microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License
380 stars, 271 forks

Project creation and permission of default repository #697

Open Joerg-L opened 1 year ago

Joerg-L commented 1 year ago

Hi there, we want to create a Terraform configuration which is able to do the following things:

We have created the following code snippet to do the permission job:

data "azuredevops_project" "project" {
  project_id = var.project_id
}

data "azuredevops_git_repository" "default_repo" {
  project_id = var.project_id
  name       = data.azuredevops_project.project.name
}

data "azuredevops_groups" "project-groups" {
  project_id = var.project_id
}

resource "azuredevops_git_permissions" "default_permissions_default_repo" {
  # one permission set per project group, keyed by principal name
  for_each      = { for group in data.azuredevops_groups.project-groups.groups : group.principal_name => group }
  project_id    = var.project_id
  repository_id = data.azuredevops_git_repository.default_repo.id
  principal     = each.value.descriptor
  replace       = true
  permissions = {
    CreateTag             = "Deny"
    CreateBranch          = "Deny"
    GenericContribute     = "Deny"
    PullRequestContribute = "Deny"
    ForcePush             = "Deny"
    ManagePermissions     = "Deny"
  }
}

We are receiving the following error:

  for_each = {for group in data.azuredevops_groups.project-groups.groups: group.principal_name => group}
  ├────────────────
  │ data.azuredevops_groups.project-groups.groups is a set of object, known only after apply

The "for_each" map includes keys derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.

We have also tried to fix that with two separate calls of terraform with

but that isn't fixing the issue. Does someone have an idea how to solve this?
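The error above is about the for_each keys, not the values: Terraform must know every key at plan time, but a value such as a descriptor may stay unknown until apply. One way around it is to key the loop on a static list of group names and look each group up individually. The following is an added example, not code from the issue or from the provider's documentation; it assumes the built-in project groups named in `locked_down_groups` exist in the project, and it uses the `azuredevops_group` data source (arguments `project_id` and `name`, exporting `descriptor`):

```hcl
# Added example: static for_each keys, descriptors resolved at apply time.
variable "project_id" {
  type = string
}

# Assumption: these built-in groups exist in every Azure DevOps project.
# "Project Administrators" is deliberately left out so that ManagePermissions
# is not denied to the people who must be able to repair the ACL later.
variable "locked_down_groups" {
  type    = set(string)
  default = ["Contributors", "Readers", "Build Administrators"]
}

data "azuredevops_project" "project" {
  project_id = var.project_id
}

data "azuredevops_git_repository" "default_repo" {
  project_id = var.project_id
  name       = data.azuredevops_project.project.name
}

# One lookup per static group name: the map keys are known at plan time,
# only each group's descriptor is unknown until the project exists.
data "azuredevops_group" "project_group" {
  for_each   = var.locked_down_groups
  project_id = var.project_id
  name       = each.value
}

resource "azuredevops_git_permissions" "default_permissions_default_repo" {
  # iterating over the data source instances keeps the same static keys
  for_each      = data.azuredevops_group.project_group
  project_id    = var.project_id
  repository_id = data.azuredevops_git_repository.default_repo.id
  principal     = each.value.descriptor
  replace       = true
  permissions = {
    CreateTag             = "Deny"
    CreateBranch          = "Deny"
    GenericContribute     = "Deny"
    PullRequestContribute = "Deny"
    ForcePush             = "Deny"
    ManagePermissions     = "Deny"
  }
}
```

Because the keys come from a variable rather than from a data source that depends on the project resource, `terraform plan` can enumerate the instances in a single run, with no `-target` pass and no module toggle. Check the list of group names against the project before applying with `replace = true`: a Deny on ManagePermissions for every group, including the administrators, leaves nobody able to undo it through the portal.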

Joerg-L commented 1 year ago

Okay, we have solved that now by changing the call approach.

While the child module has

module "default_permissions" {
  count  = var.run_permissions ? 1 : 0
  source = "./modules/default_permissions"
  project_id = azuredevops_project.this.id
}

in.

It's not a perfect-world solution, but it will work.

It would be easier if azuredevops_project would also deliver the groups back, so that it is not required to use

data "azuredevops_groups" "project-groups" {
  project_id = var.project_id
}

Joerg-L commented 1 year ago

Argh. It's not really solving the issue, as

will result in dropping the permissions again.

Any ideas?

xuzhang3 commented 1 year ago

@Joerg-L have you tried depends_on (depends_on = [data.azuredevops_groups.project-groups])? depends_on will block the azuredevops_git_permissions until azuredevops_groups has finished.