[Bug]: Migrating Azure DevOps Service Variable Group backed by Azure Key Vault

[Chryogenic]

Version

• I confirm that I am using the latest version

Source Version

Azure DevOps Service

Target Version

Azure DevOps Service

Relevant configuration

{
  "GitRepoMapping": null,
  "LogLevel": "Debug",
  "Processors": [
    {
      "$type": "AzureDevOpsPipelineProcessorOptions",
      "LogLevel": "Debug",
      "Enabled": true,
      "MigrateBuildPipelines": true,
      "MigrateReleasePipelines": true,
      "MigrateTaskGroups": true,
      "MigrateVariableGroups": true,
      "MigrateServiceConnections": false,
      "BuildPipelines": null,
      "ReleasePipelines": null,
      "RefName": null,
      "SourceName": "Source",
      "TargetName": "Target",
      "RepositoryNameMaps": { "AllDevOpsFeatures": "ben-test-migrations" }
    }
  ],
  "Version": "13.0",
  "Endpoints": {
    "AzureDevOpsEndpoints": [
      {
        "name": "Source",
        "$type": "AzureDevOpsEndpointOptions",
        "Organisation": "<redacted>",
        "Project": "AllDevOpsFeatures",
        "AuthenticationMode": "AccessToken",
        "AccessToken": "<Redacted>",
        "EndpointEnrichers": null
      },
      {
        "Name": "Target",
        "$type": "AzureDevOpsEndpointOptions",
        "Organisation": "redacted",
        "Project": "ben-test-migrations",
        "AuthenticationMode": "AccessToken",
        "AccessToken": "<redacted>",
        "EndpointEnrichers": null
      }
    ]
  }
}

Relevant log output

[09:53:55 ERR] Error migrating VariableGroups: kv. Please migrate it manually. 
Url: POST <redacted>//ben-test-migrations/_apis/distributedtask/variablegroups/
{"$id":"1","innerException":null,"message":"8385e02b-df7c-4325-a6d3-53d2fede6754 service connection used in variable group is not shared with project ben-test-migrations. A service connection Administrator should share it with project ben-test-migrations before sharing the variable group with project ben-test-migrations.","typeName":"Microsoft.TeamFoundation.DistributedTask.Server.Exceptions.InvalidRequestException, Microsoft.TeamFoundation.DistributedTask.Server","typeKey":"InvalidRequestException","errorCode":0,"eventId":3000}

What happened?

Unable to migrate variable group that has been backed by Azure Key Vault.

Service connections will be migrated manually with the same names & set up with correct RBAC access to Key Vault. (which is why I have set MigrateServiceConnections is set to false).

I'd expect that when the script sets up the variable group it would use the new service connection and be able to create the Key Vault backed Variable Group.

Debug in Visual Studio

• Visual Studio Debug

[MrHinsh]

As per the error you need to migrate the KeyVaut manually and then run again.