Permission Error for azuredevops_pipeline_authorization type endpoint #1117

FRUCHTiii opened this issue Jul 31, 2024 · 12 comments

@FRUCHTiii (Contributor)
Within our code we try to replace the azuredevops_resource_authorization with azuredevops_pipeline_authorization.
On both we want to enable open access on our service connections.

With the old resource the authorization works as expected; if we try to use the new resource it is broken.
The user who runs terraform has admin permissions on the service connection and also created the service connection, so I'm quite sure that this isn't a permission error.

Is there anything I can do to use the new resource?

Terraform (and Azure DevOps Provider) Version

Terraform: v1.9.3
Azure DevOps Provider: v1.2.0

Affected Resource(s)

  • azuredevops_pipeline_authorization

Terraform Configuration Files

data "azuredevops_project" "project" {
  name = upper(var.project_id) # current naming convention -> upper case project names
}

data "azurerm_key_vault_secret" "token" {
  name         = var.secret
  key_vault_id = var.key_vault_id
}

# AzureRM Service Connection
data "azurerm_key_vault_secret" "spn_id" {
  name         = var.spn_id
  key_vault_id = var.key_vault_id
}

resource "azuredevops_serviceendpoint_azurerm" "azurerm" {
  project_id            = data.azuredevops_project.project.id
  service_endpoint_name = var.name
  description           = "Service Connection for 'AzureRM' to manage configure Azure Infrastructure  (managed-by Terraform; created-by ${upper(var.description_delivery_id != "" ? var.description_delivery_id : var.delivery_id)}; supported-by ITPD)"
  credentials {
    serviceprincipalid  = data.azurerm_key_vault_secret.spn_id.value
    serviceprincipalkey = data.azurerm_key_vault_secret.token.value
  }
  azurerm_spn_tenantid      = "2d1c5c5c-c864-4908-b034-dcf8eed82382"
  azurerm_subscription_id   = var.subscription_id
  azurerm_subscription_name = var.subscription_name
}

resource "azuredevops_pipeline_authorization" "azurerm_auth" {
  project_id                = data.azuredevops_project.project.id
  resource_id               = azuredevops_serviceendpoint_azurerm.azurerm.id
  type                      = "endpoint"
}

Expected Behavior

The Provider should set the settings for the service connection to open access

Actual Behavior

We get the following Error:

╷
│ Error:  creating authorized resource: The resource doesn't exist or the user doesn't have admin permission for all resources of that type.
│ 
│   with module.cd-test.module.npm[0].azuredevops_pipeline_authorization.npm_auth,
│   on .terraform/modules/cd-test/npm/main.tf line 18, in resource "azuredevops_pipeline_authorization" "npm_auth":18: resource "azuredevops_pipeline_authorization" "npm_auth" {
│ 
╵
@xuzhang3 (Collaborator)

xuzhang3 commented Aug 6, 2024

@FRUCHTiii Cannot reproduce this error. This could be a permission issue or the resource does not exist; if I set "resource_id" to a dummy value I get the same error.

@FRUCHTiii (Contributor, Author)

Thank you for your reply and help.

I am trying to replace the old, deprecated resource with the new one.

My Terraform plan looks like this

  # module.cd-test.module.sonarqube[0].azuredevops_pipeline_authorization.sonarqube_auth will be created
  + resource "azuredevops_pipeline_authorization" "sonarqube_auth" {
      + id          = (known after apply)
      + project_id  = "eecb6be9-f80a-4c8d-XXXX-0d356db27bc2"
      + resource_id = "61e9a1e4-c366-4cbd-8d03-2dc329f0e9a5"
      + type        = "endpoint"
    }

  # module.cd-test.module.sonarqube[0].azuredevops_resource_authorization.sonarqube_auth will be destroyed
  # (because azuredevops_resource_authorization.sonarqube_auth is not in configuration)
  - resource "azuredevops_resource_authorization" "sonarqube_auth" {
      - authorized    = true -> null
      - definition_id = 0 -> null
      - id            = "61e9a1e4-c366-4cbd-8d03-2dc329f0e9a5" -> null
      - project_id    = "eecb6be9-f80a-4c8d-XXXX-0d356db27bc2" -> null
      - resource_id   = "61e9a1e4-c366-4cbd-8d03-2dc329f0e9a5" -> null
      - type          = "endpoint" -> null
    }

As you can see the resource_id is exactly the same and is set correctly, as the old resource is working fine.

That's how I set up both resources.

resource "azuredevops_resource_authorization" "sonarqube_auth" {
  project_id  = data.azuredevops_project.delivery.id
  resource_id = azuredevops_serviceendpoint_sonarqube.sonarqube.id
  authorized  = true
}

resource "azuredevops_pipeline_authorization" "sonarqube_auth" {
  project_id                = data.azuredevops_project.delivery.id
  resource_id               = azuredevops_serviceendpoint_sonarqube.sonarqube.id
  type                      = "endpoint"
}

I'm not able to see my issue over here.
Do you have some advice to troubleshoot this?

@xuzhang3 (Collaborator)

xuzhang3 commented Aug 6, 2024

@FRUCHTiii I tried a PAT token with limited permissions and it still works for me.

I don't know how the token is generated in your environment; if the resource exists, this could be a token permission issue. The token does not have the right permission.

In addition, the old deprecated resource azuredevops_resource_authorization and the new resource azuredevops_pipeline_authorization are using different APIs.

@FRUCHTiii (Contributor, Author)

We don't run terraform with a PAT; we use a managed identity instead.

The MA is Project Admin.

So it has admin permissions within the complete project.
This MA has Administrator permissions on all service connections.

And the MA also created the service connection, so it gets admin permissions automatically and explicitly.

I really don't see a permission issue.

@xuzhang3 (Collaborator)

xuzhang3 commented Aug 7, 2024

Tried the MSI, still works. A bit weird that the old authentication worked and the new one didn't.

@xuzhang3 (Collaborator)

xuzhang3 commented Aug 7, 2024

@FRUCHTiii It just came to my mind that the authorization API will get all authorizations, including other pipeline authorizations. This may be the root cause.

@FRUCHTiii (Contributor, Author)

@xuzhang3 I think I'm not really getting your answer.
What can I do to troubleshoot or fix it? Or is it a bug?

@xuzhang3 (Collaborator)

xuzhang3 commented Aug 29, 2024

@FRUCHTiii I mean, there are other pipelines that are granted, but the PAT does not have the access permission.

@FRUCHTiii (Contributor, Author)

@xuzhang3 I gave this problem another try today.

When I add the UMI to the Project Collection Administrators at the organization level, I'm able to use the new resource and roll out the changes.

As soon as I remove this and the UMI is "only" a Project Administrator at the project level, I'm unable to use this resource.

So from my perspective this looks like the API is doing things in the background that aren't supposed to happen, and this whole thing feels like a bug to me.

Adding all UMIs to Project Collection Administrators at the organization level is a complete no-go for me and feels like a security issue.

@dzindzinj

I've fixed my issue #923 (comment) by adding Endpoint Administrator permission to the service account that was running terraform.

@FRUCHTiii (Contributor, Author)

@xuzhang3 I tried version 1.4 and still get the same error.

  • My Managed Identity is Project Admin (and automatically contained within the Endpoint Admins)
  • Endpoint Admins have Admin Permissions within the Service Connection Tab
  • Endpoint Admins and Project Admins have both full Permissions on Pipeline Tab

I have no idea how to get this fixed or what the next steps could be to find the issue.

@xuzhang3 (Collaborator)

xuzhang3 commented Oct 29, 2024

@FRUCHTiii Weird. I just need to add the identity/SPN to the Endpoint Admins and this works for me.
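Two commenters above report that the Endpoint Administrators role on the project is what the pipeline_authorization call needs, and the reporter objects to granting Project Collection Administrator instead. The configuration below is an added example (not code from the thread or from the provider project) showing how to express that project-scoped grant in Terraform and sequence it before the authorization, plus a narrower per-pipeline variant. It assumes the input variables var.project_id, var.terraform_identity_descriptor (the Graph descriptor of the managed identity that runs Terraform) and var.pipeline_id, and an existing azuredevops_serviceendpoint_sonarqube.sonarqube resource.

```hcl
# Added example, not from the issue thread or the provider project.
# Assumed inputs: var.project_id, var.terraform_identity_descriptor,
# var.pipeline_id, and an existing azuredevops_serviceendpoint_sonarqube.sonarqube.

data "azuredevops_project" "project" {
  name = var.project_id
}

# Built-in project-level security group that administers service connections.
data "azuredevops_group" "endpoint_admins" {
  project_id = data.azuredevops_project.project.id
  name       = "Endpoint Administrators"
}

# Project-scoped membership only; no organization-level (PCA) privilege is granted.
resource "azuredevops_group_membership" "tf_identity_endpoint_admin" {
  group   = data.azuredevops_group.endpoint_admins.descriptor
  members = [var.terraform_identity_descriptor] # assumed input: Graph descriptor of the UMI
  mode    = "add"                               # keep the group's other members untouched
}

# Open access for every pipeline in the project (what the thread is trying to do).
resource "azuredevops_pipeline_authorization" "sonarqube_open" {
  project_id  = data.azuredevops_project.project.id
  resource_id = azuredevops_serviceendpoint_sonarqube.sonarqube.id
  type        = "endpoint"

  # The new resource evaluates all existing pipeline authorizations on the
  # endpoint, so make sure the role grant is applied before that call runs.
  depends_on = [azuredevops_group_membership.tf_identity_endpoint_admin]
}

# Narrower alternative: authorize a single pipeline instead of opening the
# endpoint to all of them.
resource "azuredevops_pipeline_authorization" "sonarqube_single" {
  project_id  = data.azuredevops_project.project.id
  resource_id = azuredevops_serviceendpoint_sonarqube.sonarqube.id
  type        = "endpoint"
  pipeline_id = var.pipeline_id # assumed input: numeric build definition id

  depends_on = [azuredevops_group_membership.tf_identity_endpoint_admin]
}
```

The depends_on edges matter when the membership and the authorization are created in the same apply: without them Terraform may issue the pipelinepermissions call before the group change has propagated, reproducing the "doesn't have admin permission" error even though the grant is in the plan. Prefer the per-pipeline resource where only one definition consumes the connection, since open access is a standing grant to every current and future pipeline in the project.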
