microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Can't link Azure DevOps Group to Azure AD (Microsoft Entra) Group with service accounts. #896

Open wi5nia opened 12 months ago

wi5nia commented 12 months ago

Hi,

I am trying to write some code which will link an ADO Group to an AAD Group. When we run this code locally, logged in as a user who is in the Project Collection Administrators group and also a Global Admin of the tenant to which the ADO organisation is connected, all is working just fine.

When I move my code and execution to ADO, it starts to fail with this error.

2023-10-10T12:11:51.690Z [ERROR] provider.terraform-provider-azuredevops_v0.9.1: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.14.0/tfprotov5/internal/diag/diagnostics.go:55 diagnostic_severity=ERROR diagnostic_summary="REST call returned status code 503" tf_proto_version=5.3 tf_req_id=9e182511-ea55-d17d-45f6-1616b7f64546 tf_resource_type=azuredevops_group @module=sdk.proto diagnostic_detail= tf_provider_addr=registry.terraform.io/microsoft/azuredevops tf_rpc=ApplyResourceChange timestamp=2023-10-10T12:11:51.689Z
2023-10-10T12:11:51.691Z [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2023-10-10T12:11:51.691Z [ERROR] vertex "azuredevops_group.link" error: REST call returned status code 503
╷
│ Error: REST call returned status code 503
│ 
│   with azuredevops_group.link,
│   on main.tf line 54, in resource "azuredevops_group" "link":
│   54: resource "azuredevops_group" "link" {
│ 
╵

Here is the Terraform code

terraform {
  required_providers {
    azuredevops = {
      source = "microsoft/azuredevops"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

variable "AZDO_PERSONAL_ACCESS_TOKEN" {
  type = string
}

variable "ARM_TENANT_ID" {
  type = string
}

variable "ARM_CLIENT_ID" {
  type = string
}

variable "ARM_OIDC_TOKEN" {
  type = string
}

provider "azuredevops" {
  org_service_url       = "https://dev.azure.com/{my_org_name}"
  personal_access_token = var.AZDO_PERSONAL_ACCESS_TOKEN
}

provider "azuread" {
  tenant_id = var.ARM_TENANT_ID
  client_id = var.ARM_CLIENT_ID
  oidc_token = var.ARM_OIDC_TOKEN
}

resource "azuredevops_project" "example" {
  name = "ADOAADTest"
}

resource "azuredevops_group" "somegroup" {
  scope        = azuredevops_project.example.id
  display_name = "test"
  description  = "Some description"
}

resource "azuread_group" "aad_group" {
  display_name     = "test"
  security_enabled = true
}

resource "azuredevops_group" "link" {
  origin_id = azuread_group.aad_group.object_id
}

resource "azuredevops_group_membership" "membership" {
  group = azuredevops_group.somegroup.descriptor
  members = [
    azuredevops_group.link.descriptor
  ]
}

And here is the ADO pipeline code

pool:
  vmImage: ubuntu-latest

trigger:
  batch: true
  branches:
    include:
      - main

workspace:
  clean: outputs | resources | all

steps:
  - download: none

  - checkout: self
    persistCredentials: true

  - task: AzureCLI@2
    displayName: 'Prepare Credentials for Terraform Backend State'
    inputs:
      addSpnToEnvironment: true
      azureSubscription: 'spnname'
      scriptLocation: 'inlineScript'
      scriptType: 'bash'
      inlineScript: |
        set -euo pipefail
        echo "##vso[task.setvariable variable=TF_VAR_ARM_TENANT_ID;issecret=false]${tenantId}"
        echo "##vso[task.setvariable variable=TF_VAR_ARM_CLIENT_ID;issecret=false]${servicePrincipalId}"
        echo "##vso[task.setvariable variable=TF_VAR_ARM_OIDC_TOKEN;issecret=false]${idToken}"

  - task: TerraformInstaller@0
    displayName: "Install Terraform"
    inputs:
      terraformVersion: '1.5.6'
      terraformDownloadLocation: 'https://releases.hashicorp.com/terraform'

  - script: |
      terraform init \
      && terraform apply --auto-approve
    displayName: 'Terraform Apply for test Environment'
    env:
      TF_LOG: DEBUG
      ARM_USE_OIDC: true
      TF_VAR_AZDO_PERSONAL_ACCESS_TOKEN: $(System.AccessToken)

The project build account is part of the Project Collection Service Accounts group

image

Which is a part of the Project Collection Administrators group

image

The SPN which is used for the deployment has these permissions, and we are using federated identity.

image

Any ideas what could be the issue?

DenisBalan commented 11 months ago

To add more context, the issue that is described is exactly the same as https://developercommunity.visualstudio.com/t/build-agent-calling-azure-devops-rest-api-exceptio/660783

POST https://vssps.dev.azure.com/yyyyyyy/_apis/Graph/Groups HTTP/1.1
Host: vssps.dev.azure.com
User-Agent: go/go1.18.1 (windows amd64) azure-devops-go-api/7.1.220.1 (dev) terraform-provider-azuredevops/v0.9.1
Content-Length: 51
Accept: application/json;api-version=7.1-preview.1
Authorization: Bearer %jwt_token%
Content-Type: application/json;charset=utf-8
X-Tfs-Fedauthredirect: Suppress
X-Tfs-Session: xxxx-3a17-4496-bd80-7234bf7196b8
Accept-Encoding: gzip

{"originId":"xxxx-2b24-470a-abc2-f830687a354e"}

HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 2277
Content-Type: application/json; charset=utf-8; api-version=7.1-preview.1
Expires: -1
P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
X-TFS-ProcessId: xxxx-c120-4883-85f7-2dc5f2438eca
Strict-Transport-Security: max-age=31536000; includeSubDomains
ActivityId: xxxx-f9e0-4f07-b9de-c7a59c53886b
X-TFS-Session: xxxx-3a17-4496-bd80-7234bf7196b8
X-VSS-E2EID: xxxx-f9e0-4f07-b9de-c7a59c53886b
X-VSS-SenderDeploymentId: xxxx-39e8-4313-9ff3-23ace0f8f4cf
X-VSS-UserData: xxxx-4f2c-4786-94db-625742a99ff0:xxxxx-8ff9-4ab2-9cdb-43ff960dd619
X-FRAME-OPTIONS: SAMEORIGIN
Request-Context: appId=cid-v1:xxxx-b90c-42de-941e-931f9b06ee5f
Access-Control-Expose-Headers: Request-Context
X-Content-Type-Options: nosniff
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 768AB29019B340FE9FAC30A63BEF4644 Ref B: BUH01EDGE0322 Ref C: 2023-10-12T10:49:33Z
Date: Thu, 12 Oct 2023 10:49:33 GMT

{"count":2167,"value":"Microsoft.VisualStudio.Services.Aad.AadAccessException: The requesting identity (CUID 00000000-0000-0000-0000-000000000000) does not have permission to access the tenant (76f33c20-5979-4408-adf7-8b3c4be95e52).\r\n   at Microsoft.VisualStudio.Services.Aad.SharedAadService.AuthorizeRequest(IVssRequestContext context, AadServiceRequest request, String& tenantId, Boolean& application) in D:\\a\\_work\\1\\s\\Vssf\\Sdk\\CloudServer\\AzureActiveDirectory\\SharedAadService.cs:line 641\r\n   at Microsoft.VisualStudio.Services.Aad.SharedAadService.ProcessRequest[T](IVssRequestContext context, AadServiceRequest request, IAadPerfCounter counter, String operation) in D:\\a\\_work\\1\\s\\Vssf\\Sdk\\CloudServer\\AzureActiveDirectory\\SharedAadService.cs:line 287\r\n   at Microsoft.VisualStudio.Services.Aad.SharedAadService.GetGroupsWithIds[T](IVssRequestContext context, GetGroupsWithIdsRequest`1 request) in D:\\a\\_work\\1\\s\\Vssf\\Sdk\\CloudServer\\AzureActiveDirectory\\SharedAadService.cs:line 183\r\n   at Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadGroupUsingOriginIdAsObjectId.ReadAadObjectsInSingleTenant(IVssRequestContext requestContext, IEnumerable`1 ids, String tenantId) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadGroupUsingOriginIdAsObjectId.cs:line 39\r\n   at Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadObjectById`2.GetAadResponse(IVssRequestContext requestContext, IList`1 candidateMembers) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadObjectById.cs:line 119\r\n   at Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadObjectById`2.GetAadObjectsUnchecked(IVssRequestContext requestContext, IList`1 candidateMembers) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadObjectById.cs:line 96\r\n   at 
Microsoft.VisualStudio.Services.Directories.DirectoryService.Components.GetAadObjectById`2.GetAadObjects(IVssRequestContext requestContext, IEnumerable`1 candidateMembers) in D:\\a\\_work\\1\\s\\Sps\\Service\\Identity\\Cloud.Extensions\\Directory\\FilterHelpers\\GetAadObjectById.cs:line 47"}
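The 503 in the exchange above is not a transient outage: its body carries an AadAccessException, so retrying the apply will never help. As an added example (not code from the provider or from either commenter), here is a Python triage helper that parses such a body, pulls out the exception type, the CUID and the tenant id, and marks the failure as non-retryable; the sample body is constructed from the response quoted above and the function name is hypothetical.

```python
"""Triage a 503 from the Azure DevOps Graph API whose body hides an AAD
permission error, as in the exchange quoted above (sample body constructed
from that exchange)."""
import json
import re

# Constructed from the response quoted in the thread: the JSON "value" is a
# .NET exception string, not a normal API payload.
SAMPLE_503_BODY = json.dumps({
    "count": 2167,
    "value": (
        "Microsoft.VisualStudio.Services.Aad.AadAccessException: The requesting "
        "identity (CUID 00000000-0000-0000-0000-000000000000) does not have "
        "permission to access the tenant (76f33c20-5979-4408-adf7-8b3c4be95e52)."
        "\r\n   at Microsoft.VisualStudio.Services.Aad.SharedAadService.AuthorizeRequest(...)"
    ),
})

EXC_RE = re.compile(r"^(?P<exc>[\w.]+Exception): (?P<msg>.*?)(?:\r?\n|$)", re.S)
CUID_RE = re.compile(r"CUID ([0-9a-f-]{36})")
TENANT_RE = re.compile(r"tenant \(([0-9a-f-]{36})\)")

# Exception types that mean "fix the identity/permissions", not "retry later".
NON_RETRYABLE = {"Microsoft.VisualStudio.Services.Aad.AadAccessException"}


def triage_graph_error(status: int, body: str) -> dict:
    """Classify a Graph API failure: transient (retry) vs. authorization (escalate)."""
    result = {"status": status, "retryable": status in (429, 502, 503, 504),
              "exception": None, "cuid": None, "tenant": None}
    try:
        value = json.loads(body).get("value")
    except (ValueError, AttributeError):
        return result  # not JSON: keep the plain HTTP-status verdict
    if not isinstance(value, str):
        return result
    m = EXC_RE.match(value)
    if m:
        result["exception"] = m.group("exc")
        result["message"] = m.group("msg")
        # A permission error wrapped in a 503 will never succeed on retry.
        if m.group("exc") in NON_RETRYABLE:
            result["retryable"] = False
    if c := CUID_RE.search(value):
        result["cuid"] = c.group(1)
    if t := TENANT_RE.search(value):
        result["tenant"] = t.group(1)
    return result
```

An all-zero CUID, as in the quoted response, is itself a useful signal: the calling identity was not resolved to a tenant user at all, which is what you would expect when a build service account rather than an AAD-backed principal makes the call.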