GitHub Access Strategy

Did you configure your GitHub Integration?

Before continuing, make sure you have followed the instructions on the main GitHub page to set up your GitHub credentials and Integration.

Specifically, you will need to have:

  • Connected Sym with AWS Secrets Manager
  • Configured your GitHub Credentials with Sym
  • Defined a GitHub Integration resource

Add GitHub Access Targets

Define sym_target resources with type = github_repo for all of the repositories that you wish to manage access to.

  • repo_name: A required setting that must be set to the name of the repository being managed.

resource "sym_target" "private-repo" {
  type  = "github_repo"

  name  = "main-private-repo-access"
  label = "Private Repo"

  settings = {
    repo_name = "private-repo"
  }
}

resource "sym_target" "other-private-repo" {
  type  = "github_repo"

  name  = "main-other-private-repo-access"
  label = "Other Private Repo"

  settings = {
    repo_name = "other-private-repo"
  }
}

Add a GitHub Access Strategy

Define a sym_strategy resource with type = github and include the GitHub Integration and GitHub Access Targets you defined above.

resource "sym_strategy" "github" {
  type           = "github"
  name           = "main-github-strategy"
  integration_id = sym_integration.github.id

  # This must be a list of `github_repo` sym_targets that users can request to be escalated to
  targets = [sym_target.private-repo.id, sym_target.other-private-repo.id]
}

Add the GitHub Strategy to your Flow

In your sym_flow resource, reference your GitHub sym_strategy as the strategy_id in your Flow Parameters.

resource "sym_flow" "this" {
  name  = "github"
  label = "GitHub Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.github.id

    # ... other Flow params not shown
  }
}

Full Example

You can find the complete code for this example in our GitHub Access Strategy Example.

Advanced Concepts

Dynamic GitHub Access Targets

If you have more repositories than is practical for a drop-down menu, consider using Dynamic Access Targets, where requesters enter the name of the repository they wish to access.

Add a Repository Name Prompt Field

In your sym_flow configuration, add a new prompt field for repo_name. This will add a text field "Repository Name" to the Slack Request Modal.

Note that this prompt field must have name = "repo_name", because it is used to populate the required repo_name setting of the GitHub Access Target.

resource "sym_flow" "this" {
  name  = "github_access"
  label = "Github Access"

  # ... other Flow attributes not shown

  params {
    strategy_id = sym_strategy.github.id

    prompt_field {
      name     = "repo_name"
      label    = "Repository Name"
      type     = "string"
      required = true
    }
  
    # ... other prompt_fields and Flow params not shown
  }
}

Define a Dynamic Target

Instead of defining a sym_target for each repository, define a single target with the special attribute field_bindings. This attribute indicates that the repo_name setting will be populated dynamically by the requester.

The field binding must be repo_name, because this is the required setting that is being dynamically populated.

resource "sym_target" "dynamic-repo" {
  type  = "github_repo"

  name  = "private-repos"
  label = "Private Repos"

  # A special attribute that indicates the `repo_name` setting is dynamic
  field_bindings = ["repo_name"]
}

Reference your Dynamic Target in your Strategy

In your sym_strategy definition, you now only need to specify one sym_target.

resource "sym_strategy" "github" {
  type           = "github"
  name           = "main-github-strategy"
  integration_id = sym_integration.github.id

  targets = [sym_target.dynamic-repo.id]
}

With these changes, your requests should now have a text input allowing requesters to specify which repository they wish to be escalated to.

You can find the complete code for this example in our GitHub Strategy with Dynamic Targets Example.
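
With a dynamic target, repo_name is free text typed by the requester, so it is worth checking the value against your own policy before a request is approved. The following is an added example, not part of Sym's documentation or SDK: a stand-alone Python check whose names (ALLOWED_REPOS, ALLOWED_PREFIXES, check_repo_name, triage) and the "sandbox-" prefix are hypothetical, and wiring it into a Flow is not shown.

```python
import re

# Constructed policy: the two names come from the static targets on this page.
ALLOWED_REPOS = frozenset({"private-repo", "other-private-repo"})
# Hypothetical naming convention for repositories that may be requested.
ALLOWED_PREFIXES = ("sandbox-",)

# Characters GitHub accepts in a repository name, up to 100 of them.
_VALID_NAME = re.compile(r"[A-Za-z0-9._-]{1,100}")


def check_repo_name(raw):
    """Return (allowed, detail); detail is the normalized name or the refusal reason."""
    name = raw.strip()
    if "/" in name:
        return False, "enter the repository name only, not owner/repo or a URL"
    if not _VALID_NAME.fullmatch(name) or name in (".", ".."):
        return False, "not a valid repository name"
    key = name.lower()  # GitHub matches repository names case-insensitively
    if key in ALLOWED_REPOS or key.startswith(ALLOWED_PREFIXES):
        return True, key
    return False, "repository is not on the requestable list"


def triage(requests):
    """Split (requester, repo_name) pairs into accepted and refused lists."""
    accepted, refused = [], []
    for requester, raw in requests:
        ok, detail = check_repo_name(raw)
        (accepted if ok else refused).append((requester, raw, detail))
    return accepted, refused


if __name__ == "__main__":
    # Constructed sample input, as it might be typed into "Repository Name".
    sample = [
        ("alice", " Private-Repo "),
        ("bob", "sandbox-api"),
        ("carol", "example-org/private-repo"),
        ("dave", "billing-secrets"),
        ("erin", "repo name; with junk"),
    ]
    accepted, refused = triage(sample)
    for row in accepted:
        print("ACCEPT", row)
    for row in refused:
        print("REFUSE", row)
```
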