Azure / azure-service-operator

Azure Service Operator allows you to create Azure resources using kubectl
https://azure.github.io/azure-service-operator/
MIT License

Azure service operator for automating repo creation and access management in Azuredevops server. #3209

Open vivuu1989 opened 10 months ago

vivuu1989 commented 10 months ago

We are looking for a self-service-based approach to create Azure repos and some default pipeline components within them, to provide a self-service-based platform for our developers to create the repos and pipelines on demand. I couldn't find any useful Azure operator resources to perform this action. Also looking for a way to grant the Azure DevOps collection permission on demand so that the developers can just use them for getting access on an approval basis.

theunrepentantgeek commented 10 months ago

The focus of ASO is on resources deployable via Azure Resource Manager - as ARM Templates and/or Bicep files - though we are extending from this base for selected child resources, such as database users.

I can't find any references describing the deployment or creation of AzureDevOps repos or pipelines via ARM, so at first inspection this seems like something we wouldn't support with ASO.

If you do have some references to share, I'm keen to read them. We'd also need to discuss what the goal-seeking design of ASO would look like when it comes to a repo or pipeline. What would it mean for a repo to drift from the original spec, and how would ASO react/compensate when that drift happened?

buzzaII commented 10 months ago

There seems to be the ability to use ARM / Bicep for ADO pipelines documented here:

https://learn.microsoft.com/en-us/azure/templates/microsoft.devops/pipelines?pivots=deployment-language-bicep

Would the code generator work with these types?

theunrepentantgeek commented 10 months ago

The Microsoft.DevOps pipelines resource only has preview versions - and the latest version is 2020-07-13-preview, so it's not clear whether it is well supported. (We'd normally expect to see stable versions.) We can try out the code generator and see how it goes.

matthchr commented 8 months ago

This describes the ADO REST API. If these resources would be handcrafted (which seems likely?), they also have a Go SDK.

akanieski commented 8 months ago

Just as a side note, there is also a terraform-provider-azuredevops for Azure DevOps. I suppose a crossplane provider could be generated via crossplane upjet from the terraform-provider-azuredevops, but it would be great if ASO could cover this natively.

Although it's sort of important to note that Azure DevOps Server and Azure DevOps Services have a significantly different authentication strategy. Both support 'Personal Access Tokens' (PAT) but only Azure DevOps Services supports Entra backed OAuth for interacting with their respective REST APIs.

More Context on an example use-case:

It's not unheard of for customers to use Terraform to define their ADO Projects, Teams, Groups, and even repos. Similarly for GitOps the same pattern could be considered. For example, imagine a customer's "COE" sort of team that defines common architectures as gitops repos. COE provides a "project creation" workflow/wizard that will essentially set up their Azure Landing Zone as well as Azure DevOps Project, Teams, Repos (populated with their desired gitops architecture). Then an AKS cluster that was provisioned as part of their Landing Zone would be configured to provide ASO configurations for within the app team's Landing Zone.

So you have a COE team that uses GitOps to manage the Landing Zones. And you have an App Team that uses GitOps to manage the app team's resources within the landing zone.

matthchr commented 2 weeks ago

We're still tentatively interested in supporting this resource natively, but it's not as easy as many other resources due to the challenges mentioned above. Tracking this and gauging interest at the moment.