microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

azuredevops_variable_group_permissions actions are not visible in the Azure DevOps UI/portal #1022

Open seblatre opened 2 months ago

seblatre commented 2 months ago

Community Note

Terraform (and Azure DevOps Provider) Version

Terraform v1.7.3 on windows_amd64

Affected Resource(s)

Terraform Configuration Files

data "azuredevops_project" "project" {
  name = "XXX"
}
resource "azuredevops_variable_group" "lib" {
  # project_id takes the project's ID attribute, not the whole data source object
  project_id   = data.azuredevops_project.project.id
  name         = "My var group"
  allow_access = false
}
resource "azuredevops_team" "team" {
  project_id = data.azuredevops_project.project.id
  name       = "Team"
}
# Grants the team "Administer" on the variable group
resource "azuredevops_variable_group_permissions" "lib_permissions" {
  project_id        = data.azuredevops_project.project.id
  variable_group_id = azuredevops_variable_group.lib.id
  principal         = azuredevops_team.team.descriptor
  permissions = {
    "Administer" : "allow"
  }
}

Debug Output

Terraform output is not relevant for this issue (code is not producing any error).

Panic Output

Expected Behavior

I was expecting to see the created permissions in the Azure DevOps UI under the Security dialog of the variable group

https://dev.azure.com/yyyyyyy/XXX/_library?itemType=VariableGroups&view=VariableGroupView&variableGroupId=2459&path=My%20var%20group

Actual Behavior

The permissions for the team are not visible in the UI.

I did some troubleshooting to get a first-level analysis: when created through the UI, the permission targets the endpoint PUT https://dev.azure.com/corporatedatalake/_apis/securityroles/scopes/distributedtask.variablegroup/roleassignments/resources/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%242459 while the azuredevops_variable_group_permissions resource targets the endpoint POST https://dev.azure.com/corporatedatalake/_apis/AccessControlEntries/b7e84409-6553-448a-bbb2-af228e07cbeb

and apparently the provider resource permissions are not visible in the UI.

Steps to Reproduce

  1. terraform apply
  2. Go to the Azure DevOps portal, in the Library, to see the Security dialog of the library

Important Factoids

References

xuzhang3 commented 2 months ago

@seblatre azuredevops_variable_group_permissions manages the permissions by security namespaces, while the UI permission management page uses the role permission APIs. They are different APIs, and the role permissions API is a new API and easy to manage

seblatre commented 2 months ago

@xuzhang3, therefore no way to see it working in the Azure DevOps portal, right?

xuzhang3 commented 2 months ago

@seblatre Currently yes, the old permission management page is now unavailable
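
Added example, not part of the thread and not the provider's code: because entries written to the security namespace do not appear in the portal, an audit has to read them back from the API and decode the allow/deny bitmasks. The sketch below does that offline on constructed JSON, assuming the response shapes of the Azure DevOps security namespace and access control list queries (`actions` with `bit`/`name`, `acesDictionary` with `allow`/`deny`); the token, descriptors and bit values are placeholders, and `decode_mask` and `audit_acl` are hypothetical helper names.

```python
import json

# Constructed sample: security-namespace query response (bit values are sample
# data; read the real action bits from the live namespace).
NAMESPACE_JSON = json.dumps({"value": [{
    "namespaceId": "b7e84409-6553-448a-bbb2-af228e07cbeb",
    "actions": [{"bit": 1, "name": "View"}, {"bit": 2, "name": "Administer"},
                {"bit": 4, "name": "Use"}],
}]})

# Constructed sample: access-control-list query response. Token and descriptors
# are placeholders, not real Azure DevOps values.
ACL_JSON = json.dumps({"value": [{
    "token": "SAMPLE-TOKEN/2459",
    "acesDictionary": {
        "SAMPLE-DESCRIPTOR-TEAM": {"allow": 2, "deny": 0},
        "SAMPLE-DESCRIPTOR-OTHER": {"allow": 13, "deny": 4},
    },
}]})


def decode_mask(mask, actions):
    """Split a permission bitmask into action names; unknown bits stay as hex."""
    names, known = [], 0
    for action in sorted(actions, key=lambda a: a["bit"]):
        known |= action["bit"]
        if mask & action["bit"]:
            names.append(action["name"])
    leftover = mask & ~known
    if leftover:
        names.append(f"unknown({leftover:#x})")
    return names


def audit_acl(namespace_json, acl_json):
    """Return one row per (token, descriptor) with decoded allow/deny/effective."""
    actions = json.loads(namespace_json)["value"][0]["actions"]
    rows = []
    for acl in json.loads(acl_json)["value"]:
        for descriptor, ace in sorted(acl.get("acesDictionary", {}).items()):
            allow, deny = ace.get("allow", 0), ace.get("deny", 0)
            rows.append({
                "token": acl["token"], "descriptor": descriptor,
                "allow": decode_mask(allow, actions),
                "deny": decode_mask(deny, actions),
                # A deny on a bit wins over an allow on the same bit.
                "effective": decode_mask(allow & ~deny, actions),
            })
    return rows
```

Bits that the namespace does not define are reported as `unknown(...)` rather than dropped, so a mismatch between the action list and the stored mask is visible in the audit output.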