Azure DevOps Terraform change serviceconnection and environment permissions for a project

Bjego

Today I was asked to change the Terraform code for an Azure DevOps project to make all contributors “User” of all service connections within that project and also to make them “Administrator” of all pipeline environments.

This isn’t quite obvious; I had to use the browser debug tools to analyse the HTTP calls from the UI first, as there is no built-in resource for this.

But first of all, here is the solution to make all contributors “User” of all service connections:

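```hcl
# Gives the Contributors group the "User" role on the project's service connections.
# azuredevops_project.project and data.azuredevops_group.contributors are
# assumed to be declared elsewhere in the configuration.
resource "azuredevops_securityrole_assignment" "serviceconnection-user" {
  scope       = "distributedtask.serviceendpointrole"
  resource_id = azuredevops_project.project.id
  identity_id = data.azuredevops_group.contributors.origin_id
  role_name   = "User"
}
```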

And here is the solution for the environments:

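```hcl
# Gives the Contributors group the "Administrator" role on the project's pipeline environments.
# Same project and group references as in the service connection assignment.
resource "azuredevops_securityrole_assignment" "environment-admin" {
  scope       = "distributedtask.globalenvironmentreferencerole"
  resource_id = azuredevops_project.project.id
  identity_id = data.azuredevops_group.contributors.origin_id
  role_name   = "Administrator"
}
```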

The only tricky point is finding the scope. Open Azure DevOps, navigate to, e.g., the environments of a project, and select the permission feature.

Use the Add button to open the dialog for adding a permission, then select a group and a right.

Now open your browser dev tools with F12.

Go to the Network section, then click on the Add button and on the final Save button.

A fetch request is created, and you can get the scope from there.
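As an added example (not code from the original post), this small Node.js helper takes the URL and body of the captured request and prints the matching `azuredevops_securityrole_assignment` block. It assumes the request follows the Azure DevOps Security Roles REST shape `.../_apis/securityroles/scopes/{scope}/roleassignments/resources/{resourceId}` with a JSON array body of `roleName`/`userId` entries; the function names are hypothetical, and the organisation name and GUIDs in the sample are constructed placeholders.

```javascript
// Added example: map a securityroles request copied from the browser's
// Network tab onto the arguments of azuredevops_securityrole_assignment.
// Assumption: PUT .../_apis/securityroles/scopes/{scope}/roleassignments/resources/{resourceId}
// with a JSON array body of { roleName, userId } objects.
const ROLE_PATH =
  /\/_apis\/securityroles\/scopes\/([^/]+)\/roleassignments\/resources\/([^/?#]+)/i;

function parseRoleAssignment(url, body) {
  const { pathname } = new URL(url);
  const m = ROLE_PATH.exec(pathname);
  if (!m) throw new Error("not a securityroles role-assignment request");
  const entries = JSON.parse(body);
  if (!Array.isArray(entries) || entries.length === 0) {
    throw new Error("expected a non-empty JSON array body");
  }
  // One assignment per entry in the body; scope and resource come from the URL.
  return entries.map((e) => ({
    scope: decodeURIComponent(m[1]),
    resourceId: decodeURIComponent(m[2]),
    identityId: e.userId,
    roleName: e.roleName,
  }));
}

function toTerraform(name, a) {
  return [
    `resource "azuredevops_securityrole_assignment" "${name}" {`,
    `  scope       = ${JSON.stringify(a.scope)}`,
    `  resource_id = ${JSON.stringify(a.resourceId)}`,
    `  identity_id = ${JSON.stringify(a.identityId)}`,
    `  role_name   = ${JSON.stringify(a.roleName)}`,
    `}`,
  ].join("\n");
}

// Constructed sample capture (placeholder organisation and GUIDs).
const sampleUrl =
  "https://dev.azure.com/example-org/_apis/securityroles/scopes/" +
  "distributedtask.globalenvironmentreferencerole/roleassignments/resources/" +
  "11111111-1111-1111-1111-111111111111?api-version=7.1-preview.1";
const sampleBody = JSON.stringify([
  { roleName: "Administrator", userId: "22222222-2222-2222-2222-222222222222" },
]);

const [assignment] = parseRoleAssignment(sampleUrl, sampleBody);
console.log(toTerraform("environment-admin", assignment));
```

Copy only the request URL and payload out of the Network tab; the request's cookie and authorization headers are live credentials and do not belong in notes or tickets.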
