Create DevOps projects and AAD groups
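# Import every existing Azure DevOps project into the Terraform state so that the
# for_each'd azuredevops_project.project resource adopts them instead of re-creating them.
# Requires: az CLI with the azure-devops extension, terraform on PATH, run from the config dir.
$devOpsProjects = (az devops project list | ConvertFrom-Json).value
foreach ($project in $devOpsProjects) {
    Write-Output "importing $($project.name)"
    # Resource address of a for_each instance: azuredevops_project.project["<name>"].
    # The backslash-escaped quotes are exactly what terraform received from the
    # original command string, so the address reaching terraform is unchanged.
    $address = 'azuredevops_project.project[\"{0}\"]' -f $project.name
    # Call operator with discrete arguments: the project name (data returned by the
    # service) is never re-parsed as PowerShell code, which Invoke-Expression on an
    # interpolated string would do.
    & terraform import $address $project.id
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "terraform import failed for $($project.name) (exit code $LASTEXITCODE)"
    }
}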
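# Generate variables.tf from the imported state so the "projects" variable mirrors
# what already exists in Azure DevOps (name -> description / work_item_template).
$projects = @{}
$stateData = Get-Content .\terraform.tfstate -Raw | ConvertFrom-Json
# Only project instances: other resource types that may share this state (AAD and
# DevOps groups) carry no "name" attribute, and Hashtable.Add throws on a null key.
$projectResources = $stateData.resources | Where-Object { $_.type -eq 'azuredevops_project' }
foreach ($attr in $projectResources.instances.attributes) {
    if ($projects.ContainsKey($attr.name)) {
        Write-Warning "duplicate project name in state: $($attr.name); keeping the first entry"
        continue
    }
    $projects[$attr.name] = @{
        description        = $attr.description
        work_item_template = $attr.work_item_template
    }
}
$terraformProjectsData = $projects | ConvertTo-Json
# JSON is valid HCL object syntax, so the serialized map is usable as the default as-is.
# Terraform requires UTF-8 configuration files; Windows PowerShell 5.1's Out-File
# defaults to UTF-16, so the encoding is set explicitly.
@"
variable "projects" {
  default = $terraformProjectsData
}
"@ | Out-File "variables.tf" -Encoding utf8 -Force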
# Provider requirements. The azuread source is spelled out rather than relying on
# the implicit hashicorp/<name> default. No version constraints are declared here,
# so every init may resolve a newer provider release; pin versions once the
# versions in use are known.
terraform {
  required_providers {
    azuredevops = {
      source = "microsoft/azuredevops"
    }
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}
# Projects to manage, keyed by project name. Each value is an object with at least
# a description; this default is sample data and is normally replaced by the
# generated variables.tf.
variable "projects" {
  default = {
    "sk-test-1" = {
      description = "Test Project Description 1"
    }
    "sk-test-2" = {
      description = "Test Project Description 2"
    }
  }
}
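# Create one DevOps project per entry in var.projects.
resource "azuredevops_project" "project" {
  for_each = var.projects

  name        = each.key
  description = each.value.description
  # Private keeps the project off public/anonymous access.
  visibility      = "private"
  version_control = "Git"
  # Honour the template exported into variables.tf from the imported state; the
  # previous hard-coded "Agile" would force a change (and with it a replacement)
  # on imported projects using another template. Entries without the attribute
  # still default to Agile.
  work_item_template = try(each.value.work_item_template, "Agile")

  features = {
    "testplans" = "disabled"
    "artifacts" = "disabled"
  }
}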
# One security-enabled AAD group per project for read access (devops-<project>-readers).
resource "azuread_group" "aad_group_readers" {
  for_each = var.projects

  security_enabled = true
  display_name     = "devops-${each.key}-readers"
}
# One security-enabled AAD group per project for contributor access (devops-<project>-contributors).
resource "azuread_group" "aad_group_contributors" {
  for_each = var.projects

  security_enabled = true
  display_name     = "devops-${each.key}-contributors"
}
# Surface the reader AAD group inside Azure DevOps by its AAD object id.
# The origin_id reference already orders this after azuread_group.aad_group_readers,
# so no explicit depends_on is needed.
resource "azuredevops_group" "aad_group_readers" {
  for_each = var.projects

  description = "${each.key}_aad_group_readers"
  origin_id   = azuread_group.aad_group_readers[each.key].object_id
}
# Surface the contributor AAD group inside Azure DevOps by its AAD object id.
# The origin_id reference already orders this after azuread_group.aad_group_contributors,
# so no explicit depends_on is needed.
resource "azuredevops_group" "aad_group_contributors" {
  for_each = var.projects

  description = "${each.key}_aad_group_contributors"
  origin_id   = azuread_group.aad_group_contributors[each.key].object_id
}
# Look up each project's built-in "Readers" group.
data "azuredevops_group" "built_in_readers" {
  for_each = var.projects

  name       = "Readers"
  project_id = azuredevops_project.project[each.key].id
}
# Look up each project's built-in "Contributors" group.
data "azuredevops_group" "built_in_contributors" {
  for_each = var.projects

  name       = "Contributors"
  project_id = azuredevops_project.project[each.key].id
}
# Nest the project's reader AAD group inside the built-in Readers group, so read
# access is granted through AAD group membership rather than per-user.
resource "azuredevops_group_membership" "readers" {
  for_each = var.projects

  group   = data.azuredevops_group.built_in_readers[each.key].descriptor
  members = [azuredevops_group.aad_group_readers[each.key].descriptor]
}
# Nest the project's contributor AAD group inside the built-in Contributors group,
# so write access is granted through AAD group membership rather than per-user.
resource "azuredevops_group_membership" "contributors" {
  for_each = var.projects

  group   = data.azuredevops_group.built_in_contributors[each.key].descriptor
  members = [azuredevops_group.aad_group_contributors[each.key].descriptor]
}
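# Report Azure DevOps users with no sign-in for two months, paired with their Azure AD
# account. The removal commands stay commented out: review the report before acting.
$allUsers   = az devops user list | ConvertFrom-Json
$allADUsers = az ad user list | ConvertFrom-Json
# NOTE(review): both list commands may page or cap results by default; confirm the full
# user population is returned before acting on this report.
$date     = Get-Date
$cutoff   = $date.AddMonths(-2)
# NOTE(review): assumes lastAccessedDate deserializes to a DateTime so the comparison is
# chronological, not lexical — confirm against the az output.
$oldUsers = @($allUsers.items | Where-Object { $_.lastAccessedDate -lt $cutoff })

$data = foreach ($user in $oldUsers) {
    $mail = $user.user.mailAddress
    # An empty mailAddress must not be matched against AAD: `mail -eq $null` would select
    # every AAD user without a mail attribute, and a multi-match would point the
    # (commented) deletion at several accounts.
    $adMatches = @()
    if (-not [string]::IsNullOrWhiteSpace($mail)) {
        $adMatches = @($allADUsers | Where-Object { $_.mail -eq $mail })
    }
    $aadUpn = $null
    if ($adMatches.Count -eq 1) {
        $aadUpn = $adMatches[0].userPrincipalName
    } elseif ($adMatches.Count -gt 1) {
        Write-Warning "$($user.user.principalName): $($adMatches.Count) AAD users share mail '$mail'; AAD mapping skipped"
    }
    [PSCustomObject]@{
        id                  = $user.id
        devopsPrincipalName = $user.user.principalName
        aadPrincipalName    = $aadUpn
        loginSinceDays      = (($date - (Get-Date $user.lastAccessedDate)).TotalDays -as [int])
    }
    # az devops user remove --user $user.id --yes
    # az ad user delete --id $aadUpn
}
$data | Sort-Object loginSinceDays | Select-Object devopsPrincipalName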