Azure · jaredfholgate · Dec 19, 2025 · Dec 19, 2025 · Dec 19, 2025
diff --git a/alz/azuredevops/main.tf b/alz/azuredevops/main.tf
@@ -95,6 +95,7 @@ module "azure_devops" {
   agent_pool_name                              = local.resource_names.version_control_system_agent_pool
   use_self_hosted_agents                       = var.use_self_hosted_agents
   create_branch_policies                       = var.create_branch_policies
+  create_variable_group                        = var.iac_type == "terraform"
 }
 
 module "file_manipulation" {

diff --git a/alz/azuredevops/pipelines/bicep-classic/templates/cd-template.yaml b/alz/azuredevops/pipelines/bicep-classic/templates/cd-template.yaml
@@ -17,7 +17,6 @@ stages:
     displayName: What If
     condition: eq($${{ parameters.skipWhatIf }}, false)
     variables:
-      - group: ${variable_group_name}
       - name: parametersFileName
         value: parameters.json
 
@@ -75,7 +74,6 @@ stages:
     dependsOn: whatif
     condition: not(or(failed(), canceled()))
     variables:
-      - group: ${variable_group_name}
       - name: parametersFileName
         value: parameters.json
 

diff --git a/alz/azuredevops/pipelines/bicep-classic/templates/ci-template.yaml b/alz/azuredevops/pipelines/bicep-classic/templates/ci-template.yaml
@@ -3,7 +3,6 @@ stages:
   - stage: validate
     displayName: Validation Bicep
     variables:
-      - group: ${variable_group_name}
       - name: parametersFileName
         value: parameters.json
 

diff --git a/alz/github/main.tf b/alz/github/main.tf
@@ -96,6 +96,7 @@ module "github" {
   default_runner_group_name                    = var.default_runner_group_name
   use_self_hosted_runners                      = var.use_self_hosted_runners
   create_branch_policies                       = var.create_branch_policies
+  create_storage_account_variables             = var.iac_type == "terraform"
 }
 
 module "file_manipulation" {

diff --git a/modules/azure_devops/variable_group.tf b/modules/azure_devops/variable_group.tf
@@ -1,4 +1,5 @@
-resource "azuredevops_variable_group" "example" {
+resource "azuredevops_variable_group" "alz" {
+  count        = var.create_variable_group ? 1 : 0
   project_id   = local.project_id
   name         = var.variable_group_name
   description  = var.variable_group_name
@@ -19,3 +20,8 @@ resource "azuredevops_variable_group" "example" {
     value = var.backend_azure_storage_account_container_name
   }
 }
+
+moved {
+  from = "azuredevops_variable_group.example"
+  to   = "azuredevops_variable_group.alz[0]"
+}
diff --git a/modules/azure_devops/variables.tf b/modules/azure_devops/variables.tf
@@ -288,3 +288,13 @@ variable "create_branch_policies" {
   EOT
   type        = bool
 }
+
+variable "create_variable_group" {
+  description = <<-EOT
+    **(Required)** Whether to create an Azure Pipelines variable group for shared configuration.
+
+    When true, creates a variable group containing backend and subscription details
+    used across multiple pipelines.
+  EOT
+  type        = bool
+}
diff --git a/modules/github/action_variables.tf b/modules/github/action_variables.tf
@@ -19,19 +19,37 @@ resource "github_actions_variable" "azure_tenant_id" {
 }
 
 resource "github_actions_variable" "backend_azure_resource_group_name" {
+  count         = var.create_storage_account_variables ? 1 : 0
   repository    = github_repository.alz.name
   variable_name = "BACKEND_AZURE_RESOURCE_GROUP_NAME"
   value         = var.backend_azure_resource_group_name
 }
 
 resource "github_actions_variable" "backend_azure_storage_account_name" {
+  count         = var.create_storage_account_variables ? 1 : 0
   repository    = github_repository.alz.name
   variable_name = "BACKEND_AZURE_STORAGE_ACCOUNT_NAME"
   value         = var.backend_azure_storage_account_name
 }
 
 resource "github_actions_variable" "backend_azure_storage_account_container_name" {
+  count         = var.create_storage_account_variables ? 1 : 0
   repository    = github_repository.alz.name
   variable_name = "BACKEND_AZURE_STORAGE_ACCOUNT_CONTAINER_NAME"
   value         = var.backend_azure_storage_account_container_name
 }
+
+moved {
+  from = "github_actions_variable.backend_azure_resource_group_name"
+  to   = "github_actions_variable.backend_azure_resource_group_name[0]"
+}
+
+moved {
+  from = "github_actions_variable.backend_azure_storage_account_name"
+  to   = "github_actions_variable.backend_azure_storage_account_name[0]"
+}
+
+moved {
+  from = "github_actions_variable.backend_azure_storage_account_container_name"
+  to   = "github_actions_variable.backend_azure_storage_account_container_name[0]"
+}
diff --git a/modules/github/variables.tf b/modules/github/variables.tf
@@ -270,3 +270,13 @@ variable "create_branch_policies" {
   EOT
   type        = bool
 }
+
+variable "create_storage_account_variables" {
+  description = <<-EOT
+    **(Required)** Whether to create GitHub Actions variables for Azure storage account details.
+
+    When true: Creates repository-level variables for backend storage configuration
+    When false: Assumes variables are managed externally
+  EOT
+  type        = bool
+}