Deployment Scripts for ARM Templates is now Generally Available

Published Dec 15 2020 09:24 AM 26.8K Views
Microsoft

TL;DR – Deployment Scripts is now Generally Available, and as part of this release we’ve made deployment scripts more reliable and easier to use with an improved permissions model.

 

Why do I need Deployment Scripts?

 

Often during an ARM Template deployment, there is an operation that needs to be performed that cannot be done natively in the template – either because there is no explicit support or because the operation takes place outside of Azure. For example, you may need to populate data in a database, deploy a Kubernetes manifest, or get a new IP address from an IPAM system. Customers will often fill this gap by running a script in a release pipeline or manually performing the task before or after the deployment occurs.

 

Deployment Scripts allow you to complete these “last mile” scenarios as part of your ARM Template deployments by running your bash or PowerShell script in a native Deployment Scripts resource. Deployment Scripts has been available in public preview for a few months, and today we are making Deployment Scripts generally available.

 

What’s new for GA?

 

With our GA release we are adding the following features and capabilities:

  • You are no longer required to provide a User-assigned Managed Identity for the script to be executed. This is for use cases that do not require authentication to Azure, such as a data transformation or communication with a non-Azure API or if you’d rather use a service principal to authenticate to Azure instead of a Managed Identity. This makes executing deployment scripts much lower friction with less prerequisites.
  • The underlying resources that are required for a deployment script to execute (Azure Container Instance and Storage Account) will no longer be created with the Managed Identity. Instead, we use the permissions of the AAD principal that created the deployment to create them. For a principal to create a deploymentScript they will now need the following permissions:

 

"Microsoft.Resources/deploymentScripts/*",
"Microsoft.ContainerInstance/containerGroups/*",
"Microsoft.Storage/storageAccounts/*"

 

 

We will use the permissions of the AAD principal executing the deployment to create these resources and register the underlying ContainerInstance Resource Provider. As a result of this change, the permissions granted to the managed identity can be more limited as it only requires what the script needs to run successfully.

 

  • Better error handling for RBAC replication issues. You should now be able to reliably assign permissions to the Managed Identity in the same template that creates the deployment script without any authentication issues. This makes it easier to create a “self-contained” template deployment script template. During the preview, we noticed issues to do replication delays that prevented from working well.

 

How do I get started?

 

If you are already familiar with ARM Templates, getting started with Deployment Scripts is easy. Simply add a resource of type Microsoft.Resources/deploymentScripts to your ARM template:

 

    {
      "type": "Microsoft.Resources/deploymentScripts",
      "apiVersion": "2020-10-01",
      "kind": "AzurePowerShell",
      "name": "[parameters('dsName')]",
      "location": "[parameters('location')]",
      "properties": {
        "azPowerShellVersion": "3.0",
        "scriptContent": "
          $DeploymentScriptOutputs['test'] = 'test this output'
          Write-Host 'I am a deployment script'
        ",
        "forceUpdateTag": "[parameters('timestamp')]", // utcNow()
        "retentionInterval": "PT4H"
      }
    }

 

 

 

Once the script has executed I can view the details of the script execution in PowerShell, CLI, or in the Azure Portal

adotfrank_1-1608045619519.png

 

 

For more details, take a look at the below guides and examples.

 

We have seen a lot of awesome use cases be developed for deployment scripts during the public preview and we are looking forward to hearing how these new GA capabilities improve the experience even further. As always, if you have any questions or problems with deployment scripts, don’t hesitate to reach out at alfran@microsoft.com, on twitter or on GitHub.

 

 

Happy Deployment Scripting!

%3CLINGO-SUB%20id%3D%22lingo-sub-1989172%22%20slang%3D%22en-US%22%3EDeployment%20Scripts%20for%20ARM%20Templates%20is%20now%20Generally%20Available%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1989172%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3ETL%3BDR%3C%2FSTRONG%3E%20%E2%80%93%20Deployment%20Scripts%20is%20now%20Generally%20Available%2C%20and%20as%20part%20of%20this%20release%20we%E2%80%99ve%20made%20deployment%20scripts%20more%20reliable%20and%20easier%20to%20use%20with%20an%20improved%20permissions%20model.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1179775709%22%20id%3D%22toc-hId--1179769038%22%3EWhy%20do%20I%20need%20Deployment%20Scripts%3F%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOften%20during%20an%20ARM%20Template%20deployment%2C%20there%20is%20an%20operation%20that%20needs%20to%20be%20performed%20that%20cannot%20be%20done%20natively%20in%20the%20template%20%E2%80%93%20either%20because%20there%20is%20no%20explicit%20support%20or%20because%20the%20operation%20takes%20place%20outside%20of%20Azure.%20For%20example%2C%20you%20may%20need%20to%20populate%20data%20in%20a%20database%2C%20deploy%20a%20Kubernetes%20manifest%2C%20or%20get%20a%20new%20IP%20address%20from%20an%20IPAM%20system.%20Customers%20will%20often%20fill%20this%20gap%20by%20running%20a%20script%20in%20a%20release%20pipeline%20or%20manually%20performing%20the%20task%20before%20or%20after%20the%20deployment%20occurs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDeployment%20Scripts%20allow%20you%20to%20complete%20these%20%E2%80%9Clast%20mile%E2%80%9D%20scenarios%20as%20%3CSTRONG%3Epart%20of%3C%2FSTRONG%3E%20your%20ARM%20Template%20deployments%20by%20running%20your%20bash%20or%20PowerShell%20script%20in%20a%20native%20Deployment%20Scripts%20resource.%20Deployment%20Scripts%20has%20been%20available%20in%20public%20preview%20for%20a%20few%20months%2C%20and%20today%20we%20are%20making%20Deployment%20Scripts%20generally%20available.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1307737124%22%20id%3D%22toc-hId-1307743795%22%3EWhat%E2%80%99s%20new%20for%20GA%3F%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20our%20GA%20release%20we%20are%20adding%20the%20following%20features%20and%20capabilities%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EYou%20are%20no%20longer%20required%20to%20provide%20a%20User-assigned%20Managed%20Identity%20for%20the%20script%20to%20be%20executed.%3C%2FSTRONG%3E%20This%20is%20for%20use%20cases%20that%20do%20%3CSTRONG%3Enot%3C%2FSTRONG%3E%20require%20authentication%20to%20Azure%2C%20such%20as%20a%20data%20transformation%20or%20communication%20with%20a%20non-Azure%20API%20or%20if%20you%E2%80%99d%20rather%20use%20a%20service%20principal%20to%20authenticate%20to%20Azure%20instead%20of%20a%20Managed%20Identity.%20This%20makes%20executing%20deployment%20scripts%20much%20lower%20friction%20with%20less%20prerequisites.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EThe%20underlying%20resources%20that%20are%20required%20for%20a%20deployment%20script%20to%20execute%20(Azure%20Container%20Instance%20and%20Storage%20Account)%20will%20no%20longer%20be%20created%20with%20the%20Managed%20Identity.%3C%2FSTRONG%3E%20Instead%2C%20we%20use%20the%20permissions%20of%20the%20AAD%20principal%20that%20created%20the%20deployment%20to%20create%20them.%20For%20a%20principal%20to%20create%20a%20deploymentScript%20they%20will%20now%20need%20the%20following%20permissions%3A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%22Microsoft.Resources%2FdeploymentScripts%2F*%22%2C%0A%22Microsoft.ContainerInstance%2FcontainerGroups%2F*%22%2C%0A%22Microsoft.Storage%2FstorageAccounts%2F*%22%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3EWe%20will%20use%20the%20permissions%20of%20the%20AAD%20principal%20executing%20the%20deployment%20to%20create%20these%20resources%20and%20register%20the%20underlying%20ContainerInstance%20Resource%20Provider.%20As%20a%20result%20of%20this%20change%2C%20%3CSTRONG%3Ethe%20permissions%20granted%20to%20the%20managed%20identity%20can%20be%20more%20limited%3C%2FSTRONG%3E%20as%20it%20only%20requires%20what%20the%20script%20needs%20to%20run%20successfully.%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EBetter%20error%20handling%20for%20RBAC%20replication%20issues.%3C%2FSTRONG%3E%20You%20should%20now%20be%20able%20to%20reliably%20assign%20permissions%20to%20the%20Managed%20Identity%20in%20the%20same%20template%20that%20creates%20the%20deployment%20script%20without%20any%20authentication%20issues.%20This%20makes%20it%20easier%20to%20create%20a%20%E2%80%9Cself-contained%E2%80%9D%20template%20deployment%20script%20template.%20During%20the%20preview%2C%20we%20noticed%20issues%20to%20do%20replication%20delays%20that%20prevented%20from%20working%20well.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--499717339%22%20id%3D%22toc-hId--499710668%22%3EHow%20do%20I%20get%20started%3F%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20are%20already%20familiar%20with%20ARM%20Templates%2C%20getting%20started%20with%20Deployment%20Scripts%20is%20easy.%20Simply%20add%20a%20resource%20of%20type%20Microsoft.Resources%2FdeploymentScripts%20to%20your%20ARM%20template%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%20%20%20%20%7B%0A%20%20%20%20%20%20%22type%22%3A%20%22Microsoft.Resources%2FdeploymentScripts%22%2C%0A%20%20%20%20%20%20%22apiVersion%22%3A%20%222020-10-01%22%2C%0A%20%20%20%20%20%20%22kind%22%3A%20%22AzurePowerShell%22%2C%0A%20%20%20%20%20%20%22name%22%3A%20%22%5Bparameters('dsName')%5D%22%2C%0A%20%20%20%20%20%20%22location%22%3A%20%22%5Bparameters('location')%5D%22%2C%0A%20%20%20%20%20%20%22properties%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22azPowerShellVersion%22%3A%20%223.0%22%2C%0A%20%20%20%20%20%20%20%20%22scriptContent%22%3A%20%22%0A%20%20%20%20%20%20%20%20%20%20%24DeploymentScriptOutputs%5B'test'%5D%20%3D%20'test%20this%20output'%0A%20%20%20%20%20%20%20%20%20%20Write-Host%20'I%20am%20a%20deployment%20script'%0A%20%20%20%20%20%20%20%20%22%2C%0A%20%20%20%20%20%20%20%20%22forceUpdateTag%22%3A%20%22%5Bparameters('timestamp')%5D%22%2C%20%2F%2F%20utcNow()%0A%20%20%20%20%20%20%20%20%22retentionInterval%22%3A%20%22PT4H%22%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20the%20script%20has%20executed%20I%20can%20view%20the%20details%20of%20the%20script%20execution%20in%20PowerShell%2C%20CLI%2C%20or%20in%20the%20Azure%20Portal%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22adotfrank_1-1608045619519.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F240693iEA08E583328E6E94%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22adotfrank_1-1608045619519.png%22%20alt%3D%22adotfrank_1-1608045619519.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20details%2C%20take%20a%20look%20at%20the%20below%20guides%20and%20examples.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fazure-resource-manager%2Ftemplates%2Fdeployment-script-template%3Ftabs%3DCLI%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EHow%20to%3A%20Deployment%20Scripts%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EAdditional%20samples%3A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2Fazure-quickstart-templates%2Ftree%2Fmaster%2F201-deployment-script-ssh-key-gen%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20QuickStart%20template%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2Fbicep%2Ftree%2Fmain%2Fdocs%2Fexamples%2F101%2Fdeployment-script-no-auth%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EBicep%20example%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20seen%20a%20lot%20of%20awesome%20use%20cases%20be%20developed%20for%20deployment%20scripts%20during%20the%20public%20preview%20and%20we%20are%20looking%20forward%20to%20hearing%20how%20these%20new%20GA%20capabilities%20improve%20the%20experience%20even%20further.%20As%20always%2C%20if%20you%20have%20any%20questions%20or%20problems%20with%20deployment%20scripts%2C%20don%E2%80%99t%20hesitate%20to%20reach%20out%20at%20%3CA%20href%3D%22mailto%3Aalfran%40microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ealfran%40microsoft.com%3C%2FA%3E%2C%20on%20%3CA%20href%3D%22http%3A%2F%2Ftwitter.com%2Fadotfrank%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Etwitter%3C%2FA%3E%26nbsp%3Bor%20on%20%3CA%20href%3D%22http%3A%2F%2Fgithub.com%2Falex-frankel%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGitHub%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHappy%20Deployment%20Scripting!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1989172%22%20slang%3D%22en-US%22%3E%3CP%3EDeployment%20Scripts%20is%20now%20Generally%20Available%2C%20and%20as%20part%20of%20this%20release%20we%E2%80%99ve%20made%20deployment%20scripts%20more%20reliable%20and%20easier%20to%20use%20with%20an%20improved%20permissions%20model.%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Version history
Last update:
‎Dec 15 2020 09:24 AM
Updated by: