
Recreate azuredevops_user_entitlement when user is not a project collection administrator

Open fredgate opened this issue 2 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and Azure DevOps Provider) Version

Terraform version: 1.2.2; provider registry.terraform.io/microsoft/azuredevops 0.2.1

Affected Resource(s)

  • azuredevops_user_entitlement

Terraform Configuration Files

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.9.0"
    }
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "=0.2.1"
    }
  }
}

provider "azurerm" {
  features {}
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/contoso"
}

Debug Output

2022-07-07T16:14:50.539+0200 [WARN]  Provider "registry.terraform.io/microsoft/azuredevops" produced an unexpected new value for azuredevops_user_entitlement.foo during refresh.
      - Root resource was present, but now absent

Panic Output

none

Expected Behavior

No change should be detected

Actual Behavior

Objects have changed outside of Terraform: the azuredevops_user_entitlement resource will be recreated

Steps to Reproduce

  1. terraform apply with the PAT of a user who is a member of the Project Collection Administrators group
  2. terraform plan with the PAT of a user who is NOT a member of the Project Collection Administrators group (if this other user is added to the Project Collection Administrators group, then the expected behavior occurs and no changes are detected)

Important Factoids

When a user who is not a member of the Project Collection Administrators group runs the terraform plan command, a change is detected by the Azure DevOps provider:

...

azuredevops_user_entitlement.foo: Refreshing state... [id=e8151484-ce42-4ca8-9c01-56e37952555d]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

azuredevops_user_entitlement.foo has been deleted
- resource "azuredevops_user_entitlement" "foo" {
    - descriptor           = "aad.ZTgxNTE0ODQtY2U0Mi00Y2E4LTljMDEtNTZlMzc5NTI1NTVk" -> null
      id                   = "e8151484-ce42-4ca8-9c01-56e37952555d"
      # (5 unchanged attributes hidden)
}

...

Terraform will perform the following actions:

# azuredevops_user_entitlement.foo will be created
+ resource "azuredevops_user_entitlement" "foo" {
    + account_license_type = "express"
    + descriptor           = (known after apply)
    + id                   = (known after apply)
    + licensing_source     = "account"
    + origin               = "aad"
    + origin_id            = "3cb945c8-73c9-4ede-b414-32e2298c12e8"
    + principal_name       = (known after apply)
}

References

  • Maybe https://github.com/microsoft/terraform-provider-azuredevops/issues/607

fredgate avatar Jul 09 '22 08:07 fredgate
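An added guardrail for pipelines, not code from the provider or from the issue author: the drift shown above (the entitlement reported "deleted" outside Terraform, then planned for creation) would, if applied with an under-privileged PAT, remove and re-add a user's entitlement. This script reads `terraform show -json` plan output and flags exactly that pattern so the apply can be refused; the plan JSON embedded here is a constructed sample modelled on the output in the post.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, modelled on the
# plan in this issue: resource_drift says the entitlement vanished outside
# Terraform, and resource_changes plans to create it again.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_drift": [{
        "address": "azuredevops_user_entitlement.foo",
        "type": "azuredevops_user_entitlement",
        "change": {"actions": ["delete"],
                   "before": {"id": "e8151484-ce42-4ca8-9c01-56e37952555d"},
                   "after": None},
    }],
    "resource_changes": [{
        "address": "azuredevops_user_entitlement.foo",
        "type": "azuredevops_user_entitlement",
        "change": {"actions": ["create"], "before": None,
                   "after": {"origin_id": "3cb945c8-73c9-4ede-b414-32e2298c12e8"}},
    }],
})

# Resource types whose disappear-then-recreate usually means the reading
# identity lacked permission, not that the object is really gone.
GUARDED_TYPES = {"azuredevops_user_entitlement"}


def suspicious_recreates(plan_json, guarded_types=GUARDED_TYPES):
    """Return addresses of guarded resources that drift reports as deleted
    outside Terraform and that the same plan would create again."""
    plan = json.loads(plan_json)
    drift_deleted = {
        d["address"] for d in plan.get("resource_drift", [])
        if d.get("type") in guarded_types
        and d.get("change", {}).get("actions") == ["delete"]
    }
    return sorted(
        c["address"] for c in plan.get("resource_changes", [])
        if c["address"] in drift_deleted
        and "create" in c.get("change", {}).get("actions", [])
    )


def should_block_apply(plan_json):
    """True when the plan contains a likely permission-induced recreate."""
    return bool(suspicious_recreates(plan_json))


if __name__ == "__main__":
    for addr in suspicious_recreates(SAMPLE_PLAN_JSON):
        print("refusing to apply: " + addr + " would be recreated; check PAT permissions")
```

Run it against a real plan with `terraform show -json tfplan | python guard.py` after replacing SAMPLE_PLAN_JSON with `sys.stdin.read()`.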

@fredgate the error log shows that the user has been changed outside of Terraform. Can you provide the reproduction steps? Have you changed the authorization from PAT to System.Access.Token?

xuzhang3 avatar Jul 11 '22 08:07 xuzhang3

The user has not been changed outside Terraform.

We use Azure devops provider by authenticating using a PAT.

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/contoso"
  personal_access_token = var.az_devops_pat
}

If I run the terraform plan command with a PAT associated with my account (I am a member of the Project Collection Administrators group), the result is OK: no changes are detected for the azuredevops_user_entitlement resource.

If a colleague (not a member of the Project Collection Administrators group) runs the terraform plan command with his PAT, then the changes mentioned in my first post are detected by the provider. But if I add my colleague to the Project Collection Administrators group and he runs the terraform plan command again, then no changes are detected.

fredgate avatar Jul 11 '22 12:07 fredgate

The reproduction steps are:

  • terraform apply with the PAT of a user who is a member of the Project Collection Administrators group
  • terraform plan with the PAT of a user who is NOT a member of the Project Collection Administrators group (if this other user is added to the Project Collection Administrators group, then the expected behavior occurs and no changes are detected)

The user has not been changed outside Terraform. The authorization always uses a PAT (not System.Access.Token).

fredgate avatar Jul 18 '22 07:07 fredgate