Azure DevOps Variable Groups

See exactly which variables changed-metadata visible, secret values protected.

azuredevops

When Azure DevOps variable groups change, Terraform shows opaque sensitive-block output for every variable. tfplan2md's specialized template displays variable metadata clearly while continuing to protect actual secret values.

❌ Without tfplan2md

Raw Terraform Output 
~ azuredevops_variable_group.example will be updated in-place
~ resource "azuredevops_variable_group" "example" {
    id   = "123"
    name = "example-variables"

  - variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
  + variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
}

Which variables changed? Which names were added or removed? The raw diff does not answer that.

βœ… With tfplan2md

Variable Group Output

πŸ”„ azuredevops_variable_group.example

Variable Group: example-variables

Description: Variables for CI/CD pipeline

Variables

Change Name Value Enabled
βž• ENV Production -
πŸ”„ APP_VERSION - 1.0.0
+ 2.0.0		 true
πŸ”„ API_KEY (sensitive / hidden) - true
+ false
❌ LEGACY_URL https://old.example.com false 
### πŸ”„ azuredevops_variable_group.example

**Variable Group:** `example-variables`

**Description:** `Variables for CI/CD pipeline`

#### Variables

| Change | Name | Value | Enabled |
| ------ | ---- | ----- | ------- |
| βž• | `ENV` | `Production` | - |
| πŸ”„ | `APP_VERSION` | <code style="display:block; white-space:normal; padding:0; margin:0;"><span style="background-color: #fff5f5; border-left: 3px solid #d73a49; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">- 1.0.0</span><br><span style="background-color: #f0fff4; border-left: 3px solid #28a745; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">+ 2.0.0</span></code> | `true` |
| πŸ”„ | `API_KEY` | `(sensitive / hidden)` | <code style="display:block; white-space:normal; padding:0; margin:0;"><span style="background-color: #fff5f5; border-left: 3px solid #d73a49; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">- true</span><br><span style="background-color: #f0fff4; border-left: 3px solid #28a745; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">+ false</span></code> |
| ❌ | `LEGACY_URL` | `https://old.example.com` | `false` |

Added, updated, removed, and unchanged variables are all labeled explicitly in one semantic diff.

Key Features

πŸ”

Secret Value Protection

Secret values are rendered as (sensitive / hidden), while names, enabled flags, content types, and expiration metadata remain visible.

πŸ”„

Semantic Diffing

Variables are matched by name across before and after states and categorized as added, modified, removed, or unchanged.

πŸ“Š

Unified Display

Regular and secret variables are presented together so reviewers do not need to mentally merge multiple arrays.

πŸ“

Complete Metadata

Group name, description, project references, and Key Vault integration details remain available for full review context.

Operation Examples

How variable groups appear for different Terraform operations.

Create Operation

Example 2

βž• azuredevops_variable_group.app_config

Variable Group: app-config-prod

Description: Production app configuration

Variables

Name Value Enabled
APP_NAME MyApp -
ENVIRONMENT Production -
DB_HOST prod-db.example.com true
DB_PASSWORD (sensitive / hidden) true
API_KEY (sensitive / hidden) true 
### βž• azuredevops_variable_group.app_config

**Variable Group:** `app-config-prod`

**Description:** `Production app configuration`

#### Variables

| Name | Value | Enabled |
| ---- | ----- | ------- |
| `APP_NAME` | `MyApp` | - |
| `ENVIRONMENT` | `Production` | - |
| `DB_HOST` | `prod-db.example.com` | `true` |
| `DB_PASSWORD` | `(sensitive / hidden)` | `true` |
| `API_KEY` | `(sensitive / hidden)` | `true` |

New variable groups render as a simple table, with secret values protected from the start.

Update Operation

Example 3

πŸ”„ azuredevops_variable_group.app_config

Variable Group: app-config-prod

Variables

Change Name Value Enabled
πŸ”„ APP_VERSION - 2.1.0
+ 2.2.0 		true
πŸ”„ FEATURE_FLAGS - alpha,beta
+ beta,gamma 		true
πŸ”„ API_KEY (sensitive / hidden) - true
+ false
⏺️ ENVIRONMENT Production - 
### πŸ”„ azuredevops_variable_group.app_config

**Variable Group:** `app-config-prod`

#### Variables

| Change | Name | Value | Enabled |
| ------ | ---- | ----- | ------- |
| πŸ”„ | `APP_VERSION` | - `2.1.0`
+ `2.2.0` | `true` |
| πŸ”„ | `FEATURE_FLAGS` | - `alpha,beta`
+ `beta,gamma` | `true` |
| πŸ”„ | `API_KEY` | `(sensitive / hidden)` | - `true`
+ `false` |
| ⏺️ | `ENVIRONMENT` | `Production` | - |

Before and after values are aligned with change indicators, and unchanged variables are still visible for context.

Delete Operation

Example 4

❌ azuredevops_variable_group.legacy_config

Variable Group: legacy-config

Variables (being deleted)

Name Value Enabled
OLD_API_URL https://legacy.example.com false
DEPRECATED_KEY (sensitive / hidden) false
TEMP_SETTING temporary false 
### ❌ azuredevops_variable_group.legacy_config

**Variable Group:** `legacy-config`

#### Variables (being deleted)

| Name | Value | Enabled |
| ---- | ----- | ------- |
| `OLD_API_URL` | `https://legacy.example.com` | `false` |
| `DEPRECATED_KEY` | `(sensitive / hidden)` | `false` |
| `TEMP_SETTING` | `temporary` | `false` |

Delete views make cleanup reviews auditable instead of hiding the removed variables behind sensitive blocks.

Key Vault Integration

When a variable group is linked to Azure Key Vault, tfplan2md renders the Key Vault connection details in a separate metadata table.

Example 5

βž• azuredevops_variable_group.keyvault_secrets

Variable Group: keyvault-secrets

Description: Secrets from Azure Key Vault

Key Vault Integration

Name Service Endpoint ID Search Depth
kv-myapp-prod 12345678-1234-1234-1234-123456789012 1

Variables

(No variables configured - all values retrieved from Key Vault)

### βž• azuredevops_variable_group.keyvault_secrets

**Variable Group:** `keyvault-secrets`

**Description:** `Secrets from Azure Key Vault`

#### Key Vault Integration

| Name | Service Endpoint ID | Search Depth |
| ---- | ------------------- | ------------ |
| `kv-myapp-prod` | `12345678-1234-1234-1234-123456789012` | `1` |

#### Variables

(No variables configured - all values retrieved from Key Vault)

Technical Details

Resource Type

azuredevops_variable_group

Implementation

View-model based semantic diffing merges variable and secret_variable arrays by name before rendering.

Large Values

Values longer than 100 characters or multi-line content are moved into the large-values section with inline diff support.

Security

Secret variable value is always rendered as hidden while the rest of the metadata remains visible.

Ready to see clear variable group diffs?

No more guessing what changed in Azure DevOps variable groups. Review metadata confidently without exposing secrets, then pair it with build definition tables for the full pipeline picture.

Get Started See Build Definitions