Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Environment permissions for azuredevops_pipeline_authorization #923

Open
hbuckle opened this issue Nov 9, 2023 · 7 comments
Open

Environment permissions for azuredevops_pipeline_authorization #923

hbuckle opened this issue Nov 9, 2023 · 7 comments

Comments

@hbuckle
Copy link
Contributor

hbuckle commented Nov 9, 2023

resource "azuredevops_project" "project" {
  name               = var.name
  work_item_template = var.work_item_template
  version_control    = "Git"
  visibility         = "private"
}

resource "azuredevops_environment" "example" {
  project_id = azuredevops_project.project.id
  name       = "example"
}

resource "azuredevops_pipeline_authorization" "example" {
  project_id  = azuredevops_project.project.id
  resource_id = azuredevops_environment.example.id
  type        = "environment"
}

I get the following error from the azuredevops_pipeline_authorization resource

│ Error:  creating authorized resource: The resource doesn't exist or the user doesn't have admin permission for all resources of that type.

The user running Terraform is Administrator on the environment resource (as they just created it), and also Project Administrator (as they just created that also).

The only way I found to fix it is to make the user Administrator on all environments for the project, but that has to be done by a project collection administrator, as by default project administrators are only granted Creator permission on the Environment namespace.

So is there any way to grant all pipelines permissions to an environment without the user being project collection administrator?

@jubr
Copy link

jubr commented Feb 21, 2024

I think I might be running into the same type of problem, but then for a cross-project repository authorization. So to add to the above example:

resource "azuredevops_project" "other-project" {
  name               = var.other_name
  work_item_template = var.work_item_template
  version_control    = "Git"
  visibility         = "private"
}

// This will have auto-created a repo with the same name
data "azuredevops_git_repository" "other-repo" {
  project_id = azuredevops_project.other-project.id
  name       = var.other_name
}

// Allow pipeline(s) in "project" to access "other-repo" in "other-project"
resource "azuredevops_pipeline_authorization" "to-other-repo" {
  project_id  = azuredevops_project.project.id
  resource_id = azuredevops_git_repository.other-repo.id
  type        = "repository"
  #pipeline_id = azuredevops_build_definition.in-first-project.id // not-set: allow all pipelines
}

Note the error is exacty the same (minus the "for all resources of that type"):

│ Error:  creating authorized resource:
          The resource doesn't exist or the user doesn't have admin permission.

And if I enable line pipeline_id the first part of the error is the same, but the underlying error is not:

│ Error:  creating authorized resource:
          The resource doesn't exist or the user doesn't have use permission.

Perhaps worth mentioning I already turned enforce_job_scope off for both projects with:

resource "azuredevops_project_pipeline_settings" "_" {
  for_each = toset(["project", "other-project"])
  project_id                           = azuredevops_project[each.key].id
  enforce_job_scope                    = false
  enforce_job_scope_for_release        = false
  //... other settings
}

I suspect this might be the same administrators-permission required. So this leads back to @hbuckle's original question:

So is there any way to grant all pipelines permissions [to an environment/repository] without the user being project collection administrator?

Can you please help us out @xuzhang3? 🙏

@kerko
Copy link

kerko commented Mar 14, 2024

@jubr
Since I hit the same problem as you. FYI:
The problem ist that the resource will always prepend the project id to resource id for this type

The correct resource id for cross project repository authorization would be: "otherProjectId.repositoryId" but that can not be set atm

@xuzhang3
Copy link
Collaborator

xuzhang3 commented Mar 25, 2024

@jubr @kerko cross project authorization supported in #973 , will be available in v1.1.0

@FRUCHTiii
Copy link
Contributor

I still get the error, even with version 1.2.0

Is there any fix for it @xuzhang3 ?

│ Error:  creating authorized resource: The resource doesn't exist or the user doesn't have admin permission for all resources of that type.
│ 
│   with module.cd-test.module.npm[0].azuredevops_pipeline_authorization.npm_auth,
│   on .terraform/modules/cd-test/npm/main.tf line 18, in resource "azuredevops_pipeline_authorization" "npm_auth":
│   18: resource "azuredevops_pipeline_authorization" "npm_auth" {
│ 
╵
╷
│ Error:  creating authorized resource: The resource doesn't exist or the user doesn't have admin permission for all resources of that type.
│ 
│   with module.cd-test.module.sonarqube[0].azuredevops_pipeline_authorization.sonarqube_auth,
│   on .terraform/modules/cd-test/sonarqube/main.tf line 19, in resource "azuredevops_pipeline_authorization" "sonarqube_auth":
│   19: resource "azuredevops_pipeline_authorization" "sonarqube_auth" {

@xuzhang3
Copy link
Collaborator

xuzhang3 commented Sep 2, 2024

@FRUCHTiii can you share your TF script?

@FRUCHTiii
Copy link
Contributor

FRUCHTiii commented Sep 25, 2024

@xuzhang3 Unfortunately I don't have a Terraform Scirpt.

At first I thought i have this issue here but then recognized that I'm using a different type of this resource.

My issue is described here #1117

But IMHO for me it looks like a very similar issue within the api.

@dzindzinj
Copy link

dzindzinj commented Oct 11, 2024

Have the same error as @FRUCHTiii, I was able to create endpoint for acr and grant it all pipeline permission with old resource but not the new one.

resource "azuredevops_serviceendpoint_azurecr" "main" {
    project_id                             = data.azuredevops_project.main.id
    resource_group                         = azurerm_resource_group.acr.name
    service_endpoint_name                  = "example"
    service_endpoint_authentication_scheme = "WorkloadIdentityFederation"
    azurecr_spn_tenantid                   = data.azurerm_subscription.current.tenant_id
    azurecr_name                           = azurerm_container_registry.acr.name
    azurecr_subscription_id                = data.azurerm_subscription.current.subscription_id
    azurecr_subscription_name              = data.azurerm_subscription.current.display_name

    credentials {
      serviceprincipalid = azurerm_user_assigned_identity.acr.client_id
    }
}

resource "azurerm_federated_identity_credential" "main" {
    name                = "fed-wif"
    resource_group_name = azurerm_resource_group.acr.name
    parent_id           = azurerm_user_assigned_identity.acr.id # has to be managed identity
    audience            = ["api://AzureADTokenExchange"]
    issuer              = azuredevops_serviceendpoint_azurecr.main.workload_identity_federation_issuer
    subject             = azuredevops_serviceendpoint_azurecr.main.workload_identity_federation_subject
}

# Does not work - permission error / resource not found
# resource "azuredevops_pipeline_authorization" "pipeline_access" {
#  project_id  = data.azuredevops_project.main.id
#  resource_id = azuredevops_serviceendpoint_azurecr.main.id
#  type        = "endpoint"
#  #pipeline_id - all pipelines if not specified
#}

# works but deprecated
resource "azuredevops_resource_authorization" "pipeline_access" {
  project_id  = data.azuredevops_project.main.id
  resource_id = azuredevops_serviceendpoint_azurecr.main.id
  type        = "endpoint"
  authorized  = true
}

Edit:
Worth to note that I am unable to make changes to the ACR service connection via Azure DevOps UI either with the error message that the service connection was created using Azure DevOps REST API

Endpoint of this type and scheme cannot be modified through the UI. Use Azure DevOps REST API instead. Learn more at https://aka.ms/azdo-rm-wif-docker-cross-tenant

The creator and owner of the ACR endpoint is "Project collection Build Service (Org)" - same pipeline and token.

Edit:
Fixed by adding Endpoint Administrator permission to the service account that was running my terraform code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants