Connect with atSpoke on AWS via Terraform

Prerequisites

• Node v10+ — can find out by running node --version should also have npx

  • via package manager
  • via node version manager
• Terraform — installation docs

• Cloud credentials

  • atSpoke — Service Account and API token
  • AWS — IAM policy for deploying AWS Lambda

• Step 1: Create Indent Space

  • Create a space: indent.com/spaces/new

  • Step 1.2: Add others to Indent and upgrade your role

    • On the manage space page, click "Invite" (FYI: this currently does not email the invitees)
    • Add anyone who needs any kind of access as "Viewer"
    • Add anyone else on your team who'll need to request on others behalf others or may need to edit policies as "Editor" (they will still need to "Viewer" too)
    • Grant yourself or whoever is completing the other steps "Creator" role

• Step 2: Create Slack workspace (if necessary)

  • Create a workspace https://slack.com/get-started#/create
  • Create a channel called #access-requests

• Step 3: Connect Slack to Indent

  • Go to the Connect to Slack page https://indent.com/catalog/slack/start
  • Click Add to Slack, select the test Slack workspace and then select the right Indent space
  • Then you'll land on the App page
  • Expand the Webhook section and keep the Webhook Secret around for Step 5
  • Add @Indent to #access-requests channel (Important!)

• Step 4: Prepare atSpoke

  • Create a new User with an easily identifiable name like "Indent Bot"

    • Use a Google Group or shared inbox as the email

  • Go to Profile → API → API token (tab) then "Generate a token"

    • https://[your-tenant].askspoke.com/profile/api
    • Keep the page open or copy the token to your clipboard

• Step 5: Create and setup your webhook

  • Clone the atSpoke on AWS via Terraform Webhook from the indentapis/indent-js repo...

curl https://codeload.github.com/indentapis/indent-js/tar.gz/master | \
  tar -xz --strip=2 indent-js-master/examples/terraform-aws-atspoke-webhook && \
  mv terraform-aws-atspoke-webhook myapp-terraform-aws-atspoke-webhook

• Now install the dependencies...

npm run deploy:init # initializes terraform aws provider with ~/.aws/config
npm run deploy:prepare # builds AWS Lambda layers

• Add the environment variables...

mv terraform/config/example.tfvars terraform/config/terraform.tfvars

# Indent Webhook Secret is used to verify messages from Indent
indent_webhook_secret = "<from-step-3>"
# Indent Space Name is used to link to the right space on Indent
indent_space_name = "my-space-123"
# atSpoke API Key is used to authorize requests to your atSpoke environment
atspoke_api_key = "<from-step-4"

npm run tf:plan
npm run tf:apply

# or if you want to auto-approve deploy
npm run deploy:all

• Once it's deployed, copy the URL from the endpoints and add to the App

• Step 6: Add Rules to Indent

  • Add kinds of resources, for okta: okta.v1.group
  • Add resource IDs, or leave blank for all
  • Add approvers (individuals who can approve) and, optionally, recipients (public or private channels)