The `symopsio/runtime-connector/sym` module is deprecated as of September 30, 2022. Please migrate to `symopsio/runtime-connector/aws`. This can be done in your module declarations by replacing the `symopsio/runtime-connector/sym` source argument with `symopsio/runtime-connector/aws`.

```hcl
module "runtime_connector" {
  source  = "symopsio/runtime-connector/aws"
  version = ">= 1.0.0"

  environment = "main"
}
```

The `runtime-connector` module provisions the IAM role that a Sym Runtime uses to execute a Flow.

This Connector will provision a single IAM role for the Sym Runtime to use at execution time.

By default, the Runtime only has permissions to assume roles that have a path that begins with `/sym/`, and only within a provided safelist of AWS accounts. The Runtime always includes the current AWS account in the safelist.

The role created for the Runtime uses an External ID, a best practice for invoking cross-account roles. This module will generate an External ID for you, unless you configure the `custom_external_id` to override it.

```hcl
module "runtime_connector" {
  source  = "symopsio/runtime-connector/sym"
  version = ">= 1.0.0"

  environment = "sandbox"
}
```
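
An added example (not from the module's own documentation) of how the `/sym/` path rule and the account safelist fit together: the connector safelists one extra account, and a role in that account is placed under `/sym/` and trusts only the runtime role. The account ID `111122223333`, the `target` provider alias and profile, the role name and the `runtime_role_arn` variable are assumptions made for illustration.

```hcl
# Added example; account ID, profile, alias and names are constructed.
variable "runtime_role_arn" {
  description = "ARN of the role the runtime connector created (assumption: supplied by the operator)."
  type        = string
}

module "runtime_connector" {
  source      = "symopsio/runtime-connector/aws"
  version     = ">= 1.0.0"
  environment = "main"

  # The current account is always in the safelist; list only the extras.
  account_id_safelist = ["111122223333"]
}

# Credentials for the safelisted account (constructed profile name).
provider "aws" {
  alias   = "target"
  region  = "us-east-1"
  profile = "target-account"
}

# Reachable by the Runtime by default: safelisted account AND path under /sym/.
resource "aws_iam_role" "sym_target" {
  provider = aws.target
  name     = "example-access"
  path     = "/sym/"

  # Trust only the runtime role, not the whole account.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = var.runtime_role_arn }
    }]
  })
}
```

A role left at the default path `/`, or one in an account that is not in the safelist, falls outside the Runtime's default assume-role permissions described above.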

Name | Version |
---|---|
terraform | >= 0.13.7 |
aws | ~> 3.0 |

Name | Version |
---|---|
aws | ~> 3.0 |
random | n/a |

Name | Source | Version |
---|---|---|
aws_kinesis_data_stream | symopsio/kinesis-data-stream-addon/sym | >= 1.0.0 |
aws_kinesis_firehose | symopsio/kinesis-firehose-addon/sym | >= 1.0.0 |
aws_secretsmgr | symopsio/secretsmgr-addon/sym | >= 1.0.0 |

Name | Type |
---|---|
aws_iam_policy.assume_roles | resource |
aws_iam_role.this | resource |
aws_iam_role_policy_attachment.assume_roles_attach | resource |
aws_iam_role_policy_attachment.aws_kinesis_data_stream_attach | resource |
aws_iam_role_policy_attachment.aws_kinesis_firehose_attach | resource |
aws_iam_role_policy_attachment.aws_secretsmgr_attach | resource |
aws_iam_role_policy_attachment.extra_policy_attachments | resource |
random_uuid.external_id | resource |
aws_caller_identity.current | data source |
aws_region.current | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
account_id_safelist | List of additional AWS account ids (beyond the current AWS account) that the runtime can assume roles in. | list(string) | [] | no |
addon_params | Additional parameters for selected addons | map(map(any)) | {} | no |
addons | List of Sym addon permissions for the runtime connector role. Addons give the runtime permissions to work with other resources without assuming another AWS role. | list(string) | [] | no |
custom_external_id | The external ID to use for AWS assume role validation. If unspecified, the connector generates an external ID and the Sym platform ensures it is unique. | string | "" | no |
environment | An environment qualifier for the resources this module creates, to support a Terraform SDLC. | string | n/a | yes |
policy_arns | Map of logical identifiers to additional IAM Managed Policy ARNs to add to the runtime connector role. The identifiers are only used for managing Terraform state. | map(string) | {} | no |
sym_account_ids | List of account ids that can assume the runtime role. By default, only Sym production accounts can assume the runtime role. | list(string) | [ | no |
tags | Additional tags to apply to resources | map(string) | {} | no |

Name | Description |
---|---|
account_id | The AWS account ID for this connector |
settings | A map of settings to supply to a Sym Permission Context. |