Description
Invoke-AzContainerInstanceCommand -PassThru is supposed to return the output of the remotely executed command, but this does not happen when it's called from an ARM deployment script. NULL is returned instead of the command's output.
Steps to reproduce
- Create resource group
- Create managed identity and assign it access to resource group
- Create container instance in resource group
- Run ARM deployment script that executes a command in container instance using managed identity
Save ARM template file to template.json:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identity": {
      "type": "string"
    },
    "utcValue": {
      "type": "string",
      "defaultValue": "[utcNow()]"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deploymentScripts",
      "apiVersion": "2020-10-01",
      "name": "script",
      "location": "[resourceGroup().location]",
      "kind": "AzurePowerShell",
      "identity": {
        "type": "userAssigned",
        "userAssignedIdentities": {
          "[parameters('identity')]": {}
        }
      },
      "properties": {
        "forceUpdateTag": "[parameters('utcValue')]",
        "scriptContent": "
          $DebugPreference='Continue'
          Connect-AzAccount -Identity
          $output_name = (Get-AzContainerGroup -Name myapp -ResourceGroupName MyResourceGroup).Name
          $output_invokecommand = (Invoke-AzContainerInstanceCommand -ContainerGroupName myapp -ContainerName myapp -ResourceGroupName MyResourceGroup -PassThru -Command hostname)
          $DeploymentScriptOutputs = @{}
          $DeploymentScriptOutputs['psversion'] = $PSVersionTable
          $DeploymentScriptOutputs['azmodule'] = (Get-Module Az*)
          $DeploymentScriptOutputs['name'] = [string]::IsNullOrEmpty($output_name) ? 'None' : $output_name
          $DeploymentScriptOutputs['invokecommand'] = [string]::IsNullOrEmpty($output_invokecommand) ? 'None' : $output_invokecommand
        ",
        "azPowerShellVersion": "10.1.0",
        "retentionInterval": "P1D"
      }
    }
  ],
  "outputs": {
    "psversion": {
      "value": "[reference('script').outputs.psversion]",
      "type": "object"
    },
    "azmodule": {
      "value": "[reference('script').outputs.azmodule]",
      "type": "array"
    },
    "name": {
      "value": "[reference('script').outputs.name]",
      "type": "string"
    },
    "invokecommand": {
      "value": "[reference('script').outputs.invokecommand]",
      "type": "string"
    }
  }
}
```
Run az cli scripts:
```bash
# Create Resource Group
RESOURCE_GROUP_ID=$(az group create --name MyResourceGroup --location eastus2 --query id -o tsv)
# Create Managed User Identity
IDENTITY_PRINCIPAL_ID=$(az identity create --name MyIdentity --resource-group MyResourceGroup --query principalId -o tsv)
IDENTITY_ID=$(az identity show --name MyIdentity --resource-group MyResourceGroup --query id -o tsv)
# Assign it as Owner of resource group
az role assignment create --role Owner --assignee-object-id "$IDENTITY_PRINCIPAL_ID" --assignee-principal-type ServicePrincipal --scope "$RESOURCE_GROUP_ID" > /dev/null
# Create some container
az container create -g MyResourceGroup --name myapp --image ubuntu/nginx --cpu 1 --memory 1 > /dev/null
# Execute deployment script that runs Invoke-AzContainerInstanceCommand
az deployment group create -g MyResourceGroup --template-file template.json --parameters identity="$IDENTITY_ID" --query properties.outputs
```
Execution result:
```json
{
  "invokecommand": {
    "type": "String",
    "value": "None"
  },
  "name": {
    "type": "String",
    "value": "myapp"
  }
}
```
invokecommand is None and this is not correct.
Expected behavior
The expected behavior can be achieved using the same PowerShell script run from another container.

```bash
# Create a PowerShell container
az container create -g MyResourceGroup --name mypowershellapp --image mcr.microsoft.com/azure-powershell:latest --cpu 1 --memory 1 --assign-identity "$IDENTITY_ID" --command-line "tail -f /dev/null" > /dev/null
# Run PowerShell shell
az container exec --name mypowershellapp -g MyResourceGroup --exec-command pwsh
```

When inside the PowerShell shell, execute this script:
```powershell
Connect-AzAccount -Identity
$output_name = (Get-AzContainerGroup -Name myapp -ResourceGroupName MyResourceGroup).Name
$output_invokecommand = (Invoke-AzContainerInstanceCommand -ContainerGroupName myapp -ContainerName myapp -ResourceGroupName MyResourceGroup -PassThru -Command hostname)
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['name'] = [string]::IsNullOrEmpty($output_name) ? 'None' : $output_name
$DeploymentScriptOutputs['invokecommand'] = [string]::IsNullOrEmpty($output_invokecommand) ? 'None' : $output_invokecommand
$DeploymentScriptOutputs | ConvertTo-Json
```
Result:
```json
{
  "invokecommand": "SandboxHost-638264819553872363",
  "name": "myapp"
}
```
invokecommand is SandboxHost-638264819553872363 and this is correct.
Issue script & Debug output
No access to debug output in ARM template runtime.
Environment data
```json
{
  "GitCommitId": "7.2.11",
  "OS": "Linux 5.10.102.2-microsoft-standard #1 SMP Mon Mar 7 17:36:34 UTC 2022",
  "PSCompatibleVersions": [
    "1.0",
    "2.0",
    "3.0",
    "4.0",
    "5.0",
    "5.1.10032.0",
    "6.0.0",
    "6.1.0",
    "6.2.0",
    "7.0.0",
    "7.1.0",
    "7.2.11"
  ],
  "PSEdition": "Core",
  "PSRemotingProtocolVersion": {
    "Build": -1,
    "Major": 2,
    "MajorRevision": -1,
    "Minor": 3,
    "MinorRevision": -1,
    "Revision": -1
  },
  "PSVersion": {
    "BuildLabel": null,
    "Major": 7,
    "Minor": 2,
    "Patch": 11,
    "PreReleaseLabel": null
  },
  "Platform": "Unix",
  "SerializationVersion": {
    "Build": 0,
    "Major": 1,
    "MajorRevision": 0,
    "Minor": 1,
    "MinorRevision": 1,
    "Revision": 1
  },
  "WSManStackVersion": {
    "Build": -1,
    "Major": 3,
    "MajorRevision": -1,
    "Minor": 0,
    "MinorRevision": -1,
    "Revision": -1
  }
}
```
Module versions
"Name": "Az.Accounts"
"Version": "2.12.4"
"Name": "Az.ContainerInstance"
"Version": "3.2.0"
Error output
No response
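
The report notes that the deployment script replaces an empty result with 'None' and that debug output is not reachable from the ARM runtime. The following is an added example, not part of the original report or of the Az modules: a deployment script body that stops with a terminating error when `-PassThru` yields nothing and carries host details in the error text. The function names `Get-HostContext` and `Invoke-ContainerCommandChecked` are hypothetical; the resource names are the ones used in the reproduction.

```powershell
# Added example (hypothetical helper names); resource names come from the report.
$ErrorActionPreference = 'Stop'

function Get-HostContext {
    # Facts about the PowerShell host, for comparing the deployment-script
    # runtime with an interactive pwsh session.
    [ordered]@{
        HostName            = $Host.Name
        PSVersion           = $PSVersionTable.PSVersion.ToString()
        InputRedirected     = [Console]::IsInputRedirected
        OutputRedirected    = [Console]::IsOutputRedirected
        AzContainerInstance = "$((Get-Module Az.ContainerInstance).Version)"
    }
}

function Invoke-ContainerCommandChecked {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ContainerGroupName,
        [Parameter(Mandatory)] [string] $ContainerName,
        [Parameter(Mandatory)] [string] $Command
    )
    $result = Invoke-AzContainerInstanceCommand -ResourceGroupName $ResourceGroupName `
        -ContainerGroupName $ContainerGroupName -ContainerName $ContainerName `
        -Command $Command -PassThru

    # Fail closed: an empty result is reported as an error, not as a placeholder value.
    if ([string]::IsNullOrWhiteSpace("$result")) {
        $context = Get-HostContext | ConvertTo-Json -Compress
        throw "Invoke-AzContainerInstanceCommand -PassThru returned no output for '$Command'. Host context: $context"
    }
    return "$result".Trim()
}

Connect-AzAccount -Identity | Out-Null
$DeploymentScriptOutputs = @{}
$DeploymentScriptOutputs['invokecommand'] = Invoke-ContainerCommandChecked `
    -ResourceGroupName MyResourceGroup -ContainerGroupName myapp `
    -ContainerName myapp -Command hostname
```

The script uses double-quoted strings, so it is written as a standalone `.ps1` file; placing it inline in `scriptContent` would require escaping those quotes for JSON.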