microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Permissions on ServiceConnections can't be set properly. #1085

Closed Bjego closed 3 days ago

Bjego commented 3 days ago

Description

Hey, we are creating and sharing several service connections across the organisation. This works pretty well with the Terraform provider. But unfortunately we can't change the Endpoint Readers via Terraform.

New or Affected Resource(s)

A permission block in all the service connection objects, where we can manipulate the rights of every service connection, or a service connection permission object which links one or more Azure DevOps group entitlements to a service connection by id.

Potential Terraform Configuration

resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id                             = azuredevops_project.example.id
  service_endpoint_name                  = "Example AzureRM"
  description                            = "Managed by Terraform"
  service_endpoint_authentication_scheme = "ServicePrincipal"
  credentials {
    serviceprincipalid  = "00000000-0000-0000-0000-000000000000"
    serviceprincipalkey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
  azurerm_spn_tenantid      = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_id   = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_name = "Example Subscription Name"
}

resource "azuredevops_serviceendpoint_permission" "examplePermission" {
  project_id         = azuredevops_project.example.id
  serviceendpoint_id = azuredevops_serviceendpoint_azurerm.example.id
  endpointReaders    = [azuredevops_group_entitlement.example.descriptor]
}

References

I think the web API can handle this, as Create and Update have the parameter "readersGroup".

https://learn.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints/update-service-endpoint?view=azure-devops-rest-7.0&tabs=HTTP

https://learn.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints/create?view=azure-devops-rest-7.0&tabs=HTTP

xuzhang3 commented 3 days ago

@Bjego does azuredevops_securityrole_assignment cover your requirements?

Bjego commented 3 days ago

@xuzhang3 yes, I figured it out. Here is the solution:

resource "azuredevops_securityrole_assignment" "serviceconnection-user" {
  scope       = "distributedtask.serviceendpointrole"
  resource_id = azuredevops_project.project.id
  identity_id = data.azuredevops_group.contributors.origin_id
  role_name   = "User"
}

Bjego commented 3 days ago

I've written a blog article: https://bw861987.medium.com/azure-devops-terraform-change-serviceconnection-and-environment-permissions-for-a-project-a0d59bfa2da1
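The solution above grants the "User" role on every service connection in the project. As an added illustration (not code from this issue or from the provider's documentation), the same resource can be narrowed to a single connection; it assumes a project "example", an azurerm service endpoint "example" and an existing group "Deployers", and the endpoint-level resource_id format is an assumption that should be checked against your organization.

```hcl
# Added example, not from the issue or the provider docs. Assumes
# azuredevops_project.example and azuredevops_serviceendpoint_azurerm.example
# are declared elsewhere in the configuration.

data "azuredevops_group" "deployers" {
  project_id = azuredevops_project.example.id
  name       = "Deployers"
}

# Project-wide grant (the approach in the issue's solution): the group can use
# every service connection in the project, including ones created later.
resource "azuredevops_securityrole_assignment" "project_wide_user" {
  scope       = "distributedtask.serviceendpointrole"
  resource_id = azuredevops_project.example.id
  identity_id = data.azuredevops_group.deployers.origin_id
  role_name   = "User"
}

# Per-connection grant: only the named endpoint becomes usable by the group.
# ASSUMPTION: the endpoint-level security resource id is "<project id>_<endpoint id>";
# verify this against the security roles API in your organization before relying on it.
resource "azuredevops_securityrole_assignment" "single_endpoint_user" {
  scope       = "distributedtask.serviceendpointrole"
  resource_id = "${azuredevops_project.example.id}_${azuredevops_serviceendpoint_azurerm.example.id}"
  identity_id = data.azuredevops_group.deployers.origin_id
  role_name   = "User"
}
```

Use "Reader" instead of "User" for identities that only need to see the connection, since "User" allows a pipeline to authenticate with it.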