Sign Up

Migrating Generated Files from symflow v7 to v8

Suggest Edits

Overview

In symflow v7.x, we introduced the commands symflow init and symflow generate to quickly generate the basic Terraform configurations necessary to get a Sym Flow up and running. Since then, we have consolidated two of the generated boiler-plate files into public Terraform Modules, to stay aligned with Terraform best practices.

The changes are as follows:

If you generated files with symflow v7 and wish to continue generating flows with symflow v8, you will need to migrate your configuration to match these changes.

πŸ“˜

Have you tried running symflow migrate?

symflow migrate attempts to migrate your configuration automatically to match the changes documented on this page.

If you wish to see a diff of the proposed changes first, you can try running it with symflow migrate --dry-run.

Migrating runtime.tf

If you have a runtime.tf file, you will want to refactor these resources and use the symopsio/runtime-connector/aws module instead.

Create a connectors.tf file

Our recommended convention is to keep all of your connector modules in a single file named connectors.tf.

If you do not already have a connectors.tf file, then create one now.

If you already have one, then you can continue to the next step and append to your existing file.

Declare the runtime_connector module in connectors.tf

Then, declare the runtime_connector module in connectors.tf as follows:

############ Runtime Connector Setup ##############  
# The runtime_connector module creates an IAM Role that the Sym Runtime can assume to execute operations in your AWS account.  
module "runtime_connector" {  
    source = "symopsio/runtime-connector/aws"  
    version = "~> 2.0"  
  
    environment = local.environment_name  
}

For AWS SSO Only: Add the account_id_safelist to runtime_connector

If you have an AWS SSO Flow declared, you will need to give the IAM role declared by the runtime_connector permissions to perform operations in your SSO Management account. Previously this was done by declaring a new IAM Policy that grants these permissions. With the new runtime_connector module, you simply need to include the SSO Account ID as an input to the module, and the module will handle creating that policy for you.

Update the runtime_connector module to include your SSO Account ID in the account_id_safelist input. You should already have a data.aws_caller_identity.sso declared in your connectors.tf file (this data resource was declared when the SSO Flow was generated).

############ Runtime Connector Setup ##############  
# The runtime_connector module creates an IAM Role that the Sym Runtime can assume to execute operations in your AWS account.  
module "runtime_connector" {  
    source = "symopsio/runtime-connector/aws"  
    version = "~> 2.0"  
  
    environment = local.environment_name  
      
    # Allow the Runtime Connector Role to assume IAM Roles in the SSO Account as well.  
    account_id_safelist = [data.aws_caller_identity.sso.account_id]
}

Declare moved blocks for resources in runtime.tf

Since we are moving the resources previously declared in runtime.tf to be declared as part of the runtime_connector module, we will need to tell Terraform that the resource addresses have changed, otherwise Terraform will attempt to create duplicate resources, which will lead to conflicts. We will utilize Terraform's moved blockshttps://developer.hashicorp.com/terraform/language/modules/develop/refactoring) to do this.

Create a migration_v8.tf file containing the following blocks:

moved {  
    from = random_uuid.external_id
    to   = module.runtime_connector.random_uuid.external_id  
}  
  
moved {  
    from = aws_iam_role.sym_runtime_connector_role
    to   = module.runtime_connector.aws_iam_role.sym_runtime_connector_role  
}  
  
moved {  
    from = aws_iam_policy.assume_roles  
    to   = module.runtime_connector.aws_iam_policy.assume_roles  
}  
  
moved {  
    from = aws_iam_role_policy_attachment.attach_assume_roles  
    to   = module.runtime_connector.aws_iam_role_policy_attachment.attach_assume_roles  
}  
  
moved {  
    from = sym_integration.runtime_context  
    to   = module.runtime_connector.sym_integration.runtime_context  
}

If you have a sym_runtime resource declared in runtime.tf, then you will also need to add the following moved block:

moved {  
    # The sym_runtime resource name depends on your environment name! Make sure to replace the resource_name here with the correct reference, as defined in runtime.tf
    from = sym_runtime.resource_name 
    to   = module.runtime_connector.sym_runtime.this  
}

Update references to runtime.tf resources

In all your configuration files, you will now want to update any references to resources declared in runtime.tf to use the resources outputted by the runtime_connector module. Namely, replace all references to:

  • aws_iam_role.sym_runtime_connector_role with module.runtime_connector.aws_iam_role.sym_runtime_connector_role
  • sym_integration.runtime_context with module.runtime_connector.sym_integration.runtime_context
  • sym_runtime.resource_name with module.runtime_connector.sym_runtime.this

Some notable places where these values might be referenced:

  • As inputs to any iam_connector, sso_connector, or lambda_connector modules.
  • As the runtime_id input to your sym_environment resource in environment.tf

Delete runtime.tf

All of the resources in runtime.tf should now be accounted for as part of the runtime_connector module. You may now delete this file.

Migrating secrets.tf

In secrets.tf, we will be replacing the following two resources with the secrets_manager_access module

  • aws_iam_policy.secrets_manager_access
  • aws_iam_role_policy_attachment.attach_secrets_manager_access

Declare the secrets_manager_access in secrets.tf

In secrets.tf, declare the following module:

# This secrets_manager_access module defines an AWS IAM Policy and attachment that grants the Sym Runtime Role  
# the permissions to read secrets from AWS Secrets Manager that are under the /sym/ path and tagged with  
# `SymEnv = local.environment_name`.  
module "secrets_manager_access" {  
    source  = "symopsio/secretsmgr-addon/aws"  
    version = "~> 1.1"  
      
    environment   = local.environment_name  
    iam_role_name = module.runtime_connector.sym_runtime_connector_role.name  
}

Declare moved blocks for resources in secrets.tf

Similar to how we handled refactoring the resources in runtime.tf, we will need to declare Terraform moved blocks for the resources we are replacing in secrets.tf.

In your migration_v8.tf file, add the following blocks:

moved {  
    from = aws_iam_policy.secrets_manager_access  
    to   = module.secrets_manager_access.aws_iam_policy.this  
}  
  
moved {  
    from = aws_iam_role_policy_attachment.attach_secrets_manager_access  
    to   = module.secrets_manager_access.aws_iam_role_policy_attachment.attach_secrets_manager_access[0]  
}

Delete old secrets.tf resources

Now that we have declared the new resources and added the moved blocks to refactor the resource addresses in Terraform state, you may now remove the old resources:

  • aws_iam_policy.secrets_manager_access
  • aws_iam_role_policy_attachment.attach_secrets_manager_access

🚧

Don't delete your sym_secrets!

Make sure that you don't delete the sym_secrets.this resource!

Optional: Update references to symflow v7

When generating Flows with symflow generate, version 8.x of symflow will check if any of the configuration files were generated by symflow v7. If any are found, it will print a warning that v8 is incompatible with v7.

To suppress these warnings after you have completed your manual migration, replace references to symflow v7 in the comments with symflow v8.0.0.

Updated 22 days ago