
`azuredevops_serviceendpoint_azurecr` fails when using `$(System.AccessToken)` in DevOps pipeline

Open karlschriek opened this issue 2 years ago • 3 comments

We are building Terraform resources (including azuredevops resources) by running Terraform jobs in DevOps build pipelines. Most of these work without any issue, but creating an `azuredevops_serviceendpoint_azurecr` fails with the following error:

│ Error: waiting for service endpoint ready. Error looking up service endpoint given ID (yyyyy-ea93-49ba-ab54-8a97f2633ff5) and project ID (d5a24b7f-ca79-4831-942a-xxxx): map[state:Failed statusMessage:TF14045: The identity with type 'Microsoft.TeamFoundation.ServiceIdentity' could not be found.]

The token we use is for a project-scoped Job Agent (i.e. `$(System.AccessToken)` within the pipeline YAML spec), which has Project Collection Administrator permissions. I am able to create other service connections with this agent; for example, `azuredevops_serviceendpoint_azurerm` works fine. If I run `terraform apply` locally with a token for the user that is the owner of the DevOps organization, `azuredevops_serviceendpoint_azurecr` builds without any issue.

This is on Terraform 1.1.7, azuredevops provider 0.2.0.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

karlschriek avatar May 25 '22 14:05 karlschriek

Maybe just to clarify a bit: it actually does make sense that `$(System.AccessToken)` would not be able to do this, since it doesn't have any rights on AAD/ARM, which presumably are necessary in the background. I have, however, also tried this with an access token for a user that does have all permissions and still get the same failure.

I think this opens up a larger question, though, which is that we typically use various different Terraform providers (azurerm, azuread, azuredevops) in the same pipeline, and will initiate the azurerm and azuread providers with a Service Principal, whereas the azuredevops provider must be initiated with a DevOps user token.

In other words, the scoping here is:

  • Service Principal has the necessary permissions for AAD and ARM resources
  • DevOps Token has the necessary permissions for DevOps resources

But `azuredevops_serviceendpoint_azurecr` breaks this approach, since now the DevOps token must be associated with a user that also has permissions on AAD and ARM resources.

It would be better, in my opinion, if `azuredevops_serviceendpoint_azurecr` (or some alternative resource) could be defined to take as input the object IDs for objects created via the azurerm and azuread providers and have it construct only the DevOps resources needed to complete the container registry connection.

karlschriek avatar Jun 10 '22 10:06 karlschriek
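The credential split described in the comment above, laid out as an added configuration example that is not part of this issue thread or of the provider's own documentation. It assumes azuread provider 2.x attribute names, the azuredevops provider pinned to the 0.2.0 mentioned in the issue, and placeholder IDs and names (project, tenant, subscription, registry, resource group) that stand in for real values. Provider authentication is left to environment variables so that the pipeline can hand the ARM_* credentials of a Service Principal to azurerm/azuread and a DevOps token (for example `$(System.AccessToken)`) to azuredevops.

```hcl
terraform {
  required_providers {
    azurerm     = { source = "hashicorp/azurerm" }
    azuread     = { source = "hashicorp/azuread", version = "~> 2.0" }
    azuredevops = { source = "microsoft/azuredevops", version = "0.2.0" }
  }
}

# azurerm/azuread authenticate with the pipeline's Service Principal via
# ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID / ARM_SUBSCRIPTION_ID.
provider "azurerm" {
  features {}
}
provider "azuread" {}

# azuredevops authenticates with a DevOps token via
# AZDO_ORG_SERVICE_URL / AZDO_PERSONAL_ACCESS_TOKEN; a pipeline can pass
# $(System.AccessToken) in that variable.
provider "azuredevops" {}

# Placeholder values: assumptions for this example, not values from the issue.
locals {
  project_id        = "00000000-0000-0000-0000-000000000000"
  tenant_id         = "11111111-1111-1111-1111-111111111111"
  subscription_id   = "22222222-2222-2222-2222-222222222222"
  subscription_name = "example-subscription"
  acr_name          = "exampleacr"
  acr_rg            = "example-rg"
}

# AAD objects are created with the Service Principal's rights (azuread).
resource "azuread_application" "deploy" {
  display_name = "example-deploy"
}

resource "azuread_service_principal" "deploy" {
  application_id = azuread_application.deploy.application_id
}

resource "azuread_service_principal_password" "deploy" {
  service_principal_id = azuread_service_principal.deploy.object_id
}

# The azurerm service connection only receives the identity created above,
# so the DevOps token needs DevOps permissions only; this is the case the
# issue reports as working with $(System.AccessToken).
resource "azuredevops_serviceendpoint_azurerm" "arm" {
  project_id            = local.project_id
  service_endpoint_name = "example-azurerm"
  credentials {
    serviceprincipalid  = azuread_service_principal.deploy.application_id
    serviceprincipalkey = azuread_service_principal_password.deploy.value
  }
  azurerm_spn_tenantid      = local.tenant_id
  azurerm_subscription_id   = local.subscription_id
  azurerm_subscription_name = local.subscription_name
}

# The ACR service connection takes only registry identifiers and no
# pre-created identity, so there is nowhere to plug in the objects created
# by azuread; this is the resource the issue reports as failing with
# $(System.AccessToken).
resource "azuredevops_serviceendpoint_azurecr" "acr" {
  project_id                = local.project_id
  service_endpoint_name     = "example-acr"
  resource_group            = local.acr_rg
  azurecr_spn_tenantid      = local.tenant_id
  azurecr_name              = local.acr_name
  azurecr_subscription_id   = local.subscription_id
  azurecr_subscription_name = local.subscription_name
}
```

The contrast between the two `azuredevops_serviceendpoint_*` blocks is the point: the azurerm resource has a `credentials` block that accepts an identity minted elsewhere, while the azurecr resource has no such input, which is why the suggestion above asks for a variant that accepts object IDs produced by the azurerm/azuread providers.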

Wanted to check in since I'm experiencing a similar issue; did you find a resolution to the issue?

NattyMojo avatar Aug 25 '22 19:08 NattyMojo

@karlschriek @NattyMojo `$(System.AccessToken)` has limited permissions; you can update its permission scope by updating the permission scope of the group (Project Collection Build Service). This token is used to run the pipelines.

xuzhang3 avatar Oct 12 '22 08:10 xuzhang3