symflow generate
Overview
You can generate the Terraform and Python files needed to configure a Sym Flow with symflow generate!
This command must be run inside of the directory created by symflow init, and it will prompt you for the information needed to set up your Sym Flow. Most resources will differ based on the chosen type of Flow, but commonly there will be:
- A file containing the
sym_flowresource - An
implsdirectory containing the Python implementation files for your Flows - A
connectors.tffile that connects Sym to your AWS Account - A
secrets.tffile that allows Sym Runtime to access secrets in AWS Secrets Manager
sym_flow
sym_flowThe Terraform configuration of a sym_flow can be broken down into two parts:
The basics
resource "sym_flow" "basic_approval" {
name = "basic-approval"
label = "Approval-Only"
implementation = file("${path.module}/impls/approval_basic_impl.py")
environment_id = sym_environment.this.id
vars = {
auto_approve = "[email protected]"
}
}
The basic configuration of a sym_flow includes:
| Field | Description | Required |
|---|---|---|
name | A unique, human-readable identifier for the Flow. This can be used to run the Flow directly in Slack (e.g. /sym req approval) | Yes |
label | The display name for the Flow. This is what you'll see in Slack. | No |
implementation | The path to a file where the Sym Python SDK will be used to customize the workflow. More on that later! | Yes |
environment_id | What Environment this Flow belongs to. This can be helpful to separate Flows you're still iterating on and testing from Flows that are stable and used every day by your organization. Think "main" vs. "sandbox" or "prod" vs. "staging". | Yes |
vars | A string to string map of values to pass to impl.py | No |
name, label, and environment are surfaced in the Slack modal.
The prompt fields
Different types of access requests need different types of data. That's why Flows support custom fields in the request modal! We've kept it fairly basic here with just two generic questions— "what do you need access to" and "why"— but fields can be as specific as needed. Check out Prompt Fields for more information.
resource "sym_flow" "basic_approval" {
...
params {
# The prompt_field block defines a custom form field for the Slack modal that
# requesters fill out to make their requests.
prompt_field {
name = "resource-identifier"
label = "What do you need access to?"
type = "string"
required = true
}
prompt_field {
name = "reason"
label = "Why do you need access?"
type = "string"
required = true
}
}
}
prompt_fields become form fields for your request modal!
impls/
impls/A folder that houses all the impl.py files. symflow generate will generate a new impl.py file per Flow, but you may choose to reuse implementations across Flows if you so choose.
The impl.py Python Implementation
impl.py Python ImplementationNow that the sym_flow resource is configured, all that's left is to write its impl.py. This is where Sym's Python SDK can be used to customize your Flow's logic.
The first thing we'll need in the impl.py is a get_approvers reducer. This is the only required part of an impl.py, and it tells Sym where to send access requests in Slack:
# First, we'll import everything we need for this impl.py
from sym.sdk.annotations import reducer
from sym.sdk.integrations import slack
# Then, we add our first reducer! `get_approvers` will be used any time a request
# is made in Sym.
@reducer
def get_approvers(event):
"""Route Sym requests to a specified channel."""
# Make sure that this channel has been created in your workspace!
return slack.channel("#sym-requests", allow_self=True)
While get_approvers is the only required function in the impl.py, there are many other hooks that you can implement.
connectors.tf
connectors.tfIf you generated a Flow that requires Sym to interact with your AWS account, such as okta or aws-iam, then a connectors.tf file will be generated for you. This file contains the AWS resources needed to allow Sym to perform actions in your AWS account. For more details, see Connecting Sym to AWS.
secrets.tf
secrets.tfIf you generated a Flow that interacts with a third-party service that requires authentication, such as okta, then a secrets.tf file will be generated for you. This file contains the Terraform module needed to allow Sym to read secrets from your AWS Secrets Manager. For more details, see Manage Secrets with AWS Secrets Manager.
Testing in Slack
Almost there! All the Terraform configuration is now written, all that's left to do is test it out. We'll start by applying the Terraform:
$ terraform init
Initializing the backend...
Initializing provider plugins...
Terraform has been successfully initialized!
$ terraform apply
sym_integration.slack: Creating...
sym_integration.slack: Creation complete after 1s [id=2127a917-f92b-491a-ba63-6556734b152c]
sym_error_logger.slack: Creating...
sym_error_logger.slack: Creation complete after 0s [id=358fa690-c5bb-457e-9527-ef5aad12a542]
...
Once the terraform apply is done:
- Go to the Slack workspace you installed Sym in
- Type
/symanywhere
You should see your very first Sym Flow:
Next steps
Nice job! You should have a Sym Flow up and running. Now that you've got the basics down, there are a ton of ways to tailor Sym to your organization's needs. To learn more, check out:
- Integrated Services - Learn how Sym can automatically grant or escalate access to external services like AWS, Okta, and Aptible.
- Approval workflows-as-code - Learn how to customize the
impl.pyto fit your specific rules using our Python SDK. - Reporting and audit - Learn how to get structured logs for all access requests and set your organization up for audit success via our Reporting framework.
Check out our Examples Repo for end-to-end examples
If you're looking for some fully-baked samples of working Sym Flows, head over to our Examples Repo!
Updated 3 days ago