»Configuring Azure DevOps Services Access

These instructions are for using dev.azure.com for Terraform Cloud's VCS features. Other supported VCS providers have separate instructions.

This page explains the four main steps required to connect Terraform Cloud to your Azure DevOps Services VCS:

  1. Create a new connection in Terraform Cloud and get the callback URL.
  2. On your VCS, register your Terraform Cloud organization as a new application. Provide the callback URL and get the application ID and key.
  3. Provide Terraform Cloud with the application ID and key. Then, request VCS access.
  4. On your VCS, approve the access request from Terraform Cloud.

Important: Terraform Cloud only supports Azure DevOps connections that use the dev.azure.com domain. If your Azure DevOps project uses the older visualstudio.com domain, you must migrate using the steps in the Microsoft documentation.

»Requirements

Configuring a new VCS provider requires permission to manage VCS settings for the organization.

Before you begin, enable Third-party application access via OAuth in Azure DevOps Services settings.

  1. Log in to Azure DevOps Services.

  2. Click Organization settings at the bottom of the sidebar.

  3. Click Policies in the sidebar under Security.

  4. Enable the Third-party application access via OAuth setting.


»Step 1: On Terraform Cloud, Begin Adding a New VCS Provider

  1. Log in to Terraform Cloud and navigate to the organization where you want to add a VCS connection.
  2. Click Settings in the menu bar and then click Providers under Version control in the sidebar.
  3. Click Add a VCS Provider. The Add a VCS Provider page appears.
  4. Open the Azure DevOps menu and then select Azure DevOps Services. The Set up provider page appears.

Leave this page open in a browser tab. You will copy values from this page into Azure DevOps in the next step, and in later steps you will continue configuring Terraform Cloud.

»Step 2: From your Azure DevOps Services Profile, Create a New Application

  1. In a new browser tab, open your Azure DevOps Services Profile, and log in to your Azure DevOps Services account if necessary. A page with a list of your organizations appears.

    Important: The Azure DevOps Services account you use for connecting Terraform Cloud must have Project Collection Administrator access to any projects containing repositories of Terraform configurations, since creating webhooks requires admin permissions. It is not possible to create custom access roles with lower levels of privilege, as Microsoft does not currently allow delegation of this capability.

    If you're unable to load the link above, you can create a new application for the next step at one of the following links: https://aex.dev.azure.com/app/register?mkt=en-US or https://app.vsaex.visualstudio.com/app/register?mkt=en-US.

  2. Go into your preferred organization.

  3. Click your user icon in the top right, and then click the ellipsis (...) and select User settings.

  4. From the User settings menu, click Profile. Your profile page appears.

  5. In the left sidebar, click Authorizations. The Authorized OAuth Apps page appears.

  6. Click the link to register a new app. A form appears asking for your company and application information.

  7. Fill out the fields and checkboxes with the corresponding values currently displayed in your Terraform Cloud browser tab. Terraform Cloud lists the values in the order they appear and includes controls for copying values to your clipboard. Here is an example:

    Field name                 | Value
    ---------------------------|------
    Company name               | HashiCorp
    Application Name           | Terraform Cloud (<YOUR ORGANIZATION NAME>)
    Application website        | https://app.terraform.io (or the URL of your Terraform Enterprise instance)
    Authorization callback URL | https://app.terraform.io/<YOUR CALLBACK URL>


    In the Authorized scopes section, select only Code (read) and Code (status) and then click Create Application.


    Important: Do not add any additional scopes beyond Code (read) and Code (status), as this can prevent Terraform Cloud from connecting. Note that these authorized scopes cannot be updated after the application is created; to fix incorrect scopes you must delete and re-create the application.

  8. After creating the application, the next page displays its details. Leave this page open in a browser tab. In the next step, you will copy and paste the unique App ID and Client Secret from this page.

    If you accidentally close this details page and need to find it later, you can reach it from the Applications and Services links at the bottom left of your profile.

»Step 3: On Terraform Cloud, Set up Your Provider

  1. (Optional) Enter a Name for this VCS connection.

  2. Enter your Azure DevOps Services application's App ID and Client Secret. These can be found in the application's details, which should still be open in the browser tab from Step 2.


  3. Click Connect and continue. This takes you to a page on Azure DevOps Services, asking whether you want to authorize the app. Click the Accept button and you'll be redirected back to Terraform Cloud.


    Note: If you receive a 404 error from Azure DevOps Services, it likely means your callback URL has not been configured correctly.

»Step 4: On Terraform Cloud, Set Up SSH Keypair (Optional)

Most organizations will not need to add an SSH private key. However, if the organization repositories include Git submodules that can only be accessed via SSH, an SSH key can be added along with the OAuth credentials. You can add or update the SSH private key at a later time.

»Important Notes

  • SSH will only be used to clone Git submodules. All other Git operations will still use HTTPS.
  • Do not use your personal SSH key to connect Terraform Cloud and Azure DevOps Services; generate a new one or use an existing key reserved for service access.
  • In the following steps, you must provide Terraform Cloud with the private key. Although Terraform Cloud does not display the text of the key to users after it is entered, it retains it and will use it for authenticating to Azure DevOps Services.
  • Protect this private key carefully. It can push code to the repositories you use to manage your infrastructure. Take note of your organization's policies for protecting important credentials and be sure to follow them.

»If You Don't Need an SSH Keypair:

  1. Click the Skip and Finish button. This returns you to Terraform Cloud's VCS Providers page, which now includes your new Azure DevOps Services client.

»If You Do Need an SSH Keypair:

  1. On a secure workstation, create an SSH keypair that Terraform Cloud can use to connect to Azure DevOps Services. The exact command depends on your OS, but is usually something like:

         ssh-keygen -t rsa -m PEM -f "/Users/<NAME>/.ssh/service_terraform" -C "service_terraform_enterprise"

     This creates a service_terraform file with the private key, and a service_terraform.pub file with the public key. This SSH key must have an empty passphrase. Terraform Cloud cannot use SSH keys that require a passphrase.

  2. While logged into the Azure DevOps Services account you want Terraform Cloud to act as, navigate to the SSH Keys settings page, add a new SSH key and paste the value of the SSH public key you just created.

  3. In Terraform Cloud's Add VCS Provider page, paste the text of the SSH private key you just created, and click the Add SSH Key button.

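The requirements in the steps above (a dedicated service key, PEM format, empty passphrase, and a public key that matches the private key) can be generated and checked before anything is pasted into either service. This is an added example, not part of the original page or HashiCorp's tooling; the function names, exit codes and key path are assumptions, and `-N ""` is added to the page's command to set the empty passphrase non-interactively.

```shell
#!/usr/bin/env bash
# Added example, not HashiCorp's code. Function names, exit codes and the
# key path in the usage note are assumptions made for illustration.

# make_service_key <path>: create a dedicated RSA key in PEM format with an
# empty passphrase (-N ""), using the type, format and comment from the page.
make_service_key() {
  local key="$1"
  if [ -e "$key" ]; then
    echo "refusing to overwrite existing key: $key" >&2
    return 1
  fi
  ssh-keygen -q -t rsa -m PEM -N "" -C "service_terraform_enterprise" -f "$key"
}

# check_service_key <path>: verify the key before pasting it anywhere.
# Returns 0 if usable, 1 = accessible by group/other (or missing),
# 2 = not a PEM RSA key, 3 = passphrase-protected or unreadable,
# 4 = the .pub file does not belong to this private key.
check_service_key() {
  local key="$1" first derived
  # Group/other permission bits (columns 5-10 of ls -l) must all be unset.
  [ "$(ls -l "$key" 2>/dev/null | cut -c5-10)" = "------" ] || return 1
  # -m PEM on an RSA key yields the traditional PEM header.
  IFS= read -r first < "$key"
  [ "$first" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 2
  # Deriving the public key with an empty passphrase fails if one is set.
  derived=$(ssh-keygen -y -P "" -f "$key" 2>/dev/null) || return 3
  # The .pub registered in Azure DevOps must match the private key given
  # to Terraform Cloud; compare the base64 key blobs (second field).
  [ "$(printf '%s\n' "$derived" | cut -d' ' -f2)" = "$(cut -d' ' -f2 "$key.pub")" ] || return 4
  return 0
}

# Usage (path is a placeholder):
#   make_service_key "$HOME/.ssh/service_terraform" &&
#     check_service_key "$HOME/.ssh/service_terraform"
```

A non-zero return from `check_service_key` identifies which requirement failed, so the key can be regenerated before it is registered.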

»Finished

At this point, Azure DevOps Services access for Terraform Cloud is fully configured, and you can create Terraform workspaces based on your organization's repositories.
