Problem

Starting in AAD Provider 2.0, the ability to manually set a password will be disabled. In the future it will be randomly generated by Azure

Todo

Update code and configuration

Errors

 Warning: Attribute is deprecated
│
│   with module.service_principals.azuread_application_password.workspace_sp_secret,
│   on modules/service-principal/main.tf line 19, in resource "azuread_application_password" "workspace_sp_secret":
│   19:   value                 = random_password.secret.result
│
│ [NOTE] In version 2.0 of the AzureAD provider, this attribute will become read-only as it will no longer be possible to specify a password value. It will be generated by Azure
│ Active Directory and persisted to state for reuse in your Terraform configuration.
│
│ (and 5 more similar warnings elsewhere)

User Story

• As an Azure customer
• I want a simple setup script, e.g. setup.azcli
• in order to (semi-)automate* the baseline required infrastructure

*I am choosing to use Azure CLI tools instead of bash or Powershell so that users must run the commands one at a time, which re-enforces Azure and Terraform concepts.

Desired/Expected Functionality

Users who want to try this out should be able to run simple 3 command terraform init, plan and apply without having to create remote backend (Blob Storage) for Terraform state.

Problem

If you clone this repo and try to run it locally, Terraform will require that you create a remote backend because this repo uses a remote backend, see provider.tf

terraform {
  backend "azurerm" {}
  …
}

Currently the deploy docs say to use -backend=false flag, but it does not work for if it hasn't been initialised before. See https://www.terraform.io/docs/cli/commands/init.html

To skip backend configuration, use -backend=false. Note that some other init steps require an initialized backend, so it is recommended to use this flag only when the working directory was already previously initialized for a particular backend.

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request

Minimal steps to reproduce

Create the same pipeline structure as the project:

│   cd.yaml
│   ci.yaml
│   main.tf
│   pr-main.yaml
│   pr-production.yaml
│   provider.tf
│   README.md
│   schedule-drift.yaml
│   var.tf
│
├───stages
│       ci.yaml
│       pull-request.yaml
│
├───steps
│       confirm-kv-loaded.yaml
│       debug-vars.yaml
│       terraform-init.yaml
│       terraform-plan.yaml
│
└───vars
        global.yaml

Any log messages given by the failure

In Azure DevOps pipeline, running it against the main branch, the isMain is not populated in the Debug - Branch Variables step and I get the following:

---------
Debugging
---------
isMain: 
isProduction: 
Build.SourceBranch: refs/heads/main
Finishing: Debug - Branch Variables

Expected/desired behavior

I expect the isMain: true

Versions

Task         : Bash
Description  : Run a Bash script on macOS, Linux, or Windows
Version      : 3.189.0
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/bash

Mention any other details that might be useful

The pipeline is fails at "Debug - Key Vault loaded?" step

--------------------------------
Confirm Key Vault 🔑 Integration
--------------------------------
KV_DEBUG_ENV: ***

⛔️ Key Vault not loaded
Please double check configuration Variable Groups in Azure Pipelines UI and that the YAML pipeline is running against the 'main' or 'production' branch.
##[error]Bash exited with code '1'.
Finishing: Debug - Key Vault loaded?

although $KV_DEBUG_ENV" != '$(kv-debug-env)

Currently the Azure DevOps projects are empty. In order to illustrate securing service connections by securing git repos, we need to:

• Bootstrap repos using azuredevops_git_repository Terraform resource
• Apply appropriate Admin or Contributor permissions per group
• Apply branch policy to default branching requiring minimum reviewers. Don't do pipeline run, because then we would have to create a pipeline too…

Current implementation uses Key Vault Access Policies

Since this project was initially developed, RBAC for Key Vault has GA'd and we should use that instead for a more unified permissions model across Azure resources.

Symptom

Sometimes when IaC is changed, the following messages are returned when running terraform apply and even terraform destroy

module.arm_environments["infra_shared"].azurerm_resource_group.workspace: Still destroying... [id=/subscriptions/6e3d4b6a-31b2-423b-a19a-...22/resourceGroups/infra-shared-nsh0-rg, 40s elapsed]
module.arm_environments["fruits_dev"].azurerm_resource_group.workspace: Still destroying... [id=/subscriptions/6e3d4b6a-31b2-423b-a19a-...2822/resourceGroups/fruits-dev-nsh0-rg, 40s elapsed]
module.arm_environments["fruits_prod"].azurerm_resource_group.workspace: Still destroying... [id=/subscriptions/6e3d4b6a-31b2-423b-a19a-...822/resourceGroups/fruits-prod-nsh0-rg, 40s elapsed]
module.arm_environments["veggies_prod"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["fruits_dev"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["infra_shared"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["veggies_dev"].azurerm_resource_group.workspace: Destruction complete after 46s
module.arm_environments["fruits_prod"].azurerm_resource_group.workspace: Destruction complete after 45s

Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1128492131-4123986507-3057368717-147136582.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3734241186-3076090954-2678173946-3324452108.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1128492131-4123986507-3057368717-147136582.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3734241186-3076090954-2678173946-3324452108.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-1909980924-2329286727-2170054555-31303424.



Error: TF50258: An error occurred finding the group. There is no group with the security identifier (SID) S-1-9-1551374245-1204400969-2402986413-2179408616-3-3466419570-1682021700-2205560075-2915369390.

Hypothesis

Terraform is deleting ADO Projects before security groups. So when Terraform tries to remove security groups, it cannot find them and those "security identifier (SID)" are not found in terraform state. So I assume it's a weird legacy Team Foundation Server (TFS) identified.

Action

Use depends_on to force terraform to remove ADO security groups before removing projects.

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x ] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request

Minimal steps to reproduce

1. Open WSL in Windows

2. Follow all steps described in the deploy.md guide

• az login with outlook.com account (admin in tenant)
• az account set (the msdn subscription)
• mv _override.tf.sample _override.tf
• export AZDO_ORG_SERVICE_URL="https://dev.azure.com/ormikopo-devops-demo"
• export AZDO_PERSONAL_ACCESS_TOKEN="..." (token with full access in ADO organization 'ormikopo-devops-demo'
• terraform init
• terraform plan
• terraform apply

Any log messages given by the failure

Authorization/roleAssignments/48bd9431-898d-c96f-6b85-6c4db80038fb]
module.arm_environments["veggies_dev"].azurerm_role_assignment.rg_team_admins: Creation complete after 25s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6/resourceGroups/veggies-dev-5z86-rg/providers/Microsoft.Authorization/roleAssignments/27525561-5f47-dcc6-a306-0c0807501ea0]
module.arm_environments["veggies_prod"].azurerm_role_assignment.rg_sp: Creation complete after 23s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6/resourceGroups/veggies-prod-5z86-rg/providers/Microsoft.Authorization/roleAssignments/16444cd1-fe25-290c-bee6-6e9a45e1a15f]
module.arm_environments["veggies_prod"].azurerm_role_assignment.rg_team_devs: Creation complete after 25s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6/resourceGroups/veggies-prod-5z86-rg/providers/Microsoft.Authorization/roleAssignments/bf86d03a-c653-c599-76fb-d9e91c38c4de]
module.arm_environments["veggies_prod"].azurerm_role_assignment.rg_team_admins: Creation complete after 23s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6/resourceGroups/veggies-prod-5z86-rg/providers/Microsoft.Authorization/roleAssignments/30aca515-6b35-5c3f-eb01-e82b0c963984]
module.service_connections["infra_shared"].data.azurerm_client_config.current: Reading...
module.service_connections["veggies_dev"].data.azurerm_subscription.current: Reading...
module.service_connections["fruits_dev"].data.azurerm_client_config.current: Reading...
module.service_connections["infra_shared"].data.azurerm_subscription.current: Reading...
module.service_connections["fruits_prod"].data.azurerm_client_config.current: Reading...
module.service_connections["fruits_prod"].data.azurerm_client_config.current: Read complete after 0s [id=2022-06-10 08:39:33.2838608 +0000 UTC]
module.service_connections["veggies_dev"].data.azurerm_client_config.current: Reading...
module.service_connections["veggies_prod"].data.azurerm_client_config.current: Reading...
module.service_connections["fruits_prod"].data.azurerm_subscription.current: Reading...
module.service_connections["fruits_dev"].data.azurerm_subscription.current: Reading...
module.service_connections["fruits_dev"].data.azurerm_client_config.current: Read complete after 0s [id=2022-06-10 08:39:33.2843127 +0000 UTC]
module.service_connections["infra_shared"].data.azurerm_client_config.current: Read complete after 0s [id=2022-06-10 08:39:33.2855188 +0000 UTC]
module.service_connections["veggies_prod"].data.azurerm_subscription.current: Reading...
module.service_connections["veggies_prod"].data.azurerm_client_config.current: Read complete after 0s [id=2022-06-10 08:39:33.2877869 +0000 UTC]
module.service_connections["veggies_dev"].data.azurerm_client_config.current: Read complete after 0s [id=2022-06-10 08:39:33.2874753 +0000 UTC]
module.service_connections["veggies_prod"].data.azuredevops_project.team: Reading...
module.service_connections["infra_shared"].data.azuredevops_project.team: Reading...
module.service_connections["veggies_dev"].data.azuredevops_project.team: Reading...
module.service_connections["fruits_prod"].data.azuredevops_project.team: Reading...
module.service_connections["fruits_dev"].data.azuredevops_project.team: Reading...
module.service_connections["infra_shared"].data.azuredevops_project.team: Read complete after 1s [id=c04beb99-7d0b-4a0b-8081-08341d4aefed]
module.service_connections["fruits_prod"].data.azuredevops_project.team: Read complete after 1s [id=c5440b4d-f516-42ae-8136-3b6258c7446d]
module.service_connections["fruits_dev"].data.azuredevops_project.team: Read complete after 1s [id=c5440b4d-f516-42ae-8136-3b6258c7446d]
module.service_connections["veggies_dev"].data.azuredevops_project.team: Read complete after 1s [id=c21c27d4-1ee7-4538-a0af-4afe9f4a99c6]
module.service_connections["veggies_prod"].data.azuredevops_project.team: Read complete after 1s [id=c21c27d4-1ee7-4538-a0af-4afe9f4a99c6]
module.service_connections["fruits_prod"].data.azurerm_subscription.current: Read complete after 1s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6]
module.service_connections["fruits_dev"].data.azurerm_subscription.current: Read complete after 1s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6]
module.service_connections["infra_shared"].data.azurerm_subscription.current: Read complete after 1s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6]
module.service_connections["veggies_prod"].data.azurerm_subscription.current: Read complete after 1s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6]
module.service_connections["veggies_dev"].data.azurerm_subscription.current: Read complete after 1s [id=/subscriptions/d7130c91-ee33-4fe2-8094-9eee918c70a6]
module.service_connections["fruits_prod"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creating...
module.service_connections["veggies_dev"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creating...
module.service_connections["veggies_prod"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creating...
module.service_connections["infra_shared"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creating...
module.service_connections["fruits_dev"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creating...
module.service_connections["fruits_prod"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Still creating... [10s elapsed]
module.service_connections["infra_shared"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Still creating... [10s elapsed]
module.service_connections["veggies_dev"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Still creating... [10s elapsed]
module.service_connections["veggies_prod"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Still creating... [10s elapsed]
module.service_connections["fruits_dev"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Still creating... [10s elapsed]
module.service_connections["fruits_prod"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creation complete after 11s [id=b82b3ed1-7695-43c3-8545-9da7b4f07b2c]
module.service_connections["fruits_dev"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creation complete after 11s [id=0eaa1f41-21a6-437d-98f4-3fb027211c73]
module.service_connections["veggies_prod"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creation complete after 12s [id=f20b8d47-6116-41dd-891a-aa395719f22f]
module.service_connections["veggies_dev"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creation complete after 12s [id=9cb1aae4-210b-44dc-94c5-69738dec330f]
module.service_connections["infra_shared"].azuredevops_serviceendpoint_azurerm.workspace_endpoint: Creation complete after 12s [id=936a31c8-a2e7-4e52-9a77-3886e10e35a2]
╷
│ Error: REST call returned status code 400
│
│ with module.ado_collaboration_permissions_fruits.azuredevops_group.team_group,
│ on modules/azure-devops-permissions/main.tf line 16, in resource "azuredevops_group" "team_group":
│ 16: resource "azuredevops_group" "team_group" {
│
╵
╷
│ Error: REST call returned status code 400
│
│ with module.ado_team_permissions["fruits"].azuredevops_group.team_group,
│ on modules/azure-devops-permissions/main.tf line 16, in resource "azuredevops_group" "team_group":
│ 16: resource "azuredevops_group" "team_group" {
│
╵
╷
│ Error: REST call returned status code 503
│
│ with module.ado_supermarket_permissions_veggies.azuredevops_group.team_group,
│ on modules/azure-devops-permissions/main.tf line 16, in resource "azuredevops_group" "team_group":
│ 16: resource "azuredevops_group" "team_group" {
│
╵
╷
│ Error: REST call returned status code 400
│
│ with module.ado_supermarket_permissions_fruits.azuredevops_group.team_group,
│ on modules/azure-devops-permissions/main.tf line 16, in resource "azuredevops_group" "team_group":
│ 16: resource "azuredevops_group" "team_group" {
│
╵
╷
│ Error: REST call returned status code 400
│
│ with module.ado_team_permissions["infra"].azuredevops_group.team_group,
│ on modules/azure-devops-permissions/main.tf line 16, in resource "azuredevops_group" "team_group":
│ 16: resource "azuredevops_group" "team_group" {
│
╵
╷
│ Error: REST call returned status code 503
│
│ with module.ado_collaboration_permissions_veggies.azuredevops_group.admins_group,
│ on modules/azure-devops-permissions/main.tf line 39, in resource "azuredevops_group" "admins_group":
│ 39: resource "azuredevops_group" "admins_group" {
│
╵

Expected/desired behavior

Deploy the terraform resources (ADO projects, Resource groups, service principals, groups, users, etc.)

Versions

Windows 11, Terraform 1.22

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

Now that the E2E governance concept is in official docs, remove markdown and instead link to

• Azure Architecture Center (AAC) - End-to-end governance in Azure when using CI/CD (June 2021)
• Cloud Adoption Framework (CAF) - End-to-end governance from DevOps to Azure (May 2021)
• Cloud Adoption Framework (CAF) - Secure the pipeline and CI/CD workflow (May 2021)

There are open compliance tasks that need to be reviewed for your devops-governance repo.

Action required: 4 compliance tasks

To bring this repository to the standard required for 2021, we require administrators of this and all Microsoft GitHub repositories to complete a small set of tasks within the next 60 days. This is critical work to ensure the compliance and security of your Azure-Samples GitHub organization.

Please take a few minutes to complete the tasks at: https://repos.opensource.microsoft.com/orgs/Azure-Samples/repos/devops-governance/compliance

• The GitHub AE (GitHub inside Microsoft) migration survey has not been completed for this private repository
• No Service Tree mapping has been set for this repo. If this team does not use Service Tree, they can also opt-out of providing Service Tree data in the Compliance tab.
• No repository maintainers are set. The Open Source Maintainers are the decision-makers and actionable owners of the repository, irrespective of administrator permission grants on GitHub.
• Classification of the repository as production/non-production is missing in the Compliance tab.

You can close this work item once you have completed the compliance tasks, or it will automatically close within a day of taking action.

If you no longer need this repository, it might be quickest to delete the repo, too.

GitHub inside Microsoft program information

More information about GitHub inside Microsoft and the new GitHub AE product can be found at https://aka.ms/gim.

FYI: current admins at Microsoft include @julie-ng

• why use . name so that it does not appear in file system, etc.

Right now pipelines fail because Terraform cannot read the state on Blob Storage because SAS tokens expired.

Currently the supermarket is just an empty project and has no function. To demonstrate the end to end governance concept, we need to:

• Create supermarket-admins AAD group
• Assign Project Administrator permissions to fruits-all and veggies-all
• Assign Contributor permissions to fruits-all and fruits-all
• Assign Contributor permissions to fruits-all and veggies-all
• Create shared fruits and veggies repo (default)
• Create fruits-only repo and necessary additional permissions at repository scope

• As a demo maintainer
• I need to add random suffix to resource names
• so customers can successfully run demo without running into errors (because Azure requires storage account, key vault, etc. names to be globally unique)

Use https://terraform-docs.io/ to document the custom terraform modules used in this project.

This is a great project and documentation. In the accompanying article the recommendation is to create a headless owner role for the service principal.

{
  "Name": "Headless Owner",    
  "Description": "Can manage infrastructure.",
  "actions": [
    "*"
  ],
  "notActions": [
    "Microsoft.Authorization/*/Delete"
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}

However, even with these reduced permissions, as long as the Microsoft.Authorization/roleAssignments/Write permission is provided, the principal can elevate his own permissions and assign himself the Owner role and then proceed and remove any locks on resources.

Microsoft.Authorization/roleAssignments/Write is required if we want to be able to assign permissions to managed identities. Is there a way to achieve that, while avoiding providing owner access to the pipeline service account?

Could an Azure Policy help here to prevent what kind of access our custom role or service principal can assign? Or limit permission assignment only to managed identity principals?

Proof of concept script for escalation is below

# Create custom role
az role definition create --role-definition headless-owner.json

# create a resource group
az group create -n test-rg --location canadaeast

# create a lock
az lock create --name cant-delete --resource-group test-rg --lock-type CanNotDelete

# Create service principal with custom role
SPPWD=$(az ad sp create-for-rbac --name sp-pipeline --role "Headless Owner" --query password -o tsv)
SPUSER=$(az ad sp list --display-name sp-pipeline --query [].appId -o tsv)
SPID=$(az ad sp list --display-name sp-pipeline --query [].objectId -o tsv)

# Login using service principal
az login --service-principal -u $SPUSER -p $SPPWD --tenant <tenand-id>

# try to delete resource with a lock
az group delete -n test-rg --yes
# OK it fails

# try to remove the lock
az lock delete --name cant-delete --resource-group test-rg
# OK it fails

# Elevate our permissions to owner
az role assignment create --assignee-object-id $SPID --assignee-principal-type ServicePrincipal --role 'Owner' --scope "/subscriptions/<subscription id>"

# try to remove the lock again
az lock delete --name cant-delete --resource-group test-rg
az group delete -n test-rg --yes
# NOT OK was able to remove lock and delete resource group


# cleanup
az login #login with our regular user
az ad sp delete --id $SPID
az role definition delete --name "Headless Owner"

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

Problem

There is a bug in the concept as it currently exists. As of today we rely on 2 AAD groups for actors, e.g. for the "Veggies" team, we have:

Expected Result

The veggie admins have elevated privileges, e.g. Administrator Access even if they have overlapping role assignments (due to membership in multiple groups).

Actual Result

• As expected: for Azure Resource Manager, veggie-admins will have Administrative permissions due to ARM's additive permissions model

• Unexpectedly: in Azure DevOps, veggie-admins will only have Contributor access because Azure DevOps uses least permissions model, as this doc describes:

  User accounts that are assigned to more than one security group are restricted to those permissions granting the least access.

Solution

To get the behavior expect, we need to have three AAD groups per domain, for example:

• veggies-all
• veggies-dev
• veggies-admin

In this way, we can avoid overlapping role assignments that result in unexpected behavior in Azure DevOps.

Tasks

• Terraform: create 3 AAD groups per domain
• Terraform: update assignments, paying extra attention to "supermarket" collaboration scenario
• Concept: update text

Upgrade Azure AD provider from v1 to v2

• Upgrade Azure AD provider to latest v2 version
• Fix breaking change - remove random password generation. Passwords now managed by Provider, which was a breaking change in Microsoft Graph API.

  The value field has become read-only as Azure Active Directory no longer accepts user-supplied password values. Passwords are instead auto-generated by Azure and exported with the value attribute by the resource.

• Best Practice - add owners to created service principals per in documentation