Azure Arc Custom Script Extension for Windows

In my previous post, I briefly talked about the different Azure Arc for Servers extensions and how to install the Custom Script Extension for Windows. In this post, I focus only on the Custom Script Extension for Windows and how to execute a script from different locations.

I will show how to execute the scripts from:

  • Azure Blob Storage
  • Internal File Share
  • GitHub

In these examples, we will download and install the 7-ZIP application using PowerShell. If you are going to run real scripts in a production environment, make sure to read the limitations and tips from Microsoft.

Requirements

All my examples are based on the Az.ConnectedMachine PowerShell module, which you can download from the PowerShell Script Gallery.

Supported Operating system

Windows

• Windows Server 2022
• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2

Linux

• CentOS Linux 8
• CentOS Linux 7
• CentOS Linux 6
• Debian 10
• Oracle Linux 8
• Oracle Linux 7
• Red Hat Enterprise Linux Server 8
• Red Hat Enterprise Linux Server 7
• SUSE Linux Enterprise Server 15
• SUSE Linux Enterprise Server 12
• Ubuntu 20.04 LTS
• Ubuntu 18.04 LTS

Script location

Your scripts can live in different locations, and there is no need to upload them to Azure Blob Storage. If you prefer, though, you can store all your management scripts in one place, which makes them easier to manage.

• Azure Blob Storage
• GitHub
• Internal file server

Supported script properties

Please remember that all property names are case-sensitive.

| Property | Optional or Required | Description |
|---|---|---|
| fileUris | Optional | Script URL. This can be Azure Blob Storage, GitHub, File server etc. |
| commandToExecute | Required | Command to execute. If the script is on the local file server, then the fileUris property is not needed. |
| timestamp | Optional | Change this value only to trigger a rerun of the script. Any integer value is acceptable if it's different from the previous value. |
| storageAccountName | Optional | The name of the storage account. If you specify storage credentials, all fileUris values must be URLs for Azure blobs. |
| storageAccountKey | Optional | The access key of the storage account. |
| managedIdentity | Optional | The managed identity for downloading files. This can be defined in the protected settings only. |

New-AzConnectedMachineExtension has ProtectedSetting and Setting parameters. If your script contains sensitive data or you have specified the storageAccountName and storageAccountKey properties, then this information should be defined under the ProtectedSetting parameter. All data passed there is encrypted before it is sent to the server.
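
The rules from the table and the Setting/ProtectedSetting split, as an added example (not from the original post or from Microsoft): `New-ArcCseSettings` is a hypothetical helper that validates the properties and decides which hashtable each one belongs in. It assumes the public-cloud `.blob.core.windows.net` suffix and that a URL with a query string carries a SAS token; placing `timestamp` in the plain settings is also an assumption of this example.

```powershell
# Added example: New-ArcCseSettings is a hypothetical helper, not an Az.ConnectedMachine cmdlet.
function New-ArcCseSettings {
    param(
        [Parameter(Mandatory)][string]$CommandToExecute,
        [string[]]$FileUris = @(),
        [string]$StorageAccountName,
        [string]$StorageAccountKey,
        [switch]$Rerun
    )
    # Keys are typed in the exact casing from the table: property names are case-sensitive.
    $public    = @{}
    $protected = @{ commandToExecute = $CommandToExecute }  # may embed secrets
    $hasName = [bool]$StorageAccountName
    $hasKey  = [bool]$StorageAccountKey
    if ($hasName -ne $hasKey) {
        throw 'storageAccountName and storageAccountKey must be supplied together.'
    }
    $uriIsSecret = $false
    foreach ($u in $FileUris) {
        $uri = [uri]$u
        # Assumption: public-cloud blob endpoint suffix.
        $isBlob = $uri.IsAbsoluteUri -and $uri.Host.EndsWith('.blob.core.windows.net')
        if ($hasKey -and -not $isBlob) {
            # Report the URL without its query string so a SAS token never reaches a log.
            throw "Storage credentials require Azure blob URLs in fileUris: $($u.Split('?')[0])"
        }
        if ($uri.IsAbsoluteUri -and $uri.Query) { $uriIsSecret = $true }  # e.g. SAS
    }
    if ($FileUris.Count -gt 0) {
        if ($uriIsSecret) { $protected.fileUris = $FileUris } else { $public.fileUris = $FileUris }
    }
    if ($hasKey) {
        $protected.storageAccountName = $StorageAccountName
        $protected.storageAccountKey  = $StorageAccountKey
    }
    if ($Rerun) {
        # Any integer that differs from the previous value triggers a rerun.
        $public.timestamp = [int][DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    }
    $result = @{ ProtectedSetting = $protected }
    if ($public.Count -gt 0) { $result.Setting = $public }
    return $result
}

# Constructed sample input with placeholder account name and key.
$cse = New-ArcCseSettings -Rerun `
    -FileUris 'https://XXXXX.blob.core.windows.net/myscriptcontainer/Install-Arc7ZIP.ps1' `
    -CommandToExecute 'powershell -ExecutionPolicy Unrestricted -File Install-Arc7ZIP.ps1' `
    -StorageAccountName 'XXXXX' -StorageAccountKey '<storage account key>'
"Setting: $($cse.Setting.Keys -join ', ') | ProtectedSetting: $($cse.ProtectedSetting.Keys -join ', ')"
```

The returned hashtable can be splatted into New-AzConnectedMachineExtension alongside the machine, resource group and location parameters, provided that parameter set does not also define ProtectedSetting.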

Running script from GitHub

In this example, I have stored the Install-Arc7ZIP PowerShell script in my GitHub repository, where everyone can access it.

$Settings = @{
    fileUris = @("https://raw.githubusercontent.com/Kaidja/AzureArc/main/Install-Arc7ZIP.ps1")
    commandToExecute = "powershell -ExecutionPolicy Unrestricted -File Install-Arc7ZIP.ps1"
}

$CustomScriptProperties = @{
    MachineName = "ADFS01"
    Name = "CustomScriptExtension"
    ResourceGroupName = "RG-PROD-IT-ARC"
    Publisher = "Microsoft.Compute"
    ProtectedSetting = $Settings
    Location = "West Europe"
    ExtensionType = "CustomScriptExtension"
}

New-AzConnectedMachineExtension @CustomScriptProperties -Verbose 

From the C:\ProgramData\GuestConfig\extension_logs\Microsoft.Compute.CustomScriptExtension\CustomScriptHandler.log log file, we can see that the script was downloaded from my GitHub repository.

Running script from Azure Blob Storage using SAS (Shared Access Signature)

We have two options for applying scripts from Azure Blob Storage: generate a SAS, or supply the storage account name and key. In this example, we generate the SAS token and apply the extension to our test server.

  1. Create storage account
  2. Create Container
  3. Select Container and choose Upload
  4. Browse your script and click Upload
  5. Select the script and choose Generate SAS
  6. Specify the date range, permissions etc. and click Generate SAS token and URL
  7. Copy the Blob SAS URL value and assign it to the fileUris property

$Settings = @{
    fileUris = @("https://XXXXX.blob.core.windows.net/myscriptcontainer/Install-Arc7ZIP.ps1?sp=r&st=MYSASTOKEN")
    commandToExecute = "powershell -ExecutionPolicy Unrestricted -File Install-Arc7ZIP.ps1"
}

$CustomScriptProperties = @{
    MachineName = "ADFS01"
    Name = "CustomScriptExtension"
    ResourceGroupName = "RG-PROD-IT-ARC"
    Publisher = "Microsoft.Compute"
    ProtectedSetting = $Settings
    Location = "West Europe"
    ExtensionType = "CustomScriptExtension"
}

New-AzConnectedMachineExtension @CustomScriptProperties -Verbose  

Running script from Azure Blob Storage using Storage Account Name and Key

Now we will apply the script using the storage account name and key. To do that, we need to gather data from the Azure Portal.

  1. Open your Azure Storage Account
  2. Select Access Key
  3. Copy the Storage account name and Key values
  4. Specify storageAccountName and storageAccountKey properties in your script

$Settings = @{
    fileUris = @("https://scriptskaido.blob.core.windows.net/managementscripts/Install-Arc7ZIP.ps1")
    commandToExecute = "powershell -ExecutionPolicy Unrestricted -File Install-Arc7ZIP.ps1"
    # Name of the storage account that hosts the blob in fileUris
    storageAccountName = "myscripts"
    storageAccountKey = "MY STORAGE ACCOUNT KEY"
}

$CustomScriptProperties = @{
    MachineName = "ADFS01"
    Name = "CustomScriptExtension"
    ResourceGroupName = "RG-PROD-IT-ARC"
    Publisher = "Microsoft.Compute"
    ProtectedSetting = $Settings
    Location = "West Europe"
    ExtensionType = "CustomScriptExtension"
}

New-AzConnectedMachineExtension @CustomScriptProperties -Verbose  

Running script from a local share

If you have your scripts on an internal file share, then you can use the script block below. In this example, I have removed the fileUris property and defined the location in the commandToExecute property.

$Settings = @{
    commandToExecute = "powershell -ExecutionPolicy Unrestricted -File \\SERVER01\Scripts\Install-Arc7ZIP.ps1"
}

$CustomScriptProperties = @{
    MachineName = "ADFS01"
    Name = "CustomScriptExtension"
    ResourceGroupName = "RG-PROD-IT-ARC"
    Publisher = "Microsoft.Compute"
    ProtectedSetting = $Settings
    Location = "West Europe"
    ExtensionType = "CustomScriptExtension"
}

New-AzConnectedMachineExtension @CustomScriptProperties -Verbose 

Summary

Azure Arc for Servers extensions are awesome. These extensions will make it much easier for us to manage our servers on a daily basis.

If you need help with an Azure Arc for Servers implementation, let me know.