Manages Manual or Automatic AzureRM service endpoint within Azure DevOps.
Before creating a service endpoint in Azure DevOps, you need to create a Service Principal in your Azure subscription.
For detailed steps to create a service principal with the Azure CLI, see the documentation.
# Azure DevOps project that will own the service connection below.
resource "azuredevops_project" "example" {
  name               = "Example Project"
  description        = "Managed by Terraform"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}
# Manual AzureRM service connection authenticated with a service principal secret,
# scoped to a single subscription.
resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id            = azuredevops_project.example.id
  service_endpoint_name = "Example AzureRM"
  description           = "Managed by Terraform"

  # "ServicePrincipal" is also the default scheme; stated explicitly for clarity.
  service_endpoint_authentication_scheme = "ServicePrincipal"

  # Placeholder credentials. In real configuration, feed serviceprincipalkey from a
  # sensitive variable or a secret store rather than committing it to version control.
  credentials {
    serviceprincipalid  = "00000000-0000-0000-0000-000000000000"
    serviceprincipalkey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }

  # Subscription scope of the connection.
  azurerm_spn_tenantid      = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_id   = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_name = "Example Subscription Name"
}
# Project for the management-group-scoped example.
resource "azuredevops_project" "example" {
  name               = "Example Project"
  description        = "Managed by Terraform"
  work_item_template = "Agile"
  version_control    = "Git"
  visibility         = "private"
}
# Manual AzureRM service connection authenticated with a service principal secret,
# scoped to a management group instead of a subscription.
resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id            = azuredevops_project.example.id
  service_endpoint_name = "Example AzureRM"
  description           = "Managed by Terraform"

  service_endpoint_authentication_scheme = "ServicePrincipal"

  # Placeholder credentials; keep the real secret out of version control
  # (sensitive variable or secret store).
  credentials {
    serviceprincipalid  = "00000000-0000-0000-0000-000000000000"
    serviceprincipalkey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }

  azurerm_spn_tenantid = "00000000-0000-0000-0000-000000000000"

  # Management-group scope: grants the connection access to everything under the group,
  # so prefer a subscription scope when that is all the pipeline needs.
  azurerm_management_group_id   = "managementGroup"
  azurerm_management_group_name = "managementGroup"
}
# Project for the automatic service-principal example (no description set).
resource "azuredevops_project" "example" {
  name               = "Example Project"
  work_item_template = "Agile"
  version_control    = "Git"
  visibility         = "private"
}
# Automatic AzureRM service connection: no credentials block is supplied,
# only the tenant and the subscription to target.
resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id                             = azuredevops_project.example.id
  service_endpoint_name                  = "Example AzureRM"
  service_endpoint_authentication_scheme = "ServicePrincipal"

  azurerm_spn_tenantid      = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_id   = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_name = "Example Subscription Name"
}
# Provider requirements for the workload identity federation example.
# Only azurerm is pinned here; the azuredevops provider used by the
# azuredevops_* resources below must be declared and configured as well.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0" # exact pin
    }
  }
}
# azurerm provider with default feature flags.
provider "azurerm" {
  features {}
}
# Service connection name, shared between the endpoint and the federated credential
# so the subject attribute always refers to the same connection.
locals {
  service_connection_name = "example-federated-sc"
}
# Project that hosts the federated service connection.
resource "azuredevops_project" "example" {
  name               = "Example Project"
  description        = "Managed by Terraform"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}
# Resource group holding the managed identity.
resource "azurerm_resource_group" "identity" {
  location = "UK South"
  name     = "identity"
}
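# User-assigned managed identity that the federated service connection acts as.
resource "azurerm_user_assigned_identity" "example" {
  name     = "example-identity"
  location = azurerm_resource_group.identity.location
  # Must be a reference, not a quoted string: the literal
  # "azurerm_resource_group.identity.name" would be used verbatim as the
  # group name and the dependency on the resource group would be lost.
  resource_group_name = azurerm_resource_group.identity.name
}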
# AzureRM service connection using workload identity federation.
# No serviceprincipalkey is needed for this scheme; trust is established by the
# azurerm_federated_identity_credential that consumes the exported issuer/subject.
resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id            = azuredevops_project.example.id
  service_endpoint_name = local.service_connection_name
  description           = "Managed by Terraform"

  service_endpoint_authentication_scheme = "WorkloadIdentityFederation"

  # Client ID of the managed identity the connection will present itself as.
  credentials {
    serviceprincipalid = azurerm_user_assigned_identity.example.client_id
  }

  azurerm_spn_tenantid      = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_id   = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_name = "Example Subscription Name"
}
# Federated credential on the managed identity that trusts tokens issued by
# Azure DevOps for this specific service connection.
resource "azurerm_federated_identity_credential" "example" {
  name                = "example-federated-credential"
  resource_group_name = azurerm_resource_group.identity.name
  parent_id           = azurerm_user_assigned_identity.example.id
  audience            = ["api://AzureADTokenExchange"]

  # Issuer and subject are taken from the endpoint itself, so the trust is bound to
  # this organisation/project/connection rather than to any Azure DevOps token.
  issuer  = azuredevops_serviceendpoint_azurerm.example.workload_identity_federation_issuer
  subject = azuredevops_serviceendpoint_azurerm.example.workload_identity_federation_subject
}
# Project for the automatic workload-identity-federation example.
resource "azuredevops_project" "example" {
  work_item_template = "Agile"
  version_control    = "Git"
  visibility         = "private"
  name               = "Example Project"
}
# Automatic AzureRM service connection using workload identity federation;
# no credentials block is supplied.
resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id                             = azuredevops_project.example.id
  service_endpoint_name                  = "Example AzureRM"
  service_endpoint_authentication_scheme = "WorkloadIdentityFederation"

  azurerm_spn_tenantid      = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_id   = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_name = "Example Subscription Name"
}
# Project for the managed service identity example.
resource "azuredevops_project" "example" {
  visibility         = "private"
  name               = "Example Project"
  version_control    = "Git"
  work_item_template = "Agile"
}
# AzureRM service connection authenticated with a managed service identity;
# no secret is configured on the connection.
resource "azuredevops_serviceendpoint_azurerm" "example" {
  project_id                             = azuredevops_project.example.id
  service_endpoint_name                  = "Example AzureRM"
  service_endpoint_authentication_scheme = "ManagedServiceIdentity"

  azurerm_spn_tenantid      = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_id   = "00000000-0000-0000-0000-000000000000"
  azurerm_subscription_name = "Example Subscription Name"
}
The following arguments are supported:
- `project_id` - (Required) The ID of the project.
- `service_endpoint_name` - (Required) The Service Endpoint Name.
- `azurerm_spn_tenantid` - (Required) The Tenant ID of the service principal.
- `service_endpoint_authentication_scheme` - (Optional) Specifies the type of azurerm endpoint, either `WorkloadIdentityFederation`, `ManagedServiceIdentity` or `ServicePrincipal`. Defaults to `ServicePrincipal` for backwards compatibility.
- `azurerm_management_group_id` - (Optional) The Management group ID of the Azure targets.
- `azurerm_management_group_name` - (Optional) The Management group Name of the targets.
- `azurerm_subscription_id` - (Optional) The Subscription ID of the Azure targets.
- `azurerm_subscription_name` - (Optional) The Subscription Name of the targets.
- `environment` - (Optional) The Cloud Environment to use. Defaults to `AzureCloud`. Possible values are `AzureCloud`, `AzureChinaCloud`. Changing this forces a new resource to be created.
- `description` - (Optional) Service connection description.
- `credentials` - (Optional) A `credentials` block.
- `resource_group` - (Optional) The resource group used as the scope of an automatic service endpoint.
- `features` - (Optional) A `features` block.

A `credentials` block supports the following:

- `serviceprincipalid` - (Required) The service principal application ID.
- `serviceprincipalkey` - (Optional) The service principal secret. This is not required if `service_endpoint_authentication_scheme` is set to `WorkloadIdentityFederation`.

A `features` block supports the following:

- `validate` - (Optional) Whether or not to validate the connection with Azure after create or update operations. Defaults to `false`.
The following attributes are exported:
- `id` - The ID of the service endpoint.
- `project_id` - The ID of the project.
- `service_endpoint_name` - The Service Endpoint name.
- `service_principal_id` - The Application (Client) ID of the Service Principal.
- `workload_identity_federation_issuer` - The issuer if `service_endpoint_authentication_scheme` is set to `WorkloadIdentityFederation`. This looks like `https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000`, where the GUID is the Organization ID of your Azure DevOps Organisation.
- `workload_identity_federation_subject` - The subject if `service_endpoint_authentication_scheme` is set to `WorkloadIdentityFederation`. This looks like `sc://<organisation>/<project>/<service-connection-name>`.

Azure DevOps Service Endpoint Azure Resource Manager can be imported using projectID/serviceEndpointID or projectName/serviceEndpointID:
# Import an existing service connection; both GUIDs below are placeholders (project ID / service endpoint ID).
terraform import azuredevops_serviceendpoint_azurerm.example 00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000