
[Bug Report]: Configuration of CustomScriptExtension (Virtual Machines) is faulty

Open khaliddermoumi opened this issue 1 year ago • 0 comments

Describe the bug

According to the CustomScriptExtension docs, the property "fileUri" should be set in "protectedSettings" under certain conditions, but it can be specified in public settings too. It has to be set in either of those, otherwise there will be an error.

Now this is the bug: the current "CustomScriptExtension" code hardcodes the "fileUri" property to the public settings, meaning you can't set it in the protected settings.

Apart from this issue, the current code is IMHO much too restricting in how you can use this extension. The code should not be too restricting in how you can use the extension, because this keeps users from deploying useful and valid configurations. Please see the "Code snippet" box for the code I am referring to (file is: .../Microsoft.Compute/virtualMachines/deploy.bicep). In my opinion, the code should be just like the one from the preceding "DesiredStateConfiguration" Extension - here, the settings are handled this way:

    // ...
    settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {}
    protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {}
    // ...

So I believe the best implementation for the "CustomScriptExtension" would just be:

    // ...
    settings: contains(extensionCustomScriptConfig, 'settings') ? extensionCustomScriptConfig.settings : {}
    protectedSettings: contains(extensionCustomScriptConfig, 'protectedSettings') ? extensionCustomScriptConfig.protectedSettings : {}
    // ...

BTW: why does the extension depend on the "DesiredStateConfiguration" extension? There is a "depends_on". You may want to check this too, while you are at it! ;)

To reproduce

Just see current code: v0.10.0

Code snippet

    module vm_customScriptExtension 'extensions/deploy.bicep' = if (extensionCustomScriptConfig.enabled) {
      name: '${uniqueString(deployment().name, location)}-VM-CustomScriptExtension'
      params: {
        virtualMachineName: vm.name
        name: 'CustomScriptExtension'
        // ...
        settings: {
          fileUris: [for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId') ? '${fileData.uri}?${listAccountSas(fileData.storageAccountId, '2019-04-01', accountSasProperties).accountSasToken}' : fileData.uri]
        }
        protectedSettings: extensionCustomScriptProtectedSetting
        // ...
      }
      dependsOn: [
        vm_desiredStateConfigurationExtension
      ]
    }

Relevant log output

No response

khaliddermoumi, Apr 24 '23 13:04
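The placement the issue asks for, shown as an added example against the native `Microsoft.Compute/virtualMachines/extensions` resource; it is not code from the issue or from ResourceModules. It matters for the snippet above because public `settings` can be read back in plain text from the extension resource, so a SAS token appended to `fileUris` there is exposed, while `protectedSettings` are encrypted and only decrypted on the VM. The parameter names, the contents of `accountSasProperties`, the API version and the script name `install.ps1` are assumptions.

```bicep
// Added illustration: CustomScriptExtension with the SAS-bearing URI kept out of public settings.
param vmName string
param location string = resourceGroup().location
param storageAccountId string // resource ID of the account that hosts the script (assumption)
param scriptUri string        // blob URL of the script, without a query string (assumption)
param sasExpiry string        // ISO 8601 expiry, kept as short as the deployment allows

// Read-only, HTTPS-only SAS limited to blob objects (assumed values)
var accountSasProperties = {
  signedServices: 'b'
  signedPermission: 'r'
  signedResourceTypes: 'o'
  signedProtocol: 'https'
  signedExpiry: sasExpiry
}

resource vm 'Microsoft.Compute/virtualMachines@2022-11-01' existing = {
  name: vmName
}

resource customScript 'Microsoft.Compute/virtualMachines/extensions@2022-11-01' = {
  parent: vm
  name: 'CustomScriptExtension'
  location: location
  properties: {
    publisher: 'Microsoft.Compute'
    type: 'CustomScriptExtension'
    typeHandlerVersion: '1.10'
    autoUpgradeMinorVersion: true
    // Public settings: nothing secret here. A property may appear in
    // settings or in protectedSettings, not in both.
    settings: {}
    // Protected settings: the URI carries a SAS token, so it belongs here.
    protectedSettings: {
      fileUris: [
        '${scriptUri}?${listAccountSas(storageAccountId, '2019-04-01', accountSasProperties).accountSasToken}'
      ]
      commandToExecute: 'powershell -ExecutionPolicy Unrestricted -File install.ps1'
    }
  }
}
```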