Terraform
Configuring Azure DevOps Server Access
These instructions are for using an on-premises installation of Azure DevOps Server 2019 for Terraform Cloud's VCS features. Azure DevOps Services has separate instructions, as do the other supported VCS providers.
Configuring a new VCS provider requires permission to manage VCS settings for the organization. (More about permissions.)
Important Notes About Authentication
Terraform Cloud uses personal access tokens to connect to Azure DevOps Server. This access method requires some additional configuration and ongoing maintenance:
- IIS Basic Authentication must be disabled on your Azure DevOps Server instance in order to use personal access tokens.
- Personal access tokens eventually expire, with a maximum allowed lifetime of one year. If Terraform Cloud's token expires, it will be unable to connect to Azure DevOps Server until the token is replaced. To avoid a gap in service, do one of the following before the token expires:
- Update the expiration date of the existing token within Azure DevOps Server.
- Create a new token, and edit Terraform Cloud's VCS connection to use it.
Step 1: On Terraform Cloud, Begin Adding a New VCS Provider
Go to your organization's settings and then click Providers. The VCS Providers page appears.
Click Add VCS Provider. The VCS Providers page appears.
Select Azure DevOps and then select Azure DevOps Server from the menu. The page moves to the next step.
On the "Set up provider" step there are three textboxes. Enter an optional Name for this VCS connection. Enter the instance URL for your Azure DevOps Server in HTTP URL and API URL textboxes. Click the "Continue" button to continue to the next step.
Leave the page open in a browser tab. In the next step you will copy values from this page, and in later steps you will continue configuring Terraform Cloud.
Step 2: On Azure DevOps Server, Create a New Personal Access Token
In a new browser tab, open your Azure DevOps Server instance and log in as whichever account you want Terraform Cloud to act as. For most organizations this should be a dedicated service user, but a personal account will also work.
Important: The account you use for connecting Terraform Cloud must have Project Collection Administrator access to any projects containing repositories of Terraform configurations, since creating webhooks requires these permissions. It is not possible to create custom access roles with lower levels of privilege, as Microsoft does not currently allow delegation of this capability.
Navigate to User settings -> Security -> Personal access tokens.
Click the "New Token" button to generate a new personal access token with "Code (Read)" and "Code (Status)" scopes. (We recommend also granting access to "All accessible organizations.")
Copy the generated token to your clipboard; you'll paste it in the next step. Leave this page open in a browser tab.
Step 3: On Terraform Cloud, Add the Personal Access Token
- On the "Configure settings" step there is one textbox. Enter your Azure DevOps Server Personal Access Token from Step 2. Click the "Continue" button to continue to the next step.
Step 4: On Workstation, Create an SSH Key for Terraform Cloud
On a secure workstation, create an SSH keypair that Terraform Cloud can use to connect to Azure DevOps Server. The exact command depends on your OS, but is usually something like ssh-keygen -t rsa -m PEM -f "/Users/<NAME>/.ssh/service_terraform" -C "service_terraform_enterprise"
. This creates a service_terraform
file with the private key, and a service_terraform.pub
file with the public key.
This SSH key must have an empty passphrase. Terraform Cloud cannot use SSH keys that require a passphrase.
Important Notes
- Do not use your personal SSH key to connect Terraform Cloud and Azure DevOps Server; generate a new one or use an existing key reserved for service access.
- In the following steps, you must provide Terraform Cloud with the private key. Although Terraform Cloud does not display the text of the key to users after it is entered, it retains it and will use it for authenticating to Azure DevOps Server.
- Protect this private key carefully. It can read code to the repositories you use to manage your infrastructure. Take note of your organization's policies for protecting important credentials and be sure to follow them.
Step 5: On Azure Devops Server, Add SSH Public Key
Navigate to User settings -> Security -> SSH public keys on your Azure DevOps Server instance.
Click the "Add" button. Paste the text of the SSH public key you created in step 3 (from the
.pub
file) into the text field, then click the "Add key" button to confirm.
Step 6: On Terraform Cloud, Add SSH Private Key
- Go back to your Terraform Cloud browser tab and paste the text of the SSH private key you created in step 3 into the Private SSH Key text field of the "Set up SSH keypair" step. Click the "Add SSH key" button.
Finished
At this point, Azure DevOps Server access for Terraform Cloud is fully configured, and you can create Terraform workspaces based on your organization's repositories.