init: repo

Author: zkodjo

.github/workflows/terraform.yml

@@ -0,0 +1,86 @@
+name: deploy.indent-pagerduty-decision-integration
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+env:
+  AWS_REGION: 'us-west-2'
+
+jobs:
+  terraform:
+    name: 'Terraform'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v1
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }} # if you have/need it
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Add profile credentials to ~/.aws/credentials
+        run: |
+          aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} --profile default
+          aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} --profile default
+
+      - name: Terraform Format
+        id: fmt
+        run: terraform fmt -check -diff
+
+      - name: Build Webhook (template-aws-lambda-pagerduty-decision-webhook)
+        run: npm run deploy:prepare && npm install && npm run build
+
+      - name: Terraform Init
+        id: init
+        run: terraform init
+
+      - name: Terraform Plan
+        id: plan
+        if: github.event_name == 'pull_request'
+        run: terraform plan -input=false -no-color
+        continue-on-error: true
+        env:
+          TF_VAR_indent_webhook_secret: ${{ secrets.INDENT_WEBHOOK_SECRET }}
+          TF_VAR_pagerduty_key: ${{ secrets.PAGERDUTY_KEY }}
+
+      - uses: actions/github-script@0.9.0
+        if: github.event_name == 'pull_request'
+        env:
+          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+            <details><summary>Show Plan</summary>
+            \`\`\`${process.env.PLAN}\`\`\`
+            </details>
+            *Actor: @${{ github.actor }}, Event: \`${{ github.event_name }}\`*`;
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -input=false -auto-approve
+        env:
+          TF_VAR_indent_webhook_secret: ${{ secrets.INDENT_WEBHOOK_SECRET }}
+          TF_VAR_pagerduty_key: ${{ secrets.PAGERDUTY_KEY }}

.gitignore

@@ -0,0 +1,10 @@
+data
+dist
+lib
+.env
+node_modules
+*.tfstate
+.terraform
+*.tfstate.*
+terraform/config/*.tfvars
+!terraform/config/example.tfvars

README.md

@@ -0,0 +1,81 @@
+# Indent + PagerDuty Integration
+
+This repository contains one webhook (AWS Lambda) to enable auto approvals for on-call rotation participants from Pagerduty using [Indent](https://indent.com/docs).
+
+## Quicklinks
+
+- [Indent Support](https://support.indent.com)
+- [GitHub Secrets](./settings/secrets/actions)
+- [GitHub Actions](./actions/workflows/terraform.yml)
+
+## Configuration
+
+Before you deploy these webhooks for the first time, [create an S3 bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) to store Terraform state, add your credentials as [GitHub Secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets), then update the bucket in `main.tf` once you're done.
+
+<details><summary><strong>1. Configuring the S3 bucket</strong></summary>
+<p>
+
+- [Go to AWS S3](https://s3.console.aws.amazon.com/s3/buckets) and select an existing bucket or create a new one.
+- Select the settings given your environment:
+  - Name — easily identifiable name for the bucket (example = indent-deploy-state-123)
+  - Region — where you plan to deploy the Lambda (default = us-west-2)
+  - Bucket versioning — if you want to have revisions of past deployments (default = disabled)
+  - Default encryption — server-side encryption for deployment files (default = Enable)
+
+</p>
+</details>
+
+<details><summary><strong>2. Configuring AWS credentials</strong></summary>
+<p>
+
+- [Go to AWS IAM → New User](https://console.aws.amazon.com/iam/home#/users$new?step=details) and create a new user for deploys, e.g. `indent-terraform-deployer`
+- Configure the service account access:
+  - Credential type — select **Access key - Programmatic access**
+  - Permissions — select **Attach existing policies directly** and select `AdministratorAccess`
+- Add the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` as GitHub Secrets to this repo
+
+</p>
+</details>
+
+<details><summary><strong>3. Connecting to PagerDuty</strong></summary>
+
+- [Go to PagerDuty > Integrations > API Access Keys](https://support.pagerduty.com/docs/api-access-keys#section-generate-a-general-access-rest-api-key) and create a new API key, then give the ke a descriptive name like `Indent Auto Approvals`
+- Add this as `PAGERDUTY_KEY` as a GitHub Secret
+
+</details>
+
+<details><summary><strong>4. Connecting to Indent</strong></summary>
+
+- If you're setting up as part of a catalog flow, you should be presented a **Webhook Secret** or [go to your Indent space and create a webhook](https://indent.com/spaces?next=/manage/spaces/[space]/webhooks/new)
+- Add this as `INDENT_WEBHOOK_SECRET` as a GitHub Secret
+
+</details>
+
+<details><summary><strong>5. Deploy</strong></summary>
+
+- Enter the bucket you created in `main.tf` in the `backend` configuration
+- This will automatically kick off a deploy, or you can [manually trigger from GitHub Actions](./actions/workflows/terraform.yml)
+
+</details>
+
+### Actions secrets
+
+Add the credentials for one of the authentication options below to your GitHub Secrets.
+
+<details open><summary>Configuring secrets / environment variables</summary>
+<p>
+
+| Name                  | Value                                                                                                                                                                                                                                                                |
+| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| INDENT_WEBHOOK_SECRET | Get this from your [Indent App](https://indent.com/spaces?next=/manage/spaces/%5Bspace%5D/apps) or an [Indent Webhook](https://indent.com/spaces?next=/manage/spaces/%5Bspace%5D/webhooks) in the Dashboard                                                          |
+| PAGERDUTY_KEY         | Create an [API access key](https://support.pagerduty.com/docs/api-access-keys#section-generate-a-general-access-rest-api-key) for programatically getting on-call schedule participants.                                                                             |
+| AWS_ACCESS_KEY_ID     | [Your Programmatic AWS Access Key ID](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys)                                                                                                                      |
+| AWS_SECRET_ACCESS_KEY | [Your Programmatic AWS Secret Access Key](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys)                                                                                                                  |
+| AWS_SESSION_TOKEN     | Optional: [Your AWS Session Token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#using-temp-creds-sdk-cli). **Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires** |
+
+</p>
+</details>
+
+## Deployment
+
+This repository auto-deploys to AWS when you push or merge PRs to the `main` branch. You can manually redeploy the webhooks by re-running the [latest GitHub Action job](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs).

main.tf

@@ -0,0 +1,15 @@
+terraform {
+  backend "s3" {
+    encrypt = true
+    bucket  = ""
+    key     = "indent/terraform.tfstate"
+  }
+}
+
+module "pagerduty-auto-approval-webhook" {
+  source = "./terraform"
+
+  aws_region            = var.aws_region
+  indent_webhook_secret = var.indent_pull_webhook_secret
+  pagerduty_key         = var.pagerduty_key
+}

outputs.tf

@@ -0,0 +1,4 @@
+output "pagerduty_auto_approval_webhook_url" {
+  value       = module.pagerduty_auto_approval_webhook.api_base_url
+  description = "The URL of the deployed Lambda"
+}

package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@indent/template-aws-lambda-pagerduty",
+  "version": "0.0.0",
+  "description": "A Node.js starter for Terraform on AWS with Indent and PagerDuty.",
+  "main": "index.js",
+  "private": true,
+  "scripts": {
+    "build": "tsc",
+    "clean:dist": "rm -rf dist",
+    "clean:modules": "rm -rf node_modules",
+    "clean:tf": "rm -rf terraform/.terraform && rm -rf terraform/terraform.tfstate*",
+    "clean:all": "npm run clean:dist; npm run clean:tf; npm run clean:modules",
+    "create:all": "npm run deploy:init; npm run deploy:prepare; npm run deploy:all",
+    "deploy:init": "cd terraform; terraform init",
+    "deploy:prepare": "npm install --production && ./scripts/build-layers.sh",
+    "deploy:all": "npm run build && npm run tf:apply -auto-approve",
+    "destroy:all": "npm run tf:destroy -auto-approve",
+    "tf:plan": "cd terraform && terraform plan -var-file ./config/terraform.tfvars",
+    "tf:apply": "cd terraform && terraform apply -compact-warnings -var-file ./config/terraform.tfvars",
+    "tf:destroy": "cd terraform && terraform destroy -auto-approve -var-file ./config/terraform.tfvars"
+  },
+  "author": "Indent Inc <open@indent.com>",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/indentapis/template-aws-lambda-pagerduty.git"
+  },
+  "devDependencies": {
+    "@types/aws-lambda": "^8.10.39",
+    "@types/node": "^13.9.8",
+    "@types/node-fetch": "^2.5.5",
+    "ts-loader": "^6.2.2",
+    "typescript": "^3.8.3"
+  },
+  "dependencies": {
+    "@indent/integration-pagerduty": "canary",
+    "@indent/runtime-aws-lambda": "canary",
+    "@indent/webhook": "latest",
+    "@indent/types": "latest",
+    "ts-node": "^8.5.4"
+  }
+}

scripts/build-layers.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -x
+set -e
+
+ROOT_DIR="$(pwd)"
+
+OUTPUT_DIR="$(pwd)/dist"
+
+LAYER_DIR=$OUTPUT_DIR/layers/nodejs
+
+mkdir -p $LAYER_DIR
+
+cp -LR node_modules $LAYER_DIR
+
+cd $OUTPUT_DIR/layers
+
+zip -q -r layers.zip nodejs

src/index.ts

@@ -0,0 +1,6 @@
+import { PagerdutyDecisionIntegration } from '@indent/integration-pagerduty'
+import { getLambdaHandler } from '@indent/runtime-aws'
+
+export const handle = getLambdaHandler({
+  integrations: [new PagerdutyDecisionIntegration()],
+})

terraform/apiGateway.tf

@@ -0,0 +1,64 @@
+resource "aws_api_gateway_rest_api" "api_gateway_rest_api" {
+  name        = "api_gateway"
+  description = "Api Gateway for Lambda"
+}
+
+resource "aws_api_gateway_resource" "api_gateway" {
+  rest_api_id = aws_api_gateway_rest_api.api_gateway_rest_api.id
+  parent_id   = aws_api_gateway_rest_api.api_gateway_rest_api.root_resource_id
+  path_part   = "{proxy+}"
+}
+
+resource "aws_api_gateway_method" "api_gateway_method" {
+  rest_api_id   = aws_api_gateway_rest_api.api_gateway_rest_api.id
+  resource_id   = aws_api_gateway_resource.api_gateway.id
+  http_method   = "ANY"
+  authorization = "NONE"
+
+  request_parameters = {
+    "method.request.header.x-indent-signature" = true
+    "method.request.header.x-indent-timestamp" = true
+  }
+}
+
+resource "aws_api_gateway_integration" "api_gateway_integration" {
+  rest_api_id = aws_api_gateway_rest_api.api_gateway_rest_api.id
+  resource_id = aws_api_gateway_method.api_gateway_method.resource_id
+  http_method = aws_api_gateway_method.api_gateway_method.http_method
+
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = aws_lambda_function.lambda.invoke_arn
+}
+
+resource "aws_api_gateway_method" "api_gateway_root_method" {
+  rest_api_id   = aws_api_gateway_rest_api.api_gateway_rest_api.id
+  resource_id   = aws_api_gateway_rest_api.api_gateway_rest_api.root_resource_id
+  http_method   = "ANY"
+  authorization = "NONE"
+
+  request_parameters = {
+    "method.request.header.x-indent-signature" = true
+    "method.request.header.x-indent-timestamp" = true
+  }
+}
+
+resource "aws_api_gateway_integration" "api_gateway_root_integration" {
+  rest_api_id = aws_api_gateway_rest_api.api_gateway_rest_api.id
+  resource_id = aws_api_gateway_method.api_gateway_root_method.resource_id
+  http_method = aws_api_gateway_method.api_gateway_root_method.http_method
+
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = aws_lambda_function.lambda.invoke_arn
+}
+
+resource "aws_api_gateway_deployment" "api_gateway_deployment" {
+  depends_on = [
+    aws_api_gateway_integration.api_gateway_integration,
+    aws_api_gateway_integration.api_gateway_root_integration,
+  ]
+
+  rest_api_id = aws_api_gateway_rest_api.api_gateway_rest_api.id
+  stage_name  = "dev"
+}