PagerDuty + Indent Webhook

This guide explains how to deploy an Indent webhook to the cloud for automatically managing access to PagerDuty schedules. This webhook can be run as an AwS Lambda.

Take a look at our example template on GitHub:

• template-aws-lambda-pagerduty

This page assumes that you or someone on your team has already completed the Quickstart. If you haven't already, we would recommend you check it out - it should take 5 minutes. By the end you should have a working Space you can integrate with this webhook.

Prerequisites

• PagerDuty Account
• PagerDuty API Key

Overview

We're going to set up automatic approvals for certain resource types for any on-call users with PagerDuty. This webhook can only be deployed as an AWS Lambda.

Step 0: Configure your cloud provider

Let's get all the AWS-specific items ready before getting started:

• AWS Account
• AWS CLI
• Terraform
  • Optional: Terraform's guide to working with the AWS Provider

Step 1: Configure the GitHub Repo

Before you deploy these webhooks for the first time, create an S3 bucket to store Terraform state, add your credentials as GitHub Secrets, then update the bucket in main.tf once you're done.

1. Configuring the S3 bucket

• Go to AWS S3 and select an existing bucket or create a new one.
• Select the settings given your environment:
  • Name — easily identifiable name for the bucket (example = indent-deploy-state-123)
  • Region — where you plan to deploy the Lambda (default = us-west-2)
  • Bucket versioning — if you want to have revisions of past deployments (default = disabled)
  • Default encryption — server-side encryption for deployment files (default = Enable)

2. Configuring AWS credentials

• Go to AWS IAM → New User and create a new user for deploys, e.g. indent-terraform-deployer
• Configure the service account access:
  • Credential type — select Access key - Programmatic access
  • Permissions — select Attach existing policies directly and select AdministratorAccess
• Add the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as GitHub Secrets to this repo

3. Connecting to PagerDuty

• Go to PagerDuty > Integrations > API Access Keys and create a new API key, then give the ke a descriptive name like Indent Auto Approvals
• Add this as PAGERDUTY_KEY as a GitHub Secret

4. Connecting to Indent

• If you're setting up as part of a catalog flow, you should be presented a Webhook Secret or go to your Indent space and create a webhook
• Add this as INDENT_WEBHOOK_SECRET as a GitHub Secret

5. Deploy

• Enter the bucket you created in main.tf in the backend configuration
• This will automatically kick off a deploy, or you can manually trigger from GitHub Actions

Actions secrets

Add the credentials for one of the authentication options below to your GitHub Secrets.

Configuring secrets / environment variables

Name	Value
INDENT_WEBHOOK_SECRET	Get this from your Indent App or an Indent Webhook in the Dashboard
PAGERDUTY_KEY	Create an API access key for programatically getting on-call schedule participants.
AWS_ACCESS_KEY_ID	Your Programmatic AWS Access Key ID
AWS_SECRET_ACCESS_KEY	Your Programmatic AWS Secret Access Key
AWS_SESSION_TOKEN	Optional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires

Step 2: Add the webhook to Indent

1. Sign into your Indent Space.
2. Navigate to your Webhooks in the sidebar.
3. Click +New in the top-right corner of the screen.
   1. Under "Webhook Name" enter a unique name for the webhook.
   2. Under "Kind of Webhook" select "Decision" from the dropdown.
4. Save the webhook.
5. Copy the signing secret for use with your new GitHub repository and store it securely.

Step 3: Deploy the webhook

1. In your repository, click Actions in the top menu, you should see at least one workflow run in the list.
2. Click on the workflow run, then click Re-run all jobs in the top right.
3. The workflow automatically deploys the webhook to AWS. If you commit any changes to the main branch of this repository the workflows will redeploy automatically.
4. After you finish deploying your webhook, enter the HTTP endpoint from AWS Lambda as the Webhook URL field in your new Webhook.
5. Save the Webhook.

Step 4: Create an auto-approval user

1. Navigate to Resources and create a new resource

2. Enter these details for the Resource:

   • Kind: bot.v1.user
   • Resource Name: PagerDuty Bot User
   • Resource ID: indent-pagerduty-user
   • Resource Email: bot@indent.com

3. Save the Resource.

Step 5: Configure your Indent policies

1. Select Policies in the Indent Dashboard and click on Webhook Policies (note you may need to enable "Feature Preview" to make changes to Webhook policies).

2. Click +New and create a new Policy.

   1. Under "Policy Name" give the Policy a unique name like "PagerDuty Auto Approval".
   2. Under "Webhooks" select the webhook you created in Step 2.

3. Save the new Policy by clicking Save in the top-right.

4. Click Apps in the Indent Dashboard and click on your communication app.

5. Open Access Request Rules and add any resource types to the "Kinds of Resources," your app can manage.

   • Alternatively, you can add individual Groups based on Resource ID in this section.

6. Configure the approvers for granting access to your Tailscale Groups.

   1. Add the user you created in Step 4, "PagerDuty Bot User" as an approver for your Rule.

7. Save the Rules.

Step 6: Make a test request

1. Go to Request Access.
2. Select the Resource Kind you configured for your Auto-approval rule from the dropdown and enter a reason for access.
3. Once the access is approved, check the group's page to confirm membership.

Congrats! You’ve just configured requesting and managing Auto-approvals with PagerDuty and Indent.