Can not save variable group created by azuredevops_variable_group (using secret key from keyvault) #945

Closed
thanhphong1995 opened this issue Dec 27, 2023 · 21 comments · Fixed by #947

thanhphong1995 commented Dec 27, 2023

No description provided.

thanhphong1995 commented Dec 27, 2023

I created a variable group using azuredevops_variable_group and I cannot save it. When I press the save button, it reports: Value cannot be null. Parameter name: variableGroupParameters

This is my code, "arm-client-id" already exists and

resource "azuredevops_variable_group" "variable_group_for_project_${azure_project}" {
  project_id   = data.azuredevops_project.project_${azure_project}.id
  name         = "technical-user-credentials"
  description  = "Contains API tokens of the project technical user"
  allow_access = true

  key_vault {
    name                = local.list_key_vault_name[0]
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.azurerm_endpoint_${azure_project}.id
  }

  variable {
    name = "arm-client-id"
  }
}

I can see the information of "arm-client-id" but cannot see the value:

"variable": [
  {
    "content_type": "",
    "enabled": true,
    "expires": "2025-12-26 08:01:33 +0000 UTC",
    "is_secret": false,
    "name": "arm-client-id",
    "secret_value": "",
    "value": ""
  }
]

xuzhang3 commented Jan 2, 2024

@thanhphong1995 can you provide the error/trace log? The provider will verify the KV connection first, but the error message shows that this is more like a normal KV creation, not a KV group.

thanhphong1995 commented Jan 2, 2024

Hi @xuzhang3, I created the keyvault first and updated all the secret keys in the keyvault. Now I want to create a variable group in Azure DevOps and link all secret keys from the keyvault. I see Terraform is running successfully. But when I check the variable group in the Azure DevOps project, I cannot save it; it reports "Value cannot be null. Parameter name: variableGroupParameters".
Same as https://heartofcode.files.wordpress.com/2020/08/keyvault_vargroup_detail.png?w=768, the save button is light

You can see log here:
resource "azuredevops_variable_group" "variable_group_for_project_sofa-test" {
  + allow_access = true
  + description  = "Contains API tokens of the project technical user"
  + id           = (known after apply)
  + name         = "technical-user-credentials"
  + project_id   = "25979795-9bab-4dec-a791-8d78460670dd"

  + key_vault {
      + name                = "sofa-ncww0odax4"
      + search_depth        = 20
      + service_endpoint_id = "65ae378e-6de6-478c-ba56-3e55cbace9fa"
    }

  + variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
  + variable {
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
  + variable {
      # At least one attribute in this block is (or was) sensitive,
      # At least one attribute in this block is (or was) sensitive,
      # so its contents will not be displayed.
    }
}

Plan: 2 to add, 19 to change, 0 to destroy.
module.service_endpoint_sofa-test.azuredevops_serviceendpoint_artifactory.jfrog_artifactory_v2_sofa-test: Creating...
module.service_endpoint_sofa-test.azuredevops_variable_group.variable_group_for_project_sofa-test: Creating...
module.service_endpoint_sofa-test.azuredevops_variable_group.variable_group_for_project_sofa-test: Still creating... [10s elapsed]
module.service_endpoint_sofa-test.azuredevops_variable_group.variable_group_for_project_sofa-test: Creation complete after 16s [id=43]

For the keyvault, I used azurerm_key_vault for creation

xuzhang3 commented Jan 3, 2024

@thanhphong1995 This is not an ADO provider issue. The provider variable was managed by the portal, not the ADO provider. One of the KV constraints is that at least one variable should be connected; I think this is the issue. You can refresh the page and try again, sometimes the browser cache will cause unexpected behavior.

thanhphong1995 commented Jan 3, 2024

> The provider variable was managed by the portal, not the ADO provider. One of the KV constraints is that at least one variable should be connected; I think this is the issue. You can refresh the page and try again, sometimes the browser cache will cause unexpected behavior.

Hi @xuzhang3, I used it with Azure Key Vault (Usage With AzureRM Key Vault), and in my example you can see I have 3 variable blocks. After I created the variable group and checked it, all variables from the keyvault are linked but I cannot save. I need one additional step: press the add button, and then it saves successfully.
Without using secret keys from the keyvault, using Example Usage, the variable group can be created and saved.
I checked the tfstate file and the value is empty, so I think that may be the issue:
"variable": [ { "content_type": "", "enabled": true, "expires": "2025-12-26 08:01:33 +0000 UTC", "is_secret": false, "name": "arm-client-id", "secret_value": "", "value": "" } ]

#946: This issue is not relevant to my issue, could you check it again?

xuzhang3 commented Jan 3, 2024

@thanhphong1995 Any sensitive data will not be returned, so the values will always be empty. This seems to be because the secret has been disabled. ADO should exclude disabled secrets. In the screenshot the secret status is disabled.

thanhphong1995 commented

> @thanhphong1995 Any sensitive data will not be returned, so the values will always be empty. This seems to be because the secret has been disabled. ADO should exclude disabled secrets. In the screenshot the secret status is disabled.

@xuzhang3 how do I enable it? In the document (Usage With AzureRM Key Vault), I see we only need to provide the name of the variable. I tried to override is_secret to true, but it reports an error.

xuzhang3 commented Jan 3, 2024

@thanhphong1995 This was managed by Azure. ADO will enhance the check to exclude the disabled secrets.

thanhphong1995 commented

> This was managed by Azure. ADO will enhance the check to exclude the disabled secrets.

@xuzhang3: do you have any solution for this problem?

xuzhang3 commented Jan 3, 2024

@thanhphong1995 Remove the disabled secrets from azuredevops_variable_group

xuzhang3 added bug and removed question labels Jan 3, 2024

thanhphong1995 commented

> @thanhphong1995 Remove the disabled secrets from azuredevops_variable_group

@xuzhang3, can you provide the attribute we need to set, or is it currently a bug of the ADO provider?

xuzhang3 commented Jan 3, 2024

@thanhphong1995 you need to remove the disabled secret from VG and apply again. This workaround should work.
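
An added example, not part of the thread or the provider's code: a Python check that reads Terraform state and, for Key Vault-linked azuredevops_variable_group resources, lists variables recorded as disabled or expired (candidates for the workaround above) and any that unexpectedly carry a value in state. The state layout (resources, instances, attributes), the sample data, and the reading of `enabled` as the Key Vault secret's status are assumptions; the attribute names and the timestamp format come from the state excerpt quoted earlier in the thread.

```python
import json
from datetime import datetime, timezone

# Constructed state excerpt, modelled on the tfstate fragment quoted in this thread.
SAMPLE_STATE = json.loads("""
{"version": 4, "resources": [{"type": "azuredevops_variable_group", "name": "example",
  "instances": [{"attributes": {
    "name": "technical-user-credentials",
    "key_vault": [{"name": "example-kv", "search_depth": 20}],
    "variable": [
      {"name": "arm-client-id", "enabled": true,
       "expires": "2025-12-26 08:01:33 +0000 UTC", "secret_value": "", "value": ""},
      {"name": "old-token", "enabled": false, "expires": "", "secret_value": "", "value": ""},
      {"name": "stale-key", "enabled": true,
       "expires": "2023-01-01 00:00:00 +0000 UTC", "secret_value": "", "value": ""}
    ]}}]}]}
""")

def parse_expires(text):
    """Parse the Go-style timestamp seen in state; an empty string means no expiry."""
    if not text:
        return None
    # Drop the trailing zone name ("UTC"); the numeric offset already carries the zone.
    stamp = " ".join(text.split()[:3])
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")

def audit_variable_groups(state, now=None):
    """Return {group name: {variable name: [findings]}} for Key Vault-linked groups."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for res in state.get("resources", []):
        if res.get("type") != "azuredevops_variable_group":
            continue
        for inst in res.get("instances", []):
            attrs = inst["attributes"]
            if not attrs.get("key_vault"):
                continue  # groups without a Key Vault link hold their own values
            for var in attrs.get("variable", []):
                findings = []
                if not var.get("enabled", True):
                    findings.append("disabled")  # assumption: mirrors the secret's status
                expires = parse_expires(var.get("expires", ""))
                if expires is not None and expires <= now:
                    findings.append("expired")
                if var.get("value") or var.get("secret_value"):
                    findings.append("value-in-state")  # secret material should not be here
                if findings:
                    report.setdefault(attrs["name"], {})[var["name"]] = findings
    return report
```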

thanhphong1995 commented Jan 3, 2024

@xuzhang3, I tried with the status enabled, but it is still not working.

xuzhang3 commented Jan 3, 2024

@thanhphong1995 can you be more specific about the operation steps?

xuzhang3 commented Jan 3, 2024

> @xuzhang3, I tried with the status enabled, but it is still not working.

Have you removed all the disabled secrets and run terraform apply again?

thanhphong1995 commented Jan 3, 2024

> can you be more specific about the operation steps?

@xuzhang3 I only kept one secret key in the keyvault, with status enabled, and ran terraform apply again

xuzhang3 commented Jan 4, 2024

@thanhphong1995 This is a bug, as the contentType is set to null when it should be an empty string.

xuzhang3 commented Jan 4, 2024

The API behavior has been changed but ADO has not. Will be fixed in #947

xuzhang3 linked a pull request Jan 4, 2024 that will close this issue

thanhphong1995 commented

Hi @xuzhang3, we tested locally with your change, and it is working now. Could you merge it and release?

xuzhang3 commented Jan 8, 2024

@thanhphong1995 working on it

xuzhang3 commented Jan 9, 2024
