Configure a Connector Proxy

Setting the Environment Variable

Once a Connector Proxy has been deployed, to integrate it with SpiffArena, we simply need to update an environment variable and restart the backend. If you’re using the Getting Started Guide, open the docker-compose.yml file; otherwise, edit the environment variable in the way that is appropriate for your deployment. The variable we need to change is called SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL.

Here’s an example diff using the function URL from the AWS tutorial:

diff --git a/docker-compose.yml b/docker-compose.yml
index 95b87b39..7d55c492 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,7 +26,7 @@ services:
       SPIFFWORKFLOW_BACKEND_URL: "http://localhost:${SPIFF_BACKEND_PORT:-8000}"

       SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR: "/app/process_models"
-      SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL: "http://spiffworkflow-connector:8004"
+      SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL: "https://crbxgaopinfxqscntkqixjbl4e0gigpm.lambda-url.us-east-1.on.aws"
       SPIFFWORKFLOW_BACKEND_DATABASE_URI: "mysql+mysqlconnector://root:${SPIFF_MYSQL_PASS:-my-secret-pw}@spiffworkflow-db:${SPIFF_MYSQL_PORT:-8003}/spiffworkflow_backend_development"
       SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA: "false"
       SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_ID: "spiffworkflow-backend"

To restart:

docker compose down
docker compose up -d

Securing the Connector Proxy with an API Key

If your Connector Proxy is publicly accessible (for example, deployed as an AWS Lambda function with a public URL), you can restrict access to it using an API key. When configured, SpiffArena’s backend will include a Spiff-Connector-Proxy-Api-Key header on every request it sends to the proxy. Your connector proxy can then validate this header and reject requests that don’t include the correct key.

Set the API key using the SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_API_KEY environment variable:

SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_API_KEY: "your-secret-api-key"

When this variable is set, all requests from the SpiffArena backend to the connector proxy (command discovery, authentication listing, and command execution) will include:

Spiff-Connector-Proxy-Api-Key: your-secret-api-key

If the variable is not set, no API key header is sent and access is unrestricted (suitable for connector proxies on private networks).

See Connector Proxy for details on how to validate this header in your own connector proxy implementation.

Testing

Create a new process model as described in the Getting Started Guide. Add a Service Task and in its properties panel, you will see a dropdown from which you can select the connector in your Connector Proxy to call. In this demo, we deployed HTTP GET and POST connectors:

Screenshot from 2023-04-06 16-38-02

Choose the http/GetRequest operator ID and enter the dog fact API URL. Remember to quote it since parameters are evaluated as Python expressions.

Screenshot from 2023-04-06 16-50-42

Run the process and once it’s complete, you can see the response in the workflow:

Screenshot from 2023-04-06 16-49-53

You have successfully configured a Connector Proxy for use with SpiffArena. You made a call from a workflow to get a dog fact. Now, imagine if that call was to communicate with an external system relevant to your business processes.