Azure DevOps Variable Groups

See exactly which variables changed—metadata visible, secret values protected.

azuredevops

When Azure DevOps variable groups change, Terraform shows "At least one attribute in this block is (or was) sensitive" for all variables—even non-secret ones. This makes it impossible to review changes. tfplan2md's specialized template displays all variable metadata clearly while protecting actual secret values.

❌ Without tfplan2md

Raw Terraform Output
~ azuredevops_variable_group.example will be updated in-place
~ resource "azuredevops_variable_group" "example" {
    id          = "123"
    name        = "example-variables"
    # (3 unchanged attributes hidden)

  - variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
  - variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
  + variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
  + variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
}

Which variables changed? What are their names? Completely opaque.

✅ With tfplan2md

Variable Group Output

### 🔄 azuredevops_variable_group.example

**Variable Group:** `example-variables`

**Description:** `Variables for CI/CD pipeline`

#### Variables

| Change | Name | Value | Enabled |
| ------ | ---- | ----- | ------- |
| ➕ | `ENV` | `Production` | - |
| 🔄 | `APP_VERSION` | <code style="display:block; white-space:normal; padding:0; margin:0;"><span style="background-color: #fff5f5; border-left: 3px solid #d73a49; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">- 1.0.0</span><br><span style="background-color: #f0fff4; border-left: 3px solid #28a745; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">+ 2.0.0</span></code> | `true` |
| 🔄 | `API_KEY` | `(sensitive / hidden)` | <code style="display:block; white-space:normal; padding:0; margin:0;"><span style="background-color: #fff5f5; border-left: 3px solid #d73a49; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">- true</span><br><span style="background-color: #f0fff4; border-left: 3px solid #28a745; color: #24292e; display: inline-block; padding-left: 8px; margin-left: 0;">+ false</span></code> |
| ❌ | `LEGACY_URL` | `https://old.example.com` | `false` |

Clear semantic diff: added ENV, updated APP_VERSION, API_KEY enabled changed, removed LEGACY_URL.

Key Features

🔐

Secret Value Protection

Secret variable values display as "(sensitive / hidden)" while showing all metadata: name, enabled status, content type, and expiration. Security maintained, visibility restored.

🔄

Semantic Diffing

Variables matched by name across before/after states. Changes categorized as Added (➕), Modified (🔄), Removed (❌), or Unchanged (⏺️). See exactly what changed.

📊

Unified Display

Regular and secret variables merged into single table. No need to mentally combine separate arrays. All variables visible in one clear, scannable format.

📝

Complete Metadata

Shows variable group name, description, project reference, and Key Vault integration details. Every attribute visible for informed decision-making.

Operation Examples

How variable groups appear for different Terraform operations

Create Operation

### ➕ azuredevops_variable_group.app_config

**Variable Group:** `app-config-prod`

**Description:** `Production app configuration`

#### Variables

| Name | Value | Enabled |
| ---- | ----- | ------- |
| `APP_NAME` | `MyApp` | - |
| `ENVIRONMENT` | `Production` | - |
| `DB_HOST` | `prod-db.example.com` | `true` |
| `DB_PASSWORD` | `(sensitive / hidden)` | `true` |
| `API_KEY` | `(sensitive / hidden)` | `true` |

Simple table for new variable groups. Secret values protected from the start.

Update Operation

### 🔄 azuredevops_variable_group.app_config

**Variable Group:** `app-config-prod`

#### Variables

| Change | Name | Value | Enabled |
| ------ | ---- | ----- | ------- |
| 🔄 | `APP_VERSION` | - `2.1.0`<br>+ `2.2.0` | `true` |
| 🔄 | `FEATURE_FLAGS` | - `alpha,beta`<br>+ `beta,gamma` | `true` |
| 🔄 | `API_KEY` | `(sensitive / hidden)` | - `true`<br>+ `false` |
| ⏺️ | `ENVIRONMENT` | `Production` | - |

Before/after values with change indicators. Unchanged variables marked with ⏺️.

Delete Operation

### ❌ azuredevops_variable_group.legacy_config

**Variable Group:** `legacy-config`

#### Variables (being deleted)

| Name | Value | Enabled |
| ---- | ----- | ------- |
| `OLD_API_URL` | `https://legacy.example.com` | `false` |
| `DEPRECATED_KEY` | `(sensitive / hidden)` | `false` |
| `TEMP_SETTING` | `temporary` | `false` |

Clear view of what's being removed. Audit trail for cleanup operations.

Key Vault Integration

When variable groups are linked to Azure Key Vault, tfplan2md displays the Key Vault block metadata in a separate table showing the connection details.

### ➕ azuredevops_variable_group.keyvault_secrets

**Variable Group:** `keyvault-secrets`

**Description:** `Secrets from Azure Key Vault`

#### Key Vault Integration

| Name | Service Endpoint ID | Search Depth |
| ---- | ------------------- | ------------ |
| `kv-myapp-prod` | `12345678-1234-1234-1234-123456789012` | `1` |

#### Variables

(No variables configured - all values retrieved from Key Vault)

Technical Details

Resource Type

azuredevops_variable_group

Implementation

ViewModel pattern with C# Factory for semantic diffing. Merges variable and secret_variable arrays by name.

Large Values

Values >100 characters or multi-line moved to collapsible large values section with inline diff highlighting.

Security

Secret variable value attribute always displayed as "(sensitive / hidden)". All other metadata (name, enabled, etc.) visible.
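
The name-keyed merge and diff described under Semantic Diffing and Implementation, with the masking rule from Security, as an added Python example; it is not tfplan2md's own C# code. The `before`/`after` dict shape and the `name`, `value` and `enabled` keys are assumptions modelled on the tables on this page, and reporting a secret whose value alone changed as modified (without showing either value) is this example's choice.

```python
MASK = "(sensitive / hidden)"

def merge_by_name(state):
    """Flatten both arrays into {name: record}; a secret's display value is always MASK."""
    merged = {}
    state = state or {}  # before is None on create, after is None on delete
    for kind, secret in (("variable", False), ("secret_variable", True)):
        for var in state.get(kind) or []:
            merged[var["name"]] = {
                "shown": MASK if secret else var.get("value"),
                "raw": var.get("value"),  # compared in memory, never emitted
                "enabled": var.get("enabled"),
            }
    return merged

def cell(old, new):
    """One table cell: the value if it did not change, else '- old / + new'."""
    return str(new) if old == new else f"- {old} / + {new}"

def diff_variable_group(before, after):
    """Return (change, name, value, enabled) rows sorted by name."""
    old, new = merge_by_name(before), merge_by_name(after)
    rows = []
    for name in sorted(old.keys() | new.keys()):
        o, n = old.get(name), new.get(name)
        if o is None:
            rows.append(("added", name, n["shown"], n["enabled"]))
        elif n is None:
            rows.append(("removed", name, o["shown"], o["enabled"]))
        else:
            change = "unchanged" if o == n else "modified"
            rows.append((change, name, cell(o["shown"], n["shown"]),
                         cell(o["enabled"], n["enabled"])))
    return rows

# Constructed sample mirroring the update shown on this page (assumed dict shape).
SAMPLE_BEFORE = {
    "variable": [{"name": "APP_VERSION", "value": "1.0.0", "enabled": True},
                 {"name": "LEGACY_URL", "value": "https://old.example.com", "enabled": False}],
    "secret_variable": [{"name": "API_KEY", "value": "constructed-secret", "enabled": True}],
}
SAMPLE_AFTER = {
    "variable": [{"name": "ENV", "value": "Production", "enabled": None},
                 {"name": "APP_VERSION", "value": "2.0.0", "enabled": True}],
    "secret_variable": [{"name": "API_KEY", "value": "constructed-secret", "enabled": False}],
}

if __name__ == "__main__":
    for row in diff_variable_group(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(row)
```
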

Ready to see clear variable group diffs?

No more guessing what changed in your Azure DevOps variable groups. Get the visibility you need for confident deployments.