Overview

Sym provides both a Terraform resource for moving users in and out of GitHub repos, and an SDK convenience method to check repo collaborators for approval routing.

Setup

In order to grant Sym access to GitHub, you'll need to create a new access token. To do so, go to your GitHub settings page, then navigate to Settings -> Developer settings -> Personal access tokens and select "Generate a new token".

The following permission scopes are required for Sym to invite users to and remove users from your organization's GitHub repositories:

  • read:org
  • repo
  • user:email

Once created, make note of your token; we'll need it later!
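Before handing the token to Sym, it is worth confirming that it carries exactly the three scopes listed above and nothing broader. The following is an added example, not part of Sym's documentation or SDK: it assumes a classic personal access token (GitHub reports those scopes in the `X-OAuth-Scopes` response header), and the function names and sample header values are constructed for illustration.

```python
"""Audit a classic GitHub token's scopes against the list on this page."""
import urllib.request

REQUIRED = {"read:org", "repo", "user:email"}  # scopes listed on this page

# Broader parent scopes that also grant a required scope (GitHub scope hierarchy).
IMPLIED_BY = {
    "read:org": {"write:org", "admin:org"},
    "user:email": {"user"},
}

def audit_scopes(header_value):
    """Compare an X-OAuth-Scopes header value with REQUIRED.

    Returns (missing, broader, extra) as sorted lists:
      missing - required scopes not granted, even through a parent scope
      broader - required scopes granted only through a broader parent scope
      extra   - granted scopes that are not in the required list
    """
    granted = {s.strip() for s in header_value.split(",") if s.strip()}
    missing, broader = set(), set()
    for scope in REQUIRED:
        if scope in granted:
            continue
        if IMPLIED_BY.get(scope, set()) & granted:
            broader.add(scope)   # works, but the token is over-privileged
        else:
            missing.add(scope)   # Sym's GitHub calls would fail
    return sorted(missing), sorted(broader), sorted(granted - REQUIRED)

def fetch_scopes(token):
    """Ask api.github.com which scopes the token carries (network call)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"token {token}", "User-Agent": "scope-audit"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")

if __name__ == "__main__":
    # Constructed header values, not captured from a real token.
    for sample in ("read:org, repo, user:email",
                   "admin:org, repo, user, delete_repo",
                   "repo"):
        print(f"{sample!r} -> {audit_scopes(sample)}")
```

To check a real token, pass the result of `fetch_scopes(token)` to `audit_scopes`; any entry in `broader` or `extra` means the token should be regenerated with a narrower scope selection.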

Sharing your API Token with Sym

You'll store your API token as a value in AWS Secrets Manager, in the same account where you provisioned your Runtime Connector. Contact us if you'd like to use an alternative secrets store.

Runtime Connectors support optional permissions using the addon input. Ensure that your Runtime Connector is provisioned with the aws/secretsmgr addon enabled.

For more information about the Secrets Manager Addon, see our docs here.

resource "aws_secretsmanager_secret" "github" {
  name        = "/symops.com/${var.sym_environment_name}/github_access_token"
  description = "Github access token for SymOps"

  tags = local.tags
}

That's it - now you can use GitHub in your Sym workflows!

Implementation

To add GitHub to your Flow, define the following items in Terraform:

data "sym_integration" "github" {
  type = "github"
  name = "github-prod"
}

# The GitHub Access Workflow, which uses a GitHub strategy to grant repo access to users
resource "sym_flow" "this" {
  name  = "github_access"
  label = "Github Access"

  params = {
    strategy_id = sym_strategy.this.id
  }
}

# A Strategy uses an Integration to grant people access to Targets
resource "sym_strategy" "this" {
  type           = "github"
  name           = "github-strategy-prod"
  integration_id = data.sym_integration.github.id
  targets        = [sym_target.target.id]
}

# A Target is something Sym is managing access to.
# The resource name must match the sym_target.target reference in the Strategy above.
resource "sym_target" "target" {
  type  = "github_repo"
  label = "My Private Repo"
  settings = {
    repo_name = "my-private-repo"
  }
}

Supporting dynamic repo name entry

In this scenario, you want the users to type in the name of the repository from the Slack modal instead of selecting it from a dropdown list. Modify the previous example with the following:

resource "sym_flow" "this" {
  name  = "github_access"
  label = "Github Access"

  params = {
    strategy_id = sym_strategy.this.id
    
    prompt_fields_json = jsonencode(
      [
        {
          name     = "repo_name"
          label    = "Repository Name"
          type     = "string"
          required = true
        }
      ]
    )
  }
}

resource "sym_target" "target" {
  type  = "github_repo"

  name  = "private-repo"
  label = "private-repo"

  field_bindings = ["repo_name"]
}

In this example, Sym will use the target's field_bindings values to request access to the repository the user typed in!

