Setting Azure DevOps policies programmatically

posted on 2019-09-19

Azure DevOps has branch policies you probably want to set, but there is no way to set a default for new policies yet. As soon as you have a larger set of repositories, rolling out new policies becomes boring.

The azure-cli is here to help. First start a Docker container if you have not installed the tool locally:

docker run -it microsoft/azure-cli

Log in with the tool:

az login

The output will redirect you to https://microsoft.com/devicelogin to log in and match the device code.

Now we need the devops extension to work with repos and policies, so first install the extension:

az extension add --name azure-devops

After that, all the extension commands will become available.

By setting the project and the organization as defaults, we don't have to repeat them:

az devops configure --defaults organization=https://dev.azure.com/your-base-url-name/
az devops configure --defaults project=my_project

We should be able to get a list of all the repositories in the project:

az repos list

Each repository has a UUID which you need for most changes, so let's extract those:

az repos list --query "[].[name,id]"

The query part of the above command is a JMESPath expression selecting two attributes (name and id). It is quoted so the shell does not treat the brackets as a glob pattern. For most things, we want to apply a command per repository id, so I choose to use xargs for that. To get a list of only repository ids without JSON formatting, we use:

az repos list --query "[].id" --output tsv

You can write the list to a file, edit that file and then load it. But because it's a good default, let's set a "review comments have to be resolved" policy on all repositories for the master branch:

az repos list --query "[].id" --output tsv |xargs -n1 az repos policy comment-required create --blocking true --branch master --enabled true --repository-id

If the policy is already set, you will get an error message saying "The update is rejected by policy.", but as we just want a policy to be there in the first place we can safely ignore these errors.

We can do the same for requiring at least 1 reviewer to approve the PR:

az repos list --query "[].id" --output tsv |xargs -n1 az repos policy approver-count create --blocking true --branch master --creator-vote-counts false --enabled true --minimum-approver-count 1 --reset-on-source-push false --allow-downvotes false --repository-id

Same trick. Make sure you always experiment on a single repository before applying it to all repositories, but you should be able to use the above code to apply a policy across all the repositories your project contains.
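
Ignoring every error from the bulk commands also hides real failures such as an expired login or missing permissions, so it is worth checking afterwards which repositories still lack the policy. The audit below is an added example, not part of the original post; the function names, the sample repository ids and the policy display names are assumptions (check the real names with the `[].type.displayName` query).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit policy coverage after a
# bulk rollout whose errors were ignored.

# policy_report: emits "repo-id<TAB>policy display name" for every enabled,
# blocking policy on master. Uses the az commands from the post; the
# isEnabled/isBlocking filter assumes those fields in the policy JSON.
policy_report() {
  az repos list --query "[].id" --output tsv | while read -r id; do
    printf '%s\t\n' "$id"   # marker line: keeps repos with zero policies visible
    az repos policy list --repository-id "$id" --branch master \
      --query "[?isEnabled && isBlocking].type.displayName" --output tsv |
      while read -r name; do printf '%s\t%s\n' "$id" "$name"; done
  done
}

# repos_missing_policy WANTED: reads a policy_report on stdin and prints the
# ids of repositories that do not have the policy named WANTED.
repos_missing_policy() {
  awk -F '\t' -v want="$1" '
    !($1 in seen) { seen[$1] = 1; order[++n] = $1 }
    $2 == want    { has[$1] = 1 }
    END { for (i = 1; i <= n; i++) if (!(order[i] in has)) print order[i] }
  '
}

# Constructed sample report: repo-aaa has both policies, repo-bbb has none,
# repo-ccc has only the comment policy. Ids and names are made up.
sample_report() {
  printf '%s\t%s\n' \
    repo-aaa "" \
    repo-aaa "Comment requirements" \
    repo-aaa "Minimum number of reviewers" \
    repo-bbb "" \
    repo-ccc "" \
    repo-ccc "Comment requirements"
}

# Offline demonstration on the sample; prints: repo-bbb
sample_report | repos_missing_policy "Comment requirements"
# Live use: policy_report | repos_missing_policy "Comment requirements"
```

A repository whose policy query fails produces only its marker line and is therefore reported as missing, so the audit errs on the side of flagging.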

Other useful commands

  • Checking policies on a repository:

     az repos policy list --repository-id repo-uuid --branch master --query "[].type"
    
  • Getting a list of all repository ids, then checking their policies for the master branch:

     az repos list --query "[].id" --output tsv > allrepos.txt
     cat allrepos.txt | xargs -n1 az repos policy list --branch master --query "[].type.displayName" --repository-id

  • Installing vim in the Alpine Docker container:

     apk update
     apk add vim