The Azure DevOps provider supports service principals through a variety of authentication methods, including client certificates.
Create a Service Principal in Azure portal or using Azure PowerShell and generate a certificate for it. You do not need to assign the service principal any roles in Azure Ad.
Add the service principal to your Azure DevOps Organization.
The provider will need the Directory (tenant) ID and the Application (client) ID from the Azure AD app registration. They may be provided via the ARM_TENANT_ID
and ARM_CLIENT_ID
environment variables, or in the provider configuration block with the tenant_id
and client_id
attributes.
The certificate may be provided as a base64 string, or by a file on the filesystem with the ARM_CLIENT_CERTIFICATE
or ARM_CLIENT_CERTIFICATE_PATH
environment variables, or in the provider configuration block with the client_certificate
or client_certificate_path
attributes. To use powershell to base64 encode a .pfx file use [convert]::ToBase64String((Get-Content -path "cert_with_private_key.pfx" -Encoding byte))
. Note that base64 is NOT a security function, and the base64 string should be handled with the same precautions as the original file.
A certificate password may be specified with the ARM_CLIENT_CERTIFICATE_PASSWORD
environment variable, or in the provider configuration block with the client_certificate_password
attribute.
terraform {
required_providers {
azuredevops = {
source = "microsoft/azuredevops"
version = ">=0.1.0"
}
}
}
provider "azuredevops" {
org_service_url = "https://dev.azure.com/my-org"
client_id = "00000000-0000-0000-0000-000000000001"
tenant_id = "00000000-0000-0000-0000-000000000001"
client_certificate_path = "C:\\cert.pfx"
client_certificate_password = "cert password"
}
resource "azuredevops_project" "project" {
name = "Test Project"
description = "Test Project Description"
}
terraform {
required_providers {
azuredevops = {
source = "microsoft/azuredevops"
version = ">=0.1.0"
}
}
}
provider "azuredevops" {
org_service_url = "https://dev.azure.com/my-org"
client_id = "00000000-0000-0000-0000-000000000001"
tenant_id = "00000000-0000-0000-0000-000000000001"
client_certificate = "MII....lots.and.lots.of.ascii.characters"
client_certificate_password = "cert password"
}
resource "azuredevops_project" "project" {
name = "Test Project"
description = "Test Project Description"
}