Custom Integrations

Sym's Custom Framework enables implementers to define their own Access Strategies.

Overview

In addition to native Access Targets and AWS Lambda, Sym provides an interface that enables implementers to define fully custom Access Strategies.

πŸ“˜

Want to jump right in? Try the quickstart!

If you're ready to dive in, these resources have everything you need to start building:

Custom Strategy Framework

The Sym Strategy Framework provides the tools to:

  • Define custom Strategy logic for escalate, deescalate, and identity fetching/matching
  • Define user-facing targets to which the Strategy can be applied
  • Deploy the Strategy as a custom Flow.

Of course, as with any Sym Strategy, implementers can also define Workflow Handlers to customize, automate, and route their Flows.

πŸ“˜

Terraform is highly variable

The below examples assume a configuration in which multiple Sym Flows are defined as separate modules, and brought together through a single main.tf file. Your configurations may vary. For full context on the below, be sure to check out the whole repo from which these examples are pulled.

The Custom logic

The bulk of the Custom Strategy is defined in the strategy.py file that lives alongside your Flow definition and implementation.

from sym.sdk.strategies import AccessStrategy
from sym.sdk.integrations import slack


class CustomAccess(AccessStrategy):
    def fetch_remote_identity(self, user):
        return user.email

    def escalate(self, target_id, event):
        requester = self.get_requester_identity(event)
        target_identifier = event.payload.fields["target"].settings["identifier"]
        slack.send_message(slack.user(requester), f"Access to {target_identifier} granted!")

    def deescalate(self, target_id, event):
        requester = self.get_requester_identity(event)
        target_identifier = event.payload.fields["target"].settings["identifier"]
        slack.send_message(slack.user(requester), f"Access to {target_identifier} revoked!")

Declaring the Flow, Strategy, and Target definitions

Like any Sym Strategy, a Custom Strategy needs to be declared in Terraform.

# The Flow that grants users access to custom targets.
resource "sym_flow" "this" {
  name  = local.flow_name
  label = "Custom Quickstart"

  template = "sym:template:approval:1.0.0"

  implementation = "${path.module}/impl.py"

  environment_id = var.sym_environment.id

  vars = var.flow_vars

  params = {
    strategy_id = sym_strategy.this.id

    prompt_fields_json = jsonencode(
      [
        {
          name     = "reason"
          type     = "string"
          required = true
        }
      ]
    )
  }
}

# The Strategy your Flow uses to manage access.
resource "sym_strategy" "this" {
  type = "custom"

  name           = local.flow_name
  implementation = "${path.module}/strategy.py"
  integration_id = sym_integration.custom.id
  targets        = [for target in var.targets : sym_target.targets[target["identifier"]].id]
}

# The targets that your Sym Strategy manages access to.
resource "sym_target" "targets" {
  for_each = { for target in var.targets : target["identifier"] => target["label"] }

  type = "custom"

  name  = "${local.flow_name}-${each.key}"
  label = each.value

  settings = {
    identifier = each.key
  }
}

# A custom Integration can be used to access secrets in your custom strategy implementation
# as well as manage identities.
resource "sym_integration" "custom" {
  type        = "custom"
  name        = local.flow_name
  external_id = var.integration_identifier

  settings = {
    secret_ids_json = jsonencode([sym_secret.api_key.id])
  }
}

Deploying the Strategy

Finally, the full Strategy is deployed as a Flow.

# A Flow that can manage access to a list of IAM target groups.
module "custom_access_flow" {
  source = "../modules/custom-access-flow"

  flow_vars        = var.flow_vars
  secrets_settings = module.sym_runtime.secrets_settings
  sym_environment  = module.sym_runtime.prod_environment
  targets          = var.targets
}

Did this page help you?