feat(integrations): Atlassian Assets connector with service account support #141

Open
joshlemos wants to merge 4 commits into grcengineering:main from joshlemos:feat/atlassian-assets

@joshlemos
Contributor

Summary

  • Add Atlassian Assets (CMDB) connector with service account authentication via API gateway
  • Graceful fallback: when Assets/CMDB scopes are unavailable (common with service accounts), the connector syncs Jira project data instead
  • Flatten nested config.credentials for quick-setup compatibility in testConnection() and triggerSync()
  • Route service account requests through api.atlassian.com/ex/jira/{cloudId} gateway with Cloud ID auto-discovery via _edge/tenant_info
  • Add Atlassian integration type to frontend config modal and type definitions

Context

Atlassian service account API tokens cannot be granted CMDB/Assets scopes — this is a known platform limitation. Rather than failing, the connector treats auth + Jira access as success and reports Assets as an optional capability. When Assets is unavailable, sync pulls Jira projects (id, key, name, description, type, lead).

The quick-setup flow stores credentials under config.credentials.{field} but connectors expect flat top-level fields. Added credential flattening in the service layer before validation and connector invocation.

Dependencies

This PR depends on #139 (Infisical integration) — it modifies integrations.service.ts which was heavily changed in that PR. Merge #139 first.

Test plan

  • Atlassian integration type appears in frontend integration setup modal
  • testConnection() succeeds with valid Atlassian service account credentials
  • Connection test reports capabilities (Jira access, Assets availability)
  • triggerSync() syncs Jira projects when Assets is unavailable
  • Credentials stored via quick-setup (nested) work correctly
  • Service accounts route through API gateway, not direct site URL

@chadfryer
Collaborator

This PR depends on #139 which has merge conflicts. Please wait for #139 to be rebased and merged first.

joshlemos added 4 commits February 13, 2026 10:49
Phase 1 & 2 implementation of centralized secrets management:
- Add Infisical service to dev and prod Docker Compose configs
- Add SecretsModule/SecretsService to shared library
- Integrate SecretsModule into controls service for credential storage
- Add per-service auth modules for frameworks, policies, audit, trust
- Add database init scripts for Keycloak and Infisical databases
- Fix Keycloak DB URL to use dedicated database instead of app DB
- Update startup scripts with Infisical bootstrap secret generation
- Add Makefile targets for secrets-ui and secrets-seed
- Backward compatible: falls back to env vars when Infisical unavailable

…n UX

- Rewrite Atlassian Assets connector with auto-discovery of Cloud ID
  and Workspace ID from site URL
- Add object schema sync support alongside asset objects
- Fix integration update mutation to exclude immutable type field
- Update frontend config fields with helpful placeholders and descriptions

Atlassian service account API tokens must use the Platform API Gateway
(api.atlassian.com/ex/jira/{cloudId}) rather than the site URL directly.
Regular user API tokens continue to use the site URL.

- Auto-detect service accounts by @serviceaccount.atlassian.com email
- Discover Cloud ID via public /_edge/tenant_info endpoint
- Route all API calls through api.atlassian.com for service accounts
- Provide clear error messages about required token scopes
- Update sync() to use same gateway routing logic

…and Keycloak DB URL

Atlassian connector:
- Add resolveCredentials() for flat or nested config.credentials
- verifyAuth() falls back from /myself to /project for service account scope compat
- Treat auth + Jira access as success; Assets is optional (service account CMDB scope limitation)
- Sync Jira projects when Assets workspace is unavailable
- Flatten nested credentials in integrations.service.ts before validation

Keycloak:
- Fix KC_DB_URL to use dedicated keycloak database instead of app database

@joshlemos force-pushed the feat/atlassian-assets branch from 4610f1c to 0169430 on February 13, 2026 19:09
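
The credential flattening and service-account routing described in the summary and commit messages above, as an added example that is not code from this PR. The field names `siteUrl`, `email` and `apiToken`, the flat-over-nested precedence, the https check and the UUID shape check on the Cloud ID are assumptions of this sketch.

```typescript
// Added illustration (not the PR's code). Field names siteUrl/email/apiToken are assumed.
type Config = Record<string, unknown>;
interface AtlassianCreds { siteUrl: string; email: string; apiToken: string }

const GATEWAY = "https://api.atlassian.com/ex/jira";
const SERVICE_ACCOUNT_SUFFIX = "@serviceaccount.atlassian.com";
// Assumption: Cloud IDs are UUID-shaped; anything else is rejected before it reaches a URL path.
const CLOUD_ID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Accept flat fields or quick-setup's nested config.credentials.{field}.
// A flat value wins when both are present (a choice made for this example).
function resolveCredentials(config: Config): AtlassianCreds {
  const raw = config["credentials"];
  const nested: Config = typeof raw === "object" && raw !== null ? (raw as Config) : {};
  const pick = (field: string): string => {
    const value = config[field] ?? nested[field];
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`missing credential field: ${field}`); // name the field, never echo a value
    }
    return value.trim();
  };
  return { siteUrl: pick("siteUrl"), email: pick("email"), apiToken: pick("apiToken") };
}

function isServiceAccount(email: string): boolean {
  return email.toLowerCase().slice(-SERVICE_ACCOUNT_SUFFIX.length) === SERVICE_ACCOUNT_SUFFIX;
}

// Only https site URLs are accepted, so the token is never sent in cleartext.
function siteOrigin(siteUrl: string): string {
  const url = new URL(siteUrl);
  if (url.protocol !== "https:") throw new Error("site URL must use https");
  return url.origin;
}

// Public endpoint used to discover the Cloud ID for a site.
function tenantInfoUrl(creds: AtlassianCreds): string {
  return `${siteOrigin(creds.siteUrl)}/_edge/tenant_info`;
}

// Service accounts go through the gateway; regular user tokens use the site URL.
function jiraBaseUrl(creds: AtlassianCreds, cloudId?: string): string {
  if (!isServiceAccount(creds.email)) return siteOrigin(creds.siteUrl);
  if (!cloudId || !CLOUD_ID_RE.test(cloudId)) throw new Error("valid Cloud ID required for service account");
  return `${GATEWAY}/${cloudId}`;
}
```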