Skip to main content

Incident.io Integration

This guide will show you how to setup an integration Incident.io and Indent. Once complete, you'll be able to use Incident.io status as a way to escalate your access.

Components

note

This page assumes you completed the Indent Quickstart. (5 min setup)

Configuration

This guide uses GitHub Actions and Terraform to deploy an Incident.io + Indent integration. AWS S3 will be used to store Terraform state, and AWS Lambda will run the webhook.

1. Clone the repo

  • Click on the Use This Template button to clone the repo
  • In your new repo go to Settings → Secrets → Actions
  • Leave this tab open for adding secrets from the next steps

2. Create the S3 bucket

  • Go to AWS S3 and select an existing bucket or create a new one
    • Most of the default settings are good, but some recommended values are included here.
Recommended AWS S3 values
  • Name — easily identifiable name for the bucket, such as indent-deploy-state-123.
  • Region — where you plan to deploy the Lambda, like us-west-2.
  • Bucket versioning — if you want to have revisions of past deployments, otherwise pick disabled.
  • Default encryption — enable for server-side encryption for deployment files.
  • This integration currently assumes your region is us-west-2, and you want S3 encryption turned on. If you choose other settings, update your main.tf values accordingly.

3. Create AWS credentials

  • Go to AWS IAM → Add Users and create a new user for deploys, such as indent-terraform-deployer
  • Configure the service account's access:
    • Credential type — select Access key - Programmatic access
    • Permissions — click Attach existing policies directly and select AdministratorAccess
    • Follow the prompts until the account is created
  • Add the resulting values as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to GitHub Secrets.

4. Get Incident.io API Key

  • Go to Incident.io's dashboard and click API Keys → + Add new
    • Enter a recognizable name like indent_auto_approvals
    • Select the following scopes:
      • View data, like public incidents and organisation settings
      • View all incident data, including private incidents
    • Create and copy the key that appears as a GitHub Secret named INCIDENTIO_API_KEY

5. Update Indent

  • On your Indent dashboard go to Integrations → Catalog → Incident.io
    • Copy the webhook secret, and in a new tab add it to your GitHub Secrets as INDENT_WEBHOOK_SECRET
    • Leave this Incident.io + Indent integrations page open until the final step
  • In a new tab open main.tf from your GitHub repo, and change the empty value for backend to the name you chose in the step 2. Configuring the S3 bucket
  • From your repo navigate to GitHub Actions → The latest job, and copy the URL shown in Terraform Log
    • IF your most recent job failed, relaunch the job and wait for it to succeed
    • On your Incident.io + Indent integrations page, paste the URL you just copied

6. Update policies

  • On your Indent dashboard go to Admin → Policies → Webhook Policies → + New
    • Expand the webhooks field, and select your Incident.io webhook
    • Optionally, you can add other conditions using the Condition Builder. As a default, no condition means that only an active on-call status is needed for auto-approval
  • On your Indent dashboard go to Admin → Config
    • Enable auto-approval by adding the bot user or [email protected] to the list of Reviewers
    • Select one of the elements under Kinds of Resources, and add any resources you want available for on-demand access
    • Save your changes

7. Confirm it works

  • Identify a person who is in an incident.io channel and has a role
  • Submit an access request for that person to the example resource
  • Confirm that the request is auto-approved by [email protected]
  • Add resources like AWS IAM, Okta Groups, and other services that your on-call engineers might need access to during an incident
  • Customize your settings using the How do I customize who gets auto-approved for which resources? guide in the Questions section

Summary

Congrats! You added the Incident.io + Indent integration. Your team can now request secure on-demand server access based on their on-call rotation. Next, try installing Google Groups or adding a GitHub Teams integration for secure access to sensitive repos.

Questions

How do I customize who gets auto-approved for which resources?

You may want secure auto-approvals to behave differently based on a few conditions. For instance, is the response team dealing with sensitive data or are they fixing a more general incident? A shorter 3 hour duration might make sense for sensitive data, while an 18 hour duration might be ideal for more mundane incidents.

To change default approval durations, create a new GitHub Secret in the same repo you created in Step 1.

Change approval duration

  • Add a secret named AUTO_APPROVAL_DURATION
    • Set the value to the default number of hours you would like an approval to last
    • For example, a value of 3 would default to a 3 hour duration

Similarly, you can set secure auto-approvals to only apply to specific on-call schedules.

Specify auto-approved schedules

  • Add a secret named AUTO_APPROVAL_INCIDENTIO_ROLES
    • Set the value to a comma separated list of the schedules you want to target
    • For example, a value of DBA, API would narrow the auto-approvals to just those Roles
      • Note: Role names are case sensitive

Lastly, adding labels to resources can help restrict auto-approvals to a smaller set of resources.

Filter with labels

  • Visit your Indent Admin page
    • For the rule you want to modify, click Edit → Add label
    • Enter a label name and value
    • For example, a label name might be Env and value Prod
    • Click Done → Save
  • Navigate to Resources and click on a resource you want the rule to target
    • Click Edit add an Env label
    • CLick Add label → Save to save your changes
    • Repeat this for each resource you want the rule to target
Where do I view the code I'm deploying?

The code is in the initial Indent APIs GitHub repo that you cloned.

How do I create a Incident.io API Key?

Incident.io has detailed docs on how to find and create an API Key.

Where can I find a list of all of the secrets?

A full list of secrets used by this integration are listed here.

NameValue
INDENT_WEBHOOK_SECRETGet this from your Indent App or an Indent Webhook in the Dashboard
Incident.io_KEYCreate an API access key for programatically getting on-call schedule participants.
AWS_ACCESS_KEY_IDYour Programmatic AWS Access Key ID
AWS_SECRET_ACCESS_KEYYour Programmatic AWS Secret Access Key
AWS_SESSION_TOKENOptional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires
How do I redeploy the webhook?

The repo you created from a template auto-deploys to AWS when you push or merge PRs to the main branch. You can manually redeploy the webhooks by re-running the latest GitHub Action job.

How do I ask for help?

If you have questions or need help with your integration, try chatting with Indent Support.