Add Intelligent Approvals to Your CircleCI Pipeline

Jon Bass
July 28, 2022

Sym is all about helping teams weave intelligent approvals into their systems. With our new CircleCI Orb, we’ve extended the range of workflows we support to include CI/CD pipelines. Sym’s CircleCI support means you can integrate risk-based decision making into your automation pipelines with lightweight configurations of Sym’s SDK.

Add intelligence to your CircleCI approval flows

If you’re using CircleCI with GitHub or GitLab, the approval tools at your disposal provide a limited range of out-of-the-box options. Branch protection rules in GitHub and GitLab both allow you to configure approver requirements at the time of merge. CircleCI has an approval job type that will hold a job until someone comes into the app and clicks approve. You can also trigger the approval via the CircleCI API.

Sym helps you build on these approval primitives to create workflows that exactly match your business requirements. With Sym, you can set up intelligent approvals when:

  • You have business or regulatory requirements that require a human review if the automation meets certain risk criteria.
  • Your build pipeline is set up such that you need approvals after the code has already been merged and your build has been triggered.
  • You want custom validation around who can approve a workflow. For example, if you want only the author of a PR to be able to approve a deployment for that PR.
  • You have multiple automation flows that are triggered by an upstream change in source control, but you want to tie these all into one approval.
  • You want to generate just-in-time credentials for an automation that are tied to a specific approval.

Sym's SDK enables you to not only slot simple approval gates anywhere in your pipeline, but to automate routing and rules so your team is making the right decisions, quickly, with the right context.

Setting up a basic approval flow with Sym

Let’s start by looking at how to wire Sym approvals into your CircleCI job. With this improvement, we’ll get the benefits of Slack-based approval while opening up lots of options for intelligent build approval down the road.

Slack-based approvals with Sym

After you have followed the next steps, you’ll have a secure, audit-friendly approval flow for your CircleCI builds that surfaces approvals in Slack. The approvals will look like the following:

Using the sym_flow Terraform resource and the Sym orb

You can view a full walkthrough on our docs site, but the highlights are:

1. Add a CircleCI API token to your Sym secrets

2. Add a Flow with api as an allowed_source, as well as inputs we can supply from our CircleCI build:

3. Upon approval, use a Sym Hook to tell CircleCI to approve the build.

4. Create a Sym Bot Token for your CircleCI project

5. Wrap the CircleCI approval job type in the Sym Orb’s request and validate jobs:

View your Sym workflow from the CircleCI dashboard

Once you’ve got the basic flow set up, your CircleCI workflows will make a request to Sym that gets routed to Slack for approval. You’ll see the new steps show up in your CircleCI Dashboard:

Adding approval intelligence with Sym

Now that you’ve got a Sym flow wired up, you can add conditions to decide when to request approvals, as well as who to ask. There are tons of ways you can configure this with Sym, but we’ll start with an example that uses the Sym Request API’s context feature. With context, you can supply additional data to your flow to assist in routing decisions.

Auto-approving when there are no Terraform changes

The full implementation for this flow is over in our examples repo!

Let’s say you want to automatically approve changes unless there’s been a modification to your Terraform configs, in which case you want to wait for an approval. You can do this by creating a diff and then passing this data along to Sym in your API context!

1. Generate a list of changed files in your CircleCI config, and persist it into your CircleCI workspace in the sym/contexts path. Sym’s orb will automatically load context files that are saved into this workspace directory:

2. Now in your Sym Flow implementation, add an on_request Hook to check if a diff has been supplied in the context field. If it was, and you detect no Terraform files, then fast track approval!

3. Your users will see the fast-tracked approval in Slack:

Next steps

Here we’ve covered some of the basics on how to use Sym and CircleCI for intelligent approvals. There’s a lot more to cover here, including:

  1. Using an approval for multiple jobs as part of a more complex GitOps setup
  2. Generating job-specific credentials

Reach out if you'd like to give the new Sym orb a try. It's quick, easy and free to try us out.

Recommended Posts