
azuredevops_git_permissions fails to apply on Azure DevOps Server 2022 #1217

Open
paddymorgan84 opened this issue Nov 7, 2024 · 9 comments

@paddymorgan84
Contributor


Terraform (and Azure DevOps Provider) Version

Terraform: v1.9.8
Azure DevOps Provider: 1.4.0

Affected Resource(s)

  • azuredevops_git_permissions

Terraform Configuration Files

# Input variables referenced below (declared here so the snippet is self-contained)
variable "project_name" {
  type = string
}

variable "repository_id" {
  type = string
}

data "azuredevops_project" "Project" {
  name = var.project_name
}

# Group lookup for Azure DevOps Server; the provider docs use azuredevops_group instead
data "azuredevops_identity_group" "contributors" {
  project_id = data.azuredevops_project.Project.id
  name       = "[${var.project_name}]\\Contributors"
}

resource "azuredevops_git_permissions" "contributors-permissions" {
  project_id    = data.azuredevops_project.Project.id
  repository_id = var.repository_id
  # The identity group's ID is passed as the principal (this is what fails, see below)
  principal     = data.azuredevops_identity_group.contributors.id
  permissions = {
    PolicyExempt            = "Deny"
    PullRequestBypassPolicy = "Deny"
    GenericContribute       = "Allow"
    PullRequestContribute   = "Allow"
    CreateBranch            = "Allow"
    CreateTag               = "Allow"
    DeleteRepository        = "Deny"
    EditPolicies            = "Deny"
    ForcePush               = "Deny"
    ManageNote              = "Allow"
    ManagePermissions       = "Deny"
    GenericRead             = "Allow"
    RemoveOthersLocks       = "Deny"
    RenameRepository        = "Deny"
  }
}

Debug Output

Panic Output

Expected Behavior

Permissions should have been set for the contributors project group at the repository level.

Actual Behavior

An error is thrown:

│ Error: The string must have at least one character.
│ Parameter name: descriptors element.IdentityType
│ 
│   with module.repository["monitoring"].module.permissions.azuredevops_git_permissions.contributors-permissions,
│   on modules/repository/modules/permissions/main.tf line 10, in resource "azuredevops_git_permissions" "contributors-permissions":
│   10: resource "azuredevops_git_permissions" "contributors-permissions" {

Steps to Reproduce

  1. terraform apply

Important Factoids

Nothing particularly atypical, but I am using Azure DevOps Server 2022 rather than Azure DevOps services, which means that rather than using the azuredevops_group data source used in the documentation I'm using azuredevops_identity_group instead.

References

  • #0000
@xuzhang3
Collaborator

xuzhang3 commented Nov 8, 2024

@paddymorgan84 ADO Server is not supported by this provider. All resources target ADO Services. There might be some API or feature differences between ADO Server and ADO Services.

@paddymorgan84
Contributor Author

Thanks @xuzhang3. I didn't realise this was the case; it seems odd, because there are resources such as azuredevops_identity_group that have been created specifically to handle on-premises Azure DevOps?

@xuzhang3
Collaborator

@paddymorgan84 Most of the APIs are the same between ADO Server and ADO Services, but some are different. azuredevops_identity_group was originally added to support the on-premises/non-cloud APIs.

@balazs92117

I have the same problem on ADO service, so it's not happening only on on-prem ADO.

@dtap001

dtap001 commented Feb 6, 2025

I have cloud ADO and am still getting the same error. Any update?

Using provider 1.6.0

@xuzhang3
Collaborator

xuzhang3 commented Feb 7, 2025

Hi all, this is not a bug. The principal = data.azuredevops_identity_group.contributors.id here should be the subjectDescriptor of the identity group. The original HCL script shared by @paddymorgan84 is using the ID, which is not correct; also, azuredevops_identity_group does not support exporting the subjectDescriptor, so there is no workaround at the moment.

@xuzhang3
Collaborator

xuzhang3 commented Feb 7, 2025

#1292 will support exporting the subjectDescriptor for the identity groups, which can be used for permission management.

@dtap001

dtap001 commented Feb 7, 2025

Hi @xuzhang3! Thanks for the quick reaction!

Does that mean that I can use this:

resource "azuredevops_git_permissions" "example-branch-permissions" {
  project_id    = azuredevops_git_repository.example.project_id
  repository_id = azuredevops_git_repository.example.id
  principal     = data.azuredevops_group.example-project-contributors.id
  permissions = {
    RemoveOthersLocks = "Allow"
    ForcePush         = "Deny"
  }
}

Where the principal is a group ID which I have created under devops/project settings/general/permissions/groups? If not, can you please provide a full example?

@xuzhang3
Collaborator

xuzhang3 commented Feb 8, 2025

@dtap001 The ID of the azuredevops_group is the group descriptor, so this HCL will work as expected. Due to historical reasons, resource IDs are not unified. The ID in azuredevops_identity_group is a UUID that doesn't comply with the permission setting.
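A configuration that applies the thread's conclusion for Azure DevOps Services, added here as an example (not code from the thread or from the provider's docs): the principal comes from azuredevops_group, whose ID is the descriptor, and a plan-time precondition rejects a bare UUID (the shape of an azuredevops_identity_group ID) before the API rejects it with the opaque "IdentityType" error. The project name "Example" and the repository_id variable are assumptions.

```hcl
# Added example; project name and repository_id are placeholders.
variable "repository_id" {
  type = string
}

data "azuredevops_project" "project" {
  name = "Example"
}

# azuredevops_group.id is the group's subject descriptor, which is what
# azuredevops_git_permissions.principal expects (unlike the UUID returned
# by azuredevops_identity_group.id).
data "azuredevops_group" "contributors" {
  project_id = data.azuredevops_project.project.id
  name       = "Contributors"
}

resource "azuredevops_git_permissions" "contributors" {
  project_id    = data.azuredevops_project.project.id
  repository_id = var.repository_id
  principal     = data.azuredevops_group.contributors.id

  # Least-privilege baseline: routine work allowed, policy bypass,
  # force-push and permission changes denied.
  permissions = {
    GenericRead             = "Allow"
    GenericContribute       = "Allow"
    PullRequestContribute   = "Allow"
    CreateBranch            = "Allow"
    ForcePush               = "Deny"
    PolicyExempt            = "Deny"
    PullRequestBypassPolicy = "Deny"
    EditPolicies            = "Deny"
    ManagePermissions       = "Deny"
  }

  lifecycle {
    # Fail at plan time with a clear message if the principal looks like a
    # UUID (an identity-group ID) rather than a descriptor.
    precondition {
      condition     = !can(regex("^[0-9a-fA-F-]{36}$", data.azuredevops_group.contributors.id))
      error_message = "principal must be a group descriptor (azuredevops_group.id), not an azuredevops_identity_group UUID."
    }
  }
}
```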
