Add: AWS Fargate to Azure Container Apps migration skill #1534
deepganguly wants to merge 3 commits into microsoft:main from
- Add aws-fargate-to-container-apps skill for migrating ECS/EKS Fargate workloads to Azure Container Apps
- Comprehensive assessment guide with ECS task definition analysis, IAM role mapping, and VPC configuration review
- Deployment guide with ECR to ACR image migration, Secrets Manager to Key Vault migration, and Bicep templates
- Service mappings for 20+ AWS services (RDS, DynamoDB, S3, SQS, SNS, ElastiCache, etc.) to Azure equivalents
- Configuration conversion examples (task definitions to Container Apps YAML)
- Shell scripts for image migration and secrets migration automation
- Azure CLI commands and Bicep Infrastructure as Code templates
- Troubleshooting guides and post-deployment validation checklists
- Token count: SKILL.md ~1,900 tokens (well within 5000 limit)

Migration workflow includes:
1. Discovery & Assessment - Analyze ECS/Fargate configuration
2. Service Mapping - Map AWS services to Azure equivalents
3. Configuration Conversion - Convert task definitions to Container Apps
4. Pre-Migration Preparation - Migrate images and set up Azure resources
5. Deployment - Deploy to Azure Container Apps with scaling
6. Optimization - Cost analysis and performance tuning

Trigger phrases: migrate Fargate to Azure, migrate AWS containers to Azure, Fargate to Container Apps, assess AWS ECS migration
Pull request overview
Adds a new agent skill under plugin/skills/ to guide migrations from AWS Fargate (ECS/EKS) to Azure Container Apps, including assessment and deployment reference material.
Changes:
- Introduces the `aws-fargate-to-container-apps` skill with workflow, guardrails, and error-handling guidance.
- Adds reference docs for assessment and deployment, including CLI/Bicep examples and migration checklists.
- Adds an MIT license file for the new skill.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| plugin/skills/aws-fargate-to-container-apps/SKILL.md | New skill definition with migration phases, inputs, guardrails, MCP tools, and error handling. |
| plugin/skills/aws-fargate-to-container-apps/references/assessment-guide.md | Assessment checklist + mapping templates and service dependency mapping guidance. |
| plugin/skills/aws-fargate-to-container-apps/references/deployment-guide.md | Step-by-step deployment guide with registry migration, infra setup, secrets, scaling, validation, and troubleshooting. |
| plugin/skills/aws-fargate-to-container-apps/LICENSE.txt | MIT license for the newly added skill content. |
| version: 1.0.0 | ||
| author: GitHub Copilot for Azure |
In SKILL frontmatter, metadata.author is set to GitHub Copilot for Azure, but the other skills in this repo consistently use Microsoft as the author. For consistency and attribution, update metadata.author to Microsoft.
| version: 1.0.0 | |
| author: GitHub Copilot for Azure | |
| version: 1.0.1 | |
| author: Microsoft |
| description: Migrate containerized workloads from AWS Fargate to Azure Container Apps with assessment reports and deployment guidance. WHEN: migrate Fargate to Azure, migrate AWS containers to Azure, Fargate to Container Apps, assess AWS ECS migration, convert AWS Fargate to Azure, cross-cloud container migration from AWS, migrate ECS tasks to Azure Container Apps. | ||
| license: MIT | ||
| metadata: | ||
| version: 1.0.0 |
Frontmatter values like description and metadata.version should be quoted strings (this repo’s other SKILL.md files use quotes), which avoids YAML edge-cases and keeps metadata formatting consistent. Please change description to a quoted string and metadata.version to "1.0.0".
| description: Migrate containerized workloads from AWS Fargate to Azure Container Apps with assessment reports and deployment guidance. WHEN: migrate Fargate to Azure, migrate AWS containers to Azure, Fargate to Container Apps, assess AWS ECS migration, convert AWS Fargate to Azure, cross-cloud container migration from AWS, migrate ECS tasks to Azure Container Apps. | |
| license: MIT | |
| metadata: | |
| version: 1.0.0 | |
| description: "Migrate containerized workloads from AWS Fargate to Azure Container Apps with assessment reports and deployment guidance. WHEN: migrate Fargate to Azure, migrate AWS containers to Azure, Fargate to Container Apps, assess AWS ECS migration, convert AWS Fargate to Azure, cross-cloud container migration from AWS, migrate ECS tasks to Azure Container Apps." | |
| license: MIT | |
| metadata: | |
| version: "1.0.0" |
| @@ -0,0 +1,21 @@ | |||
| MIT License | |||
|
|
|||
| Copyright (c) 2026 GitHub Copilot for Azure | |||
The LICENSE copyright line differs from the convention used in other skill LICENSE files (e.g., "Copyright (c) Microsoft Corporation."). Please align the copyright holder/format with the rest of the repo’s skill licenses.
| Copyright (c) 2026 GitHub Copilot for Azure | |
| Copyright 2026 (c) Microsoft Corporation. |
| # Create Container Apps environment with VNet | ||
| az containerapp env create \ | ||
| --name myapp-env \ | ||
| --resource-group myapp-rg \ | ||
| --location eastus \ | ||
| --logs-workspace-id $LOG_WORKSPACE_ID \ | ||
| --logs-workspace-key $LOG_WORKSPACE_KEY \ | ||
| --infrastructure-subnet-resource-id $SUBNET_ID | ||
| ``` |
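Review bot: The `--logs-workspace-key $LOG_WORKSPACE_KEY` argument places the Log Analytics shared key in the process arguments of `az`, the same exposure flagged for `--value "$SECRET_VALUE"` in the secrets step, and all three expansions in this command are unquoted. Quote them (`"$LOG_WORKSPACE_ID"`, `"$LOG_WORKSPACE_KEY"`, `"$SUBNET_ID"`) and have the guide state that the key is read into the variable at run time rather than pasted into the script, with shell tracing (`set -x`) off around this command.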
This “Optional” VNet section re-runs az containerapp env create using the same environment name created earlier, which will fail if a reader follows the guide top-to-bottom. Please restructure this to be either/or (create env with VNet vs without VNet), or change the second command to an update workflow if supported.
| # Verify Key Vault access policy | ||
| az keyvault show-policy \ | ||
| --name myapp-kv \ | ||
| --object-id $PRINCIPAL_ID | ||
|
|
||
| # Test secret access |
az keyvault show-policy is not a valid Azure CLI command (Key Vault policy management uses set-policy/delete-policy and you can inspect the vault with az keyvault show). Please replace this with a working command sequence for verifying the identity’s permissions (and consider noting the RBAC-vs-access-policy distinction).
| # Verify Key Vault access policy | |
| az keyvault show-policy \ | |
| --name myapp-kv \ | |
| --object-id $PRINCIPAL_ID | |
| # Test secret access | |
| # Verify Key Vault access policy (for vaults using access policies) | |
| az keyvault show \ | |
| --name myapp-kv \ | |
| --query "properties.accessPolicies[?objectId=='$PRINCIPAL_ID']" \ | |
| -o table | |
| # If the vault uses RBAC instead of access policies, verify role assignments | |
| VAULT_ID=$(az keyvault show --name myapp-kv --query id -o tsv) | |
| az role assignment list \ | |
| --assignee $PRINCIPAL_ID \ | |
| --scope $VAULT_ID \ | |
| --query "[].{role:roleDefinitionName, scope:scope}" \ | |
| -o table | |
| # Test secret access (requires correct access policy or RBAC role) |
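Review bot: In the RBAC branch, `az role assignment list --assignee $PRINCIPAL_ID --scope $VAULT_ID` returns only assignments made at the vault scope, so an identity that gets its Key Vault role from the resource group or subscription produces an empty table and looks unauthorized. Add `--include-inherited` to that command, quote both expansions, and consider printing `properties.enableRbacAuthorization` from `az keyvault show` first so the reader knows which of the two checks applies to the vault.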
| # Get secret value from AWS | ||
| SECRET_VALUE=$(aws secretsmanager get-secret-value \ | ||
| --secret-id my-secret \ | ||
| --region us-east-1 \ | ||
| --query SecretString \ | ||
| --output text) | ||
|
|
||
| # Store in Azure Key Vault | ||
| az keyvault secret set \ | ||
| --vault-name myapp-kv \ | ||
| --name my-secret \ | ||
| --value "$SECRET_VALUE" |
The secrets migration example pulls the secret into a shell variable and then passes it via --value, which can leak the secret via process listings, shell history/logging, or accidental set -x usage. Please adjust the guidance to avoid putting secret material on the command line (e.g., use az keyvault secret set --file with a secure temp file, or provide a warning + safer pattern).
| # Get secret value from AWS | |
| SECRET_VALUE=$(aws secretsmanager get-secret-value \ | |
| --secret-id my-secret \ | |
| --region us-east-1 \ | |
| --query SecretString \ | |
| --output text) | |
| # Store in Azure Key Vault | |
| az keyvault secret set \ | |
| --vault-name myapp-kv \ | |
| --name my-secret \ | |
| --value "$SECRET_VALUE" | |
| # Get secret value from AWS into a secure temporary file | |
| SECRET_FILE=$(mktemp) | |
| aws secretsmanager get-secret-value \ | |
| --secret-id my-secret \ | |
| --region us-east-1 \ | |
| --query SecretString \ | |
| --output text > "$SECRET_FILE" | |
| # Store in Azure Key Vault without putting the secret on the command line | |
| az keyvault secret set \ | |
| --vault-name myapp-kv \ | |
| --name my-secret \ | |
| --file "$SECRET_FILE" | |
| # Securely clean up the temporary file | |
| shred -u "$SECRET_FILE" 2>/dev/null || rm -f "$SECRET_FILE" |
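Review bot: Redirecting `--output text` into `$SECRET_FILE` keeps the trailing newline that the replaced `$(...)` substitution stripped, so `--file "$SECRET_FILE"` can store a value one byte longer than the AWS secret and break consumers that compare it exactly. Write the file without the final newline, and register the cleanup with `trap` immediately after `mktemp` so the temp file is also removed when the script is interrupted or runs under `set -e`, since the `shred`/`rm` line is only reached when both commands complete.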
| ```yaml | ||
| # Example Task Definition to Container Apps mapping | ||
|
|
||
| # AWS ECS Task Definition | ||
| { |
This code block is labeled as yaml but includes a raw JSON task definition fragment, making the snippet invalid as either YAML or JSON and harder to copy/paste. Please split it into two separate code blocks with correct language tags (json for ECS task definition, yaml for Container Apps) so readers can reuse them reliably.
- Add reference link to assessment-guide.md in Phase 1
- Add reference link to deployment-guide.md in Phase 5
- Resolves markdown reference validation errors
…s, update author to Microsoft, fix copyright, fix VNet duplicate command, secure secrets migration, fix invalid keyvault show-policy, split JSON/YAML code blocks
| AWS_ACCOUNT_ID="123456789012" | ||
| AWS_REGION="us-east-1" | ||
| ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" | ||
| ACR_NAME="myregistry" |
The migrate-images.sh example hardcodes values that look like real identifiers (AWS account ID, region, ACR name). Since the guidelines prefer clearly marked placeholders, please switch these to <placeholder> values or environment-variable-driven defaults to reduce copy/paste accidents.
| AWS_ACCOUNT_ID="123456789012" | |
| AWS_REGION="us-east-1" | |
| ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" | |
| ACR_NAME="myregistry" | |
| AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-<aws-account-id>}" | |
| AWS_REGION="${AWS_REGION:-<aws-region>}" | |
| ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" | |
| ACR_NAME="${ACR_NAME:-<acr-name>}" |
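Review bot: The `:-<placeholder>` defaults on `AWS_ACCOUNT_ID`, `AWS_REGION` and `ACR_NAME` let the script continue with literal placeholder text when a variable is unset, so `ECR_REGISTRY` becomes `<aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com` and the failure only surfaces later at login or pull. Prefer the fail-fast form, for example `AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:?set AWS_ACCOUNT_ID}"`, which stops at the assignment with a clear message.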
| # If you haven't created the environment yet, include --infrastructure-subnet-resource-id in Step 2 | ||
| # Otherwise, you'll need to delete and recreate the environment with VNet support: | ||
| az containerapp env delete --name myapp-env --resource-group myapp-rg --yes | ||
|
|
||
| az containerapp env create \ | ||
| --name myapp-env \ | ||
| --resource-group myapp-rg \ | ||
| --location eastus \ | ||
| --logs-workspace-id $LOG_WORKSPACE_ID \ | ||
| --logs-workspace-key $LOG_WORKSPACE_KEY \ | ||
| --infrastructure-subnet-resource-id $SUBNET_ID |
This section recommends deleting and recreating the Container Apps environment to add VNet integration. Deleting an environment can remove all apps/revisions associated with it, which is a high-impact operation. Please add an explicit warning + confirmation step and call out safer alternatives (e.g., create a new environment with subnet integration and redeploy apps).
| secrets: | ||
| - name: db-password | ||
| keyVaultUrl: https://myapp-kv.vault.azure.net/secrets/db-password | ||
| registries: | ||
| - server: myregistry.azurecr.io | ||
| identity: /subscriptions/.../resourceGroups/myapp-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-identity | ||
| template: |
In the converted Container Apps YAML, the Key Vault-backed secret includes keyVaultUrl but omits the identity field. In this repo’s Container Apps examples, Key Vault references include an identity so the platform knows which managed identity to use to fetch the secret. Please add the identity to this YAML example (or clarify the intended identity behavior).
| transport: http | ||
| secrets: | ||
| - name: db-password | ||
| keyVaultUrl: https://myvault.vault.azure.net/secrets/db-password |
In the Container Apps YAML example, the Key Vault-backed secret includes keyVaultUrl but does not specify an identity. Container Apps Key Vault references typically require an identity so the platform can retrieve the secret. Please update the example to include the managed identity (or add a note explaining which identity is used).
| keyVaultUrl: https://myvault.vault.azure.net/secrets/db-password | |
| keyVaultUrl: https://myvault.vault.azure.net/secrets/db-password | |
| identity: userAssigned |
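Review bot: `identity: userAssigned` on the suggested line does not identify a managed identity; for a Key Vault secret reference, Container Apps expects either the resource ID of a user-assigned identity or `system`. Use the same resource ID form as the `registries` entry elsewhere in this PR (`/subscriptions/.../resourceGroups/myapp-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myapp-identity`), and make sure that identity is assigned to the app and can read secrets in the vault.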
|
|
||
| 📋 **See detailed assessment checklist**: [references/assessment-guide.md](references/assessment-guide.md) | ||
|
|
||
| ### Phase 2: Service Mapping | ||
|
|
This SKILL.md includes decorative emoji (e.g., 📋 and 🚀). The repo’s skill authoring guidelines specify emoji should only be used as status indicators (✅/❌/
| - Performance comparison | ||
|
|
||
| 🚀 **See detailed deployment instructions**: [references/deployment-guide.md](references/deployment-guide.md) | ||
|
|
||
| ### Phase 6: Optimization |
This SKILL.md includes decorative emoji (🚀). The repo’s skill authoring guidelines specify emoji should only be used as status indicators (✅/❌/
|
|
||
| ```bash | ||
| #!/bin/bash | ||
| set -e |
The example migrate-images.sh only uses set -e. Elsewhere in this repo, bash script templates use set -euo pipefail to fail fast on unset variables and pipeline errors. Consider updating the example to match that pattern for safer automation.
| set -e | |
| set -euo pipefail |