microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

When Adding the same AAD Group as a member of an ADO group in multiple project using TF, when a single project and its group membership is destroyed using TF the group is removed from all projects #686

Closed Tolbin10088 closed 1 week ago

Tolbin10088 commented 1 year ago

Terraform (and Azure DevOps Provider) Version

Affected Resource(s)

Terraform Configuration Files

Phase 1:

data "azuread_group" "ad_group_info" {
  display_name = "AAD Example Group"
}

resource "azuredevops_project" "terraform_ado_project1" {
  name               = "project1"
  description        = "project1"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Basic"
  # Enable or disable the DevOps features below (enabled / disabled)
  features = {
    "boards"       = "disabled"
    "repositories" = "enabled"
    "pipelines"    = "enabled"
    "testplans"    = "disabled"
    "artifacts"    = "disabled"
  }
}

resource "azuredevops_group" "ado_group_linked_to_ad_group1" {
  origin_id = data.azuread_group.ad_group_info.object_id
}

resource "azuredevops_project" "terraform_ado_project2" {
  name               = "project2"
  description        = "project1"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Basic"
  # Enable or disable the DevOps features below (enabled / disabled)
  features = {
    "boards"       = "disabled"
    "repositories" = "enabled"
    "pipelines"    = "enabled"
    "testplans"    = "disabled"
    "artifacts"    = "disabled"
  }
}

resource "azuredevops_group" "ado_group_linked_to_ad_group2" {
  origin_id = data.azuread_group.ad_group_info.object_id
}

Phase 2:

data "azuread_group" "ad_group_info" {
  display_name = "AAD Example Group"
}

# resource "azuredevops_project" "terraform_ado_project1" {
#   name               = "project1"
#   description        = "project1"
#   visibility         = "private"
#   version_control    = "Git"
#   work_item_template = "Basic"
#   # Enable or disable the DevOps features below (enabled / disabled)
#   features = {
#     "boards"       = "disabled"
#     "repositories" = "enabled"
#     "pipelines"    = "enabled"
#     "testplans"    = "disabled"
#     "artifacts"    = "disabled"
#   }
# }

# resource "azuredevops_group" "ado_group_linked_to_ad_group1" {
#   origin_id = data.azuread_group.ad_group_info.object_id
# }

resource "azuredevops_project" "terraform_ado_project2" {
  name               = "project2"
  description        = "project1"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Basic"
  # Enable or disable the DevOps features below (enabled / disabled)
  features = {
    "boards"       = "disabled"
    "repositories" = "enabled"
    "pipelines"    = "enabled"
    "testplans"    = "disabled"
    "artifacts"    = "disabled"
  }
}

resource "azuredevops_group" "ado_group_linked_to_ad_group2" {
  origin_id = data.azuread_group.ad_group_info.object_id
}

Expected Behavior

During Phase 1:

During Phase 2:

Actual Behavior

During Phase 1:

During Phase 2:

This is due to a limitation in the current TF provider, as it's not possible to set a 'scope' within the azuredevops_group when using the 'origin_id' key. This key is required when using external groups, e.g. AAD groups.

Steps to Reproduce

Phase 1:

  1. Run terraform apply using the Terraform code shared above.

Phase 2:

  1. Comment out project 1 as shown in the Phase 2 code.
  2. Run terraform apply.

Important Factoids

The AAD group is created outside of this TF code and used via an Azure AD data source call.

From my own investigation along with @a30000931, the issue appears to be due to a limitation in the provider that prevents you from using both the 'origin_id' field, required when using an external group e.g. AAD, and the 'scope' field, which can be used when using ADO groups.

This behaviour is different from when carrying out the same tasks via the GUI. When using the GUI, the AAD group remains a member of the project 2 ADO group when project 1 is destroyed.


gurretl commented 1 year ago

Hi @Tolbin10088,

I am facing the same issue and have tried several things to fix the problem or find a workaround...

1) If you replace the following block:

resource "azuredevops_group" "ado_group_linked_to_ad_group1" {
  origin_id = data.azuread_group.ad_group_info.object_id
}

with an azuredevops_group data block, sometimes Terraform is able to find the group, and sometimes it can't, which is weird. Maybe it works if the group has been manually added to another project in the organization but I am not convinced by this workaround.

2) I also tried to create all of my ado_group_linked_to_ad_group in a specific repo/tfstate, and I still face many issues as they are not related to a project id (it can only add a few of them, sees drifts all the time, etc.).

3) An ugly workaround would be to create a new Azure AAD group dedicated to a specific project and use it in Azure DevOps.

I guess the only way to fix the problem is to handle the scope parameter together with the origin_id parameter?

Have you found any other workarounds?

Thanks guys

gurretl commented 1 year ago

Hello everyone, the only workaround I found so far is to create a project-specific group in AAD and add nested groups and members to it.

xuzhang3 commented 2 months ago

@Tolbin10088 The AAD group was created at the org level, so you don't need to create it for every project, as it is the same resource in ADO. You just need to create the AAD group once in ADO.

resource "azuredevops_group" "ado_group_linked_to_ad_group2" and resource "azuredevops_group" "ado_group_linked_to_ad_group1" are the same resource.
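Restructuring the reporter's configuration along the lines of this last comment, as an added example that is not part of the issue or of the provider's documentation: the AAD-linked azuredevops_group is declared once at the organization level, and per-project membership is expressed through azuredevops_group_membership (assumed to exist in the provider with group, members and mode arguments) against each project's built-in Contributors group (an assumed target; any project-scoped group works). Destroying one project then removes only that project's membership edge, so the shared group keeps its memberships in the remaining projects instead of silently losing access everywhere.

```hcl
# Added example (not from the issue or the provider's docs). Reuses the
# azuredevops_project resources from the reporter's Phase 1 configuration.
data "azuread_group" "ad_group_info" {
  display_name = "AAD Example Group"
}

# The AAD-linked group is a single org-level resource: declare it exactly once.
# Two resources with the same origin_id map to the same ADO object, which is
# why destroying one of them removed the group from every project.
resource "azuredevops_group" "ado_group_linked_to_ad_group" {
  origin_id = data.azuread_group.ad_group_info.object_id
}

# Projects that should grant this group access. Removing an entry here
# (or destroying the project) only removes that project's membership.
locals {
  projects = {
    project1 = azuredevops_project.terraform_ado_project1.id
    project2 = azuredevops_project.terraform_ado_project2.id
  }
}

# Look up each project's built-in Contributors group by project scope.
# Assumption: Contributors is the intended target group in every project.
data "azuredevops_group" "contributors" {
  for_each   = local.projects
  project_id = each.value
  name       = "Contributors"
}

# One membership edge per project. mode = "add" means destroy removes only
# the listed members from that group and leaves other members untouched.
resource "azuredevops_group_membership" "aad_group_in_project" {
  for_each = local.projects
  group    = data.azuredevops_group.contributors[each.key].descriptor
  members  = [azuredevops_group.ado_group_linked_to_ad_group.descriptor]
  mode     = "add"
}
```

With this layout, commenting out project 1 (the reporter's Phase 2) drops only the project1 entry from local.projects; a terraform plan should show the destruction of that single membership and the project, with project 2's membership and the org-level group unchanged.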