Heroku Credential Rotation Requirement
Updated: Aug 14, 2020
Dear valued Ignite users,
In the event of a Heroku security breach, partners need to be able to rotate keys for their install base. This is an “At-Will” exercise to protect Heroku and Partner customers. Heroku will notify you accordingly.
Heroku will ask partners to perform credential rotation activities, which may require a restart of "dynos" with the CG Ignite Editor Add-on attached. Though we don't anticipate the need to do this, it is a great practice to rotate security keys on your own. That is why the Ignite team will be providing a convenient method to do this key rotation on your own in the unlikely event of a Heroku breach. Until then, we'll make sure you are properly notified before we perform this kind of activity.
In Case of Breach, We Will Perform Necessary Steps
As a Partner, Ignite will perform the following steps to rotate keys when asked by Heroku:
1. Regenerate our Add-on OAuth credentials that interact with Heroku's Partner API
2. Update appropriate manifest and configuration files in Ignite's environment
3. Roll out a "Heroku Config Var" update to your Ignite Runtime that was generated when your Add-on was originally provisioned (this step automatically restarts your "dyno" within seconds)
New User Impact
New users who attach the add-on after a credential roll will not be affected.
Existing User Impact
Only your login to the Add-on may be affected by this potential change. Your existing application flows may be impacted only when the dyno restarts from the resulting Config Var update in Step 3. Note that existing credentials will be temporarily allowed until new credentials are in place.
If you have any questions, please email support.