Environment permissions for azuredevops_pipeline_authorization #923
Comments
I think I might be running into the same type of problem, but then for a cross-project

```hcl
resource "azuredevops_project" "other-project" {
  name               = var.other_name
  work_item_template = var.work_item_template
  version_control    = "Git"
  visibility         = "private"
}

// This will have auto-created a repo with the same name
data "azuredevops_git_repository" "other-repo" {
  project_id = azuredevops_project.other-project.id
  name       = var.other_name
}

// Allow pipeline(s) in "project" to access "other-repo" in "other-project"
resource "azuredevops_pipeline_authorization" "to-other-repo" {
  project_id  = azuredevops_project.project.id
  // Data sources are referenced with the "data." prefix
  resource_id = data.azuredevops_git_repository.other-repo.id
  type        = "repository"
  #pipeline_id = azuredevops_build_definition.in-first-project.id // not-set: allow all pipelines
}
```

Note the error is exactly the same (minus the "for all resources of that type"):

```
│ Error: creating authorized resource:
The resource doesn't exist or the user doesn't have admin permission.
```

And if I enable line

```
│ Error: creating authorized resource:
The resource doesn't exist or the user doesn't have use permission.
```

Perhaps worth mentioning I already turned

```hcl
resource "azuredevops_project_pipeline_settings" "_" {
  // A resource type cannot be indexed by key, so map each key to its project id
  for_each = {
    "project"       = azuredevops_project.project.id
    "other-project" = azuredevops_project.other-project.id
  }
  project_id                    = each.value
  enforce_job_scope             = false
  enforce_job_scope_for_release = false
  //... other settings
}
```

I suspect this might be the same administrators-permission required. So this leads back to @hbuckle's original question:

Can you please help us out @xuzhang3? 🙏

@jubr The correct resource id for cross project repository authorization would be: "otherProjectId.repositoryId" but that can not be set atm

I still get the error, even with version 1.2.0. Is there any fix for it @xuzhang3?

@FRUCHTiii can you share your TF script?

Have the same error as @FRUCHTiii, I was able to create endpoint for acr and grant it all pipeline permission with old resource but not the new one.

Edit: Endpoint of this type and scheme cannot be modified through the UI. Use Azure DevOps REST API instead. Learn more at https://aka.ms/azdo-rm-wif-docker-cross-tenant

The creator and owner of the ACR endpoint is "Project collection Build Service (Org)" - same pipeline and token.

Edit:

I get the following error from the `azuredevops_pipeline_authorization` resource

The user running Terraform is Administrator on the environment resource (as they just created it), and also Project Administrator (as they just created that also).
The only way I found to fix it is to make the user Administrator on all environments for the project, but that has to be done by a project collection administrator, as by default project administrators are only granted Creator permission on the Environment namespace.
So is there any way to grant all pipelines permissions to an environment without the user being project collection administrator?