Description
I'm pretty certain it wasn't ALWAYS like this, but I went back quite a few versions (to 1.7) and observed the same behaviour.
azuredevops_variable_group is weird with its secrets because when you GET the variable group, secrets are returned as null. The provider, to compensate for this, has always ignored this diff silently and not complained about it. This meant you could change the value of the secret in the web UX and IaC wouldn't complain, which was great cause most people don't want their IaC to know the real value. So we always set secret_value to r3pl@ac3m3 so the secret would be created, then updated in the web UX to the real value.
Recently we had a plan that showed no change to variables, just a pipeline auth change:

Upon applying, though, all our secret values were reverted back to r3pl@ac3m3.
Sniffing the HTTP calls the provider makes, sure enough in this scenario it sends that as the value, and AzDO is happy to update to that initial value.
BUT the AzDO HTTP service has always allowed you to send a null for the value of an existing secret, and it would NOT update the value and would leave it be. I swear at some point this provider did the same thing... sending null so it would never update a secret after the initial create. But it doesn't anymore... it updates the value back to the base even though it doesn't show that it will do that in the plan, which is SUPER surprising to anyone reviewing and then applying a plan.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and Azure DevOps Provider) Version
I tried this with all provider versions from 1.11.2 back to 1.7.0, because that was the last version before a lot of changes to variable groups.
Affected Resource(s)
azuredevops_variable_group
Terraform Configuration Files
resource "azuredevops_variable_group" "example" {
  project_id   = azuredevops_project.example.id
  name         = "Example Variable Group"
  description  = "Example Variable Group Description"
  allow_access = true

  variable {
    name         = "key2"
    secret_value = "r3pl@ac3m3"
    is_secret    = true
  }
}
Debug Output
Panic Output
Expected Behavior
I expected a plan that only showed changes to the pipeline permissions to only change that and leave secret values alone.
Actual Behavior
That plan, once applied, replaced all secret values that had been set.
Steps to Reproduce
terraform apply
Important Factoids
The https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/variablegroups/update?view=azure-devops-rest-7.1 service, when sent null for a secret value, makes no changes. It would be awesome if secret_value could just be null to support this very common use case... or if the provider, when it realizes a secret already exists, sent null instead of the value to comply with the plan.
What I hope we don't do is make it so the plan always shows a change for secrets, since the GET is always null.
References
- #0000
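An added illustration of the two update bodies the issue contrasts (example code, not the provider's own; the Variable and DesiredVar types, BuildUpdatePayload and OverwritesSecret are constructed here): a payload that sends null for a secret the GET already reported, which the service leaves untouched, and a check that flags a body that would resend the configured value and reset the stored secret.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Variable is one entry of the group's "variables" map (constructed type for
// this example, not the provider's own); a nil Value marshals to JSON null.
type Variable struct {
	Value    *string `json:"value"`
	IsSecret bool    `json:"isSecret"`
}

type DesiredVar struct { // one "variable" block from the Terraform configuration
	Name, Value string
	IsSecret    bool
}

// BuildUpdatePayload sends an already-existing secret (GET returned null value,
// isSecret true) back as null so its stored value survives; everything else carries its value.
func BuildUpdatePayload(desired []DesiredVar, existing map[string]Variable) map[string]Variable {
	out := make(map[string]Variable, len(desired))
	for _, d := range desired {
		if cur, ok := existing[d.Name]; ok && d.IsSecret && cur.IsSecret {
			out[d.Name] = Variable{Value: nil, IsSecret: true}
			continue
		}
		v := d.Value
		out[d.Name] = Variable{Value: &v, IsSecret: d.IsSecret}
	}
	return out
}

// OverwritesSecret reports whether a payload sends a non-null value for an existing secret.
func OverwritesSecret(payload, existing map[string]Variable) bool {
	for name, v := range payload {
		if cur, ok := existing[name]; ok && cur.IsSecret && v.Value != nil {
			return true
		}
	}
	return false
}

func main() {
	existing := map[string]Variable{"key2": {Value: nil, IsSecret: true}} // as GET returns it
	desired := []DesiredVar{{"key2", "r3pl@ac3m3", true}, {"key3", "new-secret", true}}
	body, _ := json.Marshal(BuildUpdatePayload(desired, existing))
	fmt.Println(string(body)) // key2 carries null, key3 carries its value
}
```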