KnowBe4 SDK Integration

Set up KnowBe4 for use in the Sym SDK.

With Sym and KnowBe4, you can take advantage of your users' training enrollments and security group enrollment to speed up escalations in a secure way.

Common uses of the KnowBe4 Integration include checking if a User has completed a particular training enrollment and auto-approving them if so.

Connect Sym with your AWS Secrets Manager

Follow the Manage Secrets with AWS Secrets Manager tutorial to connect your AWS Secrets Manager with the Sym Runtime.

Share your KnowBe4 API Key with Sym

Follow the Share Secrets with the Sym Runtime tutorial to share your credentials. We recommend using the plain style secret.

# Note: This example snippet shows only the KnowBe4 specific resources.

# An AWS Secrets Manager Secret to hold your KnowBe4 API Key. Set the value with:
# aws secretsmanager put-secret-value --secret-id "sym/main/knowbe4-api-key" --secret-string "YOUR-KNOWBE4-API-KEY"
resource "aws_secretsmanager_secret" "knowbe4_api_key" {
  name        = "sym/main/knowbe4-api-key"
  description = "API Key for Sym to call KnowBe4 APIs"

  # This SymEnv tag is required and MUST match the SymEnv tag in the 
  # aws_iam_policy.secrets_manager_access in your `secrets.tf` file
  tags = {
    SymEnv = local.environment_name
  }
}

resource "sym_secret" "knowbe4_api_key" {
  # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id

  path = aws_secretsmanager_secret.knowbe4_api_key.name
}

Add a KnowBe4 Integration

Define a sym_integration resource with type = "knowbe4". This integration specifies the KnowBe4 API Key and ensures that the key is available to the Sym Runtime when invoking the knowbe4 module in your impl.py.

  • external_id: Your KnowBe4 primary domain from the domains list from the Admin portal UI
  • api_token_secret: A required setting which must be set to the ID of a sym_secret referencing your KnowBe4 API Key
  • region: A required setting which must be set to the location of the KnowBe4 account ("us", "eu", "ca", "uk", "de")

resource "sym_integration" "knowbe4" {
  type = "knowbe4"
  name = "knowbe4-main"

  # KnowBe4 domain, get the primary domain from the domains list from the Admin portal UI
  external_id = "YOUR-PRIMARY-DOMAIN"

  settings = {
    # This secret was defined in the previous step
    api_token_secret = sym_secret.knowbe4_api_key.id
    region = "us"
  }
}

Add your KnowBe4 Integration to your Environment

Finally, add the KnowBe4 integration to your sym_environment as knowbe4_id. This will ensure that the KnowBe4 SDK methods can authenticate their API calls with the correct API token.

resource "sym_environment" "this" {
  name            = var.environment_name
  runtime_id      = sym_runtime.this.id
  error_logger_id = sym_error_logger.slack.id

  integrations = {
    slack_id = sym_integration.slack.id

    # This `knowbe4_id` is required to be able to use the `knowbe4` SDK methods
    # It tells the Sym Runtime to use the API Token defined in `sym_integration.knowbe4` resource
    knowbe4_id = sym_integration.knowbe4.id
  }
}

Using KnowBe4 in your Flows

Now you can use information about training enrollments and groups in your Flow implementations.

For more information on the supported methods in the knowbe4 module, please visit the Sym SDK KnowBe4 Docs.

Example implementations

Auto-approve if User has passed a specific training

from sym.sdk.annotations import hook
from sym.sdk.integrations import knowbe4, slack
from sym.sdk.templates import ApprovalTemplate


@hook
def on_request(event):
  enrollments = knowbe4.get_training_enrollments_for_user(
    event.user, store_purchase_id=209465, campaign_id=100345
  )
  # An empty list means no matching enrollment: fall through without approving
  if enrollments and enrollments[0]["status"] == "Passed":
    # If the training has been completed, then auto-approve their requests
    return ApprovalTemplate.approve()

Auto-approve if User has passed all assigned training

from sym.sdk.annotations import hook
from sym.sdk.integrations import knowbe4, slack
from sym.sdk.templates import ApprovalTemplate


@hook
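def on_request(event):
  training_enrollments = knowbe4.get_training_enrollments_for_user(event.user)
  # Note: a User with no enrollments yields an empty list, so the loop body
  # never runs and the request is auto-approved
  for enrollment in training_enrollments:
    if enrollment["status"] != "Passed":
      # Any enrollment that is not passed: do not auto-approve
      return

  # If User has completed all assigned training, then auto-approve their requests
  return ApprovalTemplate.approve()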
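
An enrollment lookup can return no records, or records without a usable status, and an auto-approval decision should treat those cases as "not passed". The following is an added example, not code from Sym's documentation or SDK: `all_training_passed`, `decide`, `fake_fetch` and the sample records are hypothetical, and only the `status` field and the `"Passed"` value are taken from this page.

```python
"""Fail-closed evaluation of enrollment records before auto-approval."""

PASSED = "Passed"  # status value used in this page's examples


def all_training_passed(enrollments, require_at_least_one=True):
    """Return True only if every record has status "Passed".

    Fails closed: None, a non-list, a record without "status", or an empty
    list (when require_at_least_one is set) all return False.
    """
    if not isinstance(enrollments, list):
        return False
    if not enrollments:
        # Zero enrollments is "nothing passed", not "everything passed"
        return not require_at_least_one
    for record in enrollments:
        if not isinstance(record, dict) or record.get("status") != PASSED:
            return False
    return True


def decide(fetch_enrollments, user):
    """Return "approve" or "manual"; any lookup error goes to manual review."""
    try:
        enrollments = fetch_enrollments(user)
    except Exception:
        return "manual"
    return "approve" if all_training_passed(enrollments) else "manual"


# Constructed sample data (assumption): not real KnowBe4 API output.
SAMPLES = {
    "alice": [{"status": "Passed"}, {"status": "Passed"}],
    "bob": [{"status": "Passed"}, {"status": "In Progress"}],
    "carol": [],                          # no training assigned
    "dave": [{"status": "Passed"}, {}],   # record missing "status"
}


def fake_fetch(user):
    """Hypothetical stand-in for knowbe4.get_training_enrollments_for_user."""
    return SAMPLES[user]  # unknown user raises KeyError, like a failed lookup


if __name__ == "__main__":
    for name in ["alice", "bob", "carol", "dave", "erin"]:
        print(name, decide(fake_fetch, name))
```

In a hook, return `ApprovalTemplate.approve()` only when the check succeeds, and otherwise return nothing so the request is not auto-approved.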

Auto-approve if User is part of a specific group

from sym.sdk.annotations import hook
from sym.sdk.integrations import knowbe4, slack
from sym.sdk.templates import ApprovalTemplate


@hook
def on_request(event):
  if knowbe4.is_user_in_group(user=event.user, group_id=234332):
    # If the User is part of this special group, then auto-approve their requests
    return ApprovalTemplate.approve()

Full Example: Auto-approve user who has completed specific training

You can find the complete code (Terraform configuration and impl.py) for a full end-to-end example in our KnowBe4 Example.