Runtime Connector

The runtime-connector module provisions the IAM role that a Sym Runtime uses to execute a Flow.

This Connector will provision a single IAM role for the Sym Runtime to use at execution time.

By default, the Runtime only has permissions to assume roles that have a path that begins with /sym/, and only within a provided safelist of AWS accounts. The Runtime always includes the current AWS account in the safelist.

The role created for the Runtime uses an External ID, a best practice for invoking cross-account roles. This module will generate an External ID for you, unless you set custom_external_id to override it.

module "runtime_connector" {
  source  = "terraform.symops.com/symopsio/runtime-connector/sym"
  version = ">= 1.0.0"

  environment = "sandbox"
}
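As an added example (not taken from the module's own documentation): a fuller configuration that safelists a second AWS account, pins the External ID, and declares a role in that account that the Runtime is permitted to assume. The account IDs, the provider alias, the deployer role and the runtime_role_arn variable are constructed placeholders, not values the module documents.

```hcl
# Added example, not part of the runtime-connector module itself; account IDs,
# the provider alias and the role ARNs are constructed placeholders.

# Second account in which Sym Flows need to act (placeholder ID and deployer role).
provider "aws" {
  alias  = "workload"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/terraform-deployer"
  }
}

variable "runtime_external_id" {
  type      = string
  sensitive = true
}

# ARN of the IAM role the module created for the Runtime (placeholder variable).
variable "runtime_role_arn" {
  type = string
}

module "runtime_connector" {
  source  = "terraform.symops.com/symopsio/runtime-connector/sym"
  version = ">= 1.0.0"

  environment = "sandbox"

  # The current account is always safelisted; the workload account must be added.
  account_id_safelist = ["222222222222"]

  # Pin the External ID rather than letting the module generate one.
  custom_external_id = var.runtime_external_id
}

# Target role in the workload account. Its path must begin with /sym/, or the
# Runtime's default permissions will not allow sts:AssumeRole on it.
resource "aws_iam_role" "sym_target" {
  provider = aws.workload
  name     = "sym-sandbox-target"
  path     = "/sym/"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = var.runtime_role_arn }
      Action    = "sts:AssumeRole"
    }]
  })
}
```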

Outputs

Name         Description
account_id   The AWS account ID for this connector
settings     A map of settings to supply to a Sym Permission Context.

Inputs

Name                 Type          Default               Required
account_id_safelist  list(string)  []                    no
addons               list(string)  []                    no
custom_external_id   string        ""                    no
environment          string        n/a                   yes
policy_arns          map(string)   {}                    no
sym_account_ids      list(string)  [ "803477428605" ]    no

Required Inputs

The following input variables are required:

environment

Description: An environment qualifier for the resources this module creates, to support a Terraform SDLC.

Type: string

Optional Inputs

The following input variables are optional (have default values):

account_id_safelist

Description: List of additional AWS account ids (beyond the current AWS account) that the runtime can assume roles in.

Type: list(string)

Default: []

addons

Description: List of Sym addon permissions for the runtime connector role. Addons give the runtime permissions to work with other resources without assuming another AWS role.

Type: list(string)

Default: []

custom_external_id

Description: The external ID to use for AWS assume role validation. If unspecified, the connector generates an external ID and the Sym platform ensures it is unique.

Type: string

Default: ""

policy_arns

Description: Map of logical identifiers to additional IAM Managed Policy ARNs to add to the runtime connector role. The identifiers are only used for managing Terraform state.

Type: map(string)

Default: {}

sym_account_ids

Description: List of account ids that can assume the runtime role. By default, only Sym production accounts can assume the runtime role.

Type: list(string)

Default:

[
  "803477428605"
]
