Merge pull request aztfmod#291 from brk3/feature/azdo-group-perms

Add groups and permissions for azure_devops_v1
VolkerWessels · Jan 18, 2022 · be407ea · be407ea
2 parents 86930a5 + e103d69
commit be407ea
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 1 deletion.
diff --git a/caf_solution/add-ons/azure_devops_v1/azdo_pipelines.tf b/caf_solution/add-ons/azure_devops_v1/azdo_pipelines.tf
@@ -52,5 +52,15 @@ resource "azuredevops_build_definition" "build_definition" {
       value = jsonencode(variable.value)
     }
   }
+}
+
+# See https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/build_definition_permissions#permissions for a list of available permissions.
+resource "azuredevops_build_definition_permissions" "permissions" {
+  for_each = try(var.permissions.build_definitions, {})
+
+  project_id = data.azuredevops_project.project[each.value.project_key].id
+  principal  = azuredevops_group.group[each.value.group_key].id
+  build_definition_id = azuredevops_build_definition.build_definition[each.key].id
 
+  permissions = each.value.permissions
 }
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/group_membership.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/group_membership.tf
@@ -0,0 +1,10 @@
+data "azuredevops_users" "user" {
+  for_each = toset(var.group_settings.members.user_principal_names)
+
+  principal_name = each.value
+}
+
+resource "azuredevops_group_membership" "membership" {
+  group   = var.group_descriptor
+  members = flatten(values(data.azuredevops_users.user)[*].users[*].descriptor)
+}
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/main.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/main.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_providers {
+    azuredevops = {
+      source = "microsoft/azuredevops"
+    }
+  }
+}
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/variables.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_group_membership/variables.tf
@@ -0,0 +1,5 @@
+variable "group_descriptor" {
+}
+
+variable "group_settings" {
+}
diff --git a/caf_solution/add-ons/azure_devops_v1/azuredevops_projects.tf b/caf_solution/add-ons/azure_devops_v1/azuredevops_projects.tf
@@ -35,4 +35,32 @@ resource "azuredevops_project_features" "project" {
     "repositories" = try(lower(each.value.features.repositories), "disabled")
     "testplans"    = try(lower(each.value.features.testplans), "disabled")
   }
-}
+}
+
+resource "azuredevops_group" "group" {
+  for_each = var.groups
+
+  scope        = data.azuredevops_project.project[each.value.project_key].id
+  display_name = each.value.display_name
+  description  = each.value.description
+}
+
+module "azuredevops_group_membership" {
+  source = "./azuredevops_group_membership"
+  for_each = {
+    for key, value in var.groups : key => value
+    if try(value.members.user_principal_names, null) != null
+  }
+
+  group_descriptor = azuredevops_group.group[each.key].descriptor
+  group_settings   = each.value
+}
+
+# See https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/project_permissions#permissions for a list of available permissions.
+resource "azuredevops_project_permissions" "project_perm" {
+  for_each = try(var.permissions.projects, {})
+
+  project_id  = data.azuredevops_project.project[each.key].id
+  principal   = azuredevops_group.group[each.value.group_key].id
+  permissions = each.value.permissions
+}
diff --git a/caf_solution/add-ons/azure_devops_v1/variables.tf b/caf_solution/add-ons/azure_devops_v1/variables.tf
@@ -75,3 +75,9 @@ variable "azdo_pat_admin" {
   default     = null
   description = "(Optional). Azure Devops PAT Token. If not provided with this value must be retrieved from the Keyvault secret."
 }
+variable "groups" {
+  default = {}
+}
+variable "permissions" {
+  default = {}
+}