microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License
372 stars, 260 forks

Import groups and members from AAD directly to newly created azure devops project #51

Open rusticshiv86 opened 3 years ago

rusticshiv86 commented 3 years ago

Description

Recreated the issue here as requested by @xuzhang3

Currently, we can easily create user entitlements and assign them to newly created local groups within Azure DevOps. However, it would be very effective if we could have something similar for groups too.

Use case -

Create ADO Project => Create ADO group => import existing AAD group members (or the group itself) as "members" of the created group.

Simply put => importing a group from AAD directly into a given project. Tried a lot of ways already, but nothing helped.

New or Affected Resource(s)

Group and membership resources of the given provider:

- azuredevops_group
- azuredevops_group_membership
- azuredevops_user_entitlement

Potential Terraform Configuration

```hcl
resource "azuredevops_group" "ado_gp" {
  scope        = azuredevops_project.ado_prj.id
  display_name = "ado-gp-dev"
  description  = "ADO Group for dev"

  members = [
    "aXXXXXXXXX" # <= existing group from AAD, not individual member/s
  ]
}
```

References

https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-azure-active-directory-groups?view=azure-devops&tabs=preview-page

xuzhang3 commented 3 years ago

Potential configure:

```hcl
# Sketch of a proposed resource, not something the provider implements today
resource "azuredevops_membership" "example" {
  groups {
    name    = "admin"
    desc    = "group description"
    members = [
      mem1,
      mem2,
    ]
  }
}
```
billbirchatcoles commented 3 years ago

Hi,

We (Coles) are starting on this - to update the provider to include this feature. Our fork is https://github.com/colesgroup/terraform-provider-azuredevops.

Our branch is MADM-641-Import-groups-and-members-from-AAD-to-newly-created-project

Regards, Bill

josh-barker-coles commented 3 years ago

@xuzhang3

The below code will create an AAD Group, create an AZDO Group, and add the AAD Group into the AZDO Group as a member. I found that to destroy azdo_group_linked_to_aad, you need elevated permissions; Project Collection Administrators is sufficient, but I'm not sure if there's another group that would allow you to create/delete the AZDO group.

```hcl
resource "azuread_group" "aad_group" {
  # `name` is the azuread 1.x attribute; azuread 2.x renamed it to `display_name`
  name                    = "Example-AAD-Group"
  prevent_duplicate_names = true
}

resource "azuredevops_project" "p" {
  name = "Group-Demo"
}

# AZDO Group (project scoped)
resource "azuredevops_group" "azdo_group" {
  scope        = azuredevops_project.p.id
  display_name = "Example-AZDO-Group"
}

# AZDO needs to know the group descriptor to add a member.
# So, to get a group descriptor we need to link the AAD group to an AZDO group.
# Note: a group created via origin_id is organization scoped (no `scope`).
resource "azuredevops_group" "azdo_group_linked_to_aad" {
  origin_id = azuread_group.aad_group.object_id
}

resource "azuredevops_group_membership" "membership" {
  group = azuredevops_group.azdo_group.descriptor

  members = [
    azuredevops_group.azdo_group_linked_to_aad.descriptor
  ]
}
```
schwarzzz commented 3 years ago

Thank you @josh-barker-coles, this is working. One question, though: Does this (the use of the azdo_group_linked_to_aad group) create any (otherwise) unnecessary objects in Azure DevOps? I checked the resulting project as well as the organization and did find a corresponding object in Azure DevOps...

josh-barker-coles commented 3 years ago

Hi @schwarzzz,

You could try adding group membership directly on the linked group, azdo_group_linked_to_aad, and not create azdo_group. However, there could be some limitations on the linked Azure DevOps group. For example, I don't think you can change the name of the group, as it's linked to Azure AD.

gurretl commented 1 year ago

Hi @josh-barker-coles

Thanks a lot for your code, but it seems that it doesn't work efficiently with multiple projects, as described in this bug.

Have you got any workarounds or solutions to handle this?

The fact that you can't use the scope and origin_id parameters simultaneously in the azuredevops_group resource seems to be a limitation if you update or remove a group from a project (it removes it from all projects, as it's linked to the organization).

gurretl commented 1 year ago

Hello everyone, The only workaround I found so far is to create in AAD a project specific group. And add nested groups and members in it.

ken-vetter-absg commented 5 months ago

Hello!
I found this thread when I was looking for a solution to nest AAD (Entra) user groups into ADO security groups. In my area, besides the "out of the box" default ADO groups, I create ADO groups for Developers, Testers, UAT Testers, Scrum Masters, Prod Approvers. I use these groups to provide access to areas within the project and at approval gates in release pipelines. I struggled for days on how to do this, and it seemed every approach recommended (from my Google searches) didn't work or apply to my situation. So, given the names of the AAD groups (provided by another team), I can now successfully import those groups into my ADO security groups. For further information, I am doing this at the time of project creation. My whole task was to use Terraform to automate the steps I would manually go through to bring a new team up to speed in a new ADO project. For this post, I will just show the code I used to add/nest the groups from AAD (Entra) into my ADO groups. If you would like more info on my whole process, feel free to reach out.

Full disclosure: I am NOT a developer by trade, I am a server admin transitioned to Azure DevOps Engineer, so my struggle was based on my non-coding skillset. Scraped this together with direction from the Terraform documentation and a little help from some friends better at Terraform than me. :-) After I provide this, you may find better ways to do this, but I wish this was available to me weeks ago... Seems when I find stuff, it's never in a language I understand or it's "over-coded", which leaves me going, huh??? So this is my "simple" version of this. My repo looks like this.

[image: screenshot of the repository layout]

Requirements: Azure DevOps, AzureRM, and AzureAD providers, plus credentials to access your corporate AAD with an SPN. The contents of the files (as they work for me) follow. I have not gone back to tweak anything or remove unneeded code. Formatting may be a bit off due to copy and paste. Adjust as needed.

providers.tf

```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "0.10.0"
    }
    azuread = {
      source  = "azuread" # short form; Terraform resolves this to hashicorp/azuread
      version = "2.46.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.79.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~>3.0"
    }
  }
}

# The azuredevops provider block is not shown here; it can take the org URL and
# PAT from the AZDO_ORG_SERVICE_URL and AZDO_PERSONAL_ACCESS_TOKEN environment variables.

provider "azuread" {
  client_id     = "##clientID##"
  client_secret = "##clientSecret##" # a literal here ends up in source control; ARM_CLIENT_SECRET is read from the environment instead
  tenant_id     = "##tenantID##"
}

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
  subscription_id = "##subscriptionID##"
  tenant_id       = "##tenantID##"
  client_id       = "##clientID##"
  client_secret   = "##clientSecret##"
}
```

In my next file, I am nesting AAD groups into a few different groups: the Project Administrators group and my ADO security groups. (I will provide one example of each, and you can copy/paste for as many groups as you have.) Sorry, I had to change some names for security purposes, but the idea should still come across properly.

ado_add_AADgroups_to ADOgroups.tf

```hcl
# Add Project Admins (this is the "out of the box" Project Administrators group)
data "azuredevops_group" "ProjectAdmins" {
  project_id = azuredevops_project.adoproj.id # project resource defined elsewhere in the repo
  name       = "Project Administrators"
}

data "azuread_group" "AAD" {
  display_name     = "" # AAD group name redacted by the author; fill in your own
  security_enabled = true
}

resource "azuredevops_group_entitlement" "AAD" {
  origin    = "aad"
  origin_id = data.azuread_group.AAD.id
}

resource "azuredevops_group_membership" "ProjectAdmins" {
  group   = data.azuredevops_group.ProjectAdmins.id
  members = [
    azuredevops_group_entitlement.AAD.descriptor
  ]
}

# Add Developers (this is my self-created Developers group)
data "azuread_group" "AAD_Developers" {
  display_name     = "" # redacted; fill in your own
  security_enabled = true
}

resource "azuredevops_group_entitlement" "developers" {
  origin    = "aad"
  origin_id = data.azuread_group.AAD_Developers.id
}

resource "azuredevops_group_membership" "Developers" {
  group   = azuredevops_group.Developers.descriptor # group resource defined elsewhere in the repo
  members = [
    azuredevops_group_entitlement.developers.descriptor
  ]
}
```

That's it. Hope it works for you. If not, feel free to reach out to me and I will be happy to work through it with you. BTW, I have scripts for creating my ADO groups and nesting in the Default team. Leave a comment if you would like more info.
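The following is an added example, not code from this thread or from the provider's own documentation. It generalises @ken-vetter-absg's azuredevops_group_entitlement approach to the multi-project case @gurretl ran into: one organization-level entitlement per AAD group (that is what gives the AAD group a descriptor), and one project-scoped ADO group plus one membership per project/group pair, so destroying a membership only unlinks the AAD group from that project. The project names, group names and the `projects` variable shape are assumptions made for the example.

```hcl
terraform {
  required_providers {
    azuredevops = { source = "microsoft/azuredevops", version = "~> 0.10" }
    azuread     = { source = "hashicorp/azuread", version = "~> 2.46" }
  }
}

# Which ADO security groups each project gets, and which AAD (Entra ID) group
# is nested into each. All names below are illustrative assumptions.
variable "projects" {
  type = map(object({
    groups = map(string) # ADO group name => AAD group display name
  }))
  default = {
    "Group-Demo" = {
      groups = {
        "Developers" = "Example-AAD-Developers"
        "Testers"    = "Example-AAD-Testers"
      }
    }
    "Group-Demo-2" = {
      groups = {
        "Developers" = "Example-AAD-Developers" # same AAD group reused in a second project
      }
    }
  }
}

resource "azuredevops_project" "p" {
  for_each = var.projects
  name     = each.key
}

locals {
  # Flatten to one entry per project/group pair, keyed "project/group".
  ado_groups = merge([
    for proj, cfg in var.projects : {
      for g, aad in cfg.groups :
      "${proj}/${g}" => { project = proj, group = g, aad = aad }
    }
  ]...)
  # Distinct AAD groups; each needs exactly one org-level entitlement.
  aad_group_names = toset([for v in local.ado_groups : v.aad])
}

# Project-scoped ADO groups (scope and origin_id cannot be combined, so the
# AAD link is made via the entitlement below rather than on this resource).
resource "azuredevops_group" "g" {
  for_each     = local.ado_groups
  scope        = azuredevops_project.p[each.value.project].id
  display_name = each.value.group
}

# Resolve each AAD group once; security_enabled filters out M365 groups.
data "azuread_group" "aad" {
  for_each         = local.aad_group_names
  display_name     = each.key
  security_enabled = true
}

# One organization-level entitlement per AAD group, shared by every project
# that nests it. This also creates a group licensing rule in the organization.
resource "azuredevops_group_entitlement" "aad" {
  for_each  = local.aad_group_names
  origin    = "aad"
  origin_id = data.azuread_group.aad[each.key].object_id
}

# Per-project nesting. Destroying one of these removes the AAD group from that
# project's ADO group only; the shared entitlement and other projects are untouched.
resource "azuredevops_group_membership" "m" {
  for_each = local.ado_groups
  group    = azuredevops_group.g[each.key].descriptor
  mode     = "add" # do not overwrite members added outside Terraform
  members  = [azuredevops_group_entitlement.aad[each.value.aad].descriptor]
}
```

Two things to check before applying this for real. First, azuredevops_group_entitlement assigns a licence type to the group rule (account_license_type defaults to the Basic/"express" licence), so review it against your licensing. Second, once an AAD group is nested into a privileged ADO group such as Project Administrators, whoever can add members to that AAD group can grant that privilege; treat ownership of those AAD groups as part of the project's security boundary.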