Microsoft Azure CLI Extension for creating (or "baking") custom virtual machine (VM) images.
To install the Azure CLI Custom Image Helper extension, simply run the following command:
az extension add --source https://github.com/colbylwilliams/az-bake/releases/latest/download/bake-0.3.11-py3-none-any.whl -y
To update Azure CLI DevCenter Helper extension to the latest version:
az bake upgrade
or for the latest pre-release version:
az bake upgrade --pre
You'll have to install the Azure CLI if you haven't already
az ad sp create-for-rbac -n MyUniqueName
output:
{
"appId": "<GUID>",
"displayName": "MyUniqueName",
"password": "<STRING>",
"tenant": "<GUID>"
}
3. Create three new GitHub repository secrets or DevOps secret variables with the values output above:
- AZURE_CLIENT_ID (appId)
- AZURE_CLIENT_SECRET (password)
- AZURE_TENANT_ID (tenant)
4. Install the az bake Azure CLI extension
5. Create a new sandbox, providing an Azure Compute Gallery and the Service Principal's ID (created above)
Important: The GUID passed in for the --principal argument is the principal's ID, NOT its AppId from the output above. To get the principal's ID, run:
az ad sp show --id appId -o tsv --query id
az bake sandbox create --name MySandbox --gallery MyGallery --principal 00000000-0000-0000-0000-000000000000
az bake repo setup --sandbox MySandbox --gallery MyGallery
This will generate a GitHub workflow or a DevOps pipeline yaml file in your repo that will build your images on commit.
az bake image create --name MyImage
This will kick off a workflow/pipeline to build your custom images. Once it is finished, you can continue to monitor the image builds:
az bake image logs --sandbox MySandbox --name MyImage
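The principal ID lookup and sandbox creation from the steps above can be wrapped so that an appId can never be passed to --principal by mistake. This is an added example, not code from the az-bake project; the function names and the script name in the comment are hypothetical, and the az calls are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not az-bake project code. Resolves the service principal's
# object ID from its appId and refuses to continue if the two are confused.

is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# resolve_principal_id APP_ID -> prints the object ID expected by --principal
resolve_principal_id() {
  local app_id object_id
  app_id=$1
  is_guid "$app_id" || { echo "appId is not a GUID: $app_id" >&2; return 2; }
  # Same lookup the page gives: az ad sp show --id appId -o tsv --query id
  object_id=$(az ad sp show --id "$app_id" -o tsv --query id) || return 3
  is_guid "$object_id" || { echo "lookup did not return a GUID" >&2; return 4; }
  # The object ID and the appId are different GUIDs; equality means the
  # wrong property was queried or pasted.
  if [ "$(lower "$object_id")" = "$(lower "$app_id")" ]; then
    echo "got the appId back, not the principal's ID" >&2
    return 5
  fi
  printf '%s\n' "$object_id"
}

# create_sandbox APP_ID SANDBOX GALLERY
create_sandbox() {
  local principal
  principal=$(resolve_principal_id "$1") || return
  az bake sandbox create --name "$2" --gallery "$3" --principal "$principal"
}

# Run only when called with the three arguments, e.g.
#   sh create-sandbox.sh "$AZURE_CLIENT_ID" MySandbox MyGallery
if [ "$#" -eq 3 ]; then
  create_sandbox "$@"
fi
```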
In the context of az bake, a sandbox is a collection of resources in a resource group that are used to create (or "bake") custom VM images. It's a secure, self-contained environment where Packer will be executed from Azure Container Instance in a private virtual network. A sandbox is required to use az bake. You can create a new sandbox using the az bake sandbox create command.
Each sandbox includes a:
- Key Vault
- Storage Account
- Azure Container Instance (ACI) group for each custom image
- Virtual Network, with two subnets
  - A default subnet to which the temporary VMs will be joined. This also hosts a private endpoint for the Key Vault.
  - A builders subnet to which the ACI containers will be joined. This subnet must be set up to delegate access to ACI, and must only contain ACI container groups.
- User-assigned Managed Identity that is assigned to the ACI containers executing Packer and the temporary VMs. This identity will also require the Contributor role on the resource group that contains the Azure Compute Gallery where your custom images will be published.
This extension adds the following commands. Use az bake -h for more information.
Command | Description |
---|---|
az bake sandbox create | Create a sandbox. |
az bake sandbox validate | Validate a sandbox. |
az bake repo build | Bake images defined in a repo (usually run in CI). |
az bake repo setup | Setup a repo for baking. |
az bake repo validate | Validate a repo. |
az bake image create | Create an image. |
az bake image logs | Get the logs for an image build. |
az bake image rebuild | Rebuild an image that failed. |
az bake image bump | Bump the version number of images. |
az bake yaml export | Export a bake.yaml file. |
az bake validate sandbox | Validate a sandbox. This is an alias for az bake sandbox validate. |
az bake validate repo | Validate a repo. This is an alias for az bake repo validate. |
az bake version | Show the version of the bake extension. |
az bake upgrade | Update bake cli extension. |
Create a sandbox.
az bake sandbox create --name
[--gallery]
[--location]
[--principal]
[--sandbox]
[--tags]
[--local]
[--pre]
[--template-file]
[--templates-url]
[--version]
[--builders-prefix]
[--builders-subnet]
[--default-prefix]
[--default-subnet]
[--vnet-address-prefix]
Create a sandbox.
az bake sandbox create -l eastus --name mySandbox \
--gallery myGallery --principal CI_SP_ID
Create a sandbox with an existing resource group.
az bake sandbox create -l eastus -g mySandbox --name my-sandbox \
--gallery myGallery --principal CI_SP_ID
- --name: The prefix to use in the name of all resources created in the build sandbox. For example, if Contoso-Images is provided, the key vault, storage account, and vnet will be named Contoso-Images-kv, contosoimagesstorage, and contoso-images-vnet respectively.
- --gallery: Name or ID of an Azure Compute Gallery. You can configure the default using az configure --defaults bake-gallery=<id>.
- --location: Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.
- --principal: The principal ID of a service principal used to run az bake from a CI pipeline. It will be given the Contributor role on the sandbox resource group.
- --sandbox: Name of the sandbox resource group. You can configure the default using az configure --defaults bake-sandbox=<name>.
- --tags: Space-separated tags: key[=value] [key[=value] ...]. Use '' to clear existing tags.
- --local: Use the local template file that was packaged with the cli instead of downloading from GitHub.
- --pre: Deploy the latest template prerelease version.
- --template-file: Path to a custom sandbox arm/bicep template.
- --templates-url: URL to a custom templates.json file.
- --version: Sandbox template release version. Default value: latest stable
- --builders-prefix: The CIDR prefix to use when creating the subnet for the ACI containers that execute Packer. Default value: 10.0.0.128/25
- --builders-subnet: The name to use when creating the subnet for the ACI containers that execute Packer. Default value: builders
- --default-prefix: The CIDR prefix to use when creating the subnet for the temporary VMs and private endpoints. Default value: 10.0.0.0/25
- --default-subnet: The name to use when creating the subnet for the temporary VMs and private endpoints. Default value: default
- --vnet-address-prefix: The CIDR prefix to use when creating a new VNet. Default value: 10.0.0.0/24
Global arguments, accepted by every az bake command:
- --debug: Increase logging verbosity to show all debug logs.
- --help: Show this help message and exit.
- --only-show-errors: Only show errors, suppressing warnings.
- --output: Output format. Allowed values: json, jsonc, none, table, tsv, yaml, yamlc. Default value: json
- --query: JMESPath query string. See http://jmespath.org/ for more information and examples.
- --subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
- --verbose: Increase logging verbosity. Use --debug for full debug logs.
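Because the CI service principal passed as --principal is meant to hold Contributor on the sandbox resource group, it is worth checking that it holds nothing broader. The following added example (not part of az-bake) filters role assignments for any scope outside the sandbox; the function name, the sample data and the tab-separated input format are assumptions, with the input produced by the az role assignment list call shown in the comment.

```shell
#!/bin/sh
# Added example, not az-bake project code.
# Input (assumed): one "role<TAB>scope" line per assignment, as produced by
#   az role assignment list --assignee "$PRINCIPAL_ID" --all -o tsv \
#     --query "[].[roleDefinitionName, scope]"

# out_of_scope SUBSCRIPTION_ID SANDBOX_RG   (reads assignments on stdin)
# Prints every assignment whose scope is not the sandbox resource group or a
# resource inside it. Exit status is 1 when anything was printed.
out_of_scope() {
  awk -F '\t' -v sub_id="$1" -v rg="$2" '
    BEGIN { allowed = tolower("/subscriptions/" sub_id "/resourceGroups/" rg) }
    NF >= 2 {
      scope = tolower($2)          # Azure resource IDs are case-insensitive
      sub(/\/+$/, "", scope)
      # Accept the resource group itself or a child resource, never a name
      # prefix: ".../resourceGroups/MySandbox2" must not pass for "MySandbox".
      if (scope == allowed || index(scope, allowed "/") == 1) next
      printf "%s\t%s\n", $1, $2
      bad = 1
    }
    END { exit bad }
  '
}

# Constructed sample data: placeholder subscription ID, made-up assignments.
SAMPLE_SUB=00000000-0000-0000-0000-000000000000
SAMPLE_ASSIGNMENTS=$(printf '%s\t%s\n' \
  Contributor "/subscriptions/$SAMPLE_SUB/resourceGroups/MySandbox" \
  Contributor "/subscriptions/$SAMPLE_SUB/resourceGroups/MySandbox2" \
  Owner       "/subscriptions/$SAMPLE_SUB")

# Demo run over the sample: lists the two assignments that exceed the sandbox.
printf '%s\n' "$SAMPLE_ASSIGNMENTS" | out_of_scope "$SAMPLE_SUB" MySandbox ||
  echo "principal has access beyond the sandbox resource group" >&2
```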
Validate a sandbox.
az bake sandbox validate --sandbox
[--gallery]
Validate a sandbox.
az bake sandbox validate --sandbox mySandbox
Validate a sandbox and ensure the correct permissions on a gallery.
az bake sandbox validate --sandbox mySandbox --gallery myGallery
- --sandbox: Name of the sandbox resource group. You can configure the default using az configure --defaults bake-sandbox=<name>.
- --gallery: Name or ID of an Azure Compute Gallery. You can configure the default using az configure --defaults bake-gallery=<id>.
Bake images defined in a repo (usually run in CI).
az bake repo build --repo
[--images]
[--repo-revision]
[--repo-token]
[--repo-url]
Build all the images in a repo.
az bake repo build --repo .
- --repo: Path to the locally cloned repository.
- --images: Space separated list of images to bake. Default value: all images in repository
- --repo-revision: Repository revision.
- --repo-token: Repository token.
- --repo-url: Repository url.
Setup a repo for baking.
az bake repo setup --gallery
[--sandbox]
[--repo]
Setup a repo for baking.
az bake repo setup --sandbox mySandbox --gallery myGallery
- --gallery: Name or ID of an Azure Compute Gallery. You can configure the default using az configure --defaults bake-gallery=<id>.
- --sandbox: Name of the sandbox resource group. You can configure the default using az configure --defaults bake-sandbox=<name>.
- --repo: Path to the locally cloned repository. Default value: ./
Validate a repo.
az bake repo validate --repo
Validate a repo.
az bake repo validate --repo .
- --repo: Path to the locally cloned repository. Default value: ./
Create an image.
az bake image create --name
[--repo]
Create an image.yml file.
az bake image create --name myImage
- --name: Name of the image to create.
- --repo: Path to the locally cloned repository. Default value: ./
Get the logs for an image build.
az bake image logs --name
--sandbox
Get the logs for an image.
az bake image logs --sandbox mySandbox --name myImage
- --name: Name of the image.
- --sandbox: Name of the sandbox resource group. You can configure the default using az configure --defaults bake-sandbox=<name>.
Rebuild an image that failed.
az bake image rebuild --name
--sandbox
[--no-wait]
Rebuild an image that failed.
az bake image rebuild --sandbox mySandbox --name myImage
- --name: Name of the image to rebuild.
- --sandbox: Name of the sandbox resource group. You can configure the default using az configure --defaults bake-sandbox=<name>.
- --no-wait: Do not wait for the long-running operation to finish.
Bump the version numbers of images.
az bake image bump [--images]
[--repo]
[--major]
[--minor]
Bump the patch version of all images.
az bake image bump
Bump the minor version of all images.
az bake image bump --minor
Bump the major version of specific images.
az bake image bump --major --images myImage1 MyImage2
- --images: Space separated list of images to bump. Default value: all images in repository
- --repo: Path to the locally cloned repository. Default value: ./
- --major: Bump the major version.
- --minor: Bump the minor version.
Export a bake.yaml file.
az bake yaml export --gallery
--sandbox
[--outdir]
[--outfile]
[--stdout]
Export a bake.yaml file to a directory.
az bake yaml export --sandbox mySandbox --gallery myGallery --outdir ./myDir
Export a bake.yaml file to a specific file.
az bake yaml export --sandbox mySandbox --gallery myGallery --outfile ./myDir/myFile.yaml
Print the bake.yaml file output to the console.
az bake yaml export --sandbox mySandbox --gallery myGallery --stdout
- --gallery: Name or ID of an Azure Compute Gallery. You can configure the default using az configure --defaults bake-gallery=<id>.
- --sandbox: Name of the sandbox resource group. You can configure the default using az configure --defaults bake-sandbox=<name>.
- --outdir: When set, saves the output at the specified directory.
- --outfile: When set, saves the output as the specified file path. Default value: ./bake.yml
- --stdout: When set, prints all output to stdout instead of corresponding files.
Validate a sandbox. This is an alias for az bake sandbox validate.
az bake validate sandbox --sandbox
[--gallery]
Validate a sandbox.
az bake validate sandbox --sandbox mySandbox --gallery /My/Gallery/Resource/ID
- --sandbox: Name of the sandbox resource group. You can configure the default using az configure --defaults bake-sandbox=<name>.
- --gallery: Name or ID of an Azure Compute Gallery. You can configure the default using az configure --defaults bake-gallery=<id>.
Validate a repo. This is an alias for az bake repo validate.
az bake validate repo --repo
Validate a repo.
az bake validate repo --repo .
- --repo: Path to the locally cloned repository. Default value: ./
Show the version of the bake extension.
az bake version
Update bake cli extension.
az bake upgrade [--pre]
[--version]
Update bake cli extension to the latest stable release.
az bake upgrade
Update bake cli extension to the latest pre-release.
az bake upgrade --pre
Update bake cli extension to a specific version.
az bake upgrade --version 0.1.0
- --pre: Update to the latest template prerelease version.
- --version: Version (tag). Default: latest stable.