microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Use PAT Lifecycle Management APIs to generate dynamic/ephemeral PAT token for provider #943

Open robertscully-wpp opened 6 months ago

robertscully-wpp commented 6 months ago


Description

I have been making use of Federated Credentials for app registration to create dynamic tokens for Terraform executions using the Azure provider.

I would like to make use of the features of the PAT lifecycle API, as documented here, to generate an ephemeral PAT for managing Azure DevOps using an Entra App Registration.

In this scenario, when an App Registration is configured to have Azure DevOps API access with the user_impersonation delegated permission, is it possible to use the same OIDC mechanism that the Azure provider uses to:

  1. authenticate to Entra
  2. generate an ephemeral token for the app registration
  3. use this to generate the ephemeral PAT using the Azure DevOps PAT lifecycle management API?
  4. use the ephemeral PAT for the azuredevops provider

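Steps 3 and 4 of the flow above, as an added example that is neither the provider's code nor the issue author's: it builds the PAT lifecycle create and revoke requests and the environment the azuredevops provider reads, assuming an Entra access token for the Azure DevOps resource is already in hand from steps 1 and 2. The org name, token values and the sample API response are constructed placeholders.

```python
import datetime as dt
import json

# Azure DevOps PAT lifecycle endpoint (api-version 7.1-preview.1). The org name, Entra token
# and sample response below are constructed placeholders, not values from the issue.
PAT_API = "https://vssps.dev.azure.com/{org}/_apis/tokens/pats"
API_VERSION = "7.1-preview.1"
TS = "%Y-%m-%dT%H:%M:%SZ"

def _parse_ts(value):
    """Parse an API timestamp, tolerating the 7-digit fractional seconds the API emits."""
    return dt.datetime.strptime(value.split(".")[0].rstrip("Z") + "Z", TS).replace(tzinfo=dt.timezone.utc)

def pat_create_request(org, entra_token, display_name, scope, ttl_minutes, now=None):
    """POST that mints a PAT limited to `scope`, expiring after `ttl_minutes` (step 3).

    `entra_token` is an Entra access token for the Azure DevOps resource (steps 1-2 of the
    issue's flow); the lifecycle API cannot be called with a PAT. `now` is a test override.
    """
    start = _parse_ts(now) if now else dt.datetime.now(dt.timezone.utc)
    body = {"displayName": display_name, "scope": scope, "allOrgs": False,  # never cross-org
            "validTo": (start + dt.timedelta(minutes=ttl_minutes)).strftime(TS)}
    headers = {"Authorization": f"Bearer {entra_token}", "Content-Type": "application/json"}
    return f"{PAT_API.format(org=org)}?api-version={API_VERSION}", headers, body

def pat_from_response(response_body):
    """Return (token, authorizationId, validTo) from the create response; fail closed on error."""
    data = json.loads(response_body)
    if data.get("patTokenError", "none") != "none":
        raise RuntimeError(f"PAT creation failed: {data['patTokenError']}")
    pat = data["patToken"]
    return pat["token"], pat["authorizationId"], pat["validTo"]

def provider_env(org, pat, valid_to, now=None):
    """Environment the azuredevops provider reads (step 4); refuse an already-expired PAT."""
    current = _parse_ts(now) if now else dt.datetime.now(dt.timezone.utc)
    if _parse_ts(valid_to) <= current:
        raise RuntimeError("PAT already expired; mint a fresh one before running terraform")
    return {"AZDO_ORG_SERVICE_URL": f"https://dev.azure.com/{org}", "AZDO_PERSONAL_ACCESS_TOKEN": pat}

def pat_revoke_request(org, entra_token, authorization_id):
    """DELETE that revokes the PAT as soon as the terraform run finishes."""
    url = f"{PAT_API.format(org=org)}?authorizationId={authorization_id}&api-version={API_VERSION}"
    return url, {"Authorization": f"Bearer {entra_token}"}

# Constructed sample response in the shape the lifecycle API returns on success.
SAMPLE_RESPONSE = json.dumps({"patTokenError": "none", "patToken": {
    "displayName": "tf-run", "scope": "vso.project_manage", "token": "<constructed-pat>",
    "validTo": "2024-01-01T01:00:00.0000000Z",
    "authorizationId": "00000000-0000-0000-0000-000000000001"}})
```

Wire it as: obtain the Entra token, POST the create request, hand the `provider_env` result to terraform, then send the revoke request from the job's cleanup step so the PAT is gone even when the run fails. Pick the narrowest `scope` the run actually needs; `vso.project_manage` here is only a constructed choice.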

jubr commented 3 months ago

@robertscully-wpp you might not have to, given #747 is released in v1.0.0

Also, a workaround was mentioned in the comments at https://github.com/microsoft/terraform-provider-azuredevops/pull/747#discussion_r1420241486

robertscully-wpp commented 3 months ago

@jubr thanks for the feedback on here, will have a read through the comments and release notes.