import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
 * Manages a Manual or Automatic Azure Resource Manager service endpoint (service connection)
 * within an Azure DevOps project.
 *
 * A service connection is a credential that every pipeline allowed to use it can exercise against
 * the Azure scope it targets (subscription, management group, or — for automatic endpoints —
 * optionally a single resource group via `resourceGroup`). Treat it as privileged configuration:
 *
 * - Prefer `WorkloadIdentityFederation` or `ManagedServiceIdentity` over `ServicePrincipal` where
 *   available: they carry no long-lived client secret that can leak or expire.
 * - With `ServicePrincipal`, `credentials.serviceprincipalkey` is a secret. Never put the literal
 *   in source control; load it from secret configuration (`new pulumi.Config().requireSecret(...)`)
 *   or wrap it with `pulumi.secret(...)` so that it is encrypted in the stack state as well.
 * - Scope as narrowly as the pipelines need (resource group / subscription before management group).
 *
 * ~>**NOTE:**
 * If you receive an error message like:```Failed to obtain the Json Web Token(JWT) using service principal client ID. Exception message: A configuration issue is preventing authentication - check the error message from the server for details.```
 * You should check the secret of this Application or, if you recently rotated the secret, wait a few minutes for Azure to propagate the secret.
 *
 * ## Requirements (Manual AzureRM Service Endpoint)
 *
 * Before creating a service endpoint in Azure DevOps, you need to create a Service Principal in your Azure subscription.
 *
 * For detailed steps to create a service principal with the Azure CLI see the [documentation](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest)
 *
 * ## Example Usage
 *
 * ### Service Principal Manual AzureRM Service Endpoint (Subscription Scoped)
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuredevops from "@pulumi/azuredevops";
 *
 * // The client secret is read from secret config (`pulumi config set --secret spKey ...`)
 * // so it is never committed and stays encrypted in the stack state.
 * const config = new pulumi.Config();
 *
 * const example = new azuredevops.Project("example", {
 *     name: "Example Project",
 *     visibility: "private",
 *     versionControl: "Git",
 *     workItemTemplate: "Agile",
 *     description: "Managed by Pulumi",
 * });
 * const exampleServiceEndpointAzureRM = new azuredevops.ServiceEndpointAzureRM("example", {
 *     projectId: example.id,
 *     serviceEndpointName: "Example AzureRM",
 *     description: "Managed by Pulumi",
 *     serviceEndpointAuthenticationScheme: "ServicePrincipal",
 *     credentials: {
 *         serviceprincipalid: "00000000-0000-0000-0000-000000000000",
 *         serviceprincipalkey: config.requireSecret("spKey"),
 *     },
 *     azurermSpnTenantid: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionId: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionName: "Example Subscription Name",
 * });
 * ```
 *
 * ### Service Principal Manual AzureRM Service Endpoint (ManagementGroup Scoped)
 *
 * A management-group scope grants the connection reach over every subscription below that group;
 * use it only when the pipelines genuinely need that breadth.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuredevops from "@pulumi/azuredevops";
 *
 * const config = new pulumi.Config();
 *
 * const example = new azuredevops.Project("example", {
 *     name: "Example Project",
 *     visibility: "private",
 *     versionControl: "Git",
 *     workItemTemplate: "Agile",
 *     description: "Managed by Pulumi",
 * });
 * const exampleServiceEndpointAzureRM = new azuredevops.ServiceEndpointAzureRM("example", {
 *     projectId: example.id,
 *     serviceEndpointName: "Example AzureRM",
 *     description: "Managed by Pulumi",
 *     serviceEndpointAuthenticationScheme: "ServicePrincipal",
 *     credentials: {
 *         serviceprincipalid: "00000000-0000-0000-0000-000000000000",
 *         serviceprincipalkey: config.requireSecret("spKey"),
 *     },
 *     azurermSpnTenantid: "00000000-0000-0000-0000-000000000000",
 *     azurermManagementGroupId: "managementGroup",
 *     azurermManagementGroupName: "managementGroup",
 * });
 * ```
 *
 * ### Service Principal Automatic AzureRM Service Endpoint
 *
 * No `credentials` block: Azure DevOps creates the service principal itself. Consider setting
 * `resourceGroup` to confine what that principal is granted (see the `resourceGroup` property).
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuredevops from "@pulumi/azuredevops";
 *
 * const example = new azuredevops.Project("example", {
 *     name: "Example Project",
 *     visibility: "private",
 *     versionControl: "Git",
 *     workItemTemplate: "Agile",
 * });
 * const exampleServiceEndpointAzureRM = new azuredevops.ServiceEndpointAzureRM("example", {
 *     projectId: example.id,
 *     serviceEndpointName: "Example AzureRM",
 *     serviceEndpointAuthenticationScheme: "ServicePrincipal",
 *     azurermSpnTenantid: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionId: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionName: "Example Subscription Name",
 * });
 * ```
 *
 * ### Workload Identity Federation Manual AzureRM Service Endpoint (Subscription Scoped)
 *
 * The federated credential is bound to the `workloadIdentityFederationIssuer` and
 * `workloadIdentityFederationSubject` outputs of the service connection. Because the subject embeds the
 * organisation, project and service-connection name, only this exact connection can exchange tokens
 * for the identity; keep the credential pinned to those outputs rather than hand-typed values, and
 * expect to re-issue it if the connection is renamed.
 *
 * NOTE(review): the `@pulumi/azurerm` import and the `azurerm.index.*` resource paths below look like an
 * unconverted Terraform example — confirm the package and resource names against the Pulumi Azure SDK
 * you actually use before copying it.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuredevops from "@pulumi/azuredevops";
 * import * as azurerm from "@pulumi/azurerm";
 *
 * const serviceConnectionName = "example-federated-sc";
 * const example = new azuredevops.Project("example", {
 *     name: "Example Project",
 *     visibility: "private",
 *     versionControl: "Git",
 *     workItemTemplate: "Agile",
 *     description: "Managed by Pulumi",
 * });
 * const identity = new azurerm.index.ResourceGroup("identity", {
 *     name: "identity",
 *     location: "UK South",
 * });
 * const exampleUserAssignedIdentity = new azurerm.index.UserAssignedIdentity("example", {
 *     location: identity.location,
 *     name: "example-identity",
 *     // Reference the resource group output; the upstream example passed the literal string
 *     // "azurerm_resource_group.identity.name", which is a Terraform expression, not a name.
 *     resourceGroupName: identity.name,
 * });
 * const exampleServiceEndpointAzureRM = new azuredevops.ServiceEndpointAzureRM("example", {
 *     projectId: example.id,
 *     serviceEndpointName: serviceConnectionName,
 *     description: "Managed by Pulumi",
 *     serviceEndpointAuthenticationScheme: "WorkloadIdentityFederation",
 *     credentials: {
 *         serviceprincipalid: exampleUserAssignedIdentity.clientId,
 *     },
 *     azurermSpnTenantid: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionId: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionName: "Example Subscription Name",
 * });
 * const exampleFederatedIdentityCredential = new azurerm.index.FederatedIdentityCredential("example", {
 *     name: "example-federated-credential",
 *     resourceGroupName: identity.name,
 *     parentId: exampleUserAssignedIdentity.id,
 *     audience: ["api://AzureADTokenExchange"],
 *     issuer: exampleServiceEndpointAzureRM.workloadIdentityFederationIssuer,
 *     subject: exampleServiceEndpointAzureRM.workloadIdentityFederationSubject,
 * });
 * ```
 *
 * ### Workload Identity Federation Automatic AzureRM Service Endpoint
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuredevops from "@pulumi/azuredevops";
 *
 * const example = new azuredevops.Project("example", {
 *     name: "Example Project",
 *     visibility: "private",
 *     versionControl: "Git",
 *     workItemTemplate: "Agile",
 * });
 * const exampleServiceEndpointAzureRM = new azuredevops.ServiceEndpointAzureRM("example", {
 *     projectId: example.id,
 *     serviceEndpointName: "Example AzureRM",
 *     serviceEndpointAuthenticationScheme: "WorkloadIdentityFederation",
 *     azurermSpnTenantid: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionId: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionName: "Example Subscription Name",
 * });
 * ```
 *
 * ### Managed Identity AzureRM Service Endpoint
 *
 * NOTE(review): this scheme presumably relies on the pipeline agent itself running with an Azure managed
 * identity (nothing in this resource supplies a credential) — confirm the agent requirements before
 * choosing it.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuredevops from "@pulumi/azuredevops";
 *
 * const example = new azuredevops.Project("example", {
 *     name: "Example Project",
 *     visibility: "private",
 *     versionControl: "Git",
 *     workItemTemplate: "Agile",
 * });
 * const exampleServiceEndpointAzureRM = new azuredevops.ServiceEndpointAzureRM("example", {
 *     projectId: example.id,
 *     serviceEndpointName: "Example AzureRM",
 *     serviceEndpointAuthenticationScheme: "ManagedServiceIdentity",
 *     azurermSpnTenantid: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionId: "00000000-0000-0000-0000-000000000000",
 *     azurermSubscriptionName: "Example Subscription Name",
 * });
 * ```
 *
 * ## Relevant Links
 *
 * - [Azure DevOps Service REST API 7.0 - Service End points](https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints?view=azure-devops-rest-7.0)
 *
 * ## Import
 *
 * Azure DevOps Azure Resource Manager Service Endpoint can be imported using **projectID/serviceEndpointID** or **projectName/serviceEndpointID**
 *
 * ```sh
 * $ pulumi import azuredevops:index/serviceEndpointAzureRM:ServiceEndpointAzureRM example 00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000
 * ```
 *
 * NOTE(review): for a `ServicePrincipal` endpoint the client secret is write-only on the Azure DevOps
 * side, so an import presumably cannot recover `credentials.serviceprincipalkey`; expect to supply it in
 * your program after importing — confirm against the provider's import behaviour.
 */
export declare class ServiceEndpointAzureRM extends pulumi.CustomResource {
    /**
     * Get an existing ServiceEndpointAzureRM resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ServiceEndpointAzureRMState, opts?: pulumi.CustomResourceOptions): ServiceEndpointAzureRM;
    /**
     * Returns true if the given object is an instance of ServiceEndpointAzureRM. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is ServiceEndpointAzureRM;
    /**
     * Free-form string map of authorization parameters attached to the endpoint. The provider gives no
     * description of its keys; TODO confirm its contents per authentication scheme against the REST
     * API's `authorization` object before relying on it.
     */
    readonly authorization: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * The Management group ID of the Azure targets. Mutually paired with `azurermManagementGroupName`;
     * use either the Subscription-scoped or the ManagementGroup-scoped pair, not both.
     */
    readonly azurermManagementGroupId: pulumi.Output<string | undefined>;
    /**
     * The Management group Name of the targets.
     */
    readonly azurermManagementGroupName: pulumi.Output<string | undefined>;
    /**
     * The Tenant ID of the service principal. Always populated on the resource even though the
     * argument is optional in `ServiceEndpointAzureRMArgs`.
     */
    readonly azurermSpnTenantid: pulumi.Output<string>;
    /**
     * The Subscription ID of the Azure targets.
     */
    readonly azurermSubscriptionId: pulumi.Output<string | undefined>;
    /**
     * The Subscription Name of the targets.
     */
    readonly azurermSubscriptionName: pulumi.Output<string | undefined>;
    /**
     * The `credentials` block (`outputs.ServiceEndpointAzureRMCredentials`). Per the examples above it
     * carries `serviceprincipalid` plus `serviceprincipalkey` for a manual `ServicePrincipal` endpoint,
     * and `serviceprincipalid` alone for a manual `WorkloadIdentityFederation` endpoint. The key is a
     * secret: supply it as a Pulumi secret so it is encrypted in state.
     */
    readonly credentials: pulumi.Output<outputs.ServiceEndpointAzureRMCredentials | undefined>;
    /**
     * Service connection description.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * The Cloud Environment to use. Defaults to `AzureCloud`. Possible values are `AzureCloud`, `AzureChinaCloud`, `AzureUSGovernment`, `AzureGermanCloud` and `AzureStack`. Changing this forces a new resource to be created.
     */
    readonly environment: pulumi.Output<string | undefined>;
    /**
     * The `features` block (`outputs.ServiceEndpointAzureRMFeatures`).
     */
    readonly features: pulumi.Output<outputs.ServiceEndpointAzureRMFeatures | undefined>;
    /**
     * The ID of the project.
     */
    readonly projectId: pulumi.Output<string>;
    /**
     * The resource group used for the scope of an automatic service endpoint. Presumably this narrows
     * the access granted to the automatically created principal to that group rather than the whole
     * subscription — prefer setting it when the pipelines only touch one resource group (confirm the
     * exact role assignment in the Azure DevOps docs).
     */
    readonly resourceGroup: pulumi.Output<string | undefined>;
    /**
     * The server URL of the service endpoint. Changing this forces a new resource to be created.
     *
     * > **NOTE:** One of either `Subscription` scoped i.e. `azurermSubscriptionId`, `azurermSubscriptionName` or `ManagementGroup` scoped i.e. `azurermManagementGroupId`, `azurermManagementGroupName` values must be specified.
     */
    readonly serverUrl: pulumi.Output<string>;
    /**
     * Specifies the type of Azure Resource Manager Service Endpoint. Possible values are `WorkloadIdentityFederation`, `ManagedServiceIdentity` or `ServicePrincipal`. Defaults to `ServicePrincipal` for backwards compatibility.
     *
     * The default is the only scheme that depends on a long-lived client secret; set this explicitly
     * and prefer `WorkloadIdentityFederation` or `ManagedServiceIdentity` where your organisation
     * supports them.
     *
     * > **NOTE:** The `WorkloadIdentityFederation` authentication scheme was in private preview when this documentation was written; check its current availability for your organisation. More details can be found [here](https://aka.ms/azdo-rm-workload-identity).
     */
    readonly serviceEndpointAuthenticationScheme: pulumi.Output<string | undefined>;
    /**
     * The Service Endpoint Name. For `WorkloadIdentityFederation` this name is part of
     * `workloadIdentityFederationSubject`, so renaming the endpoint changes the subject the federated
     * credential must trust.
     */
    readonly serviceEndpointName: pulumi.Output<string>;
    /**
     * The Application (Client) ID of the Service Principal. Read-only on this resource (not an
     * argument), so for automatic endpoints it reports the principal Azure DevOps created.
     */
    readonly servicePrincipalId: pulumi.Output<string>;
    /**
     * The issuer if `serviceEndpointAuthenticationScheme` is set to `WorkloadIdentityFederation`. This looks like `https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000`, where the GUID is the Organization ID of your Azure DevOps Organisation.
     * Use this output verbatim as the federated credential's `issuer`.
     */
    readonly workloadIdentityFederationIssuer: pulumi.Output<string>;
    /**
     * The subject if `serviceEndpointAuthenticationScheme` is set to `WorkloadIdentityFederation`. This looks like `sc://<organisation>/<project>/<service-connection-name>`.
     * Use this output verbatim as the federated credential's `subject`; it is what restricts the
     * identity to this one service connection.
     */
    readonly workloadIdentityFederationSubject: pulumi.Output<string>;
    /**
     * Create a ServiceEndpointAzureRM resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ServiceEndpointAzureRMArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering ServiceEndpointAzureRM resources.
 * Every field is optional; see the class properties for the meaning of each one.
 */
export interface ServiceEndpointAzureRMState {
    /**
     * Free-form string map of authorization parameters; contents are not described by the provider
     * (TODO confirm against the REST API's `authorization` object).
     */
    authorization?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * The Management group ID of the Azure targets.
     */
    azurermManagementGroupId?: pulumi.Input<string>;
    /**
     * The Management group Name of the targets.
     */
    azurermManagementGroupName?: pulumi.Input<string>;
    /**
     * The Tenant ID of the service principal.
     */
    azurermSpnTenantid?: pulumi.Input<string>;
    /**
     * The Subscription ID of the Azure targets.
     */
    azurermSubscriptionId?: pulumi.Input<string>;
    /**
     * The Subscription Name of the targets.
     */
    azurermSubscriptionName?: pulumi.Input<string>;
    /**
     * The `credentials` block (`inputs.ServiceEndpointAzureRMCredentials`). `serviceprincipalkey`
     * is a secret — pass it as a Pulumi secret, never as a literal.
     */
    credentials?: pulumi.Input<inputs.ServiceEndpointAzureRMCredentials>;
    /**
     * Service connection description.
     */
    description?: pulumi.Input<string>;
    /**
     * The Cloud Environment to use. Defaults to `AzureCloud`. Possible values are `AzureCloud`, `AzureChinaCloud`, `AzureUSGovernment`, `AzureGermanCloud` and `AzureStack`. Changing this forces a new resource to be created.
     */
    environment?: pulumi.Input<string>;
    /**
     * The `features` block (`inputs.ServiceEndpointAzureRMFeatures`).
     */
    features?: pulumi.Input<inputs.ServiceEndpointAzureRMFeatures>;
    /**
     * The ID of the project.
     */
    projectId?: pulumi.Input<string>;
    /**
     * The resource group used for the scope of an automatic service endpoint (narrower than the
     * subscription; prefer it where the pipelines only need one group).
     */
    resourceGroup?: pulumi.Input<string>;
    /**
     * The server URL of the service endpoint. Changing this forces a new resource to be created.
     *
     * > **NOTE:** One of either `Subscription` scoped i.e. `azurermSubscriptionId`, `azurermSubscriptionName` or `ManagementGroup` scoped i.e. `azurermManagementGroupId`, `azurermManagementGroupName` values must be specified.
     */
    serverUrl?: pulumi.Input<string>;
    /**
     * Specifies the type of Azure Resource Manager Service Endpoint. Possible values are `WorkloadIdentityFederation`, `ManagedServiceIdentity` or `ServicePrincipal`. Defaults to `ServicePrincipal` for backwards compatibility.
     *
     * > **NOTE:** The `WorkloadIdentityFederation` authentication scheme was in private preview when this documentation was written; check its current availability for your organisation. More details can be found [here](https://aka.ms/azdo-rm-workload-identity).
     */
    serviceEndpointAuthenticationScheme?: pulumi.Input<string>;
    /**
     * The Service Endpoint Name.
     */
    serviceEndpointName?: pulumi.Input<string>;
    /**
     * The Application (Client) ID of the Service Principal.
     */
    servicePrincipalId?: pulumi.Input<string>;
    /**
     * The issuer if `serviceEndpointAuthenticationScheme` is set to `WorkloadIdentityFederation`. This looks like `https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000`, where the GUID is the Organization ID of your Azure DevOps Organisation.
     */
    workloadIdentityFederationIssuer?: pulumi.Input<string>;
    /**
     * The subject if `serviceEndpointAuthenticationScheme` is set to `WorkloadIdentityFederation`. This looks like `sc://<organisation>/<project>/<service-connection-name>`.
     */
    workloadIdentityFederationSubject?: pulumi.Input<string>;
}
/**
 * The set of arguments for constructing a ServiceEndpointAzureRM resource.
 *
 * Only `projectId` and `serviceEndpointName` are required by the type; which of the remaining
 * fields you must set depends on the authentication scheme and scope (see the class-level examples):
 * exactly one of the Subscription pair or the ManagementGroup pair, `azurermSpnTenantid` in every
 * example, and `credentials` only for manual endpoints.
 */
export interface ServiceEndpointAzureRMArgs {
    /**
     * The Management group ID of the Azure targets.
     */
    azurermManagementGroupId?: pulumi.Input<string>;
    /**
     * The Management group Name of the targets.
     */
    azurermManagementGroupName?: pulumi.Input<string>;
    /**
     * The Tenant ID of the service principal.
     */
    azurermSpnTenantid?: pulumi.Input<string>;
    /**
     * The Subscription ID of the Azure targets.
     */
    azurermSubscriptionId?: pulumi.Input<string>;
    /**
     * The Subscription Name of the targets.
     */
    azurermSubscriptionName?: pulumi.Input<string>;
    /**
     * The `credentials` block (`inputs.ServiceEndpointAzureRMCredentials`) for manual endpoints:
     * `serviceprincipalid` plus `serviceprincipalkey` for `ServicePrincipal`, `serviceprincipalid`
     * alone for `WorkloadIdentityFederation`. `serviceprincipalkey` is a secret — source it from
     * secret config or wrap it with `pulumi.secret(...)` so it is encrypted in state; omit the block
     * entirely for automatic endpoints.
     */
    credentials?: pulumi.Input<inputs.ServiceEndpointAzureRMCredentials>;
    /**
     * Service connection description.
     */
    description?: pulumi.Input<string>;
    /**
     * The Cloud Environment to use. Defaults to `AzureCloud`. Possible values are `AzureCloud`, `AzureChinaCloud`, `AzureUSGovernment`, `AzureGermanCloud` and `AzureStack`. Changing this forces a new resource to be created.
     */
    environment?: pulumi.Input<string>;
    /**
     * The `features` block (`inputs.ServiceEndpointAzureRMFeatures`).
     */
    features?: pulumi.Input<inputs.ServiceEndpointAzureRMFeatures>;
    /**
     * The ID of the project.
     */
    projectId: pulumi.Input<string>;
    /**
     * The resource group used for the scope of an automatic service endpoint. Presumably narrows the
     * automatically created principal's access to that group instead of the whole subscription —
     * prefer it where the pipelines only need one group (confirm the role assignment in the Azure
     * DevOps docs).
     */
    resourceGroup?: pulumi.Input<string>;
    /**
     * The server URL of the service endpoint. Changing this forces a new resource to be created.
     *
     * > **NOTE:** One of either `Subscription` scoped i.e. `azurermSubscriptionId`, `azurermSubscriptionName` or `ManagementGroup` scoped i.e. `azurermManagementGroupId`, `azurermManagementGroupName` values must be specified.
     */
    serverUrl?: pulumi.Input<string>;
    /**
     * Specifies the type of Azure Resource Manager Service Endpoint. Possible values are `WorkloadIdentityFederation`, `ManagedServiceIdentity` or `ServicePrincipal`. Defaults to `ServicePrincipal` for backwards compatibility.
     *
     * Set this explicitly: the default is the only scheme that relies on a long-lived client secret.
     *
     * > **NOTE:** The `WorkloadIdentityFederation` authentication scheme was in private preview when this documentation was written; check its current availability for your organisation. More details can be found [here](https://aka.ms/azdo-rm-workload-identity).
     */
    serviceEndpointAuthenticationScheme?: pulumi.Input<string>;
    /**
     * The Service Endpoint Name. For `WorkloadIdentityFederation` it becomes part of the federated
     * credential subject (`sc://<organisation>/<project>/<service-connection-name>`), so renaming the
     * endpoint requires the federated credential to be updated.
     */
    serviceEndpointName: pulumi.Input<string>;
}