microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

The `azuredevops_user_entitlement` resource doesn't work with the System Token provided in an Azure DevOps pipeline #1089

Open JustinDroege opened 1 month ago

JustinDroege commented 1 month ago

Terraform (and Azure DevOps Provider) Version

Terraform Version: 1.8 Azure Devops Provider Version: 1.1.1 Azure Devops Services & Managed Build Agents

Affected Resource(s)

Terraform Configuration Files

# HCL string literals use double quotes; single quotes are a syntax error.
resource "azuredevops_user_entitlement" "this" {
  principal_name = "user@user.de"
}

Expected Behavior

Currently, we are using the Terraform provider in the context of an Azure DevOps Services pipeline. We are using the $System.AccessToken to set the environment variable AZDO_PERSONAL_ACCESS_TOKEN. In the provider configuration, we apply the Azure DevOps Organization ID. When the pipeline is executed, we expect to be able to authorize users from the same Entra instance, which is also used by the Azure DevOps Organization, to be part of the Organization.

Actual Behavior

We receive an error stating that it is not possible and that the users are not part of the directory. The output looks like this: Error: Creating user entitlement: Adding user entitlement: (5102) You are trying to invite a user from outside your directory, but something went wrong. Please contact Azure DevOps support.

With a personal token (PAT), everything works fine, so the user is part of the directory. We also tried giving the Build Service account all permissions.

Steps to Reproduce

  1. Use the `azuredevops_user_entitlement` resource and set a valid UPN.
  2. Set the organization ID in the provider configuration block (HCL requires double-quoted strings):
    provider "azuredevops" {
      org_service_url = "bla"
    }
  3. Execute the apply in an Azure DevOps Pipeline with the given $System.AccessToken: AZDO_PERSONAL_ACCESS_TOKEN=$(System.AccessToken) terraform apply
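The three steps above wired into a pipeline, as an added example that is not part of the original issue: an Azure Pipelines job that runs the Terraform apply with the job's System.AccessToken, exactly as the report describes. The organisation name `example-org`, the `infra` directory and the secret variable `TF_AZDO_PAT` are assumptions.

```yaml
# Added example (not from the issue): an Azure Pipelines job that performs
# step 3 with the pipeline's own System.AccessToken.
# Assumptions: organisation "example-org", Terraform code in ./infra.
trigger: none

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self

  - script: |
      terraform -chdir=infra init -input=false
      terraform -chdir=infra apply -input=false -auto-approve
    displayName: Terraform apply with the job's System.AccessToken
    env:
      # System.AccessToken is a secret variable: it only reaches a script
      # step when mapped explicitly in env, as done here.
      AZDO_PERSONAL_ACCESS_TOKEN: $(System.AccessToken)
      # Equivalent to org_service_url in the provider block.
      AZDO_ORG_SERVICE_URL: https://dev.azure.com/example-org
```

Because the System.AccessToken's rights come from the job authorization scope and the build service account's permissions rather than from a user's directory membership, the variant the reporter ended up with is the same job with `AZDO_PERSONAL_ACCESS_TOKEN: $(TF_AZDO_PAT)`, where `TF_AZDO_PAT` is an assumed secret pipeline variable holding the PAT of a dedicated technical user.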

References

xuzhang3 commented 1 month ago

PAT is a bit different from the System.AccessToken; they have different permission scopes. More details: https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/guides/authenticating_using_the_personal_access_token

JustinDroege commented 1 month ago

@xuzhang3 Thx for the fast answer. We already knew that and therefore tried adding the Build Service to the Project Collection Administrators and disabled the feature "Limit job authorization scope to current project for non-release pipelines", but this didn’t help us. Do you know if it’s even possible to set the scope for inviting users on a System Token?

xuzhang3 commented 1 month ago

@JustinDroege you may need to update the permission for collection build service accounts. More details: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens?view=azure-devops&tabs=yaml

The token's permissions are derived from (a) job authorization scope and (b) the permissions you set on project or collection build service account.

JustinDroege commented 1 month ago

Hey, I did some research and it seems that Azure DevOps currently doesn't support this use case. I tried all the different configurations mentioned in your link. I also tried the same with the CLI and got the same error. I guess our solution will be to use a technical user with the correct permissions and use the PAT from that user. Thanks for your help. I think we can close this now :)

@xuzhang3