terraform-provider-azuredevops
terraform-provider-azuredevops copied to clipboard
microsoft
Missing Pipeline Permissions "Edit queue build configuration" following Azure Pipelines - Sprint 237 Update
Appears that Microsoft have introduced a new RBAC assignment for Azure DevOps Pipelines (Edit queue build configuration): https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/pipelines/sprint-237-update
Unless this permission is held, we are unable to invoke new AzDo pipeline builds, error:
{ "$id": "1", "innerException": null, "message": "TF215106: Access denied. USERNAME needs Edit queue build configuration permissions for build pipeline ####:BUILD PIPELINE NAME in team project PROJECT to perform the action. For more information, contact the Azure DevOps administrator.", "typeName": "Microsoft.TeamFoundation.Build.WebApi.AccessDeniedException, Microsoft.TeamFoundation.Build2.WebApi", "typeKey": "AccessDeniedException", "errorCode": 0, "eventId": 3000 }
As per the latest vendor documentation for the resource (azuredevops_build_definition_permissions), I am unable to find a respective permission that aligns to "Edit queue build configuration"
I beleive this may also be impacting the resource azuredevops_build_folder_permissions also.
May also be impacting azuredevops_project_permissions too; it appears that the permission START_BUILD may be a rollup of multiple other child permissions.
@illfunkslammer you can get the sub permission names by API, the names are in the action block: https://learn.microsoft.com/en-us/rest/api/azure/devops/security/security-namespaces/query?view=azure-devops-rest-7.1&tabs=HTTP
{
"namespaceId": "33344d9c-fc72-4d6f-aba5-fa317101a7e9",
"name": "Build",
"displayName": null,
"separatorValue": "/",
"elementLength": -1,
"writePermission": 16384,
"readPermission": 0,
"dataspaceCategory": "Build",
"actions": [
{
"bit": 1,
"name": "ViewBuilds",
"displayName": "View builds",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 2,
"name": "EditBuildQuality",
"displayName": "Edit build quality",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 4,
"name": "RetainIndefinitely",
"displayName": "Retain indefinitely",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 8,
"name": "DeleteBuilds",
"displayName": "Delete builds ",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 16,
"name": "ManageBuildQualities",
"displayName": "Manage build qualities",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 32,
"name": "DestroyBuilds",
"displayName": "Destroy builds",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 64,
"name": "UpdateBuildInformation",
"displayName": "Update build information",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 128,
"name": "QueueBuilds",
"displayName": "Queue builds",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 256,
"name": "ManageBuildQueue",
"displayName": "Manage build queue",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 512,
"name": "StopBuilds",
"displayName": "Stop builds",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 1024,
"name": "ViewBuildDefinition",
"displayName": "View build pipeline",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 2048,
"name": "EditBuildDefinition",
"displayName": "Edit build pipeline",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 4096,
"name": "DeleteBuildDefinition",
"displayName": "Delete build pipeline",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 8192,
"name": "OverrideBuildCheckInValidation",
"displayName": "Override check-in validation by build",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 16384,
"name": "AdministerBuildPermissions",
"displayName": "Administer build permissions",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 32768,
"name": "CreateBuildDefinition",
"displayName": "Create build pipeline",
"namespaceId": "00000000-0000-0000-0000-000000000000"
},
{
"bit": 65536,
"name": "EditPipelineQueueConfigurationPermission",
"displayName": "Edit queue build configuration",
"namespaceId": "00000000-0000-0000-0000-000000000000"
}
],
"structureValue": 1,
"extensionType": "Microsoft.TeamFoundation.Build.Server.BuildSecurityExtension",
"isRemotable": true,
"useTokenTranslator": true,
"systemBitMask": 0
},
This will Help You. https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions?view=azure-devops
I'm having a similar issue with azuredevops_build_folder_permissions after "create build pipeline" was added as a permission https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/pipelines/sprint-243-update#create-build-pipeline-permission.
@xuzhang3 Is EditPipelineQueueConfigurationPermission settable through the Azure Devops terraform provider?
Is EditPipelineQueueConfigurationPermission settable through the Azure Devops terraform provider?
Yes, it's just not listed in the docs. If you add it to the permissions block, it will work.
