Closed illfunkslammer closed 1 month ago
@illfunkslammer you can get the sub permission names by API, the names are in the action block: https://learn.microsoft.com/en-us/rest/api/azure/devops/security/security-namespaces/query?view=azure-devops-rest-7.1&tabs=HTTP
{
  "namespaceId": "33344d9c-fc72-4d6f-aba5-fa317101a7e9",
  "name": "Build",
  "displayName": null,
  "separatorValue": "/",
  "elementLength": -1,
  "writePermission": 16384,
  "readPermission": 0,
  "dataspaceCategory": "Build",
  "actions": [
    {
      "bit": 1,
      "name": "ViewBuilds",
      "displayName": "View builds",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 2,
      "name": "EditBuildQuality",
      "displayName": "Edit build quality",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 4,
      "name": "RetainIndefinitely",
      "displayName": "Retain indefinitely",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 8,
      "name": "DeleteBuilds",
      "displayName": "Delete builds ",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 16,
      "name": "ManageBuildQualities",
      "displayName": "Manage build qualities",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 32,
      "name": "DestroyBuilds",
      "displayName": "Destroy builds",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 64,
      "name": "UpdateBuildInformation",
      "displayName": "Update build information",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 128,
      "name": "QueueBuilds",
      "displayName": "Queue builds",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 256,
      "name": "ManageBuildQueue",
      "displayName": "Manage build queue",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 512,
      "name": "StopBuilds",
      "displayName": "Stop builds",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 1024,
      "name": "ViewBuildDefinition",
      "displayName": "View build pipeline",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 2048,
      "name": "EditBuildDefinition",
      "displayName": "Edit build pipeline",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 4096,
      "name": "DeleteBuildDefinition",
      "displayName": "Delete build pipeline",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 8192,
      "name": "OverrideBuildCheckInValidation",
      "displayName": "Override check-in validation by build",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 16384,
      "name": "AdministerBuildPermissions",
      "displayName": "Administer build permissions",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 32768,
      "name": "CreateBuildDefinition",
      "displayName": "Create build pipeline",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    },
    {
      "bit": 65536,
      "name": "EditPipelineQueueConfigurationPermission",
      "displayName": "Edit queue build configuration",
      "namespaceId": "00000000-0000-0000-0000-000000000000"
    }
  ],
  "structureValue": 1,
  "extensionType": "Microsoft.TeamFoundation.Build.Server.BuildSecurityExtension",
  "isRemotable": true,
  "useTokenTranslator": true,
  "systemBitMask": 0
},
I'm having a similar issue with azuredevops_build_folder_permissions after "create build pipeline" was added as a permission https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/pipelines/sprint-243-update#create-build-pipeline-permission.
@xuzhang3 Is EditPipelineQueueConfigurationPermission settable through the Azure Devops terraform provider?
Is EditPipelineQueueConfigurationPermission settable through the Azure Devops terraform provider?
Yes, it's just not listed in the docs. If you add it to the permissions block, it will work.
Appears that Microsoft have introduced a new RBAC assignment for Azure DevOps Pipelines (Edit queue build configuration): https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/pipelines/sprint-237-update
Unless this permission is held, we are unable to invoke new AzDo pipeline builds, error:
{ "$id": "1", "innerException": null, "message": "TF215106: Access denied. USERNAME needs Edit queue build configuration permissions for build pipeline ####:BUILD PIPELINE NAME in team project PROJECT to perform the action. For more information, contact the Azure DevOps administrator.", "typeName": "Microsoft.TeamFoundation.Build.WebApi.AccessDeniedException, Microsoft.TeamFoundation.Build2.WebApi", "typeKey": "AccessDeniedException", "errorCode": 0, "eventId": 3000 }
As per the latest vendor documentation for the resource (azuredevops_build_definition_permissions), I am unable to find a respective permission that aligns to "Edit queue build configuration".
I believe this may also be impacting the resource azuredevops_build_folder_permissions.
May also be impacting azuredevops_project_permissions too; it appears that the permission START_BUILD may be a rollup of multiple other child permissions.
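Added example, not part of the original thread or of the provider's code: a small audit that decodes allow/deny masks with the bit values from the Build namespace response quoted above and flags principals that hold QueueBuilds without EditPipelineQueueConfigurationPermission, the gap behind the TF215106 error. The ACE records and descriptors are constructed sample data, and the check assumes explicit allow/deny on a single token with deny overriding allow (inheritance is not modelled).

```python
# Added example. Bit values are a subset copied from the "Build" namespace
# response quoted in this thread; everything else is constructed.
BUILD_ACTIONS = {
    1: "ViewBuilds",
    128: "QueueBuilds",
    512: "StopBuilds",
    2048: "EditBuildDefinition",
    16384: "AdministerBuildPermissions",
    32768: "CreateBuildDefinition",
    65536: "EditPipelineQueueConfigurationPermission",
}
QUEUE_BUILDS = 128
EDIT_QUEUE_CONFIG = 65536


def decode(mask, actions=BUILD_ACTIONS):
    """Return (known action names, leftover bits not present in `actions`)."""
    names = [name for bit, name in sorted(actions.items()) if mask & bit]
    known = 0
    for bit in actions:
        known |= bit
    return names, mask & ~known


def effective(allow, deny):
    """Assumption: an explicit deny overrides an allow for the same bit."""
    return allow & ~deny


def queue_gap(aces):
    """Descriptors that may queue builds but lack the edit-queue-config bit."""
    flagged = []
    for ace in aces:
        eff = effective(ace["allow"], ace["deny"])
        if eff & QUEUE_BUILDS and not eff & EDIT_QUEUE_CONFIG:
            flagged.append(ace["descriptor"])
    return flagged


# Constructed ACEs (hypothetical descriptors, not from a real organization).
SAMPLE_ACES = [
    {"descriptor": "constructed;ci-service", "allow": 1 | 128 | 512, "deny": 0},
    {"descriptor": "constructed;release-team", "allow": 1 | 128 | 65536, "deny": 0},
    {"descriptor": "constructed;contractor", "allow": 1 | 128 | 65536, "deny": 65536},
]

if __name__ == "__main__":
    for ace in SAMPLE_ACES:
        print(ace["descriptor"], decode(effective(ace["allow"], ace["deny"])))
    print("would hit TF215106 when queueing:", queue_gap(SAMPLE_ACES))
```

A non-zero leftover from `decode` means the mask carries bits the local table does not know, which is how a newly introduced permission such as this one shows up before documentation catches up.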