How to use a variable group in a Azure Pipelines yml template?

T

2

6

So I'm working on a bunch of pipelines and I've set everything up using yml templates. However I struggle with getting protected variable expanded inside of my template steps. I've tried passing in the protected variables by normal means, but they seem to not get expanded. Then I tried using a variable group, which I supposedly can directly reference inside of templates. I say supposedly, because Microsoft says so on their website https://learn.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups?view=azure-devops&tabs=yaml:

"You can also reference a variable group in a template. In the template variables.yml, the group my-variable-group is referenced. The variable group includes a variable named myhello."

variables:
- group: my-variable-group

However, whenever I include a variables section into my template code, Azure DevOps immediately complains about it when parsing the yml, before running the pipeline. It spits out the following message:

/ymls/my-template@my-repo (Line: 1, Col: 1): Unexpected value 'variables'

I don't insist on using variable groups, I just want to have my protected variables expanded in my yml template. Does anybody know how to do that???

Any help greatly appreciated!

Tushy answered 11/4, 2022 at 7:15 Comment(1)

I found few more detailed here – Olivares 19/10, 2022 at 5:19

T

7

Finally figured it out. Thanks to @GeralexGR. Turns out, when you reference a variable group in the main pipeline yml, you automatically have access to it in the template yml. But for normal script steps you still have to pass it in explicitly.

It then looks s.th. like this:

main-pipeline.yml:

variables:
- group: my-variable-group
...
jobs:
- job: my-job
  steps:
  - template: ymls/my-template.yml@my-repo
  # no need to pass in the variable group s parameter

my-template.yml:

steps:
- task: ShellScript@2
  inputs:
    scriptPath: 'my-script.sh'
    args: '$(my-secret-variable)'

Tushy answered 11/4, 2022 at 9:0 Comment(2)

Thank you for sharing this @DanDan, regarding the in the first code block, you mentioned @ repo, may i know the reason? Are you referencing the Azure DevOps repos dynamically within the pipeline? – Melaniemelanin 3/11, 2023 at 3:6

@SunilN yes, I am referencing a Git repo within the same Azure DevOps instance. But specifically a different(!) repo than the repo where the current pipeline's yml file is located. This line means that the file structure ymls/my-template.yml exists within the Git repo my-repo. – Tushy 4/11, 2023 at 11:17

T

15

You should define your variable group on your main pipeline and not in the template. Then you can call your template and use the variable that you defined.

For example lets say that you have your main.yml which calls template.yml

You should define the below variable group on main.yml

variables:
- group: my-variable-group

And call the variable on your template.yml

$(MY_VARIABLE)

https://thomasthornton.cloud/2021/09/02/referencing-variable-groups-in-azure-devops-pipeline-templates/

Twila answered 11/4, 2022 at 7:25 Comment(1)

Thanks for the post, this works perfectly fine except for secret variables, which is my main problem. What the guy in the post is doing is a little different from what I am doing. He is using an AzureCLI@2 step, which can take an inline script and from there he can appearantly directly reference his secret variable. But for normal script steps you have to pass in secret variables, which also works for me, except for secret variables. – Tushy 11/4, 2022 at 8:7

T

7