Worklytics · eschultink · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025
diff --git a/infra/examples-dev/aws/google-workspace.tf b/infra/examples-dev/aws/google-workspace.tf
@@ -14,13 +14,14 @@ module "worklytics_connectors_google_workspace" {
     google = google.google_workspace
   }
 
-  environment_id                 = var.environment_name
-  enabled_connectors             = var.enabled_connectors
-  gcp_project_id                 = var.google_workspace_gcp_project_id
-  google_workspace_example_user  = var.google_workspace_example_user
-  google_workspace_example_admin = var.google_workspace_example_admin
-  provision_gcp_sa_keys          = var.google_workspace_provision_keys
-  todos_as_local_files           = var.todos_as_local_files
+  environment_id                    = var.environment_name
+  enabled_connectors                = var.enabled_connectors
+  enabled_connectors_from_templates = var.enabled_connectors_from_templates
+  gcp_project_id                    = var.google_workspace_gcp_project_id
+  google_workspace_example_user     = var.google_workspace_example_user
+  google_workspace_example_admin    = var.google_workspace_example_admin
+  provision_gcp_sa_keys             = var.google_workspace_provision_keys
+  todos_as_local_files              = var.todos_as_local_files
 }
 
 output "google_workspace_api_clients" {

diff --git a/infra/examples-dev/aws/main.tf b/infra/examples-dev/aws/main.tf
@@ -24,6 +24,7 @@ module "worklytics_connectors" {
   # source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors?ref=rc-v0.5.9"
 
   enabled_connectors                       = var.enabled_connectors
+  enabled_connectors_from_templates        = var.enabled_connectors_from_templates
   chat_gpt_enterprise_example_workspace_id = var.chat_gpt_enterprise_example_workspace_id
   confluence_example_cloud_id              = var.confluence_example_cloud_id
   confluence_example_group_id              = var.confluence_example_group_id
@@ -51,6 +52,7 @@ locals {
     module.worklytics_connectors.enabled_api_connectors,
     module.worklytics_connectors_google_workspace.enabled_api_connectors,
     local.msft_api_connectors_with_auth,
+    var.custom_api_connectors,
     {}
   )
 

diff --git a/infra/examples-dev/aws/msft-365.tf b/infra/examples-dev/aws/msft-365.tf
@@ -5,6 +5,7 @@ module "worklytics_connectors_msft_365" {
   # source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=rc-v0.5.9"
 
   enabled_connectors                         = var.enabled_connectors
+  enabled_connectors_from_templates          = var.enabled_connectors_from_templates
   environment_id                             = var.environment_name
   msft_tenant_id                             = var.msft_tenant_id
   example_msft_user_guid                     = var.example_msft_user_guid

diff --git a/infra/examples-dev/aws/variables.tf b/infra/examples-dev/aws/variables.tf
@@ -219,6 +219,14 @@ variable "enabled_connectors" {
   description = "list of ids of connectors to enabled; see modules/worklytics-connector-specs"
 }
 
+variable "enabled_connectors_from_templates" {
+  type = map(object({
+    template_id = string
+  }))
+  description = "map of connector id --> id of connector template to enable"
+  default     = {}
+}
+
 variable "non_production_connectors" {
   type        = list(string)
   description = "connector ids in this list will be in development mode (not for production use)"
@@ -237,6 +245,40 @@ variable "bulk_sanitized_expiration_days" {
   default     = 1805 # 5 years; intent is 'forever', but some upperbound in case bucket is forgotten
 }
 
+variable "custom_api_connectors" {
+  type = map(object({
+    source_kind             = string
+    source_auth_strategy    = string
+    target_host             = string
+    oauth_scopes_needed     = optional(list(string), [])
+    environment_variables   = optional(map(string), {})
+    enable_async_processing = optional(bool, false)
+    example_api_calls       = optional(list(string), [])
+    example_api_requests = optional(list(object({
+      method       = optional(string, "GET")
+      path         = string
+      content_type = optional(string, "application/json")
+      body         = optional(string, null)
+    })), [])
+    example_api_calls_user_to_impersonate = optional(string)
+    secured_variables = optional(list(object({
+      name                = string
+      value               = optional(string)
+      writable            = optional(bool, false)
+      lockable            = optional(bool, false)
+      sensitive           = optional(bool, true)
+      description         = optional(string)
+      value_managed_by_tf = optional(bool, true)
+      })),
+    [])
+    settings_to_provide = optional(map(string), {})
+    rules_file          = optional(string, null)
+  }))
+
+  description = "map of API connectors to provision"
+  default     = {}
+}
+
 variable "custom_api_connector_rules" {
   type        = map(string)
   description = "map of connector id --> YAML file with custom rules"

diff --git a/infra/examples-dev/gcp/google-workspace.tf b/infra/examples-dev/gcp/google-workspace.tf
@@ -14,13 +14,14 @@ module "worklytics_connectors_google_workspace" {
     google = google.google_workspace
   }
 
-  environment_id                 = var.environment_name
-  enabled_connectors             = var.enabled_connectors
-  gcp_project_id                 = var.google_workspace_gcp_project_id
-  google_workspace_example_user  = var.google_workspace_example_user
-  google_workspace_example_admin = var.google_workspace_example_admin
-  provision_gcp_sa_keys          = var.google_workspace_provision_keys
-  todos_as_local_files           = var.todos_as_local_files
+  environment_id                    = var.environment_name
+  enabled_connectors                = var.enabled_connectors
+  enabled_connectors_from_templates = var.enabled_connectors_from_templates
+  gcp_project_id                    = var.google_workspace_gcp_project_id
+  google_workspace_example_user     = var.google_workspace_example_user
+  google_workspace_example_admin    = var.google_workspace_example_admin
+  provision_gcp_sa_keys             = var.google_workspace_provision_keys
+  todos_as_local_files              = var.todos_as_local_files
 }
 
 output "google_workspace_api_clients" {

diff --git a/infra/examples-dev/gcp/main.tf b/infra/examples-dev/gcp/main.tf
@@ -57,6 +57,7 @@ locals {
     module.worklytics_connectors.enabled_api_connectors,
     module.worklytics_connectors_google_workspace.enabled_api_connectors,
     local.msft_api_connectors_with_auth,
+    var.custom_api_connectors,
     {}
   )
 

diff --git a/infra/examples-dev/gcp/msft-365.tf b/infra/examples-dev/gcp/msft-365.tf
@@ -5,6 +5,7 @@ module "worklytics_connectors_msft_365" {
   # source = "git::https://github.com/worklytics/psoxy//infra/modules/worklytics-connectors-msft-365?ref=rc-v0.5.9"
 
   enabled_connectors                         = var.enabled_connectors
+  enabled_connectors_from_templates          = var.enabled_connectors_from_templates
   environment_id                             = var.environment_name
   msft_tenant_id                             = var.msft_tenant_id
   example_msft_user_guid                     = var.example_msft_user_guid

diff --git a/infra/examples-dev/gcp/variables.tf b/infra/examples-dev/gcp/variables.tf
@@ -228,6 +228,15 @@ variable "enabled_connectors" {
   description = "list of ids of connectors to enabled; see modules/worklytics-connector-specs"
 }
 
+variable "enabled_connectors_from_templates" {
+  type = map(object({
+    template_id = string
+  }))
+  description = "map of connector id --> id of connector template to enable"
+  default     = {}
+}
+
+
 variable "non_production_connectors" {
   type        = list(string)
   description = "connector ids in this list will be in development mode (not for production use"
@@ -246,6 +255,40 @@ variable "bulk_sanitized_expiration_days" {
   default     = 1805 # 5 years; intent is 'forever', but some upperbound in case bucket is forgotten
 }
 
+variable "custom_api_connectors" {
+  type = map(object({
+    source_kind             = string
+    source_auth_strategy    = string
+    target_host             = string
+    oauth_scopes_needed     = optional(list(string), [])
+    environment_variables   = optional(map(string), {})
+    enable_async_processing = optional(bool, false)
+    example_api_calls       = optional(list(string), [])
+    example_api_requests = optional(list(object({
+      method       = optional(string, "GET")
+      path         = string
+      content_type = optional(string, "application/json")
+      body         = optional(string, null)
+    })), [])
+    example_api_calls_user_to_impersonate = optional(string)
+    secured_variables = optional(list(object({
+      name                = string
+      value               = optional(string)
+      writable            = optional(bool, false)
+      lockable            = optional(bool, false)
+      sensitive           = optional(bool, true)
+      value_managed_by_tf = optional(bool, true)
+      description         = optional(string)
+      })),
+    [])
+    settings_to_provide = optional(map(string), {})
+    rules_file          = optional(string, null)
+  }))
+
+  description = "map of custom API connectors to provision"
+  default     = {}
+}
+
 variable "custom_api_connector_rules" {
   type        = map(string)
   description = "map of connector id --> YAML file with custom rules"

diff --git a/infra/modules/aws-host/main.tf b/infra/modules/aws-host/main.tf
@@ -28,6 +28,8 @@ locals {
 
   has_enabled_webhook_collectors = length(keys(var.webhook_collectors)) > 0
   enable_webhook_testing         = var.provision_testing_infra && local.has_enabled_webhook_collectors
+
+  api_connector_rules_files = merge(var.custom_api_connector_rules, { for k, v in var.api_connectors : k => v if v.rules_file != null })
 }
 
 module "psoxy" {
@@ -218,7 +220,7 @@ module "api_connector" {
     {
       PSEUDONYMIZE_APP_IDS   = tostring(var.pseudonymize_app_ids)
       EMAIL_CANONICALIZATION = var.email_canonicalization
-      CUSTOM_RULES_SHA       = try(var.custom_api_connector_rules[each.key], null) != null ? filesha1(var.custom_api_connector_rules[each.key]) : null
+      CUSTOM_RULES_SHA       = try(local.api_connector_rules_files[each.key], null) != null ? filesha1(local.api_connector_rules_files[each.key]) : null
       IS_DEVELOPMENT_MODE    = contains(var.non_production_connectors, each.key)
     }
   )
@@ -229,7 +231,7 @@ module "api_connector" {
 module "custom_api_connector_rules" {
   source = "../../modules/aws-ssm-rules"
 
-  for_each = var.custom_api_connector_rules
+  for_each = local.api_connector_rules_files
 
   prefix    = "${local.instance_ssm_prefix}${replace(upper(each.key), "-", "_")}_"
   file_path = each.value

diff --git a/infra/modules/aws-host/variables.tf b/infra/modules/aws-host/variables.tf
@@ -197,6 +197,7 @@ variable "api_connectors" {
       })),
     [])
     settings_to_provide = optional(map(string), {})
+    rules_file          = optional(string, null)
   }))
 
   description = "map of API connectors to provision"

diff --git a/infra/modules/gcp-host/main.tf b/infra/modules/gcp-host/main.tf
@@ -13,6 +13,8 @@ locals {
   config_parameter_prefix               = var.config_parameter_prefix == "" ? local.default_config_parameter_prefix : var.config_parameter_prefix
   environment_id_prefix                 = "${var.environment_name}${length(var.environment_name) > 0 ? "-" : ""}"
   environment_id_display_name_qualifier = length(var.environment_name) > 0 ? " ${var.environment_name} " : ""
+
+  api_connector_rules_files = merge(var.custom_api_connector_rules, { for k, v in var.api_connectors : k => v if v.rules_file != null })
 }
 
 module "psoxy" {
@@ -196,7 +198,7 @@ module "api_connector" {
       BUNDLE_FILENAME        = module.psoxy.filename
       IS_DEVELOPMENT_MODE    = contains(var.non_production_connectors, each.key)
       PSEUDONYMIZE_APP_IDS   = tostring(var.pseudonymize_app_ids)
-      CUSTOM_RULES_SHA       = try(var.custom_api_connector_rules[each.key], null) != null ? filesha1(var.custom_api_connector_rules[each.key]) : null
+      CUSTOM_RULES_SHA       = try(local.api_connector_rules_files[each.key], null) != null ? filesha1(local.api_connector_rules_files[each.key]) : null
       EMAIL_CANONICALIZATION = var.email_canonicalization
     }
   )
@@ -209,7 +211,7 @@ module "api_connector" {
 }
 
 module "custom_api_connector_rules" {
-  for_each = var.custom_api_connector_rules
+  for_each = local.api_connector_rules_files
 
   source = "../../modules/gcp-sm-rules"
 

diff --git a/infra/modules/gcp-host/variables.tf b/infra/modules/gcp-host/variables.tf
@@ -199,6 +199,7 @@ variable "api_connectors" {
       })),
     [])
     settings_to_provide = optional(map(string), {})
+    rules_file          = optional(string, null)
   }))
 
   description = "map of API connectors to provision"
-Original file line number
+Diff line change
@@ Expand Up / @@ -197,6 +197,7 @@ variable "api_connectors" { @@
           })),
         [])
         settings_to_provide = optional(map(string), {})
+        rules_file          = optional(string, null)
       }))
       description = "map of API connectors to provision"
@@ Expand Down @@