azure virtual-machine azure-rm-template sas-token kaspersky

Install applications or software on Azure VM with ARM Template

We're trying to install Kaspersky Network Agent on an Azure VM using ARM Template.

Also, we need to get the .exe or .msi file from VM storage using SAS token. I was searching for the Template examples to operate but couldn't come up with one that accomplishes the task. Do you know, if it's possible to do in this way?

If so, Can you share a template that does a similar task? Also, please explain how to modify the template for this case.

Thanks in advance

Solution

• Yes, you can successfully install an application using the custom script extension in an ARM template in an Azure VM as follows. Kindly check the ARM template file as deployed by me for this purpose. Also, I have used the SAS token to download the application package in the Azure VM during deployment itself and have also used a powershell script to invoke the silent install of the concerned application.

ARM Template: -

I am using the default quickstart template for deploying an Azure VM through ARM template as given in this link : - https://learn.microsoft.com/en-us/azure/virtual-machines/windows/quick-create-template?toc=/azure/azure-resource-manager/templates/toc.json

In this template, I have added the below custom script extension installation content in ‘resources’ section in the above ARM template. Please check the formatting of the ARM template code correctly, i.e., commas, curly brackets, square brackets, etc. Also, ensure to open HTTPS port 443 inbound also as below: -

"securityRules": [
      {
        "name": "default-allow-3389",
        "properties": {
          "priority": 1000,
          "access": "Allow",
          "direction": "Inbound",
          "destinationPortRange": "3389",
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "sourceAddressPrefix": "*",
          "destinationAddressPrefix": "*"
        }
      },
      {
        "name": "AllowHTTPSInBound",
        "properties": {
          "priority": 1010,
          "access": "Allow",
          "direction": "Inbound",
          "destinationPortRange": "443",
          "protocol": "Tcp",
          "sourcePortRange": "*",
          "sourceAddressPrefix": "*",
          "destinationAddressPrefix": "*"
        }
      }
  ]

Custom Script VM extension: -

 {
          "type": "Microsoft.Compute/virtualMachines/extensions",
          "apiVersion": "2021-04-01",
          "name": "[concat(parameters('vmName'),'/', 'InstallWebServer')]",
          "location": "[parameters('location')]",
          "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'))]"
          ],
        "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "typeHandlerVersion": "1.7",
        "autoUpgradeMinorVersion": true,
        "protectedSettings": {
          "storageAccountName": "techtrix",
          "storageAccountKey": "EN6iUzOfVe8Ht0xvyxnqK/iXEGTEunznASsumuz0FR4SCvc2mFFHUJfbMy1/GSK7gXk0MB38MMo7+AStoKxC/w==",
          "fileUris": [
            "https://techtrix.blob.core.windows.net/executable/Testdemo2.ps1"
          ],
          "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File Testdemo2.ps1"
        }
      }
    }

Also, please note that you need to provision a storage account container already for storing the powershell script and the application package in it so that you can use that storage account’s key, its name and the powershell script’s blob URI in place of the same as requested above. Also, please change the name of the powershell script to be executed through the extension in ‘commandToExecute’ section.

Once the above has been done, please ensure the successful execution of silent installation commands for the application package to be installed locally so that they can be accordingly modified in the powershell script. I have used installed ‘7-zip’ application here for demonstration purposes. Please find my powershell script as below. Ensure that this script and the application package is uploaded beforehand, and the access level of the container is set to ‘Anonymous and public access’: -

 Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
 Install-Module -Name Az.Storage -AllowClobber -Force
 Import-Module -Name Az.Storage -Force
 $StorageAccountName = "techtrix"
 $ContainerName = "executable"
 $Blob1Name = "7z2107-x64.exe"
 $TargetFolderPath = "C:\"
 $context = New-AzStorageContext -StorageAccountName $StorageAccountName -SASToken "sp=r&st=2022-02-10T08:40:34Z&se=2022-02-10T16:40:34Z&spr=https&sv=2020-08-04&sr=b&sig=DRDulljKTJiRbVPAXAJkTHi8QlnlbjPpVR3aueEf9xU%3D"
 Get-AzStorageBlobContent -Blob $Blob1Name -Container $ContainerName -Context $context -Destination $TargetFolderPath
 $arg="/S"
 Start-Process -FilePath "C:\7z2107-x64.exe" -ArgumentList $arg ’

Then edit the parameters file with the desired values in ‘adminUsername’, ‘adminPassword’ and ‘location’ and save it in the same location where template file is stored. Now, execute the commands below from powershell console with elevated privileges locally, i.e., through the path where these ARM template files are stored by browsing to that path in powershell itself.

 az login
 az deployment group create -n <name of the deployment> -g <name of the resource group> --template-file "azuredeployVM.json" --parameters "azuredeployVM.parameters.json" ’

After successful deployment, you will be able to see the application installed during the VM creation itself as below: -

In this way, you can install an '.exe' or '.msi' through the ARM template with custom script extension.