microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License
386 stars 276 forks

Is it possible to update the security of an agent pool with terraform? #910

Open vamshisiram opened 1 year ago

vamshisiram commented 1 year ago

Right now, we have four agent pools manually created outside of terraform at the DevOps Org level. I want to just update the security for the agent pools at the project level, whenever a new project is created with Terraform.

Is this possible? If so, can I please get information on how?

I looked at the API for agent pools and could not find that info.

Thanks for looking into this.


xuzhang3 commented 1 year ago

@vamshisiram This feature is not supported yet. Is Settings -> Agent pools -> Security the feature you want?

vamshisiram commented 1 year ago

Yes, that is what I want.

I want to manage the security of an existing pool with terraform or api. Is that possible?


xuzhang3 commented 1 year ago

Which security feature? Settings -> Agent pools -> Security or Settings -> Agent pools -> <Agent Pool Name> -> Security.

vamshisiram commented 1 year ago

Any one would work.

Ideally both settings.

So, is either of them possible today?


xuzhang3 commented 1 year ago

@vamshisiram The pipeline permission in Settings -> Agent pools -> <Agent Pool Name> -> Security is supported by the resource: https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/pipeline_authorization

vamshisiram commented 1 year ago

@xuzhang3

Is this at the organization level?

I would like something at the project level. Is that possible?

vamshisiram commented 1 year ago

@xuzhang3 I reviewed the link you shared. It is for authorizing a pipeline access to a resource. It is not for controlling agent pool security.

Please clarify if the following is available:

Org settings > Agent Pools > Security.

Or

Project settings > Agent Pools > Security.

This is for adding a project admin or contributor to the agent pool, not for a pipeline access to the agent pool.

I hope this helps ask my question clearly.

Please let me know. @xuzhang3

xuzhang3 commented 1 year ago

@vamshisiram Settings > Agent Pools > Security is not supported yet.

vamshisiram commented 1 year ago

Ok. Thanks for clarifying.

Do you have an idea of when the security would be added to be supported by terraform?


xuzhang3 commented 1 year ago

@vamshisiram I have put this into our backlog but I cannot give you any ETA for this; we are blocked by other tasks.

jan-mrm commented 9 months ago

@xuzhang3 is that something one can contribute? I just had a look but I'm not sure what I would need to do to even get the client. The required client calls are not at https://github.com/microsoft/azure-devops-go-api/tree/dev/azuredevops/v7. Not in security nor in something extra like securityroles, which is what I'd guess from the ADO REST API https://learn.microsoft.com/en-us/rest/api/azure/devops/securityroles/roleassignments/set-role-assignment?view=azure-devops-rest-7.0

xuzhang3 commented 9 months ago

@jan-mrm which type of security do you want? Pipeline permission or user permission? Pipeline permissions can be managed by azuredevops_pipeline_authorization. The user permission is not supported; you can manage the user permission by the Security API or the new API (role assignment) you mentioned.

jan-mrm commented 9 months ago

@xuzhang3 I'd be interested in Settings -> Agent pools -> <Agent> -> Security. User/Group permissions. I wanted to add the client for the new role assignments API but I couldn't find it in the azure-go-api repo. Is it possible to add the client for the new role assignments API?

xuzhang3 commented 9 months ago

As far as I know, Security Role Assignment is not included in the go-sdk security

xuzhang3 commented 9 months ago

go-sdk feature support : https://github.com/microsoft/azure-devops-go-api/issues/148

jan-mrm commented 9 months ago

@xuzhang3 cool, thank you 👍 for the next time I also know what to do

DmitrySandalov commented 3 months ago

The issue seems to be related to https://github.com/microsoft/terraform-provider-azuredevops/issues/729

ozbillwang commented 3 months ago

With the current way, we can create the agent pool at the organization level.

Then I have to manually add it in that project I created recently.

Still waiting for the improvement so that I can manage the agent pool at project level.

xuzhang3 commented 3 months ago

@ozbillwang project level agent pool can be managed by azuredevops_agent_queue
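
The following is an added example, not part of the thread and not the provider maintainers' code: it sketches how the two resources named above (azuredevops_agent_queue and azuredevops_pipeline_authorization) can attach an existing organization-level pool to a newly created project and authorize one pipeline to use it. The project name and the `pool_name` and `pipeline_id` variables are assumptions for illustration; user and group role assignments on the pool, which the thread says are not supported, are not covered.

```hcl
terraform {
  required_providers {
    azuredevops = {
      source = "microsoft/azuredevops"
    }
  }
}

# Assumption: name of a pool that already exists at the organization level
# (created outside Terraform, as in the original question).
variable "pool_name" {
  type = string
}

# Assumption: ID of an existing pipeline (build definition) in the project.
variable "pipeline_id" {
  type = number
}

# Hypothetical project; any project managed by Terraform works the same way.
resource "azuredevops_project" "example" {
  name = "example-project"
}

# Look up the manually created organization-level pool by name.
data "azuredevops_agent_pool" "existing" {
  name = var.pool_name
}

# Project-level agent queue: makes the organization pool available in the project.
resource "azuredevops_agent_queue" "example" {
  project_id    = azuredevops_project.example.id
  agent_pool_id = data.azuredevops_agent_pool.existing.id
}

# Pipeline permission on the queue. Setting pipeline_id limits the grant to a
# single pipeline; omitting it authorizes every pipeline in the project.
resource "azuredevops_pipeline_authorization" "example" {
  project_id  = azuredevops_project.example.id
  resource_id = azuredevops_agent_queue.example.id
  type        = "queue"
  pipeline_id = var.pipeline_id
}
```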