...
The configure pragma's defaults are the empty string since there's no workable default for the Twilio keys. You can see that those variables are referenced in the send_sms() action to create the base URL for the Twilio call.
...
We avoid putting the keys in the module for two reasons:
Putting keys in the module is a security risk since the file may be inadvertently shared or otherwise exposed.
The module should be general purpose, so that it can be used for more than one account. By not putting secrets in the module, we enable it to be used by multiple rulesets with their own keys.
We use a parameterized module by declaring its use in the meta block of the ruleset that wants to use the module. The use pragma allows parameters to be supplied for configuration variables. The following shows a ruleset that uses the Twilio module.
    ruleset io.picolabs.use_twilio_v2 {
      meta {
        key twilio {
          "account_sid": "<your SID goes here>",
          "auth_token": "<your auth token goes here>"
        }
        use module io.picolabs.twilio_v2 alias twilio
          with account_sid = keys:twilio{"account_sid"}
               auth_token = keys:twilio{"auth_token"}
      }
      rule test_send_sms {
        select when test new_message
        twilio:send_sms(event:attr("to"),
                        event:attr("from"),
                        event:attr("message")
                       )
      }
    }
This pattern uses meta:rulesetConfig() to get information from the configuration data when the ruleset is installed. It passes that information to the module in the use pragma. By putting the keys in a key pragma, we tell the KRL parser and interpreter that they are keys so that they can take greater care. For example, they could be automatically redacted when shared.
Security Warning: Don't put keys in rulesets that are publicly hosted, on GitHub for example. Any ruleset containing keys must be carefully stored so that only authorized parties can see them. See the Security Considerations section of the KRL documentation on
But putting the keys in the ruleset means that it can't be publicly hosted, and we have to take special care to ensure the keys aren't exposed. Consequently, best practice is to store keys in a module specifically designed for keys. That way, you only have to be careful with modules you are aware have keys.
We can do this by defining a keys module that only contains keys. The provides keys pragma limits which keys are shared with which module for security.
    ruleset io.picolabs.lesson_keys {
      meta {
        key twilio {
          "account_sid": "<your account SID here>",
          "auth_token" : "<your auth token here>"
        }
        provides keys twilio to io.picolabs.use_twilio_v2
      }
    }
We modify the preceding ruleset using the keys to load this ruleset as a module like so:
    ruleset io.picolabs.use_twilio_v2 {
      meta {
        use module io.picolabs.lesson_keys
        use module io.picolabs.twilio_v2 alias twilio
          with account_sid = keys:twilio{"account_sid"}
               auth_token = keys:twilio{"auth_token"}
      }
      rule test_send_sms {
        select when test new_message
        twilio:send_sms(event:attr("to"),
                        event:attr("from"),
                        event:attr("message")
                       )
      }
    }
For this to work, the module containing the keys must be registered as io.picolabs.lesson_keys because that's the name of the module we load. The ruleset using the keys must be registered as io.picolabs.use_twilio_v2 since that's the name of the ruleset the keys are provided to in the provides keys pragma. You can store the ruleset containing the keys on AWS S3 behind a private URL, on a Web server with Basic Auth, or using some other scheme that will protect it from viewing by people who would steal the keys. The ruleset using the keys can be stored at a public URL.
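A check to run before hosting a ruleset publicly, as an added example (not code from the original page or from the Picolabs project): it flags key pragmas that hold literal values and lists which rulesets each key is provided to. It is a regex sketch rather than a KRL parser, the function names are hypothetical, and the credential values in the samples are constructed.

```python
import re

# `key <name> { ... }` pragma; the key maps shown on this page are flat.
KEY_PRAGMA = re.compile(r'\bkey\s+(\w+)\s*\{([^{}]*)\}')
# "field": "value" pairs inside a key pragma body.
PAIR = re.compile(r'"([^"]+)"\s*:\s*"([^"]*)"')
# `provides keys <name> to <ruleset id>`; "provide" is tolerated as well.
PROVIDES = re.compile(r'\bprovides?\s+keys\s+(\w+)\s+to\s+([\w.]+)')

def is_placeholder(value):
    """Empty strings and <angle-bracket> templates are not real secrets."""
    v = value.strip()
    return not v or (v.startswith("<") and v.endswith(">"))

def scan_ruleset(source):
    """Return (literal key fields, (key, recipient) grants) for KRL text."""
    literals = [f"{name}.{field}"
                for name, body in KEY_PRAGMA.findall(source)
                for field, value in PAIR.findall(body)
                if not is_placeholder(value)]
    return literals, PROVIDES.findall(source)

def safe_to_publish(source):
    """Publicly hostable only if no key pragma carries a literal value."""
    return not scan_ruleset(source)[0]

# Constructed samples: a keys module with made-up credential values,
# and a consumer ruleset that only references the keys.
KEYS_MODULE = '''
ruleset io.picolabs.lesson_keys {
  meta {
    key twilio {
      "account_sid": "AC-constructed-sid",
      "auth_token" : "constructed-token"
    }
    provides keys twilio to io.picolabs.use_twilio_v2
  }
}'''
CONSUMER = '''
ruleset io.picolabs.use_twilio_v2 {
  meta {
    use module io.picolabs.lesson_keys
    use module io.picolabs.twilio_v2 alias twilio
      with account_sid = keys:twilio{"account_sid"}
           auth_token = keys:twilio{"auth_token"}
  }
}'''
if __name__ == "__main__":
    for text in (KEYS_MODULE, CONSUMER):
        print(scan_ruleset(text), "publishable:", safe_to_publish(text))
```

The keys module is reported as not publishable and the consumer as publishable, which matches the private/public split described above.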