It is easy to create variables in the Azure Pipelines and they make the pipelines more generic in nature. Therefore, we can customize the release steps as per the context of the stage used. Same goes for the build definitions. Now sometimes, it may happen that the variables are common across multiple build and release definitions. In such a case, instead of defining them again and again, we can use a variable group. A variable group allows us to store values that we want to make available across multiple build and release pipelines. It also prevent duplication of values, making it easier to update all occurrences as one operation.
Define a Variable Group
Variable groups are defined and managed in the Library tab of the Pipelines hub. So let’s click library tab and then click ‘+Variable group’:
We now need to provide a name and description for the group. After this we can enter the name and value for each variable we want to include in the group, choosing + Add for each one. If we need to encrypt and securely store the value, choose the “lock” icon at the end of the row. Once done, click Save:
Link secrets from an Azure key vault inside Variable Group
We can not only define variable directly in the variable group, we can also define secrets associated with the Azure Key Vault inside variable group. Doing this also allows to keep variables more secure, since they are not stored inside VSTS but fetched at run time from Azure Key Vault.
To do this, we just have to enable toggle for ‘Link secrets from an Azure key vault as variables’ while defining group and then provide the details about Azure Key Vault and associated Azure Subscription.
Like earlier, any changes made to existing secrets in the key vault, such as a change in the value of a secret, will be made available automatically to all the definitions.
Do note that when new secrets are added to the vault, or a secret is deleted from the vault, the associated variable groups are not updated automatically. In this case, the secrets included in the variable group must be explicitly updated in order for the definitions.
Use a Variable Group
We can access the value of the variables in a linked variable group in exactly the same way as variables you define within the pipeline itself. For example, to access the value of a variable named customer in a variable group linked to the pipeline, use $(var01) in a task parameter or a script. However, secret variables (encrypted variables and key vault variables) cannot be accessed directly in scripts – instead they must be passed as arguments to a task.
To illustrate further, let’s consider the previous snap posted above. We defined two variables, namely var01 and var02 out of which latter is a secret and therefore masked. Let’s create a release definition named variablegroupsdemo01 and we first need to link to variable group by clicking on the ‘Link variable group’:
While linking, we can select the variable group and the scope of the variable group for the given pipeline:
Or we can also use YAML like below:
– group: myVarsGroup
Once linking is done, let’s add a PowerShell task and define couple of lines as below:
If we run our definition, we should see something like below in the logs:
This confirms that variables defined in the Variable Group can be fetched and used in the same way as normal variables.
Override a variable from Variable Group
If for some reason, we need to override a variable already defined in the variable group, we need to create a variable with the same name within the build or release pipeline. A variable in the pipeline overrides a variable with the same name in the variable group.