microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Permissions to set project features are unclear #625

Open robbert-nlo opened 1 year ago

robbert-nlo commented 1 year ago

Hi,

I'm trying to create a new Azure DevOps project with only specific features enabled. I'm using a PAT with the following permissions:

Terraform:

resource "azuredevops_project" "project" {
  name               = "Test"
  visibility         = "private"
  version_control    = "git"
  work_item_template = "Basic"
  description        = "Test"
  features = {
    "boards"       = "disabled"
    "repositories" = "disabled"
    "pipelines"    = "enabled"
    "testplans"    = "disabled"
    "artifacts"    = "enabled"
  }
}

This results in:

╷
│ Error:  Faild to update project features. Feature type: ms.vss-test-web.test,  Error: Request returned status: 401 Unauthorized
│ 
│   with azuredevops_project.projects["project"],
│   on devops_projects.tf line 2, in resource "azuredevops_project" "project":
│    2: resource "azuredevops_project" "project" {
│ 

What permissions do I need to assign to the PAT to be able to disable project features?

xuzhang3 commented 1 year ago

@robbert-nlo you may need full access permission instead of custom permission. Ref: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-full-scoped-pats

robbert-nlo commented 1 year ago

@xuzhang3 It seems a bit overkill to give full permissions only to disable some features. I'd prefer to make this PAT's permissions follow the least privilege principle. Is it not possible to allow this functionality with specific permissions?

xuzhang3 commented 1 year ago

@robbert-nlo this is a service permission with v6 APIs. To handle this issue, one way is using the null_resource to call the features APIs (v5) with curl etc.
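
The workaround suggested in the last comment, as an added example that is not from the thread or from the provider. It assumes a POSIX shell and curl on the machine running Terraform, and that `AZDO_ORG_SERVICE_URL` and `AZDO_PERSONAL_ACCESS_TOKEN` are exported; the Feature Management route, request body and `5.0-preview.1` api-version are assumptions to check against the REST reference, and the thread does not establish which PAT scopes this call accepts.

```hcl
# Added example: not from the thread or the provider.
# Assumes /bin/sh and curl where Terraform runs, and that AZDO_ORG_SERVICE_URL
# (no trailing slash) and AZDO_PERSONAL_ACCESS_TOKEN are exported for the provider.
resource "azuredevops_project" "project" {
  name               = "Test"
  visibility         = "private"
  version_control    = "git"
  work_item_template = "Basic"
  description        = "Test"
  # No "features" map: feature state is set by the null_resource below.
}

locals {
  # Feature ID copied from the error message in the issue.
  disabled_features = ["ms.vss-test-web.test"]
}

resource "null_resource" "disable_feature" {
  for_each = toset(local.disabled_features)

  # Re-run when the project is recreated or the feature list changes.
  triggers = {
    project_id = azuredevops_project.project.id
    feature_id = each.value
  }

  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    environment = {
      PROJECT_ID = azuredevops_project.project.id
      FEATURE_ID = each.value
    }
    # The PAT is read from the inherited environment and passed to curl on stdin
    # (--config -), so it is not in HCL, state, or curl's argument list.
    # Route and api-version are assumptions; check the Feature Management REST reference.
    command = <<-EOT
      printf 'user = ":%s"\n' "$AZDO_PERSONAL_ACCESS_TOKEN" |
      curl --config - --fail --silent --show-error --request PATCH \
        --header "Content-Type: application/json" \
        --data "{\"featureId\":\"$FEATURE_ID\",\"scope\":{\"settingScope\":\"project\",\"userScoped\":false},\"state\":\"disabled\"}" \
        "$AZDO_ORG_SERVICE_URL/_apis/FeatureManagement/FeatureStates/host/project/$PROJECT_ID/$FEATURE_ID?api-version=5.0-preview.1"
    EOT
  }
}
```

Because of `--fail`, a 401 from the endpoint fails the apply, so an insufficiently scoped PAT shows up at plan/apply time rather than being silently ignored.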