Configuring Flow Fields and Parameters

A Sym Flow's parameters can be customized to meet your team's unique needs.

❗️

This page is deprecated!

The information here is no longer accurate as of version 2.0.0 of the Terraform Sym Provider.

Please upgrade to a newer version and refer to the Provider Documentation for the latest information.

Overview

The Flow is the core primitive that brings the Sym end-user experience, Access Strategy, and Implementation rules into a single declaration. While the Strategy and Target(s) are defined as separate resources in Terraform, the Flow itself defines the fields that an end-user sees.

📘

You can pass arbitrary values to a Flow's impl.py using vars!

This is useful if you need to access values defined in Terraform as part of your SDK implementation.

Params

Flows that inherit from sym:approval require you to specify the below parameters.

| Name | Type | Required | Description |
|---|---|---|---|
| strategy_id | String | No | The ID of a Strategy with Targets that this flow will be managing access to. If no strategy is defined, the Flow will be an Approval-Only Flow. |
| prompt_fields_json | JSON | Yes | Defines a set of one or more fields that enable you to collect variable information from a user who's requesting access to a resource. This attribute collects all your fields as a JSON-encoded string so they can be rendered at runtime. |
| schedule_deescalation | Boolean | No* | Defaults to true. If true, duration is required and may be specified – see Access Duration. If false, de-escalation only occurs when manually invoked (e.g., using the "Revoke" button in Slack). |
| allow_revoke | Boolean | No* | Defaults to true. If true, shows a "Revoke" button in Slack that allows both the person requesting access and the person approving access to instantly revoke that access. This is the required configuration if schedule_deescalation is false. If false, escalations cannot be manually revoked and are only de-escalated when the duration is reached (i.e. the escalation expires). |
| additional_header_text | String | No | An optional text field that will append the string value to the header text that is displayed at the top of the Slack request modal, appended after the default header text. Supports Slack markdown. |
| allowed_sources | JSON-list of strings | No | Defaults to all sources. An optional list of sources from which this Flow can be invoked. Valid sources: slack, api. |
| allow_guest_interaction | Boolean | No | Defaults to false. If true, guest users will be allowed to interact with this flow. This means they can click the Approve, Deny, and Revoke buttons in Slack after a request has been made by a non-guest user. When false, guest users' clicks will not register in the Slack modal. |

*At least one of schedule_deescalation and allow_revoke must be true.

Examples

prompt_fields_json

Fields gather the context needed for your approval requests, for parsing and routing via Handlers, and for inclusion in your Reports.

In addition to any optional fields you'd like to include, there are two required fields for all sym:approval requests: reason, which is a simple text field, and duration, which defines a list of allowed values for how long access will be granted. For more information on the duration attribute, see our guide on Access Duration.

params = {
    name = "prod_access"
    label = "Prod SSO Access"

    template = "sym:template:approval:latest"
    implementation = "${path.module}/impl.py"

    # The strategy (including Targets, defined elsewhere)
    strategy_id = sym_strategy.this.id

    # Prompt fields the end user will see
    prompt_fields_json = jsonencode(
        [
            {
                name     = "reason"
                type     = "string"
                required = true
            },
            {
                name     = "duration"
                type     = "duration"
                required = true
                allowed_values = ["10s", "1m", "1h", "1d"]
            }
        ]
    )
}

additional_header_text

Additional header text can be defined for one or more Flows. This can be helpful for providing quick information to users, or for linking to external systems that may have detailed instructions, policies, or other context.

params = {
    # The extra text that we want displayed on the request modal
    additional_header_text = "For more information on Sym, please see <https://symops.com/|click here>."

    name = "prod_access"
    label = "Prod SSO Access"

    template = "sym:template:approval:latest"
    implementation = "${path.module}/impl.py"

    # The strategy (including Targets, defined elsewhere)
    strategy_id = sym_strategy.this.id

    # Prompt fields the end user will see
    prompt_fields_json = jsonencode(
        [
            {
                name     = "reason"
                type     = "string"
                required = true
            },
            {
                name     = "duration"
                type     = "duration"
                required = true
                allowed_values = ["10s", "1m", "1h", "1d"]
            }
        ]
    )
}

allowed_sources

If your Flow should only be called by API or only by Slack, you may specify a list of allowed_sources. If slack is not an allowed source, then the Flow will not be listed in the Flow Selection Modal when /sym is invoked.

params = {
    # In this example, this Flow can only be invoked via API,
    # and will NOT be displayed in list of Flows when `/sym` is invoked in Slack.
    allowed_sources = jsonencode(["api"])

    # For Flows invoked by API, these prompt fields define the
    # structure of the `flow_inputs` block in the body of the request.
    prompt_fields_json = jsonencode(
        [
            {
                name     = "workflow_id"
                type     = "string"
                required = true
            }
        ]
    )
}
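
A pre-apply check for the constraints stated in the Params table, written as an added Python example; it is not part of the original page or of Sym's own tooling. It assumes each Flow's params arrive as a dict whose values are strings, as a Terraform map would render them; `lint_flow_params` and the sample values are hypothetical and constructed for illustration.

```python
import json

VALID_SOURCES = {"slack", "api"}  # the two sources the Params table lists


def _flag(params, key, default):
    # Terraform map values may arrive as the strings "true"/"false".
    value = params.get(key, default)
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)


def _decode(value):
    # jsonencode() output is a JSON string; accept already-decoded values too.
    return json.loads(value) if isinstance(value, str) else value


def lint_flow_params(params):
    """Return findings for one Flow's params dict (hypothetical helper)."""
    findings = []
    scheduled = _flag(params, "schedule_deescalation", True)
    if not scheduled and not _flag(params, "allow_revoke", True):
        findings.append("schedule_deescalation and allow_revoke are both false")

    if "prompt_fields_json" not in params:
        findings.append("prompt_fields_json is required")
    fields = {f.get("name"): f for f in _decode(params.get("prompt_fields_json", "[]"))}
    if scheduled and not fields.get("duration", {}).get("allowed_values"):
        findings.append("scheduled de-escalation needs a duration field with allowed_values")

    for source in _decode(params.get("allowed_sources", "[]")):
        if source not in VALID_SOURCES:
            findings.append(f"unknown source in allowed_sources: {source}")

    if _flag(params, "allow_guest_interaction", False):
        findings.append("review: guest users can Approve, Deny and Revoke")
    return findings


# Constructed sample: no automatic expiry, no Revoke button, guests enabled.
RISKY = {
    "schedule_deescalation": "false",
    "allow_revoke": "false",
    "allow_guest_interaction": "true",
    "allowed_sources": json.dumps(["api", "email"]),
    "prompt_fields_json": json.dumps([{"name": "reason", "type": "string", "required": True}]),
}

if __name__ == "__main__":
    print("\n".join(lint_flow_params(RISKY)))
```

The first finding is the one that matters most for least privilege: with both settings false, a granted escalation has no path to de-escalation.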