuration-file to get the JSON.

If anyone figures out this JSON schema, drop a message here.

b0bu commented 1 year ago

This process is terrible and not really fit for production, but you can sort of manage it via Terraform. I haven't tried creating one via the CLI. You can create an OAuth service connection in Terraform:

resource "azuredevops_serviceendpoint_github" "organisation" {
  project_id            = azuredevops_project.platform.id
  service_endpoint_name = "some_org"
  description           = ""

  auth_oauth {
    oauth_configuration_id = "000000000-0000-0000-0000-000000000000"
  }
}

Which you then have to go and manually authorize, as the azuredevops_resource_authorization resource doesn't work. You can then go to your pipeline and "convert" the OAuth service endpoint to an "app connection", like this: [Screenshot 2023-03-27 at 15 38 01]

This creates a new service connection named "my connection (1)" or whatever you called it. You can then import this new object to Terraform with terraform import azuredevops_serviceendpoint_github.s projectid/service-endpoint-id and use it for any new pipelines for that project. I haven't come across a scenario where you'd need multiple GitHub connections per project, so it seems to be a one-time operation.

resource "azuredevops_serviceendpoint_github" "s" {
  project_id            = azuredevops_project.platform.id
  service_endpoint_name = "my connection (1)"
  description           = ""
}
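
To see which GitHub service connections in a project already use the InstallationToken scheme and which still rely on OAuth or a PAT (and so would need the manual conversion described in this thread), the JSON printed by az devops service-endpoint list can be grouped by authorization.scheme. This is an added example, not code from the thread or from the azure-cli-extensions project; the sample records, their names and ids, and the scheme values other than InstallationToken are constructed assumptions.

```python
import json
import sys

# Constructed sample shaped like the `az devops service-endpoint list` output
# quoted in this thread. Names, ids and the "OAuth"/"ServicePrincipal" scheme
# values are made up for illustration.
SAMPLE = """
[
  {"id": "00000000-0000-0000-0000-000000000001", "name": "my connection",
   "type": "GitHub", "url": "https://github.com",
   "authorization": {"scheme": "OAuth"}},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "my connection (1)",
   "type": "GitHub", "url": "https://github.com",
   "authorization": {"scheme": "InstallationToken"}},
  {"id": "00000000-0000-0000-0000-000000000003", "name": "azure-sub",
   "type": "azurerm", "authorization": {"scheme": "ServicePrincipal"}},
  {"id": "00000000-0000-0000-0000-000000000004", "name": "broken",
   "type": "GitHub", "authorization": null}
]
"""

def load_sample():
    """Parse the constructed sample into a list of endpoint dicts."""
    return json.loads(SAMPLE)

def github_connections_by_scheme(endpoints):
    """Group GitHub service connections as {scheme: [(name, id), ...]}."""
    groups = {}
    for ep in endpoints:
        if (ep.get("type") or "").lower() != "github":
            continue  # ignore non-GitHub endpoints (Azure RM, Docker, ...)
        auth = ep.get("authorization") or {}  # tolerate null/missing block
        scheme = auth.get("scheme") or "unknown"
        groups.setdefault(scheme, []).append((ep.get("name") or "", ep.get("id")))
    return groups

def not_installation_token(endpoints):
    """Sorted (name, scheme) pairs for GitHub connections on any other scheme."""
    groups = github_connections_by_scheme(endpoints)
    return sorted((name, scheme) for scheme, items in groups.items()
                  if scheme != "InstallationToken" for name, _ in items)

if __name__ == "__main__":
    # Pipe real output in:
    #   az devops service-endpoint list --org [ORG] -p [PROJECT] | python this_file.py
    # With no piped input, the constructed sample is used instead.
    data = load_sample() if sys.stdin.isatty() else json.load(sys.stdin)
    for name, scheme in not_installation_token(data):
        print(f"{name}: scheme={scheme} (not an app connection)")
```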