Boundary SDK Integration

The Sym SDK provides convenience methods for interacting with Boundary in your impl.py.

Did you configure your Boundary Integration?

Before continuing, make sure you followed the instructions on the main Boundary page to set up your Boundary system user and Integration.

Before continuing, you will need to have:

  • Connected Sym with AWS Secrets Manager
  • Configured your Boundary system user's credentials with Sym
  • Defined a Boundary Integration resource

Add your Boundary Integration to your Environment

If you are writing an impl.py for your Boundary Access Strategy, then your Boundary Integration will be implicitly available, and you can use the SDK methods without additional configuration.

However, if you wish to use the Boundary SDK methods in a different Flow (e.g. an Approval-Only Flow), then you must specify the Integration in your Environment.

resource "sym_environment" "this" {
  name            = "main"
  error_logger_id = sym_error_logger.slack.id

  integrations = {
    slack_id = sym_integration.slack.id

    # This is required to use Boundary SDK methods in implementations for non-Boundary Flows.
    boundary_id = sym_integration.boundary.id
  }
}

Using Boundary in your Flows

For more information on the supported methods in the boundary module, please visit the Sym SDK Boundary Docs.

Example implementations

Only members of a specific Boundary group can approve requests

from sym.sdk.annotations import hook
from sym.sdk.integrations import boundary
from sym.sdk.templates import ApprovalTemplate


@hook
def on_approve(event):
  # Approver Group ID = g_abc123
  # Only allow members in an Approver Group to be able to approve requests
  approver_group = boundary.get_group(group_id="g_abc123")
  approver_member_ids = approver_group["member_ids"]
  
  if event.user.identity("boundary") not in approver_member_ids:
    return ApprovalTemplate.ignore(message="Only members of the Approvers group may approve")

Only members of the requested Boundary group can approve the request

from sym.sdk.annotations import hook
from sym.sdk.integrations import boundary
from sym.sdk.templates import ApprovalTemplate


@hook
def on_approve(event):
  # Get the group details from the target in the request payload
  requested_group_id = event.payload.fields["target"].settings["group_id"]
  group_name = event.payload.fields["target"].label
  
  current_group_members = boundary.get_group(group_id=requested_group_id)["member_ids"]

  # Only allow members of the group to approve requests
  if event.user.identity("boundary") not in current_group_members:
    return ApprovalTemplate.ignore(message=f"Only members of {group_name} may approve requests for {group_name}")
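
Both hooks above reduce to one membership test on the "member_ids" value of a group record. The following is an added example, not code from the Sym SDK or the original page: it isolates that test in a fail-closed function that can be unit tested without the SDK. The names may_approve, Decision and SAMPLE_GROUP and the user IDs are assumptions made for illustration.

```python
"""Fail-closed approver check for the on_approve hooks above (added example)."""
from collections.abc import Mapping
from typing import NamedTuple, Optional


class Decision(NamedTuple):
    allowed: bool
    reason: str


def may_approve(approver_id: Optional[str], group: Optional[Mapping]) -> Decision:
    """Decide whether approver_id may approve, given a group record.

    `group` is assumed to have the shape the page's hooks rely on: a mapping
    with a "member_ids" list, as read from boundary.get_group(...).
    Anything unexpected yields a denial, never an exception or a silent allow.
    """
    # A user with no Boundary identity must not match anything.
    if not isinstance(approver_id, str) or not approver_id.strip():
        return Decision(False, "approver has no Boundary identity")
    if not isinstance(group, Mapping):
        return Decision(False, "group lookup returned no record")
    members = group.get("member_ids")
    # A bare string would turn `in` into a substring match ("u_al" in "u_alice").
    if not isinstance(members, (list, tuple, set, frozenset)):
        return Decision(False, "group record has no usable member_ids")
    if approver_id not in members:
        return Decision(False, "approver is not a member of the group")
    return Decision(True, "approver is a member of the group")


# Constructed sample data; the user IDs are placeholders, not real Boundary IDs.
SAMPLE_GROUP = {"member_ids": ["u_alice", "u_bob"]}

if __name__ == "__main__":
    for who in ("u_alice", "u_al", None):
        print(who, may_approve(who, SAMPLE_GROUP))
```

Inside a hook, a denied Decision maps onto the page's existing pattern: return ApprovalTemplate.ignore(message=...) with the reason, and return nothing when the approver is allowed.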