| layout | page_title | description |
|---|---|---|
azuredevops |
AzureDevops: azuredevops_variable_group |
Manages variable groups within Azure DevOps project. |
Manages variable groups within Azure DevOps.
~> Note If Variable Group is linked to a Key Vault, only top 500 secrets will be read by default. Key Vault does not support filter the secret by name, we can only read the secrets and do filter in Terraform.
resource "azuredevops_project" "example" {
name = "Example Project"
work_item_template = "Agile"
version_control = "Git"
visibility = "private"
description = "Managed by Terraform"
}
resource "azuredevops_variable_group" "example" {
project_id = azuredevops_project.example.id
name = "Example Variable Group"
description = "Example Variable Group Description"
allow_access = true
variable {
name = "key1"
value = "val1"
}
variable {
name = "key2"
secret_value = "val2"
is_secret = true
}
}resource "azuredevops_project" "example" {
name = "Example Project"
work_item_template = "Agile"
version_control = "Git"
visibility = "private"
description = "Managed by Terraform"
}
resource "azuredevops_serviceendpoint_azurerm" "example" {
project_id = azuredevops_project.example.id
service_endpoint_name = "Example AzureRM"
description = "Managed by Terraform"
credentials {
serviceprincipalid = "00000000-0000-0000-0000-000000000000"
serviceprincipalkey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
azurerm_spn_tenantid = "00000000-0000-0000-0000-000000000000"
azurerm_subscription_id = "00000000-0000-0000-0000-000000000000"
azurerm_subscription_name = "Example Subscription Name"
}
resource "azuredevops_variable_group" "example" {
project_id = azuredevops_project.example.id
name = "Example Variable Group"
description = "Example Variable Group Description"
allow_access = true
key_vault {
name = "example-kv"
service_endpoint_id = azuredevops_serviceendpoint_azurerm.example.id
}
variable {
name = "key1"
}
variable {
name = "key2"
}
}The following arguments are supported:
project_id- (Required) The ID of the project.name- (Required) The name of the Variable Group.description- (Optional) The description of the Variable Group.allow_access- (Required) Boolean that indicate if this variable group is shared by all pipelines of this project.variable- (Optional) One or morevariableblocks as documented below.key_vault-(Optional) A list ofkey_vaultblocks as documented below.
A variable block supports the following:
name- (Required) The key value used for the variable. Must be unique within the Variable Group.value- (Optional) The value of the variable. If omitted, it will default to empty string.secret_value- (Optional) The secret value of the variable. If omitted, it will default to empty string. Used whenis_secretset totrue.is_secret- (Optional) A boolean flag describing if the variable value is sensitive. Defaults tofalse.
A key_vault block supports the following:
name- The name of the Azure key vault to link secrets from as variables.service_endpoint_id- The id of the Azure subscription endpoint to access the key vault.search_depth- Set the Azure Key Vault Secret search depth. Defaults to20.
In addition to all arguments above, the following attributes are exported:
id- The ID of the Variable Group returned after creation in Azure DevOps.
- Azure DevOps Service REST API 7.0 - Variable Groups
- Azure DevOps Service REST API 7.0 - Authorized Resources
Variable groups containing secret values cannot be imported.
Azure DevOps Variable groups can be imported using the project name/variable group ID or by the project Guid/variable group ID, e.g.
terraform import azuredevops_variable_group.example "Example Project/10"or
terraform import azuredevops_variable_group.example 00000000-0000-0000-0000-000000000000/0Note that for secret variables, the import command retrieve blank value in the tfstate.
- Variable Groups: Read, Create, & Manage
- Build: Read & execute
- Project and Team: Read
- Token Administration: Read & manage
- Tokens: Read & manage
- Work Items: Read