Merge pull request #313793 from craigshoemaker/sre/http

v-regandowner · web-flow · commit ad926538fab6 · 2026-03-27T13:28:17.000-04:00
[SRE Agent] New: Http Trigger
diff --git a/articles/sre-agent/create-http-trigger.md b/articles/sre-agent/create-http-trigger.md
@@ -0,0 +1,153 @@
+---
+title: "Tutorial: Create an HTTP trigger in Azure SRE Agent"
+description: Set up an HTTP trigger in Azure SRE Agent that runs a compliance check when called from a CI/CD pipeline or any HTTP client.
+author: craigshoemaker
+ms.author: cshoe
+ms.reviewer: cshoe
+ms.date: 03/25/2026
+ms.topic: tutorial
+ms.service: azure-sre-agent
+ai-usage: ai-assisted
+#customer intent: As an SRE, I want to create an HTTP trigger so that external systems can invoke my agent automatically.
+---
+
+# Tutorial: Create an HTTP trigger in Azure SRE Agent
+
+In this tutorial, you create an HTTP trigger that runs a compliance check on a container app. You test it from the portal and the command line, and then integrate it into a CI/CD pipeline.
+
+**Estimated time**: 10 minutes
+
+In this tutorial, you:
+
+> [!div class="checklist"]
+>
+> - Create an HTTP trigger with a compliance check prompt
+> - Test the trigger from the portal by using Run Now
+> - Call the trigger from the command line with a JSON payload
+> - Integrate the trigger into a CI/CD pipeline
+
+## Prerequisites
+
+- An agent in **Running** state with at least one Azure subscription configured
+- Azure CLI installed (`az` command) for testing the webhook call
+
+## Scenario
+
+Your team deploys container app revisions multiple times a day. Each deployment should meet compliance standards for resource limits, health probes, ingress configuration, and scaling rules. Instead of checking manually, you create an HTTP trigger that your CI/CD pipeline calls after each deployment so the agent runs the compliance check automatically.
+
+## Create the trigger
+
+1. Go to your agent, and select **Builder** > **HTTP triggers**.
+
+    The page loads with summary cards (Active triggers, Total triggers, Total runs) and an empty trigger list.
+
+1. Select **Create trigger** in the toolbar. The **Create HTTP trigger** dialog opens.
+
+1. Fill in the form:
+
+    | Field | Value |
+    | --- | --- |
+    | **Trigger name** | Container App Compliance Check |
+    | **Trigger details** | A new container app revision was deployed. Run a compliance check on the app: verify resource limits (CPU/memory), health probes, ingress configuration, and scaling rules. Report any issues. App: `{payload.app_name}` in resource group `{payload.resource_group}`. Revision: `{payload.revision_name}`. |
+    | **Agent autonomy level** | Autonomous (Default) |
+    | **Message grouping for updates** | New chat thread for each run |
+
+    Leave **Response subagent** at its default unless you want a specific subagent to handle the check.
+
+1. Select **Create Trigger**.
+
+The trigger appears in the list with status **On**. The summary cards update to show one active trigger.
+
+## Copy the trigger URL
+
+1. Select the trigger name **Container App Compliance Check** to open the detail view.
+
+    The detail view shows the **Trigger URL**, **Status**, **Last called**, and **Message grouping** fields.
+
+1. Select the copy button next to the **Trigger URL**. Save the URL for later steps.
+
+    The URL looks like: `https://<your-agent>.sre.azure.com/api/v1/httptriggers/trigger/<TRIGGER_ID>`
+
+## Test with Run Now
+
+1. Select **Run trigger now** in the toolbar. This action runs the trigger right away without an external call.
+
+1. Wait a few seconds, then select **Update list** to refresh the execution history.
+
+The execution history shows a new row with a timestamp, a linked thread, and a success status. Select the thread link to see the agent's compliance check plan and results.
+
+## Call the trigger from the command line
+
+Test the trigger the way your CI/CD pipeline would, by using a JSON payload.
+
+Open a terminal and run the following commands:
+
+```azurecli
+# Get an ARM token (use the SRE Agent app ID as the resource)
+TOKEN=$(az account get-access-token --resource 59f0a04a-b322-4310-adc9-39ac41e9631e --query accessToken -o tsv)
+
+# Call the trigger with container app deployment details
+curl -X POST \
+  "<YOUR_TRIGGER_URL>" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "app_name": "checkout-api",
+    "resource_group": "rg-production",
+    "revision_name": "checkout-api--v3",
+    "deployed_by": "github-actions",
+    "image": "myregistry.azurecr.io/checkout-api:v3.2.1"
+  }'
+```
+
+Replace `<YOUR_TRIGGER_URL>` with the URL you copied earlier.
+
+> [!NOTE]
+> The agent receives your prompt with `{payload.app_name}`, `{payload.resource_group}`, and `{payload.revision_name}` replaced with the actual values from the JSON body. Fields that don't match a placeholder (like `deployed_by` and `image`) are appended as raw JSON context.
+
+The response returns immediately with HTTP 202:
+
+```json
+{
+  "message": "HTTP trigger execution initiated",
+  "executionTime": "2026-03-24T10:30:00Z",
+  "threadId": "thread-abc123",
+  "success": true
+}
+```
+
+Go back to the portal and select **Update list** in the detail view. A second execution appears in the history from the external call.
+
+## Integrate with your pipeline
+
+Add the trigger call to your CI/CD pipeline's post-deployment step. The following example shows a GitHub Actions workflow step:
+
+```yaml
+- name: Trigger SRE Agent compliance check
+  if: success()
+  run: |
+    TOKEN=$(az account get-access-token --resource 59f0a04a-b322-4310-adc9-39ac41e9631e --query accessToken -o tsv)
+    curl -s -X POST "${{ secrets.SRE_TRIGGER_URL }}" \
+      -H "Authorization: Bearer $TOKEN" \
+      -H "Content-Type: application/json" \
+      -d '{
+        "app_name": "${{ env.APP_NAME }}",
+        "resource_group": "${{ env.RESOURCE_GROUP }}",
+        "revision_name": "${{ env.REVISION_NAME }}",
+        "deployed_by": "${{ github.actor }}",
+        "commit": "${{ github.sha }}"
+      }'
+```
+
+Store your trigger URL as a GitHub secret (`SRE_TRIGGER_URL`). Don't hardcode it in your workflow file.
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Learn about HTTP triggers](http-triggers.md)
+
+## Related content
+
+- [HTTP triggers](http-triggers.md)
+- [Scheduled tasks](scheduled-tasks.md)
+- [Workflow automation](workflow-automation.md)
diff --git a/articles/sre-agent/http-triggers.md b/articles/sre-agent/http-triggers.md
@@ -0,0 +1,186 @@
+---
+title: HTTP triggers in Azure SRE Agent
+description: Learn how HTTP triggers in Azure SRE Agent let you invoke agent actions from CI/CD pipelines, alerting tools, and any HTTP client.
+author: craigshoemaker
+ms.author: cshoe
+ms.reviewer: cshoe
+ms.date: 03/25/2026
+ms.topic: concept-article
+ms.service: azure-sre-agent
+ai-usage: ai-assisted
+---
+
+# HTTP triggers in Azure SRE Agent
+
+HTTP triggers in Azure SRE Agent are webhook endpoints that external systems use to invoke your agent on demand. When a CI/CD pipeline fails, an alerting tool detects an anomaly, or any HTTP client sends a POST request, the agent receives the event context and starts working immediately.
+
+## How HTTP triggers work
+
+Each trigger is a named webhook endpoint on your agent with a unique URL. When an external system calls that URL through an HTTP POST, the agent executes the trigger's configured prompt. If the request includes a JSON body, the data becomes part of the agent's prompt so the agent has full context about the event.
+
+| Concept | Description |
+|---|---|
+| **Trigger** | A named endpoint with a prompt, an assigned agent (default or subagent), and an autonomy level (autonomous or review). |
+| **Trigger URL** | The unique webhook URL generated when you create a trigger. External tools call this URL. |
+| **JSON context** | Optional JSON body sent with the POST request. The data becomes part of the agent's prompt. |
+| **Execution history** | Every invocation is logged with a timestamp, thread link, and success or failure status. |
+| **Enable/disable** | Toggle triggers on or off without deleting them. Disabled triggers return 404. |
+
+## Invoke a trigger
+
+Call the trigger URL with an HTTP POST request:
+
+```bash
+curl -X POST \
+  https://your-agent.sre.azure.com/api/v1/httptriggers/trigger/<TRIGGER_ID> \
+  -H "Authorization: Bearer <ARM_TOKEN>" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "source": "datadog",
+    "alert_title": "High error rate on checkout-api",
+    "severity": "critical",
+    "service": "checkout-api",
+    "region": "eastus2",
+    "metric": "error_rate",
+    "value": "8.2%",
+    "threshold": "5%"
+  }'
+```
+
+The following table describes each part of the request:
+
+| Part | Description |
+|---|---|
+| **URL** | The trigger's unique webhook endpoint. Find it in the trigger detail view under **Trigger URL**. |
+| **Authorization** | An Azure ARM Bearer token. See [Authentication](#authentication). |
+| **Content-Type** | Must be `application/json` if you're sending a JSON body. |
+| **JSON body** (optional) | Any JSON data you want the agent to receive as part of its prompt. |
+
+The JSON body is optional. If you call the trigger without a body, the agent runs with just the trigger's configured prompt. With a body, the agent sees both the prompt and the data you sent.
+
+The trigger returns HTTP 202 (Accepted) immediately. The agent processes the request asynchronously.
+
+## Authentication
+
+The trigger endpoint requires an Azure ARM Bearer token in the `Authorization: Bearer <TOKEN>` header. The caller needs `Microsoft.App/agents/threads/write` permission on the agent resource.
+
+The following table describes how to obtain a token:
+
+| Method | Best for | Details |
+|---|---|---|
+| [Service principal](/entra/identity-platform/howto-create-service-principal-portal) | CI/CD pipelines, automated systems | Create an app registration, assign the role on the agent resource, and use client credentials flow to get a token. |
+| [Managed identity](/entra/identity/managed-identities-azure-resources/overview) | Azure-hosted services (Azure Functions, VMs, Container Apps) | No secrets to manage. The Azure resource authenticates automatically. |
+| Azure CLI | Testing and development | Run `az account get-access-token --resource 59f0a04a-b322-4310-adc9-39ac41e9631e --query accessToken -o tsv`. |
+
+### Connect external tools that don't support Azure auth
+
+Tools like Datadog, Dynatrace, Jira, and Splunk send webhooks with their own auth formats, not Azure ARM tokens. To bridge the gap, use one of the following intermediaries:
+
+| Intermediary | How it works |
+|---|---|
+| [Azure Function](/azure/azure-functions/functions-bindings-http-webhook-trigger) | Receives the webhook, acquires an ARM token using its managed identity, and forwards the call to the trigger URL. |
+| [Logic App](/azure/logic-apps/logic-apps-overview) | No-code workflow that receives webhooks from any source and calls Azure APIs with built-in ARM authentication. |
+| [Azure API Management](/azure/api-management/authentication-authorization-overview) | Sits in front of the trigger URL and handles token validation and transformation via policies. |
+
+## Use cases
+
+The following examples show common scenarios for HTTP triggers.
+
+### CI/CD pipeline integration
+
+When a deployment pipeline fails, invoke the agent to analyze the failure:
+
+```bash
+# In your pipeline's failure handler
+curl -X POST "$AGENT_TRIGGER_URL" \
+  -H "Authorization: Bearer $ARM_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"pipeline\": \"$PIPELINE_NAME\", \"run_id\": \"$RUN_ID\", \"error\": \"$ERROR_MESSAGE\"}"
+```
+
+### Alert-driven investigation
+
+Connect your alerting system to trigger automated investigation when critical alerts fire. The following example shows a sample JSON payload:
+
+```json
+{
+  "alert_name": "Error rate > 5%",
+  "severity": "P1",
+  "service": "checkout-api",
+  "region": "eastus2",
+  "start_time": "2026-03-13T10:15:00Z"
+}
+```
+
+### Deployment compliance checks
+
+After a deployment completes, trigger a compliance review:
+
+```bash
+curl -X POST "$AGENT_TRIGGER_URL" \
+  -H "Authorization: Bearer $ARM_TOKEN" \
+  -d '{"deployment_id": "deploy-456", "environment": "production", "changes": ["config update", "image bump"]}'
+```
+
+## Scheduled tasks vs. HTTP triggers
+
+The following table compares scheduled tasks with HTTP triggers:
+
+| Scheduled tasks | HTTP triggers |
+|---|---|
+| Time-based (cron schedule) | Event-driven (on-demand) |
+| Runs whether or not something happened | Runs only when called |
+| No external input per execution | Payload data included in each invocation |
+| Best for recurring checks | Best for event-driven reactions |
+
+Use both together. Scheduled tasks handle proactive monitoring, and HTTP triggers handle reactive event handling.
+
+## API reference
+
+The following table lists the available HTTP trigger endpoints:
+
+| Endpoint | Method | Description |
+|---|---|---|
+| `/api/v1/httptriggers` | GET | List all triggers |
+| `/api/v1/httptriggers/create` | POST | Create a new trigger |
+| `/api/v1/httptriggers/{id}` | GET | Get trigger details |
+| `/api/v1/httptriggers/{id}` | PUT | Update trigger properties |
+| `/api/v1/httptriggers/{id}` | DELETE | Delete a trigger |
+| `/api/v1/httptriggers/{id}/enable` | POST | Enable a trigger |
+| `/api/v1/httptriggers/{id}/disable` | POST | Disable a trigger |
+| `/api/v1/httptriggers/{id}/execute` | POST | Run trigger manually |
+| `/api/v1/httptriggers/{id}/executions` | GET | Get execution history |
+| `/api/v1/httptriggers/trigger/{id}` | POST | External webhook endpoint |
+
+## Troubleshooting
+
+**Trigger returns 404**
+
+- Verify the trigger is **enabled**. Disabled triggers return 404.
+- Check that the trigger ID in the URL is correct.
+
+**401 Unauthorized**
+
+- The token audience must match the SRE Agent app ID, not `https://management.azure.com`.
+- To get a token for testing, run: `az account get-access-token --resource 59f0a04a-b322-4310-adc9-39ac41e9631e --query accessToken -o tsv`.
+
+**Trigger executes but agent doesn't act**
+
+- Check the agent prompt. An empty prompt might not produce useful output.
+- Verify the chosen subagent has the tools needed for the task.
+- Check execution history for error details.
+
+## Limits
+
+| Resource | Limit |
+|---|---|
+| Triggers per agent | No hard limit |
+| Max turns per execution | 250 turns |
+| Authentication | Bearer token required for each trigger URL |
+
+## Related content
+
+- [Create and test an HTTP trigger](create-http-trigger.md)
+- [Scheduled tasks](scheduled-tasks.md)
+- [Workflow automation](workflow-automation.md)
+- [Workflow automation](workflow-automation.md)—multi-step automated workflows that HTTP triggers can start
diff --git a/articles/sre-agent/toc.yml b/articles/sre-agent/toc.yml
@@ -88,6 +88,8 @@ items:
             href: workflow-automation.md
           - name: Scheduled tasks
             href: scheduled-tasks.md
+          - name: HTTP triggers
+            href: http-triggers.md
           - name: Send notifications
             href: send-notifications.md
       - name: Extend
@@ -158,6 +160,8 @@ items:
         items:
           - name: Create scheduled tasks
             href: create-scheduled-task.md
+          - name: Create an HTTP trigger
+            href: create-http-trigger.md
       - name: Extend
         items:
           - name: Configure agent hooks
