azuredevops.ServiceendpointPermissions


Manages permissions for a Service Endpoint

Note: Permissions can be assigned only to group principals, not to individual user principals.

Permission levels

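Permissions for Service Endpoints within Azure DevOps can be applied on two different levels. The level is selected by specifying (or omitting) values for the arguments project_id and serviceendpoint_id. In the example below, the first ServiceendpointPermissions resource sets only the project ID, and the second also sets the service endpoint ID so that it targets that single endpoint.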

PAT Permissions Required

  • Project & Team: vso.security_manage - Grants the ability to read, write, and manage security permissions.

Example Usage

using System.Collections.Generic;
using Pulumi;
using AzureDevOps = Pulumi.AzureDevOps;

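// Example stack: creates a private Azure DevOps project and a Docker Hub
// service endpoint, then assigns service-endpoint permissions to the project's
// "Readers" group twice: once with only ProjectId set and once with
// ServiceendpointId set as well.
return await Deployment.RunAsync(() =>
{
    var exampleProject = new AzureDevOps.Project("exampleProject", new()
    {
        WorkItemTemplate = "Agile",
        VersionControl = "Git",
        Visibility = "private",
        Description = "Managed by Terraform",
    });

    // Permissions are assigned to group principals, so look the group up first.
    var exampleReaders = AzureDevOps.GetGroup.Invoke(new()
    {
        ProjectId = exampleProject.Id,
        Name = "Readers",
    });

    // GetGroup.Invoke returns an Output, so a single Apply is enough to project
    // the group's Id. The lambda parameter is named differently from the local
    // so it does not collide with it.
    var readersId = exampleReaders.Apply(getGroupResult => getGroupResult.Id);

    // ServiceendpointId is omitted here, so this is the broader of the two
    // assignments. It allows every listed permission, including Administer and
    // Create, for the Readers group; trim the map to what the group actually
    // needs before reusing this example.
    var exampleRootPermissions = new AzureDevOps.ServiceendpointPermissions("example-root-permissions", new()
    {
        ProjectId = exampleProject.Id,
        Principal = readersId,
        Permissions =
        {
            { "Use", "allow" },
            { "Administer", "allow" },
            { "Create", "allow" },
            { "ViewAuthorization", "allow" },
            { "ViewEndpoint", "allow" },
        },
    });

    var exampleServiceEndpointDockerRegistry = new AzureDevOps.ServiceEndpointDockerRegistry("exampleServiceEndpointDockerRegistry", new()
    {
        ProjectId = exampleProject.Id,
        ServiceEndpointName = "Example Docker Hub",
        DockerUsername = "username",
        DockerEmail = "email@example.com",
        // Placeholder value. Keep real registry credentials out of source:
        // read them from encrypted stack configuration (for example
        // Config.RequireSecret) instead of a string literal.
        DockerPassword = "password",
        RegistryType = "DockerHub",
    });

    // Endpoint-level assignment: the same group may use and view this one
    // endpoint but is denied Administer and Create on it.
    var examplePermissions = new AzureDevOps.ServiceendpointPermissions("example-permissions", new()
    {
        ProjectId = exampleProject.Id,
        Principal = readersId,
        ServiceendpointId = exampleServiceEndpointDockerRegistry.Id,
        Permissions =
        {
            { "Use", "allow" },
            { "Administer", "deny" },
            { "Create", "deny" },
            { "ViewAuthorization", "allow" },
            { "ViewEndpoint", "allow" },
        },
    });

});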
package main

import (
	"github.com/pulumi/pulumi-azuredevops/sdk/v2/go/azuredevops"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main runs the example Pulumi program. It creates a private Azure DevOps
// project and a Docker Hub service endpoint, and assigns service-endpoint
// permissions to the project's "Readers" group twice: first with only
// ProjectId set, then with ServiceendpointId set as well.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		project, err := azuredevops.NewProject(ctx, "exampleProject", &azuredevops.ProjectArgs{
			WorkItemTemplate: pulumi.String("Agile"),
			VersionControl:   pulumi.String("Git"),
			Visibility:       pulumi.String("private"),
			Description:      pulumi.String("Managed by Terraform"),
		})
		if err != nil {
			return err
		}

		// Permissions are assigned to a group principal, so resolve the group
		// before creating either permissions resource.
		readers := azuredevops.LookupGroupOutput(ctx, azuredevops.GetGroupOutputArgs{
			ProjectId: project.ID(),
			Name:      pulumi.String("Readers"),
		}, nil)
		// readersID projects the group's Id out of the lookup result; it is
		// called once per permissions resource.
		readersID := func() pulumi.StringPtrOutput {
			return readers.ApplyT(func(group azuredevops.GetGroupResult) (*string, error) {
				return &group.Id, nil
			}).(pulumi.StringPtrOutput)
		}

		// ServiceendpointId is omitted here, so this is the broader of the two
		// assignments. It allows every listed permission, including Administer
		// and Create, for the Readers group; trim the map to what the group
		// actually needs before reusing this example.
		if _, err := azuredevops.NewServiceendpointPermissions(ctx, "example-root-permissions", &azuredevops.ServiceendpointPermissionsArgs{
			ProjectId: project.ID(),
			Principal: readersID(),
			Permissions: pulumi.StringMap{
				"Use":               pulumi.String("allow"),
				"Administer":        pulumi.String("allow"),
				"Create":            pulumi.String("allow"),
				"ViewAuthorization": pulumi.String("allow"),
				"ViewEndpoint":      pulumi.String("allow"),
			},
		}); err != nil {
			return err
		}

		endpoint, err := azuredevops.NewServiceEndpointDockerRegistry(ctx, "exampleServiceEndpointDockerRegistry", &azuredevops.ServiceEndpointDockerRegistryArgs{
			ProjectId:           project.ID(),
			ServiceEndpointName: pulumi.String("Example Docker Hub"),
			DockerUsername:      pulumi.String("username"),
			DockerEmail:         pulumi.String("email@example.com"),
			// Placeholder value. Keep real registry credentials out of source:
			// read them from encrypted stack configuration (for example
			// RequireSecret in the pulumi config package) instead of a literal.
			DockerPassword: pulumi.String("password"),
			RegistryType:   pulumi.String("DockerHub"),
		})
		if err != nil {
			return err
		}

		// Endpoint-level assignment: the same group may use and view this one
		// endpoint but is denied Administer and Create on it.
		_, err = azuredevops.NewServiceendpointPermissions(ctx, "example-permissions", &azuredevops.ServiceendpointPermissionsArgs{
			ProjectId:         project.ID(),
			Principal:         readersID(),
			ServiceendpointId: endpoint.ID(),
			Permissions: pulumi.StringMap{
				"Use":               pulumi.String("allow"),
				"Administer":        pulumi.String("deny"),
				"Create":            pulumi.String("deny"),
				"ViewAuthorization": pulumi.String("allow"),
				"ViewEndpoint":      pulumi.String("allow"),
			},
		})
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuredevops.Project;
import com.pulumi.azuredevops.ProjectArgs;
import com.pulumi.azuredevops.AzuredevopsFunctions;
import com.pulumi.azuredevops.inputs.GetGroupArgs;
import com.pulumi.azuredevops.ServiceendpointPermissions;
import com.pulumi.azuredevops.ServiceendpointPermissionsArgs;
import com.pulumi.azuredevops.ServiceEndpointDockerRegistry;
import com.pulumi.azuredevops.ServiceEndpointDockerRegistryArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

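/**
 * Example Pulumi program: creates a private Azure DevOps project and a Docker
 * Hub service endpoint, then assigns service-endpoint permissions to the
 * project's "Readers" group twice, once with only the project ID set and once
 * with the service endpoint ID set as well.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the example stack.
     *
     * @param ctx the Pulumi context passed in by {@code Pulumi.run}
     */
    public static void stack(Context ctx) {
        var exampleProject = new Project("exampleProject", ProjectArgs.builder()
            .workItemTemplate("Agile")
            .versionControl("Git")
            .visibility("private")
            .description("Managed by Terraform")
            .build());

        // Permissions are assigned to group principals, so look the group up
        // first. The variable needs a valid Java identifier (no hyphen), and
        // the lambdas below use a different parameter name so they do not
        // redeclare it.
        final var exampleReaders = AzuredevopsFunctions.getGroup(GetGroupArgs.builder()
            .projectId(exampleProject.id())
            .name("Readers")
            .build());

        // No service endpoint ID is set here, so this is the broader of the
        // two assignments. It allows every listed permission, including
        // Administer and Create, for the Readers group; trim the map to what
        // the group actually needs before reusing this example.
        var exampleRootPermissions = new ServiceendpointPermissions("example-root-permissions", ServiceendpointPermissionsArgs.builder()
            .projectId(exampleProject.id())
            .principal(exampleReaders.applyValue(group -> group.id()))
            .permissions(Map.ofEntries(
                Map.entry("Use", "allow"),
                Map.entry("Administer", "allow"),
                Map.entry("Create", "allow"),
                Map.entry("ViewAuthorization", "allow"),
                Map.entry("ViewEndpoint", "allow")
            ))
            .build());

        // The password below is a placeholder. Keep real registry credentials
        // out of source: read them from encrypted stack configuration (for
        // example ctx.config().requireSecret(...)) instead of a literal.
        var exampleServiceEndpointDockerRegistry = new ServiceEndpointDockerRegistry("exampleServiceEndpointDockerRegistry", ServiceEndpointDockerRegistryArgs.builder()
            .projectId(exampleProject.id())
            .serviceEndpointName("Example Docker Hub")
            .dockerUsername("username")
            .dockerEmail("email@example.com")
            .dockerPassword("password")
            .registryType("DockerHub")
            .build());

        // Endpoint-level assignment: the same group may use and view this one
        // endpoint but is denied Administer and Create on it.
        var examplePermissions = new ServiceendpointPermissions("example-permissions", ServiceendpointPermissionsArgs.builder()
            .projectId(exampleProject.id())
            .principal(exampleReaders.applyValue(group -> group.id()))
            .serviceendpointId(exampleServiceEndpointDockerRegistry.id())
            .permissions(Map.ofEntries(
                Map.entry("Use", "allow"),
                Map.entry("Administer", "deny"),
                Map.entry("Create", "deny"),
                Map.entry("ViewAuthorization", "allow"),
                Map.entry("ViewEndpoint", "allow")
            ))
            .build());

    }
}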
import pulumi
import pulumi_azuredevops as azuredevops

# Example stack: creates a private Azure DevOps project and a Docker Hub
# service endpoint, then assigns service-endpoint permissions to the project's
# "Readers" group twice: once with only project_id set and once with
# serviceendpoint_id set as well.
example_project = azuredevops.Project(
    "exampleProject",
    work_item_template="Agile",
    version_control="Git",
    visibility="private",
    description="Managed by Terraform",
)

# Permissions are assigned to group principals, so look the group up first.
example_readers = azuredevops.get_group_output(
    project_id=example_project.id,
    name="Readers",
)

# serviceendpoint_id is omitted for this resource, so it is the broader of the
# two assignments. It allows every listed permission, including Administer and
# Create, for the Readers group; trim the map to what the group actually needs
# before reusing this example.
root_level_permissions = {
    "Use": "allow",
    "Administer": "allow",
    "Create": "allow",
    "ViewAuthorization": "allow",
    "ViewEndpoint": "allow",
}
example_root_permissions = azuredevops.ServiceendpointPermissions(
    "example-root-permissions",
    project_id=example_project.id,
    principal=example_readers.id,
    permissions=root_level_permissions,
)

# docker_password is a placeholder. Keep real registry credentials out of
# source: read them from encrypted stack configuration (for example
# pulumi.Config().require_secret(...)) instead of a string literal.
example_service_endpoint_docker_registry = azuredevops.ServiceEndpointDockerRegistry(
    "exampleServiceEndpointDockerRegistry",
    project_id=example_project.id,
    service_endpoint_name="Example Docker Hub",
    docker_username="username",
    docker_email="email@example.com",
    docker_password="password",
    registry_type="DockerHub",
)

# Endpoint-level assignment: the same group may use and view this one endpoint
# but is denied Administer and Create on it.
endpoint_level_permissions = {
    "Use": "allow",
    "Administer": "deny",
    "Create": "deny",
    "ViewAuthorization": "allow",
    "ViewEndpoint": "allow",
}
example_permissions = azuredevops.ServiceendpointPermissions(
    "example-permissions",
    project_id=example_project.id,
    principal=example_readers.id,
    serviceendpoint_id=example_service_endpoint_docker_registry.id,
    permissions=endpoint_level_permissions,
)
import * as pulumi from "@pulumi/pulumi";
import * as azuredevops from "@pulumi/azuredevops";

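// Example stack: creates a private Azure DevOps project and a Docker Hub
// service endpoint, then assigns service-endpoint permissions to the project's
// "Readers" group twice: once with only projectId set and once with
// serviceendpointId set as well.
const exampleProject = new azuredevops.Project("exampleProject", {
    workItemTemplate: "Agile",
    versionControl: "Git",
    visibility: "private",
    description: "Managed by Terraform",
});

// Permissions are assigned to group principals, so look the group up first.
// The constant needs a valid identifier (no hyphen) that matches the name
// used by the resources below.
const exampleReaders = azuredevops.getGroupOutput({
    projectId: exampleProject.id,
    name: "Readers",
});

// serviceendpointId is omitted here, so this is the broader of the two
// assignments. It allows every listed permission, including Administer and
// Create, for the Readers group; trim the map to what the group actually needs
// before reusing this example.
const exampleRootPermissions = new azuredevops.ServiceendpointPermissions("example-root-permissions", {
    projectId: exampleProject.id,
    principal: exampleReaders.apply(group => group.id),
    permissions: {
        Use: "allow",
        Administer: "allow",
        Create: "allow",
        ViewAuthorization: "allow",
        ViewEndpoint: "allow",
    },
});

const exampleServiceEndpointDockerRegistry = new azuredevops.ServiceEndpointDockerRegistry("exampleServiceEndpointDockerRegistry", {
    projectId: exampleProject.id,
    serviceEndpointName: "Example Docker Hub",
    dockerUsername: "username",
    dockerEmail: "email@example.com",
    // Placeholder value. Keep real registry credentials out of source: read
    // them from encrypted stack configuration (for example
    // new pulumi.Config().requireSecret(...)) instead of a string literal.
    dockerPassword: "password",
    registryType: "DockerHub",
});

// Endpoint-level assignment: the same group may use and view this one endpoint
// but is denied Administer and Create on it.
const examplePermissions = new azuredevops.ServiceendpointPermissions("example-permissions", {
    projectId: exampleProject.id,
    principal: exampleReaders.apply(group => group.id),
    serviceendpointId: exampleServiceEndpointDockerRegistry.id,
    permissions: {
        Use: "allow",
        Administer: "deny",
        Create: "deny",
        ViewAuthorization: "allow",
        ViewEndpoint: "allow",
    },
});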
# Example stack: a private Azure DevOps project, a Docker Hub service endpoint,
# and two ServiceendpointPermissions resources for the project's "Readers"
# group (one with only projectId set, one with serviceendpointId set as well).
resources:
  exampleProject:
    type: azuredevops:Project
    properties:
      workItemTemplate: Agile
      versionControl: Git
      visibility: private
      description: Managed by Terraform
  # serviceendpointId is omitted here, so this is the broader of the two
  # assignments. It allows every listed permission, including Administer and
  # Create, for the Readers group; trim the map to what the group actually
  # needs before reusing this example.
  example-root-permissions:
    type: azuredevops:ServiceendpointPermissions
    properties:
      projectId: ${exampleProject.id}
      # Refers to the example-readers entry declared under `variables:` below.
      # NOTE(review): confirm this bracket form is accepted by the Pulumi YAML
      # version in use.
      principal: ${["example-readers"].id}
      permissions:
        Use: allow
        Administer: allow
        Create: allow
        ViewAuthorization: allow
        ViewEndpoint: allow
  exampleServiceEndpointDockerRegistry:
    type: azuredevops:ServiceEndpointDockerRegistry
    properties:
      projectId: ${exampleProject.id}
      serviceEndpointName: Example Docker Hub
      dockerUsername: username
      dockerEmail: email@example.com
      # Placeholder value. Keep real registry credentials out of this file:
      # supply them through encrypted stack configuration instead of a literal.
      dockerPassword: password
      registryType: DockerHub
  # Endpoint-level assignment: the same group may use and view this one
  # endpoint but is denied Administer and Create on it.
  example-permissions:
    type: azuredevops:ServiceendpointPermissions
    properties:
      projectId: ${exampleProject.id}
      principal: ${["example-readers"].id}
      serviceendpointId: ${exampleServiceEndpointDockerRegistry.id}
      permissions:
        Use: allow
        Administer: deny
        Create: deny
        ViewAuthorization: allow
        ViewEndpoint: allow
variables:
  # Looks up the project's "Readers" group; permissions are assigned to group
  # principals.
  example-readers:
    fn::invoke:
      Function: azuredevops:getGroup
      Arguments:
        projectId: ${exampleProject.id}
        name: Readers

Create ServiceendpointPermissions Resource

new ServiceendpointPermissions(name: string, args: ServiceendpointPermissionsArgs, opts?: CustomResourceOptions);
@overload
def ServiceendpointPermissions(resource_name: str,
                               opts: Optional[ResourceOptions] = None,
                               permissions: Optional[Mapping[str, str]] = None,
                               principal: Optional[str] = None,
                               project_id: Optional[str] = None,
                               replace: Optional[bool] = None,
                               serviceendpoint_id: Optional[str] = None)
@overload
def ServiceendpointPermissions(resource_name: str,
                               args: ServiceendpointPermissionsArgs,
                               opts: Optional[ResourceOptions] = None)
func NewServiceendpointPermissions(ctx *Context, name string, args ServiceendpointPermissionsArgs, opts ...ResourceOption) (*ServiceendpointPermissions, error)
public ServiceendpointPermissions(string name, ServiceendpointPermissionsArgs args, CustomResourceOptions? opts = null)
public ServiceendpointPermissions(String name, ServiceendpointPermissionsArgs args)
public ServiceendpointPermissions(String name, ServiceendpointPermissionsArgs args, CustomResourceOptions options)
type: azuredevops:ServiceendpointPermissions
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ServiceendpointPermissionsArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ServiceendpointPermissionsArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ServiceendpointPermissionsArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ServiceendpointPermissionsArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ServiceendpointPermissionsArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

ServiceendpointPermissions Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ServiceendpointPermissions resource accepts the following input properties:

Permissions Dictionary<string, string>

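The permissions to assign, as a map from permission name to the value to set. The examples on this page use the permission names Use, Administer, Create, ViewAuthorization and ViewEndpoint with the values allow and deny.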

Principal string

The group principal to assign the permissions.

ProjectId string

The ID of the project.

Replace bool

Whether the permissions given here replace (true) or are merged with (false) the permissions already assigned. Default: true

ServiceendpointId string

The id of the service endpoint to assign the permissions.

Permissions map[string]string

the permissions to assign. The following permissions are available.

Principal string

The group principal to assign the permissions.

ProjectId string

The ID of the project.

Replace bool

Replace (true) or merge (false) the permissions. Default: true

ServiceendpointId string

The id of the service endpoint to assign the permissions.

permissions Map<String,String>

the permissions to assign. The following permissions are available.

principal String

The group principal to assign the permissions.

projectId String

The ID of the project.

replace Boolean

Replace (true) or merge (false) the permissions. Default: true

serviceendpointId String

The id of the service endpoint to assign the permissions.

permissions {[key: string]: string}

the permissions to assign. The following permissions are available.

principal string

The group principal to assign the permissions.

projectId string

The ID of the project.

replace boolean

Replace (true) or merge (false) the permissions. Default: true

serviceendpointId string

The id of the service endpoint to assign the permissions.

permissions Mapping[str, str]

the permissions to assign. The following permissions are available.

principal str

The group principal to assign the permissions.

project_id str

The ID of the project.

replace bool

Replace (true) or merge (false) the permissions. Default: true

serviceendpoint_id str

The id of the service endpoint to assign the permissions.

permissions Map<String>

the permissions to assign. The following permissions are available.

principal String

The group principal to assign the permissions.

projectId String

The ID of the project.

replace Boolean

Replace (true) or merge (false) the permissions. Default: true

serviceendpointId String

The id of the service endpoint to assign the permissions.

Outputs

All input properties are implicitly available as output properties. Additionally, the ServiceendpointPermissions resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing ServiceendpointPermissions Resource

Get an existing ServiceendpointPermissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ServiceendpointPermissionsState, opts?: CustomResourceOptions): ServiceendpointPermissions
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        permissions: Optional[Mapping[str, str]] = None,
        principal: Optional[str] = None,
        project_id: Optional[str] = None,
        replace: Optional[bool] = None,
        serviceendpoint_id: Optional[str] = None) -> ServiceendpointPermissions
func GetServiceendpointPermissions(ctx *Context, name string, id IDInput, state *ServiceendpointPermissionsState, opts ...ResourceOption) (*ServiceendpointPermissions, error)
public static ServiceendpointPermissions Get(string name, Input<string> id, ServiceendpointPermissionsState? state, CustomResourceOptions? opts = null)
public static ServiceendpointPermissions get(String name, Output<String> id, ServiceendpointPermissionsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Permissions Dictionary<string, string>

the permissions to assign. The following permissions are available.

Principal string

The group principal to assign the permissions.

ProjectId string

The ID of the project.

Replace bool

Replace (true) or merge (false) the permissions. Default: true

ServiceendpointId string

The id of the service endpoint to assign the permissions.

Permissions map[string]string

the permissions to assign. The following permissions are available.

Principal string

The group principal to assign the permissions.

ProjectId string

The ID of the project.

Replace bool

Replace (true) or merge (false) the permissions. Default: true

ServiceendpointId string

The id of the service endpoint to assign the permissions.

permissions Map<String,String>

the permissions to assign. The following permissions are available.

principal String

The group principal to assign the permissions.

projectId String

The ID of the project.

replace Boolean

Replace (true) or merge (false) the permissions. Default: true

serviceendpointId String

The id of the service endpoint to assign the permissions.

permissions {[key: string]: string}

the permissions to assign. The following permissions are available.

principal string

The group principal to assign the permissions.

projectId string

The ID of the project.

replace boolean

Replace (true) or merge (false) the permissions. Default: true

serviceendpointId string

The id of the service endpoint to assign the permissions.

permissions Mapping[str, str]

the permissions to assign. The following permissions are available.

principal str

The group principal to assign the permissions.

project_id str

The ID of the project.

replace bool

Replace (true) or merge (false) the permissions. Default: true

serviceendpoint_id str

The id of the service endpoint to assign the permissions.

permissions Map<String>

the permissions to assign. The following permissions are available.

principal String

The group principal to assign the permissions.

projectId String

The ID of the project.

replace Boolean

Replace (true) or merge (false) the permissions. Default: true

serviceendpointId String

The id of the service endpoint to assign the permissions.

Import

The resource does not support import.

Package Details

Repository
Azure DevOps pulumi/pulumi-azuredevops
License
Apache-2.0
Notes

This Pulumi package is based on the azuredevops Terraform Provider.