Scripted actions for Azure Runbooks
Azure Runbooks are scripts that run outside the context of a specific VM to simplify complex or repeated configuration processes. They run directly in your Azure environment through an Azure Automation Account that is created and managed by the Nerdio Manager App, in the security context of the Nerdio Manager service principal. This allows Azure Runbooks to be used to automate the configuration of a broad range of Azure environment resources, including individual VMs, storage, Key Vault, and networking.
Note: For more information about scripted actions that run in the context of a specific VM, refer to Scripted Actions for Windows Scripts.
Scripted actions in Nerdio Manager further simplify the process of managing your environment with Azure Runbooks by allowing you to create a modular library of actions. You can combine and order multiple actions to be compiled into a single runbook at run time, and reuse a single scripted action in multiple runbooks.
Notes:
For more information about Azure Automation Accounts, refer to Azure Automation - Overview.
Some of the Azure Runbooks scripted actions are customized by the Nerdio Manager Admin. You can modify the existing script or add your own.
An Automation Account is created automatically when you enable scripted actions for Azure Runbooks for the first time.
Enable and configure scripted actions for Azure Runbooks
Azure Runbooks are disabled by default in Nerdio Manager and must be enabled before you can use them.
To enable and configure the Azure Runbooks settings:
Navigate to Settings > Environment, and then select the Nerdio tab.
Scroll down to the Azure Runbooks Scripted Actions section, and select the down-arrow to expand the section.
In the Current status section, select Configure. This section also shows whether Azure Runbooks scripted actions are currently enabled or disabled.
Enter the following information:
Use Azure Automation Runbooks?: Toggle this option on or off.
Off: The Automation Account is deleted when you disable this feature.
On: You can select an Azure region where an Automation Account is created to run this runbook.
Automation Account Name: Type the account name. This is a unique name and is only used to run these Azure Runbooks.
Hybrid Worker Group: Optionally, from the drop-down list, select a hybrid worker group to use with the Automation Account.
Runbook Execution Mode: Select from the following options:
Storage account: Sends Azure Automation a link to the script stored in the connected Azure Storage account. Recommended for standard (non-security hardened) accounts.
Inline Script: Encodes and sends the text of the entire script to Azure Automation. Recommended for security hardened environments where Azure Automation does not have access to the Azure Storage account.
Note: Scripts larger than 500KB may fail in Inline Script mode. If you will use scripts of this size in your security-hardened environment, we recommend that you instead use a hybrid worker to allow you to use runbooks.
Once you have entered the desired information, select OK.
Configure a hybrid worker VM
Nerdio Manager allows you to integrate Azure Automation accounts with security-hardened environments that require private endpoints. The recommended method for using Azure Runbooks with private endpoints is to configure the Runbook Execution Mode setting to Inline Script (see above). However, this method may not work correctly with very large scripts (>500KB). If you will use scripts of this size in your security-hardened environment, we recommend that you instead use a hybrid worker to allow you to use runbooks.
Hybrid worker VMs are connected directly to a VNet, and allow scripted actions to be used in Storage account mode when Key Vault and other Nerdio Manager components are only accessible via private endpoints.
Note: For more details, see the Microsoft Learn article Run Automation runbooks on a Hybrid Runbook Worker.
Before you can implement hybrid workers in Nerdio Manager, you must do the following:
Create an extension-based hybrid worker. See the Microsoft Learn article Deploy an extension-based Windows or Linux User Hybrid Runbook Worker in Azure Automation for details.
Install the Run As account certificate on the hybrid worker. See below for details.
Install the Run As account certificate on the hybrid worker:
Find the Azure Key Vault associated with the Nerdio installation. Its name begins with nmw-app-kv-.
In the Key Vault, select Certificates.
Select the certificate called nmw-scripted-action-cert.
Select Download in PFX/PEM format.
Note: In order to download the certificate, your user account needs permission to list/get certificates AND secrets from the key vault. See this Microsoft article for more information.
Install the downloaded certificate on the hybrid worker VM.
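The installation step above, as an added PowerShell example (not Nerdio's or Microsoft's code): it imports the downloaded PFX on the hybrid worker, confirms the private key arrived, warns when expiry is near, and deletes the downloaded file. The function name, the `Cert:\LocalMachine\My` store and the sample file path are assumptions; the page does not name a certificate store.

```powershell
# Added example. Run from an elevated PowerShell session on the hybrid worker VM.
function Install-ScriptedActionCert {
    [CmdletBinding()]
    param(
        # Path to the PFX downloaded from Key Vault (hypothetical location).
        [Parameter(Mandatory)][string]$PfxPath,
        # Assumption: the machine Personal store; the page does not name a store.
        [string]$StoreLocation = 'Cert:\LocalMachine\My',
        # Warn when the certificate expires within this many days.
        [int]$WarnDays = 30
    )

    if (-not (Test-Path -LiteralPath $PfxPath -PathType Leaf)) {
        throw "PFX file not found: $PfxPath"
    }

    # Key Vault exports the PFX without a password, so none is supplied.
    # Without -Exportable the private key is imported as non-exportable.
    $cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation $StoreLocation -ErrorAction Stop

    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) was imported without a private key."
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "Certificate expires in $daysLeft days; renew it in Nerdio Manager."
    }

    # The downloaded file holds the unprotected private key: remove it after import.
    Remove-Item -LiteralPath $PfxPath -Force

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Store      = $StoreLocation
    }
}

# Constructed sample path; adjust to where the download was copied.
Install-ScriptedActionCert -PfxPath 'C:\Temp\nmw-scripted-action-cert.pfx'
```

Compare the returned thumbprint with the one shown for the certificate in Key Vault to confirm the right version was installed.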
Renew the Azure Runbooks Scripted Actions automation certificate
Nerdio Manager allows you to renew the Azure Runbook scripted actions automation certificate.
Navigate to Settings > Environment, and then select the Nerdio tab.
Scroll down to the Azure Runbooks Scripted Actions section, and select the down-arrow to expand the section.
In the Certificate section, select Renew.
In the Certificate Validity (Months) box, enter the desired number of months you want the certificate to be valid for.
Note: The default value of 120 months is recommended.
Once you have entered the desired information, select OK.
Note: This task may take some time to run. You can follow its progress in the Settings Tasks window.
After you renew the certificate, be sure to connect the subscriptions.
In the Azure Runbooks Scripted Actions tile, select Connect for each subscription that is not connected.
Follow the on-screen instructions to connect each subscription.
Manage Azure Runbooks module versions
Nerdio Manager allows you to manage the Azure Runbooks scripted actions module versions.
Navigate to Settings > Environment, and then select the Nerdio tab.
Scroll down to the Azure Runbooks Scripted Actions section, and select the down-arrow to expand the section.
In the Module versions section, select Configure.
In the Manage Module Versions dialog box, locate the module you want to update, and from the Available Versions drop-down list, select the version you want to upgrade to.
Select Update.
Select OK once you have completed the updates.
Create, edit, group, and apply scripted actions for Azure Runbooks
For detailed instructions on creating, viewing, editing, cloning, and applying scripted actions, see Scripted actions overview.
For instructions on combining multiple scripted actions to run as a single Azure runbook, see Scripted Actions Groups.
Runbook Execution Mode - Inline Script
You can enable Parameter Execution or Inline Script execution for Azure Runbooks. This feature allows you to use Azure Runbooks in hardened environments where storage accounts are locked down without the complexity of deploying or managing hybrid runbook worker VMs.
To enable Parameter Execution or Inline Script execution for Azure Runbooks:
Navigate to Settings > Environment, and then select the Nerdio tab.
Scroll down to the Azure Runbooks Scripted Actions section, and select the down-arrow to expand the section.
In the Current status section, select
.
Turn On the Enable Parameter Execution option.
Select OK.