The Workflows tool in Cortex allows you to automate running sequential actions and development workflows based on contextual data that exist inside your workspace. This tool supports both simple Workflows, like granting permissions to a database, and sophisticated ones, like creating a Jira ticket for an incident detected in Cortex.
Workflow RBAC
It is possible to configure specific users, teams, or roles who are allowed to run a Workflow, or you can require the user to be an Owner or Editor of an entity in order to run the Workflow. This is described in more detail under Step 2: Configure your Workflow settings.
It is also possible to add a "Manual approval" block to your Workflow, requiring approval from specific team members. Read more about configuring this under Add blocks to your Workflow.
View Workflows, run history, and Scaffolders
To see your Workflows, click Workflows in the lefthand navigation menu. To view existing Workflows, you must have the View Workflows permission.
At the top of the page, quickly see any Workflows that are pending your approval and a list of recently run Workflows.
In the list of Workflows, click the pin icon to pin any frequently-used Workflows to the top.
In the Workflows tab, view all existing Workflows, including each Workflow's name and description.
In the Runs tab, view historic runs for each Workflow.
To view previous Workflow runs, you must have the View Workflow runs permission.
In the Scaffolders tab, view, edit, or delete your organization's registered Scaffolder templates.
Click the rocketship icon to create a Workflow that contains a Scaffolder step with that template:
Creating a Workflow
You must have the Edit Workflows permission in order to complete these steps.
You can choose to create a Workflow from a template or you can choose to create one from scratch.
There are templates available for the following common workflows:
Create AWS S3 bucket
Create AWS EC2 instance
Create ServiceNow incident
Create Azure function
Create Jira issue
Step 1: Choose a template or a blank Workflow
In the lefthand navigation menu of Cortex, click Workflows.
In the upper right corner of the page, click Create Workflow.
Choose whether to start with a template or a blank workflow.
Workflow Template: Click the tile for the template you wish to use.
Note: Each tile displays the requirements for secrets you must define before using the template; make sure to follow the template's requirements before you proceed.
Step 2: Configure your Workflow settings
On the Create Workflow page, fill in the fields to configure your Workflow. The name, slug, and description are prepopulated for templates.
Name: Enter a descriptive name for your Workflow.
Slug: Enter a unique slug. If you have previously used a template, make sure to update the prepopulated slug when you use the template again.
Description: Optionally enter a description of the Workflow.
Run response template: Optionally enter a response template.
See more information about templating in the Actions docs.
Scope: Select Entity to narrow the Workflow's scope to a specific entity, or select Global if the Workflow should not be scoped to a specific entity.
If you choose Entity:
Entity Type: Select the entity type that this Workflow applies to.
Optionally, you can also choose groups to include or exclude.
User relation to entities: Specify the relation to the entity that the user running the Workflow must have in order to run the Workflow. You can require the user to be an Owner or an Editor of the entity in order to run the Workflow. If you choose Editor, you must have the Team ownership entity setting enabled.
Optionally, if you want to first save this Workflow as a draft, toggle on Save as draft at the top of the page.
When a Workflow is saved as a draft, it is only visible to users with the Workflow edit permission.
By default, a Workflow will be visible to all users in your organization who have permission to view Workflows. If you want to adjust view permissions for your Workflow:
Click Access at the top of the page.
Turn off the toggle for Organization access.
Configure the users, teams, or roles who should have access to your Workflow.
In order for a user to run the Workflow, they must have the Workflow runs execute permission and they must match at least one of the users, teams, or roles that you specify here.
Click Apply.
At the top of the page, click Save Workflow.
Step 3: Add blocks to your Workflow
Workflows are made of individual blocks, which are each responsible for a specific task when a Workflow is run. To add a block to your Workflow, click + in the Workflow visual in the center of the page, choose the type, then configure the block.
Cortex provides a library of blocks to choose from, including core blocks and integration-related blocks. Learn more about configuring blocks below.
Adding core blocks
The core blocks are described below.
Note: The slug for each block must be unique across a Workflow.
Branch
A Branch allows you to set up to five conditional paths for a Workflow.
Configure a branch
To configure a branch:
Click Branch from the list of blocks.
On the right side of the page, enter a Block name and Description.
The slug field will automatically pre-populate based on the name you enter.
The path expression is compatible with CEL syntax. The path expression does not accept dashed values; if you reference a block's slug that contains a dash, wrap the slug in quotes and square brackets.
For example, if you want to reference a block with the slug slug-example, the expression would begin with actions["slug-example"].
Note: Autocomplete will provide correctly formatted options based on the blocks defined in your Workflow.
Under the Path expression text box, click Save.
You will be redirected to the block editor page, showing your newly-added path in the Workflow visual.
Optionally, add additional paths and a fallback path.
Click + under a path to add the next type of block. You can add any type, including another branch.
When you are finished adding paths, click Save at the bottom of the block editor.
If you want to add additional blocks that occur after the paths within your branch, click + below the branch box in the Workflow editor.
How paths work
The paths defined run sequentially. The first path that returns true will execute, even if subsequent paths would also return true. The Workflow will then continue performing blocks in that path. You can also set a fallback path that will run if all other paths fail.
Primary and nested branches function the same way.
Nested branches
To nest a branch:
In the visual Workflow, click the + that is branched off your original branch.
On the right side of the page in the Workflow editor, select Branch.
Enter a name for your branch, then click Save.
There are no limits on how many branches you can nest.
Data transformation
A Data transformation performs data transformations using jq. Except for the block name and slug, the only field required is the jq expression.
Configure a data transformation
To configure a data transformation:
Click Data transformation from the list of blocks.
Enter a name.
The slug field will automatically pre-populate based on the name you enter.
Enter a jq expression. This field can pass any sort of jq expression, as long as the variables and context are referenced differently.
Although you would typically use {} to template the context of your Workflow, in this field you’ll need to reference such values as jq query values.
Click Save.
HTTP request
The HTTP request makes and records a request to a given URL.
Configure an HTTP request
To configure an HTTP request:
Click HTTP request from the list of blocks.
Enter a name.
The slug field will automatically pre-populate based on the name you enter.
Select an HTTP method. The options are DELETE, GET, PATCH, POST, or PUT.
Configure the fields:
URL: Enter a static URL or use a template to reference other blocks.
If you use {{actions.url.outputs.result}}, for example, you can set the URL to the output of a jq action. In this example:
.actions indicates a reference to a Workflow block
.url is the slug for the Workflow block we’re referencing
.outputs is the location of the actual output of the jq expression
.result is the result field where the output is stored
Because Mustache performs HTML escaping by default, special characters referenced in a value with two curly braces ({{}}) will be converted to their associated HTML encoding. For example, {{=}} would become =. To reference a non-escaped value, use three curly braces ({{{=}}}).
Headers: Click one of the options provided, or enter your own.
When using a secret with a header, prefix the secret with context..
Payload: This field appears if you are using an HTTP request that sends a payload. The payload that you supply can also be templated and can reference an entity that the Workflow is being run with. Some additional steps are required to properly template raw JSON in the payload field.
Single primitive values will work as expected, but to add JSON objects or arrays, follow these steps you first need to create a Data Transformation action that accesses the relevant JSON and pipes it into the tojson built-in.
For example, .context.initiatedBy | tojson would enable a user to add the full initiatedBy object () into an HTTP request payload. When templating this value, three curly braces are needed in order to reference a non-escaped value. Continuing our earlier example, if the data transformation action we just created has the slug transform-to-json, then the payload would include {{{actions.transform-to-json.outputs.result}}}.\
Click Save.
If using special characters when templating, make sure to include three curly braces to reference a non-HTML-escaped value.
Manual approval
A Manual approval pauses the Workflow to get approval from a member of a given Team. Like with user inputs, the Workflow will proceed to the next block once it has been approved.
Configure a manual approval
To configure a manual approval:
Click Manual approval from the list of blocks.
Enter a name.
The slug field will automatically pre-populate based on the name you enter.
Under Teams allowed to approve, select one or more teams who are allowed to approve the request from this block. Any member of a given team can approve the block.
Click Save.
You can have multiple manual approvals within a given Workflow. If you have two blocks with two different sets of teams set as approvers, each team will only be able to approve the block they are defined under.
Pending approval
When a manual approval block is triggered, users that belong to teams designated as approvers will see Pending approvals at the top of their Workflows page.
This section displays any blocks that are pending your approval. If manual approval actions exist within a Workflow, but do not require your approval, they will not appear here, even if you are designated to approve a different block in the same Workflow.
You can open any Workflow in the pending approval list to Approve or Reject the block.
Once all of your approval requests have been approved or rejected, this tab will disappear from the Workflows page.
Scaffolder
The Scaffolder uses a Cortex Scaffolder template to perform a given function. You must have the Execute Scaffolder permission to configure a Scaffolder block.
To configure a Scaffolder:
Click Scaffolder from the list of blocks.
Enter a name.
The slug field will automatically pre-populate based on the name you enter.
Under Scaffolder template, select a template from the dropdown.
This dropdown pulls in all templates available from the Scaffolder page.
Configure the remaining fields. The fields differ depending on the template's specifications and available Git providers. The option to create a repo also may or may not be visible, depending on whether the template requires a pull request.
Click Save.
If using the Scaffolder to create a new repo and the desired repo already exists, Cortex will surface an error and prevent the flow from continuing.
Define Scaffolder template overrides
You can also define Scaffolder template overrides for a block — these will override template fields with output variables from a previous Workflow step, or from the context of the Workflow.
To add an override:
In the bottom of the block configuration, click Add variable.
Under Path, enter the path to the actual value we want in the Workflow.
For example, if you wanted to override the Project name variable for a Scaffolder with the tag of the entity you’re running, the path would be context.entity.tag — that will obtain and supply the value.
If you want to override the options that are available to a user running the Workflow, toggle on Is value override.
For example, if you wanted to restrict the project name to some set of values based on a particular HTTP fetch, you would toggle this setting on.
When toggled on, the value being grabbed in lieu of project_name is the value of the variable. When toggled off, the value grabbed would be the option provided for that variable, i.e. the project name.
Running a workflow with a Scaffolder step
When you run a workflow with a Scaffolder block, the Scaffolder will prompt you for user input. Some fields, such as Commit message and Pull request title, only appear if your Scaffolder step creates a Pull Request rather than a repository.
After the inputs are provided, the Scaffolder will run.
User input
The User input block pauses the Workflow and prompts the user for specific inputs. Once user inputs are entered, the Workflow will proceed to the next block.
Note that users with the Edit Workflows permission are inherently able to obtain secret values using complex data transformation on secrets or echoing services.
To configure a user input block:
Click User input from the list of actions.
Enter a name.
The slug field will automatically pre-populate based on the name you enter.
Configure the "Create input field" form:
Name: Enter a name for the input field.
Key: Enter a value to be used when templating. This must be unique across fields in a given user input block.
Description: Enter a description of the input field.
Type: Select from the following:
Number: A numerical value.
If you select this type, you can then choose Integer or Decimal for the number format, and select a minimum and maximum value.
Paragraph: Multi-line, freeform text.
Secret: Capture a secret value.
Select: Manually configured or predefined data selection.
Toggle on Allow multiple to enable multiple selections for a given input field.
Text: Short, freeform text.
Toggle: Boolean value.
Date: Date in YYYY-MM-DD format.
Placeholder: Enter text to display when a field is empty.
Default value: Enter a value that will automatically populate the field.
Validation regex: Set validation options for the input field.
If you chose the Secret type, enter the secret value that a user will need to input to run this action.
Path to override value: Optionally, enter the previous block output path to override the value of a given input.
For example, if the key is name, then entering actions.name-action.outputs.name in the previous block output path field will use the output from a previous step as the name.
Click Add input at the bottom of the "Edit input field" modal.
Click Save.
Additional steps for the Select type
If you chose the type Select while configuring the user input block, additional fields must be configured depending on which Data source you select:
Manual data source: You can manually define each option for the input. You can select any of these defined options as the default value.
Cortex entity data source: You can filter the entities that will be available for user selection. If you don't set filters, the input will apply to all entities in your catalog.
Cortex user data source: You can filter by teams and users to determine the options available to users. If you don't set filters, the input will apply to all Cortex users and Teams.
Slack channels data source: You can choose to include or exclude one or more Slack channels from the available options. The default values will include all Slack channels registered in Cortex.
Adding integration blocks
Before adding an integration-related block, make sure you have configured the integration with the correct permissions described in Cortex's documentation for that integration.
While viewing the blocks library, click the integration block you want to add. At the bottom of the modal, click Insert.
The block is inserted into your Workflow, and a configuration form appears in the side panel.
In the side panel, configure the block:
Block name: Add a name for your block.
Slug: Add a unique identifier for your block.
Description: Enter a description to help others understand its purpose.
Alias: Select the integration alias this block applies to.
Additional fields differ depending on which block you choose.
At the bottom of the side panel, click Save.
For additional information on configuring a Slack block, see below.
Slack
The Slack block sends a Slack message to a given channel.
Prerequisites
Before configuring a Slack block:
Make sure the Cortex Slack Bot is added to the channel you want to send messages to via the Workflow.
Make sure the Slack Bot has the chat:write.public permission scope enabled.
Configure a Slack block
To configure a Slack block:
Click Slack from the list of blocks.
Enter a name.
The slug field will automatically pre-populate based on the name you enter.
Under Channel name, select a channel.
The channels listed in the dropdown are pulled from your organization's integration with Slack.
Under Message text, enter the message that will be sent in Slack via this block.
You can enter a simple string or use templating for a more dynamic message. For example, you can templatize to include the email address of the person who initiated the Workflow, reference prior blocks, or reference outputs.
Click Save.
When testing your new Slack block, if you receive the error Cannot send message to Slack channel without invitation, please try reinstalling the Slack integration to ensure that the correct permissions are configured.
Referencing previous blocks and Workflow state
Each Workflow, when run, will build up a state object that can be referenced throughout the Workflow, and allows blocks to reference both the top-level state and a previous block's state.
In addition, you can use a block's unique identifier (a slug or a user input key) to reference it in another block within your Workflow.
From this page, you can edit, duplicate, run, delete, share, or create a Workflow. Click Run to run the Workflow. Click the 3 dots icon to view options to edit, duplicate, share, or delete the Workflow.
If a Workflow is in draft mode, you'll also see a Draft icon next to its name.
Blank Scorecard: Click the "Blank Workflow" tile at the top of the page.
Click +Add Path.
On the right side of the page, the "Conditional paths" section will expand. Enter a name, a slug, and a path expression.
In the override variable modal, click the Variable dropdown to select the Scaffolder template fields to override. Note that the options in this dropdown will be pulled from fields in the Scaffolder template you selected in the first step.
Click Add user input.
Is override value editable: Enable this option if you want to allow users to edit the override value before continuing to execute the Workflow.
