diff --git a/azure/terraform/azure-devops/project/import-github-repo.tf b/azure/terraform/azure-devops/project/import-github-repo.tf deleted file mode 100644 index 1f2f7f7..0000000 --- a/azure/terraform/azure-devops/project/import-github-repo.tf +++ /dev/null @@ -1,12 +0,0 @@ -# Note that this example should import the GitHub Repo for this code into Azure DevOps. However, it appears as though this is still not fully supported. -# Also at this time only public repos are supported for import. -# -#resource "azuredevops_git_repository" "imported_repo" { -# project_id = azuredevops_project.terraform_ado_project.id -# name = "Imported Repo" -# initialization { -# init_type = "Import" -# source_type = "Git" -# source_url = "xxxxxxxxxxxxxxxxxxxx -# } -#} \ No newline at end of file diff --git a/azure/terraform/azure-devops/project/main.tf b/azure/terraform/azure-devops/project/main.tf index 10de66a..ba7e930 100644 --- a/azure/terraform/azure-devops/project/main.tf +++ b/azure/terraform/azure-devops/project/main.tf @@ -2,7 +2,7 @@ resource "random_pet" "suffix" { length = 1 } -resource "azuredevops_project" "terraform_ado_project" { +resource "azuredevops_project" "devops_project" { name = "${var.project_name}-${random_pet.suffix.id}" description = var.description visibility = var.visibility @@ -19,7 +19,7 @@ resource "azuredevops_project" "terraform_ado_project" { } resource "azuredevops_serviceendpoint_github" "serviceendpoint_github" { - project_id = azuredevops_project.terraform_ado_project.id + project_id = azuredevops_project.devops_project.id service_endpoint_name = "Sample GithHub Personal Access Token" auth_personal { 
@@ -28,4 +28,89 @@ resource "azuredevops_serviceendpoint_github" "serviceendpoint_github" { } } +# create limted ADO Project admin group +resource "azuredevops_group" "admin_group" { + scope = azuredevops_project.devops_project.id + display_name = "Admin Group" + description = "DevOps Project Administrator Group" +} + +resource "azuredevops_project_permissions" "admin_group_permission" { + project_id = azuredevops_project.devops_project.id + principal = azuredevops_group.admin_group.id + permissions = { + DELETE = "Deny" + RENAME = "Deny" + } +} + +# Get the default reader group for the project +data "azuredevops_group" "reader_group" { + project_id = azuredevops_project.devops_project.id + name = "Readers" +} + +# Get the default user group for the project +data "azuredevops_group" "user_group" { + project_id = azuredevops_project.devops_project.id + name = "Contributors" +} + +# iterate through the list of users and redue to a map of user with only their euid +locals { + all_users = { for user in var.users : user.euid => user } + reader_users = { for user in var.users : user.euid => user if contains(user.roles, "reader") } + admin_users = { for user in var.users : user.euid => user if contains(user.roles, "admin") } + user_users = { for user in var.users : user.euid => user if contains(user.roles, "user") } +} + +# Get now all users according to their permissions in ADO +data "azuredevops_users" "reader" { + for_each = local.reader_users + + principal_name = each.value.euid +} + +data "azuredevops_users" "admin" { + for_each = local.admin_users + + principal_name = each.value.euid +} + +data "azuredevops_users" "user" { + for_each = local.user_users + + principal_name = each.value.euid +} + +# Assign Users to the specific Azure DevOps Groups +resource "azuredevops_group_membership" "admin_user_group_assignmnet" { + depends_on = [azuredevops_group.admin_group] + + for_each = data.azuredevops_users.admin + group = azuredevops_group.admin_group.id + members = [ + 
tolist(each.value.users)[0].descriptor + ] +} + +resource "azuredevops_group_membership" "user_user_group_assignmnet" { + depends_on = [data.azuredevops_group.user_group] + + for_each = data.azuredevops_users.user + group = data.azuredevops_group.user_group.id + members = [ + tolist(each.value.users)[0].descriptor + ] +} + +resource "azuredevops_group_membership" "reader_user_group_assignmnet" { + depends_on = [data.azuredevops_group.reader_group] + + for_each = data.azuredevops_users.reader + group = data.azuredevops_group.reader_group.id + members = [ + tolist(each.value.users)[0].descriptor + ] +} diff --git a/azure/terraform/azure-devops/project/outputs.tf b/azure/terraform/azure-devops/project/outputs.tf index 74239b6..a49ef78 100644 --- a/azure/terraform/azure-devops/project/outputs.tf +++ b/azure/terraform/azure-devops/project/outputs.tf @@ -1,7 +1,7 @@ output "Project_ID" { - value = azuredevops_project.terraform_ado_project.id + value = azuredevops_project.devops_project.id } output "process_template_id" { - value = azuredevops_project.terraform_ado_project.process_template_id + value = azuredevops_project.devops_project.process_template_id } diff --git a/azure/terraform/azure-devops/project/provider.tf b/azure/terraform/azure-devops/project/provider.tf index 1518cf5..20eb733 100644 --- a/azure/terraform/azure-devops/project/provider.tf +++ b/azure/terraform/azure-devops/project/provider.tf @@ -13,8 +13,6 @@ terraform { } provider "azuredevops" { - # Remember to specify the org service url and personal access token details below - org_service_url = "XXXXXXXXXXXXXXXXXXX" - # personal_access_token = "XXXXXXXXXXXXXXXXXXX" + # Remember to specify the org service url and personal access token } diff --git a/azure/terraform/azure-devops/project/variables.tf b/azure/terraform/azure-devops/project/variables.tf index b1f2d1c..fdb238f 100644 --- a/azure/terraform/azure-devops/project/variables.tf +++ b/azure/terraform/azure-devops/project/variables.tf 
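Review bot: `tolist(each.value.users)[0].descriptor`, repeated in all three `azuredevops_group_membership` resources, indexes the `users` set blindly — a `principal_name` that matches no user fails with an opaque index error at plan time, and one that matches more than one identity silently takes one of them, so the wrong principal could be placed in Contributors or the admin group; `members = [one(each.value.users).descriptor]` turns "exactly one match" into an explicit, clearly reported requirement (Terraform 0.15 or later). The new `admin_group` only ever receives two Deny entries and is never added to any built-in group, so as written a user with the `admin` role has no project rights beyond the defaults unless that is granted elsewhere — either add the intended Allow set or state the intent on the group, e.g. `# No Allow grants here by design; project-admin rights are granted outside this module`. `local.all_users` is computed but never used, and each `depends_on` duplicates the implicit dependency already created by the `group = …id` reference. Minor: `limted`, `redue` and `assignmnet` are misspelled, and `assignmnet` is baked into resource addresses that will need a state move to correct later.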
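Review bot: The replacement comment `# Remember to specify the org service url and personal access token` no longer says where those values are meant to come from now that the placeholders are gone, and the otherwise empty provider block gives the next reader no hint that the PAT must not be written into this file. If the intent is the provider's environment-variable fallback (`AZDO_ORG_SERVICE_URL` and `AZDO_PERSONAL_ACCESS_TOKEN`, per the provider documentation), say so: `# org_service_url / personal_access_token are read from AZDO_ORG_SERVICE_URL / AZDO_PERSONAL_ACCESS_TOKEN; never commit the PAT to this file`. Removing the hard-coded `org_service_url` placeholder and the commented-out `personal_access_token` line is the right direction; the comment just needs to carry the instruction they used to imply.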
@@ -28,3 +28,16 @@ variable "work_item_template" { description = "Specifies the work item template. Valid values: Agile, Basic, CMMI, Scrum or a custom, pre-existing one. Defaults to Agile." default = "Agile" } + +# User Assignments +variable "users" { + type = list(object({ + meshIdentifier = string + username = string + firstName = string + lastName = string + email = string + euid = string + roles = list(string) + })) +} \ No newline at end of file
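Review bot: The new `users` variable has no `description` and no `validation`, yet `main.tf` in this same commit keys its `for` expressions on `euid` and silently drops any user whose `roles` does not contain exactly `reader`, `user` or `admin` — a duplicated `euid` would collapse two people into one map entry and a mistyped role would leave someone with no access, with nothing at plan time to say why. A description stating that `euid` must be unique and which role values are recognised, plus validation blocks enforcing both (Terraform 0.14 or later for `alltrue`), would surface these mistakes before anything is applied; `meshIdentifier`, `username`, `firstName`, `lastName` and `email` are not referenced anywhere in the diff, so it is worth noting in the description whether they are required by the caller or merely passed through.

```hcl
variable "users" {
  description = "Users to onboard into the project. euid must be unique (it keys the membership maps) and roles may only contain reader, user or admin; other attributes are not consumed by this module."
  type = list(object({
    # … unchanged: object attributes …
  }))

  validation {
    condition     = length(distinct([for u in var.users : u.euid])) == length(var.users)
    error_message = "Each user euid must be unique."
  }

  validation {
    condition     = alltrue([for u in var.users : length(setsubtract(u.roles, ["reader", "user", "admin"])) == 0])
    error_message = "roles may only contain reader, user or admin."
  }
}
```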