Skip to content

Commit 056b9d7

Browse files
Merge pull request #9 from jonathanscholtes/dev
Update deployment guides
2 parents f12fcb8 + 1ceccb5 commit 056b9d7

7 files changed

Lines changed: 91 additions & 31 deletions

File tree

LICENSE.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
## __The MIT License (MIT)__
2-
Copyright © 2024 Jonathan Scholtes
2+
Copyright © 2024–2026 Jonathan Scholtes
33

44
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
55

README.md

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@
22

33
> Automated incident detection and remediation with Azure SRE Agent + GitHub Copilot
44
5+
For background and architecture context, see the companion article:
6+
[Beyond the Alert: Building Self-Healing Pipelines with Azure SRE Agent and GitHub Copilot](https://stochasticcoder.com/2026/04/29/beyond-the-alert-building-self-healing-pipelines-with-azure-sre-agent-and-github-copilot/)
7+
58
![Self-Healing Application Pipeline](media/self-healing-pipeline.png)
69

710
---
@@ -20,7 +23,7 @@ This demo collapses that loop. [**Azure SRE Agent**](https://learn.microsoft.com
2023
|------|------|-------------|
2124
| 1 | Container Apps + Load Generator | Synthetic traffic hits a deliberately broken API |
2225
| 2 | Application Insights / Log Analytics | Exception rate spike and failure metrics detected |
23-
| 3 | Azure SRE Agent | Root-cause analysis; files an ADO WorkItem to track the incident |
26+
| 3 | Azure SRE Agent | Root-cause analysis; files an Azure DevOps work item to track the incident |
2427
| 4 | Azure SRE Agent | Creates a GitHub Issue with diagnostic context; assigns the Copilot coding agent |
2528
| 5 | GitHub Copilot Coding Agent | Reads the GitHub Issue, opens a fix PR on a new branch |
2629
| 6 | Human reviewer | Reviews the PR and merges — the human gate |
@@ -35,7 +38,7 @@ flowchart TD
3538
ACA["Azure Container Apps\n+ Load Generator Job\n(5-min cron, synthetic traffic)"]
3639
AI["Application Insights\nLog Analytics"]
3740
SRE["Azure SRE Agent\n(investigates, deduplicates)"]
38-
ADO["Azure DevOps\nWorkItem\n(tracks incident)"]
41+
ADO["Azure DevOps\nWork Item\n(tracks incident)"]
3942
GHI["GitHub Issue\n(assigned to Copilot)"]
4043
COP["GitHub Copilot Agent\n(creates branch + fix PR)"]
4144
HUM["Human Review + Merge\n— the human gate —"]
@@ -73,9 +76,9 @@ az login
7376
.\deploy.ps1 -Subscription "<subscription-name-or-id>" -SetupGitHub
7477
```
7578

76-
[Full deployment guide](docs/deployment.md) — infrastructure, GitHub OIDC, SRE Agent portal configuration, and branch protection setup.
79+
[Full deployment guide](docs/deployment.md) — infrastructure, GitHub OIDC, SRE Agent portal configuration, branch protection setup, and troubleshooting tips.
7780

78-
[Walkthrough](docs/walkthrough.md)injecting bugs, walkthrough, and reset instructions.
81+
[Walkthrough](docs/walkthrough.md)bug injection, live demo flow, and reset instructions.
7982

8083
---
8184

docs/deployment.md

Lines changed: 62 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ Step-by-step instructions for deploying the Azure SRE Agent closed-loop demo.
1313
| [PowerShell](https://learn.microsoft.com/powershell/scripting/install/installing-powershell) | >= 7 | |
1414
| [GitHub CLI](https://cli.github.com/) | latest | Required for OIDC setup |
1515
| Azure subscription | | Contributor + User Access Administrator |
16-
| Azure DevOps organization | | Required for SRE Agent WorkItem filing |
16+
| Azure DevOps organization | | Required for SRE Agent work item filing |
1717
| GitHub Copilot Enterprise | | Required for coding agent PR creation |
1818

1919
> **Region constraint**: The SRE Agent resource (`Microsoft.App/agents`) is currently available only in `eastus2`, `swedencentral` and `australiaeast`. Set `location` in `terraform.tfvars` accordingly.
@@ -48,7 +48,7 @@ The script runs four phases automatically:
4848
Subsequent runs skip the bootstrap step:
4949

5050
```powershell
51-
.\deploy.ps1 -SkipBootstrap
51+
.\deploy.ps1 -Subscription "<subscription-name-or-id>" -SkipBootstrap
5252
```
5353

5454
---
@@ -58,7 +58,7 @@ Subsequent runs skip the bootstrap step:
5858
Wire up OIDC federated credentials and GitHub repository secrets:
5959

6060
```powershell
61-
.\deploy.ps1 -SetupGitHub
61+
.\deploy.ps1 -Subscription "<subscription-name-or-id>" -SetupGitHub
6262
# or standalone:
6363
.\scripts\New-GitHubOidc.ps1
6464
```
@@ -78,40 +78,70 @@ TF_STATE_STORAGE_ACCOUNT = <storage account name printed by deploy.ps1 phase 0>
7878

7979
---
8080

81-
## Step 4 — Connect SRE Agent to Azure DevOps (Azure portal)
81+
## Step 4 — Configure incident platform and response plan (Azure portal)
82+
83+
In the SRE Agent resource, configure inbound incident routing from Azure Monitor:
84+
85+
1. Open the SRE Agent resource in the Azure portal
86+
2. Go to **Builder → Incident Platform**
87+
3. Select **Azure Monitor** as the incident platform and complete the connection
88+
4. Go to **Builder → Incident response plans** and create (or customize) a plan for this demo
89+
5. Set plan filters (for example severity/service/title) and set run mode to **Autonomous** for this demo
90+
6. Save and enable the plan
91+
92+
Azure SRE leverages **Memories**, for resolution, tracking and routing intent (for example: create an Azure DevOps **Issue** and route code-fix work to **GitHub Copilot**). This helps keep behavior consistent across incidents.
93+
94+
> You can use the built-in SRE Agent chat to refine investigation and routing behavior **Memories**, then update the response plan configuration based on those results.
95+
96+
When incidents match the enabled response plan filters, the agent runs automatically from that incident context.
97+
98+
> References:
99+
> - [Incident platforms](https://learn.microsoft.com/en-us/azure/sre-agent/incident-platforms)
100+
> - [Automate incident response](https://learn.microsoft.com/en-us/azure/sre-agent/incident-response)
101+
> - [Incident response plans](https://learn.microsoft.com/en-us/azure/sre-agent/incident-response-plans)
102+
> - [Workflow automation](https://learn.microsoft.com/en-us/azure/sre-agent/workflow-automation)
103+
> - [User memories](https://learn.microsoft.com/en-us/azure/sre-agent/memory#user-memories)
104+
105+
---
106+
107+
## Step 5 — Add Azure DevOps as an automated destination
82108

83109
After `terraform apply` completes:
84110

85111
1. Open the SRE Agent resource in the Azure portal
86-
2. Go to **Workflows** → add a new workflow
87-
3. Set the **trigger**: Log Analytics workspace connected to Application Insights — the agent queries exception rates and failure metrics
88-
4. Set the **destination**: your ADO organization, project, and board; work item type **Issue**
89-
5. Save — the agent will now create an ADO WorkItem automatically when an anomaly is detected, including the exception type, stack trace, and telemetry deep-links
112+
2. Go to **Builder → Connectors** and create an **Azure DevOps connector** (org, project, board, auth)
113+
3. Select the target Azure DevOps project/repository context for this demo
114+
4. Save — when incidents match the enabled response plan, the agent automatically creates/updates Azure DevOps work items using this connector
90115

91116
---
92117

93-
## Step 5Connect SRE Agent to GitHub Issues (Azure portal)
118+
## Step 6Add GitHub Issues as an automated destination
94119

95120
In the same or a parallel workflow in the SRE Agent portal:
96121

97-
1. Add a **GitHub** destination
98-
2. Authenticate and select this repository
99-
3. Set the assignee to **GitHub Copilot** (the coding agent)
100-
4. Save — the agent will now open a GitHub Issue with diagnostic context and assign Copilot to resolve it
122+
1. Go to **Builder → Connectors** and create a **GitHub connector** for this repository
123+
2. Select this repository in the connector configuration
124+
3. Save — for each matching incident, the agent automatically opens a GitHub Issue with diagnostic context and assigns GitHub Copilot to complete the fix
125+
126+
127+
128+
> Connector reference: [Azure SRE Agent connectors documentation](https://learn.microsoft.com/en-us/azure/sre-agent/connectors)
129+
130+
> Both the Azure DevOps work item and the GitHub Issue come from the same SRE Agent investigation. Azure DevOps tracks the incident operationally; the GitHub Issue is the work item Copilot acts on.
131+
101132

102-
> Both the ADO WorkItem and the GitHub Issue come from the same SRE Agent investigation. ADO tracks the incident operationally; the GitHub Issue is the work item Copilot acts on.
103133

104134
---
105135

106-
## Step 6 — Enable branch protection on `main`
136+
## Step 7 — Enable branch protection on `main`
107137

108138
This enforces the human gate — Copilot's fix PR cannot merge without a review.
109139

110140
1. Go to **Settings → Branches → Add branch ruleset**
111141
2. Target: `main`
112142
3. Enable:
113143
- **Require a pull request before merging** (1 required approval)
114-
- **Require status checks to pass** → add `Validate` (from `validate.yml`)
144+
- **Require status checks to pass** → add the check run from `.github/workflows/validate.yml` (typically `Lint`)
115145
- **Block force pushes**
116146

117147
---
@@ -127,8 +157,10 @@ Copy `infra/terraform.tfvars.example` to `infra/terraform.tfvars` and fill in yo
127157
| `project_name` | Yes | Used in resource naming |
128158
| `location` | Yes | Azure region — see region constraint above |
129159
| `resource_token` | No | Unique suffix; auto-generated if empty |
130-
| `enable_sre_agent` | No | Defaults to `true` |
131-
| `sre_agent_access_level` | No | `High` (Reader + Contributor) or `Low` (Reader only) |
160+
| `enable_sre_agent` | No | Deploy the SRE Agent resource (default: `false`) |
161+
| `sre_agent_name` | No | Name of the SRE Agent resource (default: `sre-agent`) |
162+
| `sre_agent_access_level` | No | `High` (Reader + Contributor) or `Low` (Reader only; default: `High`) |
163+
| `sre_agent_target_resource_groups` | No | Additional resource groups for the agent to monitor |
132164

133165
---
134166

@@ -139,3 +171,15 @@ Copy `infra/terraform.tfvars.example` to `infra/terraform.tfvars` and fill in yo
139171
```
140172

141173
> The Terraform remote state storage account is in a separate resource group (`rg-tfstate-sre`) and is **not** deleted by the above command. Delete it manually when no longer needed.
174+
175+
---
176+
177+
## Troubleshooting
178+
179+
| Symptom | Likely cause | Fix |
180+
|---------|--------------|-----|
181+
| `deploy.ps1` fails before Terraform | Not authenticated to the correct subscription | Run `az login`, then rerun with `-Subscription` |
182+
| GitHub OIDC setup fails on `gh secret set` | GitHub CLI is not authenticated | Run `gh auth login` and retry Step 3 |
183+
| SRE Agent does not create incidents from alerts | Azure Monitor incident platform or response plan is not enabled | Recheck Step 4 and confirm the response plan is turned on |
184+
| SRE Agent does not create work items/issues | Azure DevOps/GitHub connector project or repository mapping is not configured correctly | Recheck Steps 5 and 6 and verify connector scope |
185+
| Branch rule blocks merge unexpectedly | Required check name mismatch | Use the check run generated by `.github/workflows/validate.yml` |

docs/walkthrough.md

Lines changed: 16 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@
22

33
Instructions for injecting a failure, generating errors, and observing the self-healing pipeline end to end.
44

5+
This guide is written as a companion reference for the article:
6+
[Beyond the Alert: Building Self-Healing Pipelines with Azure SRE Agent and GitHub Copilot](https://stochasticcoder.com/2026/04/29/beyond-the-alert-building-self-healing-pipelines-with-azure-sre-agent-and-github-copilot/)
7+
58
---
69

710
## Step 1 — Inject the bug and generate errors
@@ -10,7 +13,7 @@ Instructions for injecting a failure, generating errors, and observing the self-
1013
.\tools\Start-SreDemo.ps1
1114
```
1215

13-
This patches a realistic bug into the order management API, rebuilds and redeploys the container image via ACR, waits for the new revision to become healthy, then fires a burst of 20 orders to flood Application Insights with errors. Direct portal deep-links are printed for every presenter step.
16+
This patches a realistic bug into the order-management API, rebuilds and redeploys the container image via ACR, waits for the new revision to become healthy, then fires a burst of 20 orders to flood Application Insights with errors. Direct portal deep-links are printed for each validation step.
1417

1518
```powershell
1619
# Inject a specific bug type with a larger load burst
@@ -30,22 +33,30 @@ This patches a realistic bug into the order management API, rebuilds and redeplo
3033

3134
> **`-SkipDeploy`** patches the source file and writes `.chaos-state` but skips the ACR build. Commit and push to trigger the GitHub Actions workflow — useful for demonstrating the full CI/CD path.
3235
36+
Typical timeline after load starts:
37+
38+
- Application Insights failures appear in about 1-2 minutes
39+
- SRE Agent investigation and ticketing usually follow shortly after
40+
- Copilot PR timing depends on repository activity and queue depth
41+
3342
---
3443

35-
## Step 2 — Walkthrough
44+
## Step 2 — Verify the closed-loop flow
45+
46+
Use this sequence to verify that each stage of the closed-loop flow is working correctly.
3647

37-
| Step | Where to look | What to show |
48+
| Step | Where to look | Expected signal |
3849
|------|---------------|-------------|
3950
| 1 | Application Insights → **Failures** blade | Error rate spike, exception type, stack trace |
4051
| 2 | [Azure SRE Agent](https://learn.microsoft.com/en-us/azure/sre-agent/overview?tabs=task) portal | Agent investigating the anomaly in real time |
41-
| 3 | Azure DevOps Boards | ADO WorkItem auto-created with telemetry deep-link |
52+
| 3 | Azure DevOps Boards | Azure DevOps work item auto-created with telemetry deep-link |
4253
| 4 | GitHub Issues | Issue created by SRE Agent, assigned to GitHub Copilot |
4354
| 5 | GitHub Pull Requests | Copilot's fix PR on a new branch |
4455
| 6 | Merge the PR | CI/CD pipeline triggers; error rate returns to zero |
4556

4657
---
4758

48-
## Step 3 — Reset after the demo
59+
## Step 3 — Reset the environment
4960

5061
```powershell
5162
.\tools\Invoke-ChaosBug.ps1 -Revert `

infra/README.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -59,7 +59,7 @@ Copy-Item infra/terraform.tfvars.example infra/terraform.tfvars
5959
| `environment_name` | Yes | e.g. `dev`, `prod` — used in resource naming |
6060
| `project_name` | Yes | Short identifier used in resource naming |
6161
| `resource_token` | No | Unique suffix (auto-generated if omitted) |
62-
| `location` | Yes | Azure region — SRE Agent requires `eastus2`, `swedencentral`, `uksouth`, or `australiaeast` |
62+
| `location` | Yes | Azure region — SRE Agent requires `eastus2`, `swedencentral`, or `australiaeast` |
6363
| `enable_sre_agent` | No | Deploy the SRE Agent resource (default: `false`) |
6464
| `sre_agent_name` | No | Name of the SRE Agent resource (default: `sre-agent`) |
6565
| `sre_agent_access_level` | No | `High` or `Low` — controls RBAC granted to the agent (default: `High`) |
@@ -86,6 +86,8 @@ terraform apply tfplan
8686

8787
To enable the SRE Agent, add `-var="enable_sre_agent=true"` to the plan command, or set `enable_sre_agent = true` in `terraform.tfvars`.
8888

89+
When `enable_sre_agent = true`, use a supported region (`eastus2`, `swedencentral`, or `australiaeast`).
90+
8991
## Outputs
9092

9193
| Output | Description |

infra/terraform.tfvars.example

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ environment_name = "dev" # Environment: dev,
77
project_name = "sre" # Project name (used in resource naming)
88
resource_token = "" # Unique suffix — leave empty to auto-generate
99
location = "eastus2" # Azure region
10-
# SRE Agent requires: eastus2, swedencentral, uksouth, australiaeast
10+
# SRE Agent requires: eastus2, swedencentral, australiaeast
1111

1212
# SRE Agent (set to true to deploy the Azure SRE Agent)
1313
enable_sre_agent = true

infra/variables.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ variable "location" {
3939
# ── SRE Agent ────────────────────────────────────────────────────────────────
4040

4141
variable "enable_sre_agent" {
42-
description = "Deploy the Azure SRE Agent. Requires a location supported by the preview: eastus2, swedencentral, uksouth, australiaeast."
42+
description = "Deploy the Azure SRE Agent. Requires a location supported by the preview: eastus2, swedencentral, australiaeast."
4343
type = bool
4444
default = false
4545
}

0 commit comments

Comments
 (0)