feat: add-recipe tooling, deployment guard recipe, VNet/skipRBAC support, TF+PS parity #218
Merged
- New recipe: law-dynatrace-httptrigger
  LAW + Dynatrace MCP + GitHub repo + HTTP trigger + deployment guard
  Skills: deployment-guard-analysis, investigate-app-errors
  Subagents: deployment-guard, error-investigator
  Includes sample GitHub Actions workflow for PR webhooks
- New lab: deployment-guard
  End-to-end walkthrough using contoso-trading as target app
  Step 0: deploy app (prod + staging)
  Step 1-4: deploy agent, wire webhook, test with risky PR
  Demo script, prereqs check, setup automation
- Blog post: Shift Left with Azure SRE Agent
- Fix: macOS paste compatibility in new-agent.sh (affects all recipes)
- Dry-run test script for new recipe

- Dry-run: 27/31 passed (4 pre-existing/false-positive)
- E2E bicep-bash: create→deploy→verify→update→clone→verify all pass
- Fix: deployment-guard-analysis skill tools list (was empty)
- Test results recorded in E2E-RESULTS-law-dt-httptrigger.md

Bicep-bash: 5/5 core ✅ (verify 20/20, clone 16/16)
Bicep-ps: 6/7 ✅ (verify 20/20, clone 16/16)
TF-bash: 5/7 ✅ (verify passes after update, clone 16/16)
TF-ps: 0/7 ❌ (pre-existing Deploy-Tf.ps1 P0 bug)
AZD-bash: 3/7 (exit codes off, agents created + verified 16/16)
10 agents deployed and verified across 4 working backends.

- apply-extras.sh: catch non-JSON response from Github/config API before piping to jq
- New-Agent.ps1: use -Recurse with Get-ChildItem -Include (fixes Count on null)
- e2e tests: add 15s sleep before first verify for data-plane propagation

…k; deploy prints webhook setup instructions
…nt without GitHub connected)

- bin/add-recipe.sh: new script to augment existing agents with recipes
- bin/ps/Add-Recipe.ps1: PowerShell port of add-recipe.sh
- terraform: VNet subnet/egress/sandbox vars + skipRoleAssignments on all RBAC
- Deploy-Agent.ps1: VNet subnet auto-create + skipRBAC auto-detect
- bicep: VNet integration + skipRoleAssignments support
- recipes: dynatrace-servicenow recipe, PR deployment guard prompt fix

Summary

Adds the add-recipe command (bash + PowerShell) for augmenting existing agents with recipe components, plus VNet integration and skipRoleAssignments support across all IaC backends.

New: add-recipe tooling

- bin/add-recipe.sh — Additive merge of a recipe into an existing agent directory. Auto-detects DT tenant, LAW ID, GitHub repo, and DT token from the existing agent config. Copies skills, subagents, hooks, automations (skip-if-exists). Merges toggles and connectors (skip duplicates by name). Replaces placeholders and writes secrets.
- bin/ps/Add-Recipe.ps1 — Full PowerShell port with identical behavior, following New-Agent.ps1 conventions (CmdletBinding, Invoke-Jq, Check-Prerequisites).

New: Deployment Guard recipe

- recipes/law-dynatrace-github-httptrigger-prvalidation — PR deployment guard with HTTP trigger, deployment-guard-analysis skill, and GitHub webhook integration.
- recipes/dynatrace-servicenow — Dynatrace + ServiceNow incident response recipe with skills, subagents, hooks, and connector config.

VNet integration + skipRoleAssignments

- (agent-core.bicep, main.bicep): VNet subnet ID, egress mode, sandbox configuration parameters. skipRoleAssignments parameter on all RBAC blocks.
- (variables.tf, main.tf): Matching VNet/sandbox/egress variables. count/for_each conditionals with skip_role_assignments on all role assignment resources.
- (Deploy-Agent.ps1): Auto-creates VNet subnet with Microsoft.App/environments delegation if missing. Auto-detects existing agent → sets skipRoleAssignments=true on redeploy.

Fixes

- apply-extras.sh: jq parse error when GitHub auth returns HTML
- assemble-agent.sh: Dynatrace tools wired to skills, skills connected to subagents via allowedSkills