microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Permissions issue when recreating `azuredevops_git_repository` in another project #1080

Closed msl0 closed 1 month ago

msl0 commented 5 months ago

Terraform (and Azure DevOps Provider) Version

Terraform v1.8.2
on linux_amd64

+ provider registry.terraform.io/microsoft/azuredevops v1.1.1

Terraform Configuration Files

terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "~> 1.1.1"
    }
  }
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/${var.azdoorganization}"
}

data "azuredevops_project" "this" {
  name = var.project_name
}

resource "azuredevops_git_repository" "this" {
  project_id = data.azuredevops_project.this.id
  name       = var.repo_name
  initialization {
    init_type = "Clean"
  }
}

Expected Behavior

I should be able to recreate the existing repository in another project if the permissions are the same in both projects.

Actual Behavior

Provider deletes the repository of the old project, but when creating the repository in the new project I get this error: `TF401027: You need the Git 'ManageAdvSecScanning' permission to perform this action. Details: identity 'Build\<project_collection_build_service_id>', scope 'repository'.` When I clear the state and run Terraform, a new repository is created and the mentioned error does not appear, which proves that no additional permissions are required beyond those currently granted.

Steps to Reproduce

  1. terraform apply
  2. Change var.project_name
  3. terraform apply

Important Factoids

I noticed that during this operation, despite deleting the old repository from Azure DevOps, Terraform does not update the state in case of a problem, which causes another problem that I mentioned here.

msl0 commented 5 months ago

When I extended the permissions with ManageAdvSecScanning (Advanced Security: manage settings), the problem disappeared. It looks like this permission was only required for deletion. The permissions required to create new repositories are:

It would be good to include this information in the documentation.

xuzhang3 commented 1 month ago

@msl0 I tried with SPN but I can still manage the git repository with Advanced Security disabled.

Run with PAT (permission required): **Code**: Read, Create, & Manage.

xuzhang3 commented 1 month ago

Document updated. https://github.com/microsoft/terraform-provider-azuredevops/blob/main/website/docs/r/git_repository.html.markdown#pat-permissions-required

msl0 commented 1 month ago

@xuzhang3 does it make a difference that I used the pipeline user (ProjectName Build Service) token instead of PAT?

xuzhang3 commented 1 month ago

@msl0 This depends on the permissions granted to the token (ProjectName Build Service)