github oocx/tfplan2md v1.40.0

13 hours ago

Fix: Build Definition Variable Rendering

This release fixes a bug where secret azuredevops_build_definition variables caused all variable attributes (name, is_secret, allow_override) to be shown as (sensitive). It also connects the fully-implemented-but-unregistered tabular renderer for azuredevops_build_definition, giving pipeline variables, triggers, repository settings, and schedules the same structured table display that azuredevops_variable_group has had since Feature 027.

🐛 Bug Fixes

Secret variable attributes no longer bleed (sensitive)

Problem: When a build definition variable had is_secret = true, the entire variable block was treated as sensitive by the default renderer. Non-sensitive attributes — name, allow_override, and is_secret itself — were all shown as (sensitive).

Before (broken output):

variable[0].allow_override    (sensitive)    (sensitive)
variable[0].is_secret         (sensitive)    (sensitive)
variable[0].name              (sensitive)    (sensitive)
variable[0].value             (sensitive)    (sensitive)

After (correct output):

| Name | Value | Secret | Allow Override |
|---|---|---|---|
| 🆔 API_KEY | (sensitive / hidden) | ✅ true | ✅ true |
| 🆔 ENV | production | ❌ false | ✅ true |

Root cause: Terraform's AzureDevOps provider marks the entire variable[N] object as sensitive in after_sensitive / before_sensitive when any attribute within it is a secret. The default renderer's SensitivityHelper.IsSensitiveAttribute checked sensitivity hierarchically — when variable[0] was marked sensitive as a whole block, all its child attributes inherited that sensitivity flag.

Fix: A dedicated BuildDefinitionRenderer now reads variable data directly from the before/after JSON via BuildDefinitionViewModelFactory, completely bypassing the hierarchical sensitivity check. Only the value/secret_value field is explicitly masked for secret variables; name, is_secret, and allow_override always display their actual values.
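The bleed and the fix can be reproduced on a small plan fragment. This is an added example, not tfplan2md's own code (which is not written in Python): the plan fragment is constructed, the function names are hypothetical, and the fail-closed handling of a missing is_secret flag is an assumption of the example.

```python
GENERIC_MASK = "(sensitive)"
TABLE_MASK = "(sensitive / hidden)"

# Constructed fragment shaped like one "change" object in Terraform plan JSON.
# The whole variable[0] object is flagged in after_sensitive, as described above.
CHANGE = {
    "after": {"variable": [
        {"name": "API_KEY", "secret_value": "s3cr3t", "is_secret": True, "allow_override": True},
        {"name": "ENV", "value": "production", "is_secret": False, "allow_override": True},
    ]},
    "after_sensitive": {"variable": [True, {}]},
}

def is_sensitive(mask, path):
    """Hierarchical check: a True anywhere along the path taints every child."""
    node = mask
    for key in path:
        if node is True:
            return True
        if isinstance(node, dict):
            node = node.get(key)
        elif isinstance(node, list) and isinstance(key, int) and key < len(node):
            node = node[key]
        else:
            return False
    return node is True

def render_generic(change):
    """Generic renderer (hypothetical): every leaf passes the hierarchical check."""
    rows = {}
    for i, var in enumerate(change["after"]["variable"]):
        for attr, val in var.items():
            hidden = is_sensitive(change["after_sensitive"], ["variable", i, attr])
            rows[f"variable[{i}].{attr}"] = GENERIC_MASK if hidden else val
    return rows

def render_variables(change):
    """Dedicated renderer (hypothetical): read variables directly, mask only the value."""
    rows = []
    for var in change["after"]["variable"]:
        # Fail closed (a choice of this example): the value is hidden unless
        # is_secret is explicitly False.
        secret = var.get("is_secret") is not False
        value = TABLE_MASK if secret else var.get("value", "")
        rows.append((var.get("name"), value, secret, var.get("allow_override")))
    return rows
```

Because the dedicated path no longer consults after_sensitive, the is_secret test is the only thing standing between the plan's plaintext secret and the rendered report, which is why the snapshot test on secret masking listed under Test Coverage matters.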

✨ Features

Tabular rendering for azuredevops_build_definition

azuredevops_build_definition resources now render in structured tables — variables, CI triggers, pull request triggers, schedules, repository settings, and jobs — matching the rendering style of azuredevops_variable_group.

Background: Feature 094 implemented all the underlying infrastructure (BuildDefinitionViewModelFactory, BuildDefinitionFormatters, view models) but stopped short of registering a dedicated renderer. The AzureDevOpsDelegatingRenderer (generic fallback) was left in place. This issue completes Feature 094 by creating and registering BuildDefinitionRenderer.

Table columns — create/delete operations:

| Name | Value | Secret | Allow Override |
|---|---|---|---|
| 🆔 BUILD_CONFIGURATION | Release | ❌ false | ✅ true |
| 🆔 API_KEY | (sensitive / hidden) | ✅ true | ❌ false |

Table columns — update/replace operations:

| Change | Name | Value | Secret | Allow Override |
|---|---|---|---|---|
| ➕ | 🆔 NEW_VAR | new-value | ❌ false | ❌ false |
| 🔄 | 🆔 CONFIG | - debug<br>+ release | ❌ false | - true<br>+ false |
| ❌ | 🆔 OLD_VAR | old-value | ❌ false | ❌ false |

Additional sections (rendered when data is present):

  • CI Triggers — Use YAML flag and branch filter overrides
  • Pull Request Triggers — Use YAML, branch filters, fork support, comment requirement
  • Schedules — Branch filters, days to build, start time, time zone, changes-only flag
  • Repository — Type, repo ID, branch, YAML path, build status reporting, service connection
  • Jobs — Job name, condition, timeout

💡 Use Cases

  • Pipeline security review: Confirm secret variables (is_secret: true) are correctly configured without exposing their values
  • Change detection: See exactly which variables were added, modified, or removed when updating a build definition — previously impossible because all content was masked as (sensitive)
  • Trigger configuration review: Understand which branches and schedules will trigger builds before applying changes
  • Repository configuration review: Verify the source repository, branch, and YAML file path

🔗 Commits

See git log for commits on branch copilot/add-azuredevops-variable-rendering.

🧪 Test Coverage

  • AzureDevOpsSnapshotTests.Snapshot_AzureDevOps_BuildDefinitions_MatchesBaseline — verifies full rendering output including secret masking, semantic variable diffing, CI triggers, PR triggers, schedules, and repository tables
  • ProviderResourceRenderersTests.ProviderRenderers_ExposeExpectedResourceTypes — updated to reference BuildDefinitionRenderer directly
  • All existing BuildDefinitionViewModelFactoryTests.* continue to pass unchanged

📚 Related Documentation

  • Feature 094: Azure DevOps Build Definition Tables — original infrastructure implementation
  • Issue 093: Sensitive Attribute Disclosure — hierarchical sensitivity check that caused the bleed
  • docs/features.md § Azure DevOps Build Definitions — updated to reflect correct column names and example output
