-
Notifications
You must be signed in to change notification settings - Fork 272
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature request] Add support for "pipeline" > "Environments" #143
Comments
Hi @DamonStamper , Environments API is supported at v6.0, Current sdk API version is 5.1. This resource will pending until auzde-deviops-sdk support it. SDK issue |
Is there a time scale for v6.0 of the SDK? Our pipelines rely heavily on this. |
Azure-DevOps-GO-SDK is managed by another team, they have working on it, but don't have a release date. |
This would definitely be great since it's the only way to do manual approval stages via yaml. Appreciate the dependency is not from you though. |
An interim approach is possible with null-resource // Create Environment using API
// https://github.com/microsoft/terraform-provider-azuredevops/issues/143
resource "null_resource" "environment" {
provisioner "local-exec" {
command = "./create_environment.sh"
environment = {
azdo_pat_token_owner_email = var.azdo_pat_token_owner_email
azdo_pat_token = var.azdo_pat_token
project_url = module.azdo.azdo_project_url
name = "core_infrastructure_env"
}
}
} # This script to call the API is required because of
# https://github.com/microsoft/terraform-provider-azuredevops/issues/143
# The Go SDK is not updated yet to interact with the API V6.0
# This is based on content from https://joefecht.com/posts/creating-an-azdo-environment-via-api/
# Payload Example:
# https://github.com/jf781/AzureDevopsEnvironments/blob/master/payload-samples/env.json
curl -X POST \
-u "${azdo_pat_token_owner_email}:${azdo_pat_token}" \
-H "Content-Type: application/json" \
--data "{\"name\":\"${name}\",\"description\":\"${name} environment\"}" "${project_url}/_apis/distributedtask/environments?api-version=5.0-preview.1"
# Note: If the environment exists, the following message will show.
# null_resource.environment (local-exec): {"$id":"1","innerException":null,"message":"Environment 'core_infrastructure_env' already exists in current project.","typeName":"Microsoft.TeamFoundation.DistributedTask.WebApi.EnvironmentExistsException, Microsoft.TeamFoundation.DistributedTask.WebApi","typeKey":"EnvironmentExistsException","errorCode":0,"eventId":3000}
|
I know it sounds ugly, but do we have to use the Go SDK, what about direct REST calls from within the TF provider? I only ask because it's been 5 months since the GO API has been updated in Github, even though it looks like these are all generated files. |
Honestly, both the go SDK and the terraform provider are maintained by
Microsoft. I don't see a reason why this hasn't been done yet...
…On Tue, 26 Jan 2021, 16:10 Richard Gavel, ***@***.***> wrote:
I know it sounds ugly, but do we have to use the Go SDK, what about direct
REST calls from within the TF provider? I only ask because it's been 5
months since the GO API has been updated in Github, even though it looks
like these are all generated files.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#143 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADI7HMUGI3LT7PQDDJHNNDS33LOXANCNFSM4PZ6635Q>
.
|
Hi @richardgavel @whiskeysierra Terraform and SDK are managed by different team, we have feedback this to the SDK team. |
@xuzhang3 I'm in no position to suggest how Microsoft conducts their (open source) business, but as a user I see they represent themselves as a company (notably an organization on github: https://github.com/microsoft) and not as a bunch of teams. Obviously you need to have an organizational structure to run a company, but I fail to see why that is relevant to the outside. Feels like a classic case of "Don't ship your org chart" to me, honestly. |
I will say this. This is an open source project that accepts contributions. I'm sure the devs that own this repo have a lot to do. But given that, ideally they would first focus on removing blockers to contributions (i.e. reviewing PRs promptly, the old SDK issue) so we can add capabilities on our own rather than demanding something of a free library (that is in support of something MS doesn't even own: Terraform). My hope is that the ADO SDK refresh might be more likely with one of their own pushing the team as opposed to a Github issue. |
Might be a reasonable approach to go forward using REST API for the time being, good suggestion by @richardgavel Go SDK repo seems to be supported by a single person (fair share of commits by me person, majority). Not much been happening there for quite a time. Best move forward and then refactor once SDK catches up? |
For those who want to get something up and running right now: The REST API provider is an acceptable workaround (for me at least) right now. It's reasonably short and configurable enough to allow even updates/replacements, i.e. it properly tracks the lifecycle of the environment resource. Exampleresource "restapi_object" "environment" {
path = "/${var.project.name}/_apis/distributedtask/environments"
data = jsonencode({
name = var.name
description = "Managed by Terraform"
})
id_attribute = "id"
update_method = "PATCH"
} The necessary settings for the provider block: provider "restapi" {
uri = "https://dev.azure.com/${var.org}"
username = "could-be-anything-but-must-not-be-empty"
write_returns_object = true
headers = {
"Accept" = "application/json;api-version=6.1-preview.1"
}
# TODO API_DATA_IS_SENSITIVE env var?
} You could pass the password (PAT in our case) to the provider block directly. I used the env var instead (example here is using a DevOps YAML pipeline): - task: CmdLine@2
# ...
env:
AZDO_PERSONAL_ACCESS_TOKEN: $(System.AccessToken)
REST_API_PASSWORD: $(System.AccessToken) I used the same technique for the Kubernetes Environment/Resource (https://docs.microsoft.com/en-us/rest/api/azure/devops/distributedtask/kubernetes?view=azure-devops-rest-6.1). Works like a charm so far: # Hard to find a good name for this:
# - DevOps UI calls it "Resource"
# - DevOps API calls it "Kubernetes" provider
# - Service Connection Link (https://joefecht.com/posts/creating-an-azdo-environment-via-api/)
resource "restapi_object" "resource" {
path = "/${var.project.name}/_apis/distributedtask/environments/${var.environment.id}/providers/kubernetes"
data = jsonencode({
name = local.application.name
namespace = kubernetes_namespace.default.metadata[0].name
clusterName = var.k8s.name
serviceEndpointId = azuredevops_serviceendpoint_kubernetes.default.id
})
id_attribute = "id"
force_new = [
"/name",
"/namespace",
"/clusterName",
"/serviceEndpointId"
]
} (The service endpoint/connection for kubernetes is managed with the DevOps provider directly.) References |
Slight fix: I used |
I also stumbled across this issue, which people might also face that want to use service account authorization for kubernetes service endpoints. I'm just leaving the link here for reference: https://developercommunity2.visualstudio.com/t/unable-to-create-a-workable-kubernetes-service-con/1337297 |
Related to the comment above, here is the # Needed because azuredevops_serviceendpoint_kubernetes doesn't allow to change acceptUntrustedCerts
resource "restapi_object" "service-connection" {
path = "/${var.project.name}/_apis/serviceendpoint/endpoints"
data = jsonencode({
name = "${var.k8s.name}/${local.application.name}"
description = "Managed by Terraform"
type = "kubernetes"
url = var.k8s.url
authorization = {
scheme = "Token"
parameters = {
apitoken = base64encode(local.service_account_token)
serviceAccountCertificate = base64encode(local.service_account_certificate)
}
}
data = {
authorizationType = "ServiceAccount"
acceptUntrustedCerts = "true"
}
serviceEndpointProjectReferences = [
{
name = "${var.k8s.name}/${local.application.name}"
description = "Managed by Terraform"
projectReference = {
id = var.realm-stage.project.id
name = var.realm-stage.project.name
}
}
]
})
id_attribute = "id"
} |
Nice, got it working with |
You can always perform the action in the UI and inspect network requests using the developer tools of your browser. The fastest way to figure out the corresponding API call. |
@rahmnstein mind to share how you created / manged environments with taht? |
I think is the endpoint. But looks like you need to put in "resource":{"type":"environment","id":"your_environment_id","name":"your_env_name"} that's based partially on using Developer Tools while creating one via the ui |
@rahmnstein I just figured the approvals. The |
Might be not the cleanest but here is a working solution for env+approvals creation
Where data_external_environment.py
|
If you take a look at #204, you can see that @tmeckel mentions the merge of v6.0 of the Azure DevOps Services REST API to the azure-devops-go-api: microsoft/azure-devops-go-api#110 I guess this is the first step towards implementing the functionality in this provider. 🙂 |
Is this unblocked after #494 ? |
@xuzhang3 we need to deploy environments using terraform too. Do you have an approximate ETA for this resource to be added to the provider and a new version released, or should we use one of the workarounds described in this thread? |
@lisaplapla This task is in our backlog but not the first priority, you can use the workaround in this thread. |
Community Note
Description
Add support for a azuredevops_environment resource.
Ideally support defining an environment, ignore deploys made to it, and defining "approvals and checks".
New or Affected Resource(s)
The text was updated successfully, but these errors were encountered: