Workflows
This explains how to make workflows to be used in Common Fate.
What are Access Workflows?
Workflows are used in Common Fate to inform the policy engine how long access should last. Workflows connect with other resources like availabilities and Slack alerts.
Creating an Access Workflow
Access workflows are created using the commonfate_access_workflow resource in Terraform.
resource "commonfate_access_workflow" "workflow-demo" {
name = "demo"
access_duration_seconds = 60 * 60
priority = 100
}
Changing the access duration on a Workflow does not affect the duration of any existing Access Requests.
For example, if you have an Access Workflow with a 2 hour access duration, create an Access Request, and then reduce the duration of the Access Workflow to 1 hour, the existing Access Request will still have a 2 hour duration.
The priority governs whether the policy will be used. If a different policy with a higher priority and the same role exists that one will be used over another.
Specifying an activation expiry
Added in Common Fate v1.41.0. Requires Common Fate Terraform Provider v2.16 or later.
Common Fate can be configured to automatically close approved requests if they are not activated within a particular duration. To configure an activation expiry, set the activation_expiry variable in the Access Workflow:
resource "commonfate_access_workflow" "workflow-demo" {
name = "demo"
access_duration_seconds = 60 * 60
priority = 100
+ activation_expiry = 60 * 60 * 8
}
The activation_expiry cause requests to expire if they are approved but not activated for a specified amount of time.
In the example above any requests approved but not activated after 8 hours will be closed, requiring the user to re-request access.
Requiring a reason on Access Requests
Added in Common Fate v1.42.0. Requires Common Fate Terraform Provider v2.17 or later.
To require a reason on Access Requests for a particular workflow, you can specify the validation variable on the Access Workflow:
resource "commonfate_access_workflow" "workflow-demo" {
name = "demo"
access_duration_seconds = 60 * 60
priority = 100
+ validation = {
+ has_reason = true
+ }
}
Specifying a default duration for Access Requests
Added in Common Fate v1.42.0. Requires Common Fate Terraform Provider v2.17 or later.
The Common Fate web console and CLI will default to the maximum duration when requesting access. You can change the default duration by providing the default_duration_seconds variable on the Access Workflow:
resource "commonfate_access_workflow" "workflow-demo" {
name = "demo"
access_duration_seconds = 60 * 60
+ default_duration_seconds = 30 * 60
priority = 100
}
Enabling Access Request Extensions
Added in Common Fate v4.4.0. Requires Common Fate Terraform Provider v2.22.0 or later.
By default, the Common Fate web console will not allow extensions if the extension_conditions configuration is not specified on the Access Workflow.
A cedar policy also needs to be defined to allow the Access::Action::“Extension” action on the resource.
resource "commonfate_access_workflow" "workflow-demo" {
name = "demo"
access_duration_seconds = 60 * 60
priority = 100
+ extension_conditions = {
+ maximum_number_of_extensions = 2
+ extension_duration_seconds = 10 * 60
+ }
}
The maximum_number_of_extensions parameter sets the number of times an Access Request can be extended. This can be set to 0, effectively disabling extensions.
The extension_duration_seconds parameter defines the duration, in seconds, that the Access Request will be extended by.
Using the configuration above, if you have 35 minutes remaining on your Access Request, you can extend the duration by 10 minutes. This will increase the remaining time to 45 minutes. You can extend the access up to two times, meaning you can add a total of 20 minutes to your initial access duration.