This page assumes you have completed Getting Started: Implement Your First Flow, or already have some basic Sym resources created. If you have not created any Sym resources yet, please visit the Getting Started pages first.
Sym provides several first-party integrations with AWS Services:
- Managing AWS IAM Group Membership
- Invoking AWS Lambdas as an Access Strategy or from hooks
- Managing AWS SSO Access
- Reporting through AWS Kinesis Firehose and AWS Kinesis Data Stream
Connect the Sym Runtime with your AWS Account
You only need one Runtime Connector per environment
If you have already completed the steps in Manage Secrets with AWS Secrets Manager, then you can move on to the "Add the Runtime Permission Context to your Sym Runtime" section!
In order for Sym to integrate with these AWS Services, you must give the Sym Runtime the correct IAM Roles and policies to access your AWS Account's resources.
This is largely done with the Runtime Connector module. To use any AWS Integration, you must declare a runtime_connector module and connect it to your sym_runtime instance.
Declare the Runtime Connector Module
Add the runtime_connector module to your Terraform configuration. This only needs to be done once for an environment.
The most basic declaration creates an AWS IAM Role that the Sym Runtime can assume to execute operations in your AWS account.
# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"
  environment = "main"
  # For secrets and reporting, you will need to declare addons later
  # addons = ["aws/secretsmgr", ...]
}
Declare the Runtime Permission Context
The runtime_connector module created the AWS resources necessary for the Sym Runtime to access resources in your AWS account, but we still need to Terraform the Sym resources that tell the Sym Runtime which IAM role it should assume.
This is done with a sym_integration resource with type = permission_context.
# An Integration that tells the Sym Runtime which IAM Role to assume in your Account
# (The IAM Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type = "permission_context"
  name = "runtime-main"
  settings = module.runtime_connector.settings
  external_id = module.runtime_connector.settings.account_id
}
Add the Runtime Permission Context to your Sym Runtime
In Getting Started: Declare the Sym Runtime, you created a basic sym_runtime resource with just a name. Add a new key context_id to refer to the sym_integration.runtime_context resource.
resource "sym_runtime" "this" {
  name = "main"
  # This tells the Sym Runtime to assume the IAM Role declared by the
  # runtime_connector module when executing AWS-related Access Strategies
  context_id = sym_integration.runtime_context.id
}
Full Configuration Example
############ Giving Sym Runtime Permissions to Execute in your AWS Account ##############
# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"
  environment = "main"
}
# An Integration that tells the Sym Runtime resource which AWS Role to assume
# (The AWS Role created by the runtime_connector module)
resource "sym_integration" "runtime_context" {
  type = "permission_context"
  name = "main-runtime"
  external_id = module.runtime_connector.settings.account_id
  settings = module.runtime_connector.settings
}
############ Basic Environment Setup ##############
resource "sym_runtime" "this" {
  name = "main"
  # Give the Sym Runtime the permissions defined by the runtime_connector module.
  context_id = sym_integration.runtime_context.id
}
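To catch a runtime that was declared without its permission context before applying, the wiring above can be checked in CI against the output of `terraform show -json`. This is an added example, not Sym's own tooling: the function name is hypothetical, the sample plan is constructed and trimmed to the fields the check reads, and it assumes settings should come from a module output, as in the configuration above.

```python
import json

# Constructed sample: the "configuration" part of `terraform show -json` output
# for the full configuration above, trimmed to the fields this check reads.
SAMPLE_PLAN = json.loads("""
{
  "configuration": {"root_module": {"resources": [
    {"address": "sym_integration.runtime_context", "type": "sym_integration",
     "expressions": {
       "type": {"constant_value": "permission_context"},
       "settings": {"references": ["module.runtime_connector.settings",
                                   "module.runtime_connector"]}}},
    {"address": "sym_runtime.this", "type": "sym_runtime",
     "expressions": {
       "context_id": {"references": ["sym_integration.runtime_context.id",
                                     "sym_integration.runtime_context"]}}}
  ]}}
}
""")


def check_runtime_wiring(plan):
    """Return a list of findings; an empty list means the wiring matches the page."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    by_address = {r["address"]: r for r in resources}
    findings = []
    for res in resources:
        if res["type"] != "sym_runtime":
            continue
        # context_id must point at a resource declared in this configuration
        refs = res.get("expressions", {}).get("context_id", {}).get("references", [])
        targets = [by_address[r] for r in refs if r in by_address]
        if not targets:
            findings.append(f"{res['address']}: context_id does not reference a declared resource")
            continue
        for target in targets:
            expr = target.get("expressions", {})
            if (target["type"] != "sym_integration"
                    or expr.get("type", {}).get("constant_value") != "permission_context"):
                findings.append(f"{res['address']}: {target['address']} is not a permission_context integration")
            # Assumption: settings is taken from a module output, not hand-written
            elif not any(r.startswith("module.") for r in expr.get("settings", {}).get("references", [])):
                findings.append(f"{target['address']}: settings is not taken from a module output")
    return findings


if __name__ == "__main__":
    for finding in check_runtime_wiring(SAMPLE_PLAN) or ["ok"]:
        print(finding)
```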
Next Steps
With these resources, you are now ready to implement an AWS-integrated Sym Flow!