terraform-provider-azuredevops
Document PAT scopes required to run various terraform
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and Azure DevOps Provider) Version
Terraform v0.15.5 on darwin_amd64
- provider registry.terraform.io/hashicorp/azurerm v2.28.0
- provider registry.terraform.io/hashicorp/template v2.2.0
- provider registry.terraform.io/microsoft/azuredevops v0.1.4
Affected Resource(s)
- azuredevops_variable_group
- others
Terraform Configuration Files
resource "azuredevops_variable_group" "variablegroup" {
  name         = format("myrg-%s", var.ENVIRONMENT)
  project_id   = var.AZDO_PROJECT_ID
  description  = "My Variable Group"
  allow_access = true

  variable {
    name  = "AZURE_RM_SVC_CONNECTION"
    value = "azure-resource-connection"
  }

  variable {
    name  = "..."
    value = "..."
  }
}
Expected Behavior
Documentation pages denote which PAT scopes are required to use the particular resource type to avoid permission issues
Actual Behavior
Documentation does not note which scopes are required for PATs. Creating a PAT with expected permissions (e.g. "manage" for variable groups) results in frequent '401 Unauthorized', which are not debuggable due to #381.
As a result users have to perform trial and error, regenerating PAT tokens tens of times to find the combination with least privilege.
Steps to Reproduce
- place a DevOps resource into Terraform
- create a PAT token with expected scopes required
- try pipeline
- it fails, change PAT
- repeat steps 3-4 many, many times
References
- #314
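One way to cut down the trial-and-error loop described above is to probe the Azure DevOps REST API with the candidate PAT before handing it to Terraform, so a scope gap shows up as a labelled 401 instead of a pipeline failure. The script below is an added example for this issue, not code from the provider or from the issue author. The endpoint list and the scope label next to each probe are assumptions (the provider does not document which endpoints each resource calls, which is the point of this issue); `myorg`, `myproj` and the PAT value are placeholders, and the `get` parameter exists only so the probe can be exercised offline with a fake transport.

```python
import base64
import sys
import urllib.error
import urllib.request

# Endpoints to probe before running terraform. The scope named in each label
# is an assumption about what that endpoint needs; extend the table with the
# endpoints behind whichever azuredevops_* resources you actually use.
PROBES = {
    "projects (vso.project)":
        "https://dev.azure.com/{org}/_apis/projects?api-version=6.0",
    "variable groups (vso.variablegroups_read)":
        "https://dev.azure.com/{org}/{project}/_apis/distributedtask/variablegroups?api-version=6.0-preview.2",
    "service endpoints (vso.serviceendpoint)":
        "https://dev.azure.com/{org}/{project}/_apis/serviceendpoint/endpoints?api-version=6.0-preview.4",
    "build definitions (vso.build)":
        "https://dev.azure.com/{org}/{project}/_apis/build/definitions?api-version=6.0",
}


def auth_header(pat):
    # Azure DevOps PATs are sent as HTTP Basic auth with an empty user name.
    token = base64.b64encode(":{}".format(pat).encode()).decode()
    return "Basic " + token


def http_get(url, headers):
    # Real transport: return the HTTP status code only, never the body,
    # so nothing sensitive is logged by accident.
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    # A PAT that lacks a scope is rejected with 401; a rejected credential can
    # also surface as 203 when the service redirects to its sign-in page.
    if status == 200:
        return "ok"
    if status in (401, 203):
        return "denied"
    if status == 403:
        return "forbidden"
    return "unexpected({})".format(status)


def probe_pat(org, project, pat, get=http_get):
    # Hit every probe endpoint with the PAT and classify the outcome.
    headers = {"Authorization": auth_header(pat), "Accept": "application/json"}
    results = {}
    for name, template in PROBES.items():
        url = template.format(org=org, project=project)
        results[name] = classify(get(url, headers))
    return results


def missing_scopes(results):
    # Names of probes that did not succeed, i.e. what to add to the PAT.
    return [name for name, verdict in results.items() if verdict != "ok"]


if __name__ == "__main__":
    # Usage: python probe_pat.py <org> <project> <pat>   (placeholders, not real values)
    if len(sys.argv) != 4:
        sys.exit("usage: probe_pat.py <org> <project> <pat>")
    outcome = probe_pat(sys.argv[1], sys.argv[2], sys.argv[3])
    for name, verdict in outcome.items():
        print("{:45s} {}".format(name, verdict))
    gaps = missing_scopes(outcome)
    sys.exit(1 if gaps else 0)
```

Run it once per candidate PAT; the non-zero exit and the list of denied probes tell you which scope to add next, which is cheaper than regenerating tokens against a full pipeline run. Because the script only ever reads status codes, it is safe to wire into a pre-flight step that runs before `terraform plan`.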
Yeah, this is a complete mess right now. Blind trial and error is not very fun.