I'm having an issue with an inline deployment script in ARM, I'm trying to get an ObjectId from a script and it appears to work in powershell the script when it runs.
It retrieves the ObjectId no problems and then all I want it is to give me the output of the ObjectId in the Azure portal in deployment script/outputs section.
I have followed Microsoft's documentation deployment scripts to a tee so I think it must be something very small I am doing which is causing an issue. I thought someone experienced in here might be able to have a quick look and see the issue immediately. I'm still quite new to coding and also the azure devops space.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2020-10-01",
"name": "getUserObjectId",
"location": "[resourceGroup().location]",
"kind": "AzurePowerShell",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {}
},
"properties": {
"azPowerShellVersion": "",
"arguments": "",
"scriptContent": "
$output = (Get-AzADUser -UserPrincipalName 'user@email').Id
Write-Output $output
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['text'] = $output
",
"cleanupPreference": "OnSuccess",
"timeout": "PT1H",
"retentionInterval": "P1D"
}
}
],
"outputs": {
"objectId": {
"type": "string",
"value": "[reference('getUserObjectId').outputs.text]"
}
}
}
The script you provided is only missing a value for azPowershellVersion. Unfortunately you don't mention anything about any errors that you are encountering. I have a feeling that you get an error like this:
The template output 'objectId' is not validut JToken type : Template output JToken type is not valid. Expected 'String'. Actual 'Null'.Please see https://aka.ms/arm-syntax-outputs for usage details.
I believe you are not actually getting the UserId from AAD. Instead your script is failing silently. You should look at the script execution logs:
az deployment-scripts show-log -g myresourcegroup --name getUserObjectId
I made the managed identity a global administrator for testing and got the desired results. You probably want to give it more restricted permissions. A working script example will look like this:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2020-10-01",
"name": "getUserObjectId",
"location": "[resourceGroup().location]",
"kind": "AzurePowerShell",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"<managedidentityresourceId>": {}
}
},
"properties": {
"azPowerShellVersion": "8.3",
"arguments": "",
"scriptContent": "
$output = (Get-AzADUser -UserPrincipalName 'user@email').Id
#$output = (New-Guid).ToString()
Write-Output $output
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['text'] = $output
",
"cleanupPreference": "OnSuccess",
"timeout": "PT1H",
"retentionInterval": "P1D"
}
}
],
"outputs": {
"objectId": {
"type": "string",
"value": "[reference('getUserObjectId').outputs.text]"
}
}
}
You can also add $ErrorActionPreference = 'Stop' to the beginning of your deployment script to make sure the whole deployment is failing if the script encounters an error.