1.0 Introduction
This article describes how to create, manage, approve, and execute workflows in Fortanix Confidential Computing Manager (CCM) using Connectors and Scripts. It also explains how to use the RUN functionality to execute workflow jobs and monitor workflow execution status.
Using the Workflows menu item in the Fortanix CCM user interface (UI), you can create and manage workflows through a visual workflow canvas. This visual representation illustrates how different workflow components, such as inbound connectors, scripts, and outbound connectors, are connected and interact within the workflow.
2.0 Execute the Script using Azure Service Principal
This section describes how to execute workflows in Fortanix CCM using a compute cluster configured with Azure Service Principal authentication.
2.1 Prerequisites
Before executing workflows, ensure that compute clusters are configured in Fortanix CCM. A compute cluster is a collection of worker nodes that run containerized applications and is required to execute workflows in Fortanix CCM.
For more information about configuring compute clusters in Fortanix CCM using Azure Service Principal authentication, refer to Section 3.0: Configure the Cluster using Azure Service Principal.
2.2 Create a Cluster
Ensure that a compute cluster is configured in Fortanix CCM using Azure Service Principal authentication. This compute cluster is required to execute workflows in Fortanix CCM.
For more information about configuring a compute cluster using Azure Service Principal authentication, refer to Azure Service Principal with Fortanix Confidential Computing Manager.
3.0 Configure the Cluster using Azure Service Principal
Perform the following steps to configure a compute cluster using Azure Service Principal authentication:
In the CCM UI left navigation panel, click Infrastructure → COMPUTE CLUSTERS, and then click ADD CLUSTER to create a compute cluster.
Figure 1: Add Compute Cluster
In the Add Cluster form:
Cluster name: Enter a name for the compute cluster.
Description (Optional): Enter a brief description of the cluster.
Type: Select either of the following two options from the drop down menu:
Kubernetes:
Kubernetes configuration: Enter the Kubernetes cluster configuration in YAML format in the provided text box. Alternatively, click UPLOAD FILE to upload the Kubernetes configuration file.
NOTE
Ensure that the uploaded Kubernetes configuration file is valid and contains the required cluster access details for establishing connectivity with the Kubernetes environment.
ACI via Service Principal:
Location: Select the Azure region where the deployment will occur. If the required region is not available in the list, select Other and manually enter the region.
ACI configuration:
APP ID: Enter the Azure Active Directory application ID (client ID) used to identify the application.
APP Passcode: Enter the application secret used for authentication.
Tenant ID: Enter the unique identifier of the Azure Active Directory instance (Directory ID).
Subscription: Enter the subscription ID under which the Azure resources are managed.
Resource Group: Enter the Azure resource group used to manage container instances and deployments.
Click ADD CLUSTER to create the compute cluster.
After the cluster is created, it is available for executing workflows that use Azure Service Principal–based compute resources.
4.0 Create a Workflow
This section describes how to create a workflow by connecting inbound connectors, scripts, and outbound connectors in Fortanix CCM.
In a workflow, inbound connectors are used to access input data, which is processed within scripts using SQL queries or Python code. The processed output is then exported through outbound connectors to the configured destination.
These workflow connections enable secure execution of data processing and data transfer operations within Fortanix CCM.
Perform the following steps to create a workflow:
In the Fortanix CCM UI left navigation panel, click Workflows, and then click ADD WORKFLOW to create a new workflow.
Figure 2: Add workflow
In the Add Workflow form:
Name: Enter a name for the workflow.
Group: Select the required Fortanix Armor Identity and Access Management (IAM) group from the drop down menu to associate the workflow with that group.
Description (Optional): Enter a short description for the workflow.
Click ADD WORKFLOW to create the workflow.
4.1 Add Inbound and Outbound Connectors
This section describes how to add inbound and outbound connectors to a workflow.
Perform the following steps to add connectors to the workflow:
Add an inbound connector:
Drag the Inbound Connector node onto the workflow canvas, and then click ADD INBOUND CONNECTOR.
In the INBOUND CONNECTOR dialog box, either create a new inbound connector or select an existing inbound connector. For more information about creating an inbound connector, refer to Inbound Connectors.
Click ADD INBOUND CONNECTOR to add the selected or newly created inbound connector.
Add an outbound connector:
Drag the Outbound Connector node onto the workflow canvas, and then click ADD OUTBOUND CONNECTOR.
In the OUTBOUND CONNECTOR dialog box, either create a new outbound connector or select an existing outbound connector. For more information about creating an outbound connector, refer to Outbound Connectors.
Click ADD OUTBOUND CONNECTOR to add the selected or newly created outbound connector.
4.2 Add Scripts
This section describes how to add scripts to a workflow.
Perform the following steps to add scripts to the workflow:
Add a script:
Drag the Script node onto the workflow canvas, and then click ADD SCRIPT.
In the SCRIPT dialog box, either create a new script or select an existing script. For more information about creating a script, refer to Scripts.
Click ADD SCRIPT to add the selected or newly created script.
4.3 Establish the connections
This section describes how to establish valid connections between workflow components.
Perform the following steps to connect the workflow components:
Connect the workflow components in the following order:
Connect inbound connectors to script nodes written in SQL, Python, or SQL Aggregate.
Connect SQL or Python script nodes to SQL Aggregate script nodes, if applicable.
Connect SQL Aggregate script nodes to one or more outbound connectors to generate output.
NOTE
The following rules apply when creating workflow connections:
SQL script nodes must have at least one incoming connection originating from either an inbound connector or a Python script node.
SQL Aggregate script nodes must have exactly one incoming connection originating from either a SQL script node, a Python script node, or an inbound connector.
Python script nodes must have at least one incoming connection originating from either an inbound connector or a SQL or Python script node.
Python script nodes must also have at least one outgoing connection to another script node (Python, SQL, or SQL Aggregate) or to an outbound connector.
Only one Python script node and one SQL script node per workflow are supported in this release.
Outbound connectors must have at least one incoming connection:
If there is exactly one incoming connection, it may originate from a SQL script node, Python script node, or SQL Aggregate script node.
If there are multiple incoming connections, all incoming connections must originate from SQL Aggregate script nodes.
All other types of inbound connections are not supported.
Disconnected workflow components are not allowed:
Inbound connectors, script nodes, and outbound connectors must be connected to at least one other workflow node.
Unattached workflow nodes are considered invalid, except when the workflow is in Draft state.
Connections between legacy nodes and Windsor nodes are not supported.
Connections such as Application to Data Connector and Dataset to Data Connector or Script are not supported.
5.0 Request the Workflow Approval
After the workflow configuration is complete, click SAVE AND REQUEST APPROVAL to submit the workflow for review and approval by the assigned users.
WARNING
After a workflow is submitted for approval, it is removed from the Drafts list. Workflows in Pending or Approved state cannot be edited directly.
5.1 Approve or Reject a Workflow
Perform the following steps to review and respond to a workflow approval request:
After submission, the workflow remains in Pending state until all required approvals are completed.
From the PENDING tab, click SHOW APPROVAL REQUEST to review the workflow.
In the APPROVAL REQUEST – CREATE WORKFLOW dialog box, click APPROVE or DECLINE to respond to the workflow request.
NOTE
A workflow can also be approved or declined from the Tasks tab.
Users who have approved the workflow are indicated by a green tick displayed against their user icon.
At least one administrative user approval is required to finalize the workflow.
If any user declines the workflow, the workflow is rejected.
When all required users approve the workflow, it is successfully deployed.
After successful approval, Fortanix CCM performs the following actions:
a. Configures applications to access the associated datasets.
b. Creates the Workflow Application Configurations.
c. Generates and returns the list of hashes required to start the applications.
6.0 Configure the Approved Workflow
This section describes how to configure an approved workflow before execution in Fortanix CCM.
Perform the following steps to configure the workflow:
In the CCM UI left navigation panel, click Workflows → Approved.
From the list of approved workflows, select a workflow that contains a single application, as Fortanix CCM supports only single-job deployments.
On the workflow details page, RUN remains disabled until the Azure account and deployment location are configured. Click the Settings icon to configure these settings and enable RUN.
In the RUN WORKFLOW dialog box:
Deployment Type: Select Azure Confidential Instances (Single Job) from the drop down menu.
Azure account: Select the configured compute cluster from the drop down menu.
Location: Select the Azure region where the workflow will be deployed.
Click SAVE CONFIGURATION to apply the configuration changes.
After the configuration is saved, RUN becomes enabled.
7.0 Run the Workflow
Before running the workflow, ensure that an Image Registry is configured in Fortanix CCM. For more information, refer to Image Registry.
A registry containing the application image used in the workflow must be configured in the Fortanix CCM account. During workflow execution, the registry credentials are passed to Azure Container Instances (ACI) to pull the application image.
Perform the following steps to run the ACI workflow application:
Configure the image pull secret.
On the workflow details page, click RUN.
In the RUN WORKFLOW dialog box, verify all configuration parameters, and then click RUN to start workflow execution.
A running indicator appears at the bottom of the workflow page.
NOTE
The workflow execution status is not updated in real time. Click the Refresh icon to retrieve the latest execution status from the cluster.
To stop workflow execution, click STOP. RUN becomes enabled again after execution stops.
After successful execution, the execution status appears in the EXECUTION LOG section.
Click View detail to view detailed log information.
The EXECUTION LOG dialog box provides complete execution details. You can also download the log using DOWNLOAD.
NOTE
Executing workflows containing more than one application is not supported in this release. Fortanix CCM supports execution of workflows containing a single application only. You can also access the generated CSV output file to verify the workflow output data.