microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Creating shared service connection that allows service connection created in a project to be shared across to other projects? #497

Open mitzen opened 2 years ago

mitzen commented 2 years ago


Hi there,

I am trying to create a shared service connection that allows a service connection created in one project to be shared with other projects within the same organization. By sharing I mean your Azure DevOps project -> Project settings -> Service Connection -> Security -> Project Permission.

I tried azuredevops_serviceendpoint_azurerm and azuredevops_resource_authorization but wasn't able to get this to work. Is it possible to create such a connection? If yes, how do I go about doing that?

Thank you.

tmeckel commented 2 years ago

Should be feasible to be implemented after the provider is using the v6 API #494

mitzen commented 2 years ago

That's great! When are you guys planning to work on this feature?

tmeckel commented 2 years ago

No plans at all, because the provider is a community-driven project and not a Microsoft official product with a roadmap. But @xuzhang3 you can correct me, if I stated that wrong.

The implementation though seems to be pretty straightforward.

  1. Providing an additional data source to look up existing Service Endpoints, so that the ID value from the data source can be used as reference.

  2. Implement the new resource by using the Share Service Endpoint. The code for deleting a shared Service Endpoint can be implemented by using the Service Endpoint Framework that is already present in the provider.

slushysnowman commented 1 year ago

Yeah this would be a great feature to add - currently we are doing this through terraform by:

  1. Creating a service endpoint as normal
  2. Using a null_resource to do the share

Rough code we use to achieve this is below, just in case anyone else wants to accomplish this in the meantime:

```hcl
# Service endpoint created in the home project.
resource "azuredevops_serviceendpoint_dockerregistry" "test" {
  project_id            = data.azuredevops_project.home_project.id
  service_endpoint_name = "TEST-${data.azuredevops_project.shared_project.name}"
  docker_registry       = "https://xyz.test"
  docker_username       = "test-user"
  docker_password       = var.sc_password
  registry_type         = "Others"
  description           = "test sc"
}

# Shares the endpoint with a second project by calling the REST API from a
# local-exec provisioner. The PAT is sent as HTTP Basic authentication.
resource "null_resource" "service_endpoint_share" {
  provisioner "local-exec" {
    command = <<EOH
    curl \
      --location \
      --request PATCH 'https://dev.azure.com/org/_apis/serviceendpoint/endpoints/${azuredevops_serviceendpoint_dockerregistry.test.id}?api-version=6.0-preview.4' \
      --header 'Authorization: Basic ${base64encode("${var.ado_pat_user}:${var.ado_pat}")}' \
      --header 'Content-Type: application/json' \
      --data-raw '[
        {
          "projectReference": {
            "id": "${data.azuredevops_project.shared_project.id}",
            "name": "${data.azuredevops_project.shared_project.name}"
          },
          "name": "${azuredevops_serviceendpoint_dockerregistry.test.service_endpoint_name}",
          "description": "test sc"
        }
      ]'
    EOH
  }
}
```

This works, but it'd be great if we didn't have to use a null_resource to achieve this.

Would the implementation of this be a modification to the existing serviceendpoint resources? Or would it be a standalone resource?
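
A variation on the null_resource workaround in the comment above, added here as an example and not code from the thread or from the provider. It makes the same share call but keeps the PAT out of the rendered command line and out of curl's argument list. The resource, data source and variable names are reused from that comment, and the sensitive declaration of `var.ado_pat` is an assumption about how the variable is defined.

```hcl
# Added example. Assumes this replaces any existing declaration of var.ado_pat.
variable "ado_pat" {
  type      = string
  sensitive = true # Terraform redacts the value in plan and apply output
}

resource "null_resource" "service_endpoint_share" {
  # Re-run the share when the endpoint or the target project changes.
  triggers = {
    endpoint_id = azuredevops_serviceendpoint_dockerregistry.test.id
    project_id  = data.azuredevops_project.shared_project.id
  }

  provisioner "local-exec" {
    # Values reach the shell as environment variables, so no credential is
    # interpolated into the command text that Terraform renders.
    environment = {
      ADO_PAT_USER = var.ado_pat_user
      ADO_PAT      = var.ado_pat
      SHARE_URL    = "https://dev.azure.com/org/_apis/serviceendpoint/endpoints/${azuredevops_serviceendpoint_dockerregistry.test.id}?api-version=6.0-preview.4"
      # jsonencode builds the request body, so names with quotes stay valid JSON.
      SHARE_BODY = jsonencode([{
        projectReference = {
          id   = data.azuredevops_project.shared_project.id
          name = data.azuredevops_project.shared_project.name
        }
        name        = azuredevops_serviceendpoint_dockerregistry.test.service_endpoint_name
        description = "test sc"
      }])
    }

    # printf is a shell builtin, so the credential is piped to curl's config
    # on stdin and never appears in a process argument list. --fail turns a
    # non-2xx response into a failed apply instead of a silent success.
    command = <<-EOT
      printf 'user = "%s:%s"\n' "$ADO_PAT_USER" "$ADO_PAT" |
        curl --config - --fail --silent --show-error \
          --request PATCH "$SHARE_URL" \
          --header 'Content-Type: application/json' \
          --data "$SHARE_BODY"
    EOT
  }
}
```

Sharing makes the endpoint's stored credential usable from pipelines in the second project, so the PAT used for the call and the list of target projects are both worth keeping as narrow as the use case allows.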