Add a bicep deployment script

Make it easy to give correct credentials and run a container

deployment/deployment.bicep

@@ -0,0 +1,158 @@
+@description('The resource group of the media account')
+param mediaAccountRG string
+
+@description('Azure Media Services account name')
+param mediaAccountName string
+
+@description('The storage account where the migrated data is written')
+param storageAccountName string
+
+@description('The resource group of storage account where the migrated data is written')
+param storageAccountRG string
+
+@description('The region where the Azure media services account is present')
+param location string = resourceGroup().location
+
+@description('Set to true if you need to encrypt the content')
+param encrypt bool = true
+
+@description('The key vault to store the envcryption keys')
+param keyvaultname string
+
+@description('The resource group where key vault is present.')
+param keyvaultRG string
+
+@description('Additional command line arguments to pass')
+param arguments array = []
+
+var tags = {
+  name: 'azure-media-migration'
+}
+
+// The identity to create and the roles to assign.
+var identifier = 'azure-media-migration'
+var mediaRoleName =  'Media Services Media Operator'
+var storageRoleName = 'Storage Blob Data Contributor'
+var keyVaultRoleName = 'Key Vault Secrets Officer'
+
+// Parameters for the container creation.
+var cpus = 4
+var memoryInGB = 16
+var image = 'ghcr.io/azure/azure-media-migration:main'
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name:  'azure-media-migration-identity'
+  location: location
+  tags: tags
+}
+
+resource mediaAccount 'Microsoft.Media/mediaservices@2023-01-01' existing = {
+  scope: resourceGroup(mediaAccountRG)
+  name: mediaAccountName
+}
+
+module mediaRoleAssignment 'roleassignment.bicep' = {
+  scope: resourceGroup(mediaAccountRG)
+  name: 'mediaRoleAssignement'
+  params: {
+    resourceName: mediaAccountName
+    principalId: managedIdentity.properties.principalId
+    roleName: mediaRoleName
+    storage: false
+    assignGroupRole: true    
+  }
+}
+
+var storageAccountIds = map(mediaAccount.properties.storageAccounts, arg => arg.id)
+module storageRoleAssignments 'storageaccounts.bicep' = {
+  name: 'storageRoleAssignements'
+  params: {
+    storageAccounts: storageAccountIds
+    principalId: managedIdentity.properties.principalId
+    storageRoleName: storageRoleName
+  }
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
+  name: storageAccountName
+  scope: resourceGroup(storageAccountRG)
+}
+
+module storageRoleAssignment 'roleassignment.bicep' = {
+  scope: resourceGroup(storageAccountRG)
+  name: 'storageRoleAssignment'
+  params: {
+    resourceName: storageAccountName
+    principalId: managedIdentity.properties.principalId
+    roleName: storageRoleName
+    storage: true
+  }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (encrypt) {
+  name: keyvaultname
+  scope: resourceGroup(keyvaultRG)
+}
+module keyVaultRoleAssignment 'roleassignment.bicep' = if (encrypt) {
+  scope: resourceGroup(keyvaultRG)
+  name: 'keyVaultRoleAssignment'
+  params: {
+    resourceName: keyvaultname
+    principalId: managedIdentity.properties.principalId
+    roleName: keyVaultRoleName
+    storage: true
+  }
+}
+
+// Default argumetns to the migration tool.
+var defaultArguments = [
+  'dotnet'
+  'MediaMigrate.dll'
+  'assets'
+  '-s'
+  subscription().subscriptionId
+  '-g'
+  mediaAccountRG
+  '-n'
+  mediaAccountName
+  '-o'
+  storageAccount.properties.primaryEndpoints.blob
+]
+
+var encryptionArguments = [
+  '--encrypt-content'
+  '--key-vault-uri'
+]
+
+resource container 'Microsoft.ContainerInstance/containerGroups@2023-05-01' = {
+  name: identifier
+  tags: tags
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${managedIdentity.id}' : {}
+    }
+  }
+  properties: {
+    containers: [
+      {
+        name: 'amsmigrate'
+        properties: {
+          image: image
+          resources: {
+            requests: {
+              cpu: cpus
+              memoryInGB: memoryInGB
+            }
+          }
+          command: concat(defaultArguments, arguments, encrypt ? encryptionArguments : [], encrypt ? [ keyVault.properties.vaultUri ] : [])
+        }
+      }
+    ]
+    osType: 'Linux'
+    restartPolicy: 'Never'
+  }
+}
+
+output follow string =  'az container logs -g ${resourceGroup().name} -n ${identifier} --follow'

deployment/deployment.md

@@ -0,0 +1,25 @@
+# Deploying the tool to the cloud.
+
+## Create a Resource Group
+Create it in the same region as the media services account being migrated.
+
+```bash
+az group create --location location --name migration
+```
+
+## Update the parameters.
+The parameters for the deplyment are in the file [parameters.bicepparam](parameters.bicepparam).
+```bicep
+// The media account being migrated.
+param mediaAccountName = 'accountname'
+param mediaAccountRG = 'resourcegroup'
+
+// Thes storage account details where the migrated data is written.
+param storageAccountName = 'storeagaccountname'
+param storageAccountRG = 'storageresourcegroup'
+```
+
+## Deploy the resource.
+```bash
+az deployment group create --template-file deployment.bicep --resource-group migration --parameters parameters.bicepparam
+```

deployment/parameters.bicepparam

@@ -0,0 +1,22 @@
+using './deployment.bicep'
+
+// The media serivces account being migrated.
+param mediaAccountName = 'provenanceuswc'
+param mediaAccountRG = 'provenance'
+
+// The storage account where migrated data is written.
+param storageAccountName = 'amsencodermsitest'
+param storageAccountRG = 'amsmediacore'
+
+// setting to turn encryption on or off.
+
+param encrypt = false
+// The key vault to store encryption keys if encryption is turned on.
+param keyvaultname = 'mpprovenance'
+param keyvaultRG = 'provenance'
+
+//additional arguments.
+param arguments = [
+  '-t'
+  '$web/deployment/\${AssetName}'
+]

deployment/roleassignment.bicep

@@ -0,0 +1,64 @@
+@description('The name of the resource to assign role')
+param resourceName string
+
+@description('The role to assign to the resource')
+param roleName string
+
+@description('The service principal to add the role assignment')
+param principalId string
+
+@description('true if the resource is storage else false')
+param storage bool = false
+
+@description('The role to assign  to the resource group of the resource.')
+param resourceGroupRoleName string = 'Reader'
+
+@description('Assigna a role to the resoucr group.')
+param assignGroupRole bool = false
+
+var roles = {
+  Contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+  Reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
+  'Storage Blob Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+  'Media Services Media Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c'
+  'Key Vault Secrets Officer':'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7'  
+}
+
+resource mediaAccount 'Microsoft.Media/mediaservices@2023-01-01' existing = if(!storage) {
+  name: resourceName
+}
+
+resource resourceGroupRoleNameAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (assignGroupRole) {
+  name: guid(resourceGroup().id, principalId)
+  scope: resourceGroup()
+  properties: {
+    roleDefinitionId: roles[resourceGroupRoleName]
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+resource mediaRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!storage) {
+  name: guid(mediaAccount.id, principalId)
+  scope: mediaAccount
+  properties: {
+    roleDefinitionId: roles[roleName]
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' existing = if(storage) {
+  name: resourceName
+}
+
+resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if(storage) {
+  name: guid(storageAccount.id, principalId)
+  scope: storageAccount
+  properties: {
+    roleDefinitionId: roles[roleName]
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+

deployment/storageaccounts.bicep

@@ -0,0 +1,20 @@
+@description('The service principal to add the role assignment')
+param principalId string
+
+@description('Storage role name')
+param storageRoleName string = 'Storage Blob Data Contributor'
+
+@description('The storage accounts associated with the media account')
+param storageAccounts array
+
+module storageRoleAssignments './roleassignment.bicep' = [for storage in storageAccounts: {
+  name: 'storageRoleAssignment-${split(storage, '/')[8]}'
+  scope: resourceGroup(split(storage, '/')[4])
+  params: {
+    resourceName: split(storage, '/')[8]
+    roleName: storageRoleName
+    principalId: principalId
+    storage: true
+  }
+}]
+