(https://www.hashicorp.com)

azuredevops_serviceendpoint_azurerm
Manages a manual or automatic AzureRM service endpoint within Azure DevOps.

Requirements (Manual AzureRM Service Endpoint)

Before creating a service endpoint in Azure DevOps, you need to create a Service Principal in your Azure
subscription.

For detailed steps to create a service principal with the Azure CLI, see the documentation
(https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest).

Example Usage

Manual AzureRM Service Endpoint

resource "azuredevops_project" "project" {
  project_name       = "Sample Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

resource "azuredevops_serviceendpoint_azurerm" "endpointazure" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "TestServiceRM"
  credentials {
    serviceprincipalid  = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
    serviceprincipalkey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
  azurerm_spn_tenantid      = "xxxxxxx-xxxx-xxx-xxxxx-xxxxxxxx"
  azurerm_subscription_id   = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
  azurerm_subscription_name = "Sample Subscription"
}

Automatic AzureRM Service Endpoint


resource "azuredevops_project" "project" {
  project_name       = "Sample Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

resource "azuredevops_serviceendpoint_azurerm" "endpointazure" {
  project_id                = azuredevops_project.project.id
  service_endpoint_name     = "TestServiceRM"
  azurerm_spn_tenantid      = "xxxxxxx-xxxx-xxx-xxxxx-xxxxxxxx"
  azurerm_subscription_id   = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx"
  azurerm_subscription_name = "Microsoft Azure DEMO"
}

Argument Reference

The following arguments are supported:

project_id - (Required) The project ID or project name.

service_endpoint_name - (Required) The Service Endpoint name.

azurerm_spn_tenantid - (Required) The tenant id of the service principal.

azurerm_subscription_id - (Required) The subscription Id of the Azure targets.

azurerm_subscription_name - (Required) The subscription Name of the targets.

credentials - (Optional) A credentials block.

resource_group - (Optional) The resource group used for scope of automatic service endpoint.

A credentials block supports the following:

serviceprincipalid - (Required) The service principal application Id

serviceprincipalkey - (Required) The service principal secret.
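
Added example (not part of the provider documentation): the manual endpoint with the service principal secret taken from an input variable marked sensitive rather than a literal in the configuration, and an automatic endpoint scoped with resource_group. The variable names and the resource group name "sample-rg" are assumptions; sensitive = true on a variable assumes Terraform 0.14 or later.

```hcl
# Added example: variable names and "sample-rg" are assumptions, not provider names.
variable "sp_client_id" {
  type = string
}

variable "sp_client_secret" {
  type      = string
  sensitive = true # redacted in plan output; the value is still stored in state
}

variable "tenant_id" {
  type = string
}

variable "subscription_id" {
  type = string
}

resource "azuredevops_project" "project" {
  project_name       = "Sample Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

# Manual endpoint: the secret is supplied at run time, for example through the
# TF_VAR_sp_client_secret environment variable, instead of a literal in the file.
resource "azuredevops_serviceendpoint_azurerm" "manual" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "TestServiceRM"

  credentials {
    serviceprincipalid  = var.sp_client_id
    serviceprincipalkey = var.sp_client_secret
  }

  azurerm_spn_tenantid      = var.tenant_id
  azurerm_subscription_id   = var.subscription_id
  azurerm_subscription_name = "Sample Subscription"
}

# Automatic endpoint: no credentials block. resource_group sets the scope of
# the endpoint to a single resource group.
resource "azuredevops_serviceendpoint_azurerm" "automatic_scoped" {
  project_id                = azuredevops_project.project.id
  service_endpoint_name     = "TestServiceRM-scoped"
  azurerm_spn_tenantid      = var.tenant_id
  azurerm_subscription_id   = var.subscription_id
  azurerm_subscription_name = "Sample Subscription"
  resource_group            = "sample-rg"
}
```

Because the secret still ends up in the state file, the state backend needs the same access restrictions as the secret itself.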

Attributes Reference

The following attributes are exported:

id - The ID of the service endpoint.

project_id - The project ID or project name.

service_endpoint_name - The Service Endpoint name.


Relevant Links

Azure DevOps Service REST API 5.1 - Service Endpoints
(https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-5.1)

azuredevops_serviceendpoint_bitbucket
Manages a Bitbucket service endpoint within Azure DevOps.

Example Usage

resource "azuredevops_project" "project" {
  project_name       = "Sample Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

resource "azuredevops_serviceendpoint_bitbucket" "serviceendpoint" {
  project_id            = azuredevops_project.project.id
  username              = "xxxx"
  password              = "xxxx"
  service_endpoint_name = "test-bitbucket"
  description           = "test"
}

Argument Reference

The following arguments are supported:

project_id - (Required) The project ID or project name.

service_endpoint_name - (Required) The Service Endpoint name.

username - (Required) Bitbucket account username.

password - (Required) Bitbucket account password.

description - (Optional) The Service Endpoint description. Defaults to "Managed by Terraform".

Attributes Reference

The following attributes are exported:

id - The ID of the service endpoint.

project_id - The project ID or project name.

service_endpoint_name - The Service Endpoint name.


Relevant Links

Azure DevOps Service REST API 5.1 - Agent Pools
(https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-5.1)

Import

Azure DevOps Service Endpoint Bitbucket can be imported using the projectID/serviceEndpointID, e.g.

terraform import azuredevops_serviceendpoint_bitbucket.serviceendpoint xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

azuredevops_serviceendpoint_dockerhub
Manages a Docker Hub service endpoint within Azure DevOps.

Example Usage

resource "azuredevops_project" "project" {
  project_name       = "Sample Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

resource "azuredevops_serviceendpoint_dockerhub" "serviceendpoint" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "Sample Docker Hub"

  docker_username = "sample"
  docker_email    = "email@example.com"
  docker_password = "12345"
}

Argument Reference

The following arguments are supported:

project_id - (Required) The project ID or project name.

service_endpoint_name - (Required) The Service Endpoint name.

description - (Required) The Service Endpoint description.

docker_username - (Required) The username for Docker Hub account. Defaults to
AZDO_DOCKERHUB_SERVICE_CONNECTION_USERNAME environment variable, if present.

docker_email - (Required) The email for Docker Hub account. Defaults to
AZDO_DOCKERHUB_SERVICE_CONNECTION_EMAIL environment variable, if present.

docker_password - (Required) The password for Docker Hub account. Defaults to
AZDO_DOCKERHUB_SERVICE_CONNECTION_PASSWORD environment variable, if present.

Attributes Reference

The following attributes are exported:

id - The ID of the service endpoint.

project_id - The project ID or project name.

service_endpoint_name - The Service Endpoint name.

Relevant Links

Azure DevOps Service REST API 5.1 - Agent Pools
(https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-5.1)

azuredevops_serviceendpoint_dockerregistry
Manages a Docker Registry service endpoint within Azure DevOps.

Example Usage

resource "azuredevops_project" "project" {
  project_name       = "Sample Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

resource "azuredevops_serviceendpoint_dockerregistry" "dockerhubregistry" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "Sample Docker Hub"

  docker_username = "sample"
  docker_email    = "email@example.com"
  docker_password = "12345"
  registry_type   = "DockerHub"
}

resource "azuredevops_serviceendpoint_dockerregistry" "otherregistry" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "Sample Docker Registry"
  docker_registry       = "https://sample.azurecr.io/v1"
  docker_username       = "sample"
  docker_password       = "12345"
  registry_type         = "Others"
}

Argument Reference

The following arguments are supported:

project_id - (Required) The project ID or project name.

service_endpoint_name - (Required) The name you will use to refer to this service connection in task inputs.

description - (Optional) The name you will use to refer to this service connection in task inputs.

docker_registry - (Optional) The URL of the Docker registry. (Default: "https://index.docker.io/v1/")

docker_username - (Optional) The identifier of the Docker account user.

docker_email - (Optional) The email for Docker account user.

docker_password - (Optional) The password for the account user identified above.

registry_type - (Optional) Can be "DockerHub" or "Others" (Default "DockerHub")

Attributes Reference

The following attributes are exported:

id - The ID of the service endpoint.

project_id - The project ID or project name.

service_endpoint_name - The Service Endpoint name.

Relevant Links

Azure DevOps Service REST API 5.1 - Service Endpoints
(https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-5.1)

Docker Registry Service Connection
(https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#sep-docreg)

azuredevops_serviceendpoint_github
Manages a GitHub service endpoint within Azure DevOps.

Example Usage

resource "azuredevops_project" "project" {
  project_name       = "Sample Project"
  visibility         = "private"
  version_control    = "Git"
  work_item_template = "Agile"
}

resource "azuredevops_serviceendpoint_github" "serviceendpoint_gh_1" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "Sample GitHub Personal Access Token"

  auth_personal {
    personal_access_token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

resource "azuredevops_serviceendpoint_github" "serviceendpoint_gh_2" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "Sample GitHub Grant"

  auth_oauth {
    oauth_configuration_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  }
}

resource "azuredevops_serviceendpoint_github" "serviceendpoint_gh_3" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "Sample GitHub Apps: Azure Pipelines"

  # GitHub Apps endpoints are imported; the description must be set to "" explicitly.
  description = ""
}

Argument Reference

The following arguments are supported:


project_id - (Required) The project ID or project name.

service_endpoint_name - (Required) The Service Endpoint name.

description - (Optional) The Service Endpoint description. Defaults to "Managed by Terraform".

auth_personal - (Optional) An auth_personal block as documented below. Allows connecting using a
personal access token.

auth_oauth - (Optional) An auth_oauth block as documented below. Allows connecting using an OAuth
token.

NOTE: GitHub Apps cannot be created or updated via Terraform. You must install and configure the app on GitHub
and then import it. You must also set the description to "" explicitly.

auth_personal block supports the following:

personal_access_token - (Required) The Personal Access Token for Github.

auth_oauth block supports the following:

oauth_configuration_id - (Required) The OAuth Configuration ID. NOTE: The GitHub OAuth flow cannot be
performed via Terraform. You must create this on Azure DevOps and then import it.

Attributes Reference

The following attributes are exported:

id - The ID of the service endpoint.

project_id - The project ID or project name.

service_endpoint_name - The Service Endpoint name.

Relevant Links

Azure DevOps Service REST API 5.1 - Agent Pools
(https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-5.1)

Import

Azure DevOps Service Endpoint GitHub can be imported using the serviceendpoint id, e.g.

terraform import azuredevops_serviceendpoint_github.serviceendpoint d81afa1d-9ad2-4c7d-b016-9ebb90f435f5

azuredevops_serviceendpoint_kubernetes
Manages a Kubernetes service endpoint within Azure DevOps.

Example Usage
data "azuredevops_project" "p" {
  project_name = "contoso"
}

resource "azuredevops_serviceendpoint_kubernetes" "se_azure_sub" {
  project_id            = data.azuredevops_project.p.id
  service_endpoint_name = "Sample Kubernetes"
  apiserver_url         = "https://sample-kubernetes-cluster.hcp.westeurope.azmk8s.io"
  authorization_type    = "AzureSubscription"

  azure_subscription {
    subscription_id   = "001ac454-bb17-475a-8648-82c4234545be"
    subscription_name = "Microsoft Azure DEMO"
    tenant_id         = "8c46c3eb-ca1f-4a0b-8dfa-7c3baaf69d45"
    resourcegroup_id  = "sample-rg"
    namespace         = "default"
    cluster_name      = "sample-aks"
  }
}

resource "azuredevops_serviceendpoint_kubernetes" "se_kubeconfig" {
  project_id            = data.azuredevops_project.p.id
  service_endpoint_name = "Sample Kubernetes"
  apiserver_url         = "https://sample-kubernetes-cluster.hcp.westeurope.azmk8s.io"
  authorization_type    = "Kubeconfig"

  kubeconfig {
    kube_config            = <<EOT
apiVersion: v1
clusters:
- cluster:
    certificate-authority: fake-ca-file
    server: https://1.2.3.4
  name: development
contexts:
- context:
    cluster: development
    namespace: frontend
    user: developer
  name: dev-frontend
current-context: dev-frontend
kind: Config
preferences: {}
users:
- name: developer
  user:
    client-certificate: fake-cert-file
    client-key: fake-key-file
EOT
    accept_untrusted_certs = true
    cluster_context        = "dev-frontend"
  }
}

resource "azuredevops_serviceendpoint_kubernetes" "se_service_account" {
  project_id            = data.azuredevops_project.p.id
  service_endpoint_name = "Sample Kubernetes"
  apiserver_url         = "https://sample-kubernetes-cluster.hcp.westeurope.azmk8s.io"
  authorization_type    = "ServiceAccount"

  service_account {
    token   = "bXktYXBw[...]K8bPxc2uQ=="
    ca_cert = "Mzk1MjgkdmRnN0pi[...]mHHRUH14gw4Q=="
  }
}

Argument Reference
The following arguments are supported:

project_id - (Required) The project ID or project name.
service_endpoint_name - (Required) The Service Endpoint name.
apiserver_url - (Required) The Service Endpoint description.
authorization_type - (Required) The authentication method used to authenticate on the Kubernetes cluster. The
value should be one of AzureSubscription, Kubeconfig, ServiceAccount.
azure_subscription - (Optional) The configuration for authorization_type="AzureSubscription".
    azure_environment - (Optional) Azure environment refers to whether the public cloud offering or domestic
    (government) clouds are being used. Currently, only the public cloud is supported. The value must be
    AzureCloud. This is also the default value.
    cluster_name - (Required) The name of the Kubernetes cluster.
    subscription_id - (Required) The id of the Azure subscription.
    subscription_name - (Required) The name of the Azure subscription.
    tenant_id - (Required) The id of the tenant used by the subscription.
    resourcegroup_id - (Required) The resource group id, to which the Kubernetes cluster is deployed.
    namespace - (Optional) The Kubernetes namespace. Default value is "default".
kubeconfig - (Optional) The configuration for authorization_type="Kubeconfig".
    kube_config - (Required) The content of the kubeconfig in yaml notation to be used to communicate with the
    API-Server of Kubernetes.
    accept_untrusted_certs - (Optional) Set this option to allow clients to accept a self-signed certificate.
    cluster_context - (Optional) Context within the kubeconfig file that is to be used for identifying the
    cluster. Default value is the current-context set in kubeconfig.
service_account - (Optional) The configuration for authorization_type="ServiceAccount". This type uses the
credentials of a service account currently deployed to the cluster.
    token - (Required) The token from a Kubernetes secret object.
    ca_cert - (Required) The certificate from a Kubernetes secret object.
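
Added example (not part of the provider documentation): a Kubeconfig endpoint that leaves accept_untrusted_certs off by embedding the cluster CA in the kubeconfig with certificate-authority-data, and takes the bearer token from a sensitive variable. The variable names and all values are assumptions; sensitive = true assumes Terraform 0.14 or later.

```hcl
# Added example: variable names and all values are constructed placeholders.
variable "cluster_ca_b64" {
  type        = string
  description = "Base64-encoded PEM CA certificate of the cluster API server"
}

variable "deployer_token" {
  type      = string
  sensitive = true # redacted in plan output; the value is still stored in state
}

data "azuredevops_project" "p" {
  project_name = "contoso"
}

resource "azuredevops_serviceendpoint_kubernetes" "se_kubeconfig_verified" {
  project_id            = data.azuredevops_project.p.id
  service_endpoint_name = "Sample Kubernetes (verified TLS)"
  apiserver_url         = "https://sample-kubernetes-cluster.hcp.westeurope.azmk8s.io"
  authorization_type    = "Kubeconfig"

  kubeconfig {
    # The CA travels inside the kubeconfig (certificate-authority-data), so the
    # configuration does not depend on a CA file path on the machine that uses it.
    kube_config = <<-EOT
      apiVersion: v1
      kind: Config
      clusters:
      - name: development
        cluster:
          server: https://sample-kubernetes-cluster.hcp.westeurope.azmk8s.io
          certificate-authority-data: ${var.cluster_ca_b64}
      contexts:
      - name: dev-frontend
        context:
          cluster: development
          namespace: frontend
          user: developer
      current-context: dev-frontend
      users:
      - name: developer
        user:
          token: ${var.deployer_token}
    EOT

    # Do not accept untrusted (for example self-signed) certificates.
    accept_untrusted_certs = false
    cluster_context        = "dev-frontend"
  }
}
```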

Attributes Reference
The following attributes are exported:
id - The ID of the service endpoint.
project_id - The project ID or project name.
service_endpoint_name - The Service Endpoint name.

Relevant Links
Azure DevOps Service REST API 5.1 - Endpoints
(https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-5.1)

azuredevops_user_entitlement
Manages a user entitlement within Azure DevOps.

Example Usage

resource "azuredevops_user_entitlement" "user" {
  principal_name = "foo@contoso.com"
}

Argument Reference

principal_name - (Optional) The principal name is the PrincipalName of a graph member from the source
provider. Usually an e-mail address.

origin_id - (Optional) The unique identifier from the system of origin. Typically a sid, object id or Guid.
Used, for example, for a member of another tenant in Azure Active Directory.

origin - (Optional) The type of source provider for the origin identifier.

account_license_type - (Optional) Type of Account License. Valid values: advanced, earlyAdopter,
express, none, professional, or stakeholder. Defaults to express. In addition, the value basic is allowed,
which is an alias for express and reflects the name of the express license used in the Azure DevOps web
interface.

licensing_source - (Optional) The source of the licensing (e.g. Account, MSDN, etc.). Valid values: account
(Default), auto, msdn, none, profile, trial.

NOTE: A user can only be referenced by its principal_name or by the combination of origin_id and
origin.

Attributes Reference

The following attributes are exported:

id - The id of the entitlement.

descriptor - The descriptor is the primary way to reference the graph subject while the system is running.
This field will uniquely identify the user graph subject.

Relevant Links

Azure DevOps Service REST API 5.1 - User Entitlements - Add
(https://docs.microsoft.com/en-us/rest/api/azure/devops/memberentitlementmanagement/user%20entitlements/add?view=azure-devops-rest-5.1)

Import

This resource can be imported using the UUID of a user entitlement or the principal name of a user owning
an entitlement.

PAT Permissions Required

Member Entitlement Management: Read & Write



azuredevops_variable_group
Manages variable groups within Azure DevOps.

Example Usage

resource "azuredevops_project" "project" {
  project_name = "Test Project"
}

resource "azuredevops_variable_group" "variablegroup" {
  project_id   = azuredevops_project.project.id
  name         = "Test Variable Group"
  description  = "Test Variable Group Description"
  allow_access = true

  variable {
    name  = "key"
    value = "value"
  }

  variable {
    name         = "Account Password"
    secret_value = "p@ssword123" # secret variables take secret_value, not value
    is_secret    = true
  }
}

Argument Reference

The following arguments are supported:

project_id - (Required) The project ID or project name.

name - (Required) The name of the Variable Group.

description - (Optional) The description of the Variable Group.

allow_access - (Required) Boolean that indicates whether this variable group is shared by all pipelines of this project.

variable - (Optional) One or more variable blocks as documented below.

A variable block supports the following:

name - (Required) The key value used for the variable. Must be unique within the Variable Group.

value - (Optional) The value of the variable. If omitted, it will default to empty string.

secret_value - (Optional) The secret value of the variable. If omitted, it will default to empty string. Used
when is_secret is set to true.

is_secret - (Optional) A boolean flag describing if the variable value is sensitive. Defaults to false.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

id - The ID of the Variable Group returned after creation in Azure DevOps.

Relevant Links

Azure DevOps Service REST API 5.1 - Variable Groups
(https://docs.microsoft.com/en-us/rest/api/azure/devops/distributedtask/variablegroups?view=azure-devops-rest-5.1)

Azure DevOps Service REST API 5.1 - Authorized Resources
(https://docs.microsoft.com/en-us/rest/api/azure/devops/build/authorizedresources?view=azure-devops-rest-5.1)

Import

Azure DevOps Variable groups can be imported using the project name/variable group Id or by the project
Guid/variable group Id, e.g.

terraform import azuredevops_variable_group.variablegroup "Test Project"/10

or

terraform import azuredevops_variable_group.variablegroup 782a8123-1019-xxxx-xxxx-xxxxxxxx/10

Note that for secret variables, the import command retrieves a blank value in the tfstate.

PAT Permissions Required

Variable Groups: Read, Create, & Manage
