diff --git a/windows-rdp/main.tf b/windows-rdp/main.tf
index 9de4783..cd52c67 100644
--- a/windows-rdp/main.tf
+++ b/windows-rdp/main.tf
@@ -34,99 +34,12 @@ resource "coder_script" "windows-rdp" {
 agent_id = var.agent_id
 display_name = "windows-rdp"
 icon = "https://svgur.com/i/158F.svg" # TODO: add to Coder icons
- script = <', "$patch") | Set-Content $devolutionsHtml
- }
- }
-
- Set-AdminPassword -adminPassword "${var.admin_password}"
- Configure-RDP
- Install-DevolutionsGateway
- Patch-Devolutions-HTML
-
- EOF
+ script = templatefile("./windows-installation.tftpl", {
+ CODER_USERNAME : var.admin_username,
+ CODER_PASSWORD : var.admin_password,
+ })
-run_on_start = true
+ run_on_start = true
 }
 resource "coder_app" "windows-rdp" {
diff --git a/windows-rdp/windows-installation.tftpl b/windows-rdp/windows-installation.tftpl
new file mode 100644
index 0000000..fc0404a
--- /dev/null
+++ b/windows-rdp/windows-installation.tftpl
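Review bot: The path in `templatefile("./windows-installation.tftpl", …)` on the new `script =` line is resolved against the directory Terraform runs in, not against this module, so the file will not be found when windows-rdp is consumed as a module from another root; `script = templatefile("${path.module}/windows-installation.tftpl", {` avoids that. The map passes only `CODER_USERNAME` and `CODER_PASSWORD`, while the template added in this same commit still reads `${var.admin_username}`, `${var.admin_password}` and `${path.module}` and calls `templatefile` again. None of those names are in scope inside a template, and as far as I know Terraform rejects a `templatefile` call made from within a template, so rendering would likely fail. Rendering devolutions-patch.js here and passing the result in as a third key would keep the template to plain variable references. The `coder_script` resource begins above the hunk.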
@@ -0,0 +1,88 @@
+function Set-AdminPassword {
+ param (
+ [string]$adminPassword
+ )
+ # Set admin password
+ Get-LocalUser -Name "${var.admin_username}" | Set-LocalUser -Password (ConvertTo-SecureString -AsPlainText $adminPassword -Force)
+ # Enable admin user
+ Get-LocalUser -Name "${var.admin_username}" | Enable-LocalUser
+}
+
+function Configure-RDP {
+ # Enable RDP
+ New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0 -PropertyType DWORD -Force
+ # Disable NLA
+ New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 0 -PropertyType DWORD -Force
+ New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "SecurityLayer" -Value 1 -PropertyType DWORD -Force
+ # Enable RDP through Windows Firewall
+ Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
+}
+
+function Install-DevolutionsGateway {
+# Define the module name and version
+$moduleName = "DevolutionsGateway"
+$moduleVersion = "2024.1.5"
+
+# Install the module with the specified version for all users
+# This requires administrator privileges
+try {
+ # Install-PackageProvider is required for AWS. Need to set command to
+ # terminate on failure so that try/catch actually triggers
+ Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -ErrorAction Stop
+ Install-Module -Name $moduleName -RequiredVersion $moduleVersion -Force
+}
+catch {
+ # If the first command failed, assume that we're on GCP and run
+ # Install-Module only
+ Install-Module -Name $moduleName -RequiredVersion $moduleVersion -Force
+}
+
+# Construct the module path for system-wide installation
+$moduleBasePath = "C:\Windows\system32\config\systemprofile\Documents\PowerShell\Modules\$moduleName\$moduleVersion"
+$modulePath = Join-Path -Path $moduleBasePath -ChildPath "$moduleName.psd1"
+
+# Import the module using the full path
+Import-Module $modulePath
+Install-DGatewayPackage
+
+# Configure Devolutions Gateway
+$Hostname = "localhost"
+$HttpListener = New-DGatewayListener 'http://*:7171' 'http://*:7171'
+$WebApp = New-DGatewayWebAppConfig -Enabled $true -Authentication None
+$ConfigParams = @{
+ Hostname = $Hostname
+ Listeners = @($HttpListener)
+ WebApp = $WebApp
+}
+Set-DGatewayConfig @ConfigParams
+New-DGatewayProvisionerKeyPair -Force
+
+# Configure and start the Windows service
+Set-Service 'DevolutionsGateway' -StartupType 'Automatic'
+Start-Service 'DevolutionsGateway'
+}
+
+function Patch-Devolutions-HTML {
+$root = "C:\Program Files\Devolutions\Gateway\webapp\client"
+$devolutionsHtml = "$root\index.html"
+$patch = ''
+
+# Always copy the file in case we change it.
+@'
+${templatefile("${path.module}/devolutions-patch.js", {
+CODER_USERNAME : var.admin_username,
+CODER_PASSWORD : var.admin_password,
+})}
+'@ | Set-Content "$root\coder.js"
+
+# Only inject the src if we have not before.
+$isPatched = Select-String -Path "$devolutionsHtml" -Pattern "$patch" -SimpleMatch
+if ($isPatched -eq $null) {
+ (Get-Content $devolutionsHtml).Replace('', "$patch") | Set-Content $devolutionsHtml
+}
+}
+
+Set-AdminPassword -adminPassword "${var.admin_password}"
+Configure-RDP
+Install-DevolutionsGateway
+Patch-Devolutions-HTML
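Review bot: `Set-AdminPassword -adminPassword "${var.admin_password}"` near the end of the file splices the password into a double-quoted PowerShell string, so a value containing `"`, `$` or a backtick is either expanded by PowerShell or ends the string early and the remainder is parsed as script. A single-quoted literal with embedded quotes doubled closes that, e.g. `Set-AdminPassword -adminPassword '${replace(CODER_PASSWORD, "'", "''")}'`, using the `CODER_PASSWORD` key that main.tf passes to the template. Separately, `Install-DevolutionsGateway` listens on `http://*:7171` with `-Authentication None`, and `Patch-Devolutions-HTML` writes a file rendered with the admin username and password to `coder.js` under the gateway's `webapp\client` directory, which is presumably served to any client that can reach that port. With NLA also disabled in `Configure-RDP`, this deserves a comment above the listener such as `# SECURITY: gateway web app is unauthenticated and coder.js carries the admin credentials; port 7171 must only be reachable through the Coder agent`, plus a check that no firewall rule or security group exposes the port.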