Flow Params

All Sym Flows require a set of params that combine the Flow's Strategy with a set of prompt fields that define what an end-user sees when they invoke a Sym request.

Overview

The Flow is the core primitive that brings the Sym end-user experience, access Strategy, and implementation rules into a single declaration. While the Strategy and Target(s) are defined as separate resources in Terraform, the Flow itself defines the fields that an end-user sees.

Params

Flows that inherit from sym:approval require you to specify the below parameters.

The below table applies only to Flows that have a defined Strategy

All Access Flows must have a strategy_id that references a valid Strategy. If the strategy_id is omitted from the params, it implies an Approval-Only Flow, which has slightly different requirements.

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| strategy_id | String | Yes* | The ID of a Strategy. A Strategy has a set of Targets, and knows how to grant access to them. |
| prompt_fields_json | JSON | Yes | Defines a set of one or more fields that enable you to collect variable information from a user who's requesting access to a resource. This attribute collects all your fields as a jsonencoded string so they can be rendered at runtime. |
| schedule_deescalation | Boolean | No; at least one of schedule_deescalation and allow_revoke must be true. | Defaults to true. If true, duration is required and may be specified – see Access Duration. If false, de-escalation only occurs when manually invoked (e.g., using the "Revoke" button in Slack). |
| allow_revoke | Boolean | No; at least one of schedule_deescalation and allow_revoke must be true. | Defaults to true. If true, shows a "Revoke" button in Slack that allows both the person requesting access and the person approving access to instantly revoke that access. This is the required configuration if schedule_deescalation is false. If false, escalations cannot be manually revoked and are only de-escalated when the duration is reached (i.e., the escalation expires). |
| additional_header_text | String; supports Slack markdown. | No | An optional text field that will append the string value to the header text that is displayed at the top of the Slack request modal. Note that this is append only. The default text will always be displayed. |
| allowed_sources | JSON-list of strings | No | Defaults to all sources. An optional list of sources from which this Flow can be invoked. Valid sources: slack, api. |

Examples

prompt_fields_json

Fields gather important context for your approval requests, drive parsing and routing via Handlers, and are included in your Reports.

In addition to any optional fields you'd like to include, there are two required fields for all sym:approval requests: reason, which is a simple text field, and duration, which defines a list of allowed values for how long access will be granted. For more information on the duration attribute, see our guide on Access Duration.

params = {
    name = "prod_access"
    label = "Prod SSO Access"

    template = "sym:template:approval:latest"
    implementation = "${path.module}/impl.py"

    # The strategy (including Targets, defined elsewhere)
    strategy_id = sym_strategy.this.id

    # Prompt fields the end user will see
    prompt_fields_json = jsonencode(
        [
            {
                name     = "reason"
                type     = "string"
                required = true
            },
            {
                name     = "duration"
                type     = "duration"
                required = true
                allowed_values = ["10s", "1m", "1h", "1d"]
            }
        ]
    )
}

additional_header_text

Additional header text can be defined for one or more Flows. This can be helpful for providing quick information to users, or for linking to external systems that may have detailed instructions, policies, or other context.

params = {
    # The extra text that we want displayed on the request modal
    additional_header_text = "For more information on Sym, please see <https://symops.com/|click here>."

    name = "prod_access"
    label = "Prod SSO Access"

    template = "sym:template:approval:latest"
    implementation = "${path.module}/impl.py"

    # The strategy (including Targets, defined elsewhere)
    strategy_id = sym_strategy.this.id

    # Prompt fields the end user will see
    prompt_fields_json = jsonencode(
        [
            {
                name     = "reason"
                type     = "string"
                required = true
            },
            {
                name     = "duration"
                type     = "duration"
                required = true
                allowed_values = ["10s", "1m", "1h", "1d"]
            }
        ]
    )
}

allowed_sources

If your Flow should only be called by API or only by Slack, you may specify a list of allowed_sources. If slack is not an allowed source, then the Flow will not be listed in the Flow Selection Modal when /sym is invoked.

params = {
    # In this example, this Flow can only be invoked via API,
    # and will NOT be displayed in list of Flows when `/sym` is invoked in Slack.
    allowed_sources = jsonencode(["api"])

    name = "prod_access"
    label = "Prod SSO Access"

    template = "sym:template:approval:latest"
    implementation = "${path.module}/impl.py"

    # For Flows invoked by API, these prompt fields define the
    # structure of the `flow_inputs` block in the body of the request.
    prompt_fields_json = jsonencode(
        [
            {
                name     = "workflow_id"
                type     = "string"
                required = true
            }
        ]
    )
}
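
The rules in the params table and the examples above can be checked before a Flow is applied. The following is an added example, not Sym's own code: check_flow_params and its helpers are hypothetical names, and it assumes the params map arrives as a Python dict with prompt_fields_json and allowed_sources still in their jsonencode string form and with flags that may be booleans or "true"/"false" strings.

```python
import json

VALID_SOURCES = {"slack", "api"}  # the two sources listed in the params table


def _flag(params, key):
    """Both flags default to true; bools or "true"/"false" strings accepted (assumption)."""
    value = params.get(key, True)
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


def _decode_list(raw):
    """Decode a jsonencode()-style string; None unless it holds a JSON list."""
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return None
    return value if isinstance(value, list) else None


def check_flow_params(params):
    """Return rule violations for the params of a Flow that has a strategy_id."""
    if not params.get("strategy_id"):
        # Approval-Only Flows have different requirements that the page does not list.
        return ["no strategy_id: Approval-Only Flow, access-Flow rules not applied"]
    problems = []
    fields = _decode_list(params.get("prompt_fields_json"))
    if not fields:
        problems.append("prompt_fields_json must encode a list of one or more fields")
    by_name = {f.get("name"): f for f in (fields or []) if isinstance(f, dict)}
    if by_name.get("reason", {}).get("type") != "string":
        problems.append("missing 'reason' field of type string")
    scheduled = _flag(params, "schedule_deescalation")
    if not scheduled and not _flag(params, "allow_revoke"):
        # Neither an expiry nor a Revoke button: nothing would end the escalation.
        problems.append("schedule_deescalation and allow_revoke are both false")
    duration = by_name.get("duration", {})  # checked only when scheduled (the table's stated case)
    if scheduled and not (duration.get("type") == "duration" and duration.get("allowed_values")):
        problems.append("scheduled de-escalation needs a 'duration' field with allowed_values")
    if "allowed_sources" in params:
        sources = _decode_list(params["allowed_sources"])
        if sources is None or not all(isinstance(s, str) and s in VALID_SOURCES for s in sources):
            problems.append("allowed_sources must be a JSON list drawn from slack, api")
    return problems


if __name__ == "__main__":
    # Constructed input: access that never expires and cannot be revoked.
    print(check_flow_params({"strategy_id": "x", "allow_revoke": False, "schedule_deescalation": False}))
```

An empty list means the params satisfy every rule this page states; each string names one rule that was broken.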
