azuredevops_branch_policy_auto_reviewers not accepting groups
Terraform (and Azure DevOps Provider) Version
Terraform v0.14.4
- provider registry.terraform.io/hashicorp/azurerm v2.47.0
- provider registry.terraform.io/microsoft/azuredevops v0.1.2
Affected Resource(s)
azuredevops_branch_policy_auto_reviewers azuredevops_group
Expected Behavior
Should be able to set auto_reviewers branch policies to groups obtained from the azuredevops_groups data source
Actual Behavior
The id of the azuredevops_groups datasource is the descriptor, so it fails with:
Error: Error updating policy in Azure DevOps: TF402457: The settings for this policy are not correctly formatted. Error: Error converting value "descriptor-value-omitted" to type 'System.Guid'. Path 'requiredReviewerIds[0]', line 6, position 135.
Using the origin_id does give a GUID, but when using it, it fails with:
Error: Error updating policy in Azure DevOps: TF402457: The settings for this policy are not correctly formatted. Error: Invalid GUID in the requiredReviewerIds array, 'guid-omitted' - GUID's must be the identity of an individual or a group.
Steps to Reproduce
config:
data "azuredevops_group" "g1" {
  name = "Group Name"
}
resource "azuredevops_branch_policy_auto_reviewers" "p1" {
  project_id = azuredevops_project.project1.id
  settings {
    auto_reviewer_ids = [
      data.azuredevops_group.g1.id
    ]
    scope {
      match_type     = "Exact"
      repository_id  = data.azuredevops_git_repository.repo1.id
      repository_ref = "refs/heads/master"
    }
  }
}
run terraform apply
Important Factoids
I also created the policy in the UI, imported it, and see GUIDs that I cannot find using any Azure DevOps/Graph API method. Not sure where they come from or how to get them.
The groups I'm using are from Azure Active Directory. They appear like "[TEAM FOUNDATION]\Group Name" in the UIs and several of the API calls, but I do know the azuredevops_group data source is returning the correct group, because the descriptor matches.
Hi @rossbeehler you can reference the group ID with azuredevops_group.g1.origin_id
Hi @xuzhang3, I mentioned above that I tried using origin_id and received this error:
Error: Error updating policy in Azure DevOps: TF402457: The settings for this policy are not correctly formatted. Error: Invalid GUID in the requiredReviewerIds array, 'guid-omitted' - GUID's must be the identity of an individual or a group.
Is it perhaps the fact that I'm using an Azure Active Directory Group?
Hi @rossbeehler I cannot reproduce your error. From the error message, it looks like the service returns the group info without origin_id. Can you find the group [TEAM FOUNDATION]\Group Name in your project groups?

I can replicate this issue using an Azure Active Directory Group as well. It seems that neither origin_id nor descriptor is the correct format for the create request. Using the UI and inspecting the API calls made in the browser, it looks as though the group's localId value is used when adding a group as a reviewer - however this value isn't in the azuredevops_group resource schema so isn't available to use as a reviewer group ID - so this won't ever work as far as I can tell.
I can reaffirm @racdev's comment, I went through the same investigation. What I had to do was map the Active Directory group to an Azure DevOps group and then use the Azure DevOps group on the reviewers list.
@rdalbuquerque could you confirm which attribute you use to do this with a group? I tried with the .id attribute and the .descriptor attribute (they appear to be the same) of the Azure DevOps group and I still get:
Error: Error creating policy in Azure DevOps: TF402457: The settings for this policy are not correctly formatted. Error: Error converting value "<descriptor/id>" to type 'System.Guid'. Path 'requiredReviewerIds[0]', line 7, position 151.
I am able to add this group manually via the UI.
Oh actually, I found it works with .origin_id of the Azure DevOps group.
In case it helps anyone else my working configuration is like this:
# Data source for the built-in "Contributors" AzDO group
data "azuredevops_group" "azdo" {
  project_id = azuredevops_project.example.id
  name       = "Contributors"
}
# Create/read new AzDO group for my Azure AD group
resource "azuredevops_group" "aad" {
  origin_id = data.azuread_group.example.object_id
}
# Add Azure AD group to Contributors group
resource "azuredevops_group_membership" "example" {
  group = data.azuredevops_group.azdo.descriptor
  members = [
    azuredevops_group.aad.descriptor
  ]
}
# Add built-in AzDO group "Contributors" (with my Azure AD group as a member) to auto_reviewer_ids with .origin_id
resource "azuredevops_branch_policy_auto_reviewers" "example" {
  project_id = azuredevops_project.example.id
  settings {
    auto_reviewer_ids = [data.azuredevops_group.azdo.origin_id]
    scope {
      match_type = "DefaultBranch"
    }
  }
}
If you're only using a built in azdo group or one you created you can skip the AAD bits.
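A pre-apply check for the first failure reported in this thread (a descriptor passed where requiredReviewerIds expects a GUID), added here as an example; it is not code from the issue or from the provider. It assumes the plan JSON produced by `terraform show -json`, uses a constructed sample plan, and cannot detect the second failure, a well-formed GUID that the service rejects as not being an identity.

```python
import json
import uuid

POLICY_TYPE = "azuredevops_branch_policy_auto_reviewers"

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azuredevops_branch_policy_auto_reviewers.p1",
   "type": "azuredevops_branch_policy_auto_reviewers",
   "change": {"after": {"settings": [
     {"auto_reviewer_ids": ["constructed-descriptor-value"]}]}}},
  {"address": "azuredevops_branch_policy_auto_reviewers.example",
   "type": "azuredevops_branch_policy_auto_reviewers",
   "change": {"after": {"settings": [
     {"auto_reviewer_ids": ["11111111-2222-3333-4444-555555555555"]}]}}},
  {"address": "azuredevops_branch_policy_auto_reviewers.old",
   "type": "azuredevops_branch_policy_auto_reviewers",
   "change": {"after": null}}
]}
""")

def is_guid(value):
    """True only for the canonical hyphenated 8-4-4-4-12 GUID form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def find_bad_reviewer_ids(plan):
    """Return (resource address, value) for every reviewer id that is not a GUID."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != POLICY_TYPE:
            continue
        # "after" is null when the resource is being destroyed.
        after = (rc.get("change") or {}).get("after") or {}
        for settings in after.get("settings") or []:
            for rid in settings.get("auto_reviewer_ids") or []:
                if not is_guid(rid):
                    findings.append((rc["address"], rid))
    return findings

if __name__ == "__main__":
    for address, value in find_bad_reviewer_ids(SAMPLE_PLAN):
        print(f"{address}: auto_reviewer_ids value {value!r} is not a GUID")
```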
I can confirm the same result as @rossbeehler and @racdev, but with more recent Terraform and provider versions:
- Terraform v1.3.9
- provider registry.terraform.io/hashicorp/azurerm v3.66.0
- provider registry.terraform.io/microsoft/azuredevops v0.7.0
@vanchogeorgievski are you using the AAD group ID directly as the reviewer IDs? The object ID of the AAD group is different from the group ID in Azure DevOps.
Related: https://github.com/microsoft/terraform-provider-azuredevops/issues/864
This issue is a duplicate of #864; please keep track of #864 instead.