
Opsgenie Integration

This guide will show you how to set up an integration between Opsgenie and Indent. Once complete, your team can request access to resources and be approved based on their on-call status.

Through API magic, Indent securely grants access to just about any service. Opsgenie is a good integration for quickly granting access in an emergency.

What can I do with Opsgenie + Indent?

  • Notify the correct people to respond to an incident
  • Give secure, on-demand production and customer data access in seconds based on Opsgenie on-call status
  • Auto-revoke access after a configurable duration
  • Record comprehensive access logs for compliance audits

Opsgenie is one of a few incident solutions integrated with Indent. Other incident solutions, like PagerDuty and Incident.io, are also available. If you'd like us to add another incident manager, send us a request.

Components

Note: This page assumes you completed the Indent Quickstart (5 min setup).

Configuration

This guide uses an identity provider (like Google or Okta) to connect with Opsgenie. Indent is used to grant temporary (or permanent) access to resources, and automatically collects evidence your org needs for audits and compliance.

This guide uses GitHub Actions and Terraform to deploy an Opsgenie + Indent integration. AWS S3 will be used to store Terraform state, and AWS Lambda will run the webhook. If you'd prefer Indent to run this for you, contact us!

1. Clone the repo

  • Click on the Fork button to clone the repo
  • In your new fork's GitHub page open the folders example aws-lambda-opsgenie-webhook
    • Leave this tab open for minor edits we'll make to files in upcoming steps
  • In a new tab, open the main GitHub page for your fork and navigate to Settings → Secrets → Actions
    • Leave this tab open for adding secrets from the next steps

2. Create an S3 bucket

  • Go to AWS S3 and select an existing bucket or create a new one
    • Most of the default settings are good, but some recommended values are included here.

Recommended AWS S3 values

  • Name — easily identifiable name for the bucket, such as indent-deploy-state-123.
  • Region — where you plan to deploy the Lambda, like us-west-2.
  • Bucket versioning — enable if you want to keep revisions of past deployments; otherwise pick disabled.
  • Default encryption — enable to get server-side encryption for deployment files.
  • This integration assumes your region is us-west-2, and S3 encryption is turned on. If you choose other settings, update your main.tf values accordingly.

3. Create AWS credentials

  • Go to AWS IAM → Add Users and create a new user, such as indent-terraform-deployer
  • Configure the service account's access:
    • Credential type — select Access key - Programmatic access
    • Permissions — click Attach existing policies directly and select AdministratorAccess
    • Follow the prompts until the account is created
  • Add the resulting values as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to GitHub Secrets.

4. Make an Opsgenie API Key

5. Update Indent

  • On your Indent dashboard go to Integrations → Catalog → Opsgenie
    • Copy the webhook secret, and in a new tab add it to your GitHub Secrets as INDENT_WEBHOOK_SECRET
    • Leave this Opsgenie + Indent integrations page open until the final step
  • In a new tab, open main.tf from your GitHub repo, and change the empty value for backend to the bucket name you chose in step 2 (Create an S3 bucket)
  • From your repo navigate to GitHub Actions → The latest job, and copy the URL shown in Terraform Log
    • Note: If your most recent job failed, relaunch the job and wait for it to succeed
    • On your Opsgenie + Indent integrations page, paste the URL you just copied

6. Update Policies

  • On your Indent dashboard go to Admin → Policies → Webhook Policies → + New
    • Expand the webhooks field, and select your Opsgenie webhook
    • Optionally, you can add other conditions using the Condition Builder. As a default, no condition means that only an active on-call status is needed for auto-approval
  • On your Indent dashboard go to Admin → Config
    • Enable auto-approval by adding the bot user or [email protected] to the list of Reviewers
    • Select one of the elements under Kinds of Resources, and add any resources you want available for on-demand access
    • Save your changes

Confirm it Works

  • Identify a person who is currently on-call
  • Submit an access request to a resource for that person
    • Note: If you would like a reminder on how to make a request, visit the Indent Quickstart guide.
  • Verify that the Opsgenie bot auto-approves access
  • Add resources like AWS IAM, Okta Groups, and other services that your on-call engineers might need to request access to during an incident

Summary

Congrats! You added the Opsgenie + Indent integration. Your team can now request access and have it granted based on their on-call status. Indent will automatically record an audit log, and auto-expire access after a time period of your choosing.

Check out the Integrations page for other services your teams want to request. If there's a new integration you'd like to see, request a new one. You might be ready to start inviting others to try Indent. If that's the case, you'll want to send them docs on how to make a request. You and anyone approving requests should read more about approving and declining requests.

Questions

How do I customize who gets auto-approved for which resources?

You may want secure auto-approvals to behave differently based on a few conditions. For instance, is the response team dealing with sensitive data, or are they fixing a more general incident? A shorter 3-hour duration might make sense for sensitive data, while an 18-hour duration might be ideal for more mundane incidents.

To change default approval durations, create a new GitHub Secret in the same repo you created in Step 1.

Change approval duration

  • Add a secret named AUTO_APPROVAL_DURATION
    • Set the value to the default number of hours you would like an approval to last
    • For example, a value of 3 would default to a 3 hour duration

Similarly, you can set secure auto-approvals to only apply to specific on-call schedules.

Specify auto-approved schedules

  • Add a secret named AUTO_APPROVAL_INCIDENTIO_ROLES
    • Set the value to a comma-separated list of the schedules you want to target
    • For example, a value of DBA, API would narrow the auto-approvals to just those Roles
      • Note: Role names are case sensitive

Lastly, adding labels to resources can help restrict auto-approvals to a smaller set of resources.

Filter with labels

  • Visit your Indent Admin page
    • For the rule you want to modify, click Edit → Add label
    • Enter a label name and value
    • For example, a label name might be Env and value Prod
    • Click Done → Save
  • Navigate to Resources and click on a resource you want the rule to target
    • Click Edit and add an Env label
    • Click Add label → Save to save your changes
    • Repeat this for each resource you want the rule to target
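
The three settings above (default duration, schedule filter, labels) combine into a single approve-or-deny decision. The following model is an added example, not the webhook code from the Indent repo: the function names, the on-call data shape, the whitespace trimming and the 1-hour fallback are assumptions, while the secret names are the ones given on this page.

```javascript
// Added example: a simplified model of the auto-approval decision described
// above. It is not the webhook code from the Indent repo.

// Parse the comma-separated secret; an empty or unset value means "no filter".
// Assumption: whitespace around names is trimmed. Case is preserved because
// the page states names are case sensitive.
function parseList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Parse AUTO_APPROVAL_DURATION as a positive number of hours.
// Assumption: a fallback (1 hour here) applies when the value is unset or invalid.
function parseDurationHours(value, fallback = 1) {
  const hours = Number(value);
  return Number.isFinite(hours) && hours > 0 ? hours : fallback;
}

// env: the secrets as key/value pairs. onCall: { scheduleName: [emails] }
// (constructed shape). request: { user, resourceLabels }. rule: { labels }.
function decide(env, onCall, request, rule = { labels: {} }) {
  const allowed = parseList(env.AUTO_APPROVAL_INCIDENTIO_ROLES);
  const schedules = Object.keys(onCall).filter(
    (name) => allowed.length === 0 || allowed.includes(name) // exact, case-sensitive
  );
  const matched = schedules.filter((name) => onCall[name].includes(request.user));
  if (matched.length === 0) {
    return { approved: false, reason: 'requester is not on call for a targeted schedule' };
  }
  // Every label on the rule must be present on the resource with the same value.
  for (const [key, value] of Object.entries(rule.labels || {})) {
    if ((request.resourceLabels || {})[key] !== value) {
      return { approved: false, reason: `resource is missing label ${key}=${value}` };
    }
  }
  return {
    approved: true,
    schedules: matched,
    durationHours: parseDurationHours(env.AUTO_APPROVAL_DURATION),
  };
}

// Constructed sample data.
const env = { AUTO_APPROVAL_DURATION: '3', AUTO_APPROVAL_INCIDENTIO_ROLES: 'DBA, API' };
const onCall = { DBA: ['ana@example.com'], dba: ['bo@example.com'], Web: ['cy@example.com'] };
const prodRule = { labels: { Env: 'Prod' } };
const prodDb = { user: 'ana@example.com', resourceLabels: { Env: 'Prod' } };

console.log(decide(env, onCall, prodDb, prodRule));
```

In this model, a requester who is on call only for a schedule named dba is denied when the filter lists DBA, which is the case-sensitivity pitfall noted above.
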

Where do I view the code I'm deploying?

The code is in the initial Indent APIs GitHub repo that you cloned.

How do I create an Opsgenie API Key?

Opsgenie has detailed docs on how to find and create an API Key.

Where can I find a list of all of the secrets?

The full list of secrets used by this integration is shown here.

| Name | Value |
| --- | --- |
| INDENT_WEBHOOK_SECRET | Get this from your Indent App or an Indent Webhook in the Dashboard |
| OPSGENIE_KEY | Create an API access key for programmatically getting on-call schedule participants. |
| AWS_ACCESS_KEY_ID | Your Programmatic AWS Access Key ID |
| AWS_SECRET_ACCESS_KEY | Your Programmatic AWS Secret Access Key |
| AWS_SESSION_TOKEN | Optional: Your AWS Session Token. Note: If you use an AWS Session ID, you will need to update it for each deployment once the session expires |

How do I redeploy the webhook?

The repo you created from a template auto-deploys to AWS when you push or merge PRs to the main branch. You can manually redeploy the webhooks by re-running the latest GitHub Action job.

How do I ask for help?

If you have questions or need help with your integration, try chatting with Indent Support.