Flow Params
All Sym Flows require a set of params
that combine the Flow's Strategy with a set of prompt fields that define what an end-user sees when they invoke a Sym request.
Overview
The Flow is the core primitive that brings the Sym end-user experience, access Strategy, and implementation rules into a single declaration. While the Strategy and Target(s) are defined as separate resources in Terraform, the Flow itself defines the fields that an end-user sees.
Params
Flows that inherit from sym:approval
require you to specify the below parameters.
The below table applies only to Flows that have a defined Strategy
All Access Flows must have a
strategy_id
that references a valid Strategy. If thestrategy_id
is omitted from theparams
, it implies an Approval-Only Flow, which has slightly different requirements.
Name | Type | Required | Description |
---|---|---|---|
| String | Yes* | The ID of a |
| JSON | Yes | Defines a set of one or more fields that enable you to collect variable information from a user who's requesting access to a resource. This attribute collects all your fields as a jsonencoded string so they can be rendered at runtime. |
| Boolean | No; | Defaults to If If |
| Boolean | No; | Defaults to If If |
| String; supports Slack markdown. | No | An optional text field that will append the string value to the header text that is displayed at the top of the Slack request modal. Note that this is append only. The default text will always be displayed. |
| JSON-list of strings | No | Defaults to all sources. An optional list of sources from which this Flow can be invoked. Valid sources:
|
Examples
prompt_fields_json
prompt_fields_json
Fields are important for gathering important context for your requests for approvals, parsing and routing via Handlers, and for inclusion in your Reports.
In addition to any optional fields you'd like to include, there are two required fields for all sym:approval
requests: reason
, which is a simple text field, and duration
, which defines a list of allowed values for how long access will be granted. For more information on the duration
attribute, see our guide on Access Duration.
params = {
name = "prod_access"
label = "Prod SSO Access"
template = "sym:template:approval:latest"
implementation = "${path.module}/impl.py"
# The strategy (including Targets, defined elsewhere)
strategy_id = sym_strategy.this.id
# Prompt fields the end user will see
prompt_fields_json = jsonencode(
[
{
name = "reason"
type = "string"
required = true
},
{
name = "duration"
type = "duration"
required = true
allowed_values = ["10s", "1m", "1h", "1d"]
}
]
)
}


additional_header_text
additional_header_text
Additional header text can be defined for one or more Flows. This can be helpful for proving quick information to users, or for linking to external systems that may have detailed instructions, policies, or other context.
params = {
# The extra text that we want displayed on the request modal
additional_header_text = "For more information on Sym, please see <https://symops.com/|click here>."
name = "prod_access"
label = "Prod SSO Access"
template = "sym:template:approval:latest"
implementation = "${path.module}/impl.py"
# The strategy (including Targets, defined elsewhere)
strategy_id = sym_strategy.this.id
# Prompt fields the end user will see
prompt_fields_json = jsonencode(
[
{
name = "reason"
type = "string"
required = true
},
{
name = "duration"
type = "duration"
required = true
allowed_values = ["10s", "1m", "1h", "1d"]
}
]
)
}


allowed_sources
allowed_sources
If your Flow should only be called by API or only by Slack, you may specify a list of allowed_sources
. If slack
is not an allowed source, then the Flow will not be listed in the Flow Selection Modal when /sym
is invoked.
params = {
# In this example, this Flow can only be invoked via API,
# and will NOT be displayed in list of Flows when `/sym` is invoked in Slack.
allowed_sources = jsonencode(["api"])
name = "prod_access"
label = "Prod SSO Access"
template = "sym:template:approval:latest"
implementation = "${path.module}/impl.py"
# For Flows invoked by API, these prompt fields define the
# structure of the `flow_inputs` block in the body of the request.
prompt_fields_json = jsonencode(
[
{
name = "workflow_id"
type = "string"
required = true
}
]
)
}
Updated about 17 hours ago