Implement project pulling from Azure DevOps using Service Principals

[puiterwijk]

SUMMARY

This adds support for syncing a project from Azure DevOps using an Azure Service Principal.

ISSUE TYPE

• New or Enhanced Feature

COMPONENT NAME

• API
• UI
• Other

ADDITIONAL INFORMATION

In order to use this feature, create an Azure Resource Manager type secret, and assign this to the project (this PR allows attaching either an scm or azure_rm secret to projects).
The associated service principal must have Basic level access to the DevOps organization, and at least Reader level access to the Project.

Note that the current implementation uses ansible.builtin.uri to retrieve an access token.
I have submitted ansible-collections/azure#1318 to implement this as a separate Ansible module, after which this could be replaced by:

azure.azcollection.azure_rm_access_token:
  subscription_id: "{{ azure_subscription_id }}"
  client_id: "{{ azure_client_id }}"
  secret: "{{ azure_client_secret }}"
  tenant: "{{ azure_tenant }}"
  scopes:
    - 499b84ac-1321-427f-aa17-267ca6975798/.default

[AlanCoding]

I was trying to do something similar in #14190, just to link it.

[thedoubl3j]

@AlanCoding is there way for us to test this or is there anything we would need integration wise? I think once the collection PR merges it would be good to move to that implementation @puiterwijk. The collection is already part of the awx-ee so it is already included in base installs.

[puiterwijk]

@thedoubl3j Yeah, I had seen that that collection is already in the EE, that's why I even put in the effort to add support for it there :).
I just updated my PR on the collection to fix the remarks (has been a busy week!), so let's hope that progresses.

Regarding testing this PR: it'll require an Azure account with DevOps and a service principal that has access (see the instructions in my commit message/github summary).

[TheRealHaoLiu]

cc @CFSNM

[ryankwilliams]

Hey @puiterwijk!

While I was testing out these changes and creating new automated tests for this. I noticed when trying to create a project with the credential for the azure service principal, the project ends up having the credential be empty (when using awxkit).

I was going through the awxkit code that our tests repository use and in order for the tests I added to work with this credential and project creation. I had to add the following to the conditional:

                if credential.ds.credential_type.namespace not in ('scm', 'insights', 'azure_rm'):

https://github.com/ansible/awx/blob/devel/awxkit/awxkit/api/pages/projects.py#L52

Would you be able to make this change within this PR?

[puiterwijk]

@ryankwilliams Hi, sorry for the delayed reply, but I just pushed the change!

[ryankwilliams]

@ryankwilliams Hi, sorry for the delayed reply, but I just pushed the change!

@puiterwijk Thank you for making the change!

[puiterwijk]

@thedoubl3j @ryankwilliams I've updated this PR to use the collection version for token retrieval.
I also filed ansible/awx-ee#229 to make sure that version 2.1 or later of the collection is used in awx-ee (although it's already in the :latest tag, so that might not be required?).

[dmzoneill]

@puiterwijk is this ready for merging?

[puiterwijk]

@puiterwijk is this ready for merging?

@dmzoneill I think it is, yes. I've been waiting for review and someone to merge it or provide feedback.

[chadmf]

LGTM!

[chadmf]

LGTM!

[TheRealHaoLiu]

Reverting this PR due to test failure, please open the PR again.