How to create VCS for Azure DevOps and a PAT

Introduction

While the standard UI-based process for creating a VCS connection for Azure DevOps using a Personal Access Token (PAT) is available in the Creating a VCS Connection for Azure DevOps documentation, this guide provides alternative methods.

This article describes how to perform the same configuration programmatically using the Terraform Enterprise API and the tfe provider, including the required values for each method.

Expected Outcome

You will successfully create a VCS connection for Azure DevOps with a PAT using either the tfe provider or the Terraform Enterprise API.

Prerequisites

Before you begin, ensure you have the following:

1. An Azure DevOps Personal Access Token (PAT) as described in the official documentation. The token must have the following permissions:
   • Code: read and status scopes.
   • Access: All accessible organizations.
2. A Terraform Enterprise user or team token with permissions to create VCS connections in your organization.

Procedure

You can use one of the following two methods to create the VCS connection.

Method 1: Using the Terraform Enterprise Provider

To create the VCS connection using the tfe provider, use the tfe_oauth_client resource.

1. Define the provider and resource in a Terraform configuration file.

   provider "tfe" {
     hostname = "<TFE_FQDN>"               ## Fully Qualified Domain Name of your Terraform Enterprise environment
     token    = "<TFE_TOKEN>"              ## A TFE token with permissions to create a VCS connection
   }
   
   resource "tfe_oauth_client" "ado_pat_connection" {
     name                 = "Azure DevOps using PAT"   ## The name of the VCS connection in the TFE UI
     organization         = "<YOUR_ORGANIZATION>"    ## Your TFE organization name
     api_url              = "https://dev.azure.com"  ## This value is required for Azure DevOps
     http_url             = "https://dev.azure.com"  ## This value is required for Azure DevOps
     oauth_token          = "<YOUR_PAT_AZURE_DEVOPS>"## Your Azure DevOps PAT value
     service_provider     = "ado_services"
     organization_scoped  = true
   }

2. Run terraform apply to create the VCS connection.

Method 2: Using the Terraform Enterprise API

To create the VCS connection using the TFE API, you will first create a payload file and then use curl to submit the request to the Create an OAuth Client endpoint.

1. Create a file named payload.json with the following content.

   {
     "data": {
       "type": "oauth-clients",
       "attributes": {
         "service-provider": "ado_services",
         "name": "Azure DevOps using PAT",
         "http-url": "https://dev.azure.com",
         "api-url": "https://dev.azure.com",
         "oauth-token-string": "<YOUR_PAT_AZURE_DEVOPS>"
       }
     }
   }

2. Execute the following curl command, replacing the placeholder values with your information.

   $ export TOKEN="<TFE_TOKEN>"
   $ curl \
     --header "Authorization: Bearer $TOKEN" \
     --header "Content-Type: application/vnd.api+json" \
     --request POST \
     --data @payload.json \
     https://<TFE_FQDN>/api/v2/organizations/<YOUR_ORGANIZATION>/oauth-clients

Additional Information

• Terraform Enterprise API: OAuth Clients
• Terraform Provider for TFE: tfe_oauth_client resource
• Documentation: Connect to Azure DevOps Services with a PAT