Managing AWS Cloud Accounts with Terraform

Manage AWS Cloud Accounts as code in Terraform

Overview

You can define your AWS Cloud Account integration in Terraform using the Panther Terraform provider. AWS Cloud Accounts enable Panther's Cloud Security Scanning capabilities to monitor cloud resource configurations for security compliance.

Other methods to create an AWS Cloud Account integration include using the Panther REST API directly and manual creation in the Panther Console.

How to define your AWS Cloud Account in Terraform

The following sections outline how to define your AWS Cloud Account integration in HashiCorp Configuration Language (HCL).

Prerequisites

Before starting, ensure you have:
- An API URL and token with the Manage Cloud Security Sources permission. This is required to complete Step 2.
  - If needed, follow these instructions for creating an API token in the Panther Console.
- The IAM audit role deployed in your AWS account. Use the CloudFormation template generated by Panther (Configure > Cloud Accounts > Connect an account) to provision the role, then use its ARN in your Terraform configuration.

Step 1: Define variables

Define a variables.tf file with the Panther variables shown in the code block below.

variable "panther_api_token" {
  description = "Panther API token"
  type        = string
  sensitive   = true
}

variable "panther_api_url" {
  description = "Panther API URL"
  type        = string
}

variable "integration_label" {
  description = "Display name for the AWS Cloud Account integration."
  type        = string
}

variable "aws_account_id" {
  description = "The 12-digit AWS account ID."
  type        = string
}

variable "audit_role" {
  description = "The IAM role ARN that Panther assumes to scan the AWS account."
  type        = string
}

// (Optional) Regions, resource types, and ARN regex patterns to exclude from scanning.
variable "region_ignore_list" {
  description = "AWS regions to exclude from scanning."
  type        = list(string)
  default     = []
}

variable "resource_type_ignore_list" {
  description = "Resource types to exclude from scanning (for example, AWS.S3.Bucket)."
  type        = list(string)
  default     = []
}

variable "resource_regex_ignore_list" {
  description = "Regex patterns matching resource ARNs to exclude from scanning."
  type        = list(string)
  default     = []
}

Step 2: Provide values for the defined variables

Add a *.tfvars file that assigns values to the variables you defined in Step 1. Note that to complete this section, you will need the API URL and token outlined in the Prerequisites section.
- Your panther_api_url value should be your root API URL. This is either:
  - A GraphQL API URL without the /public/graphql suffix
  - A REST API URL as-is (REST URLs do not have a suffix after the root URL)

panther_api_token          = "XXXXXXXXXX"
panther_api_url            = "https://your-panther-url/v1"
integration_label          = "production-aws"
aws_account_id             = "123456789012"
audit_role                 = "arn:aws:iam::123456789012:role/PantherAuditRole"
region_ignore_list         = ["us-west-1"]
resource_type_ignore_list  = ["AWS.KMS.Key"]
resource_regex_ignore_list = [".*-test-.*"]

Step 3: Define the Terraform provider

Add the Panther Terraform provider.

terraform {
  required_providers {
    panther = {
      source  = "panther-labs/panther"
      version = "~> 0.2.11"
    }
  }
}

Step 4: Define the Panther AWS Cloud Account resource

The following HCL configuration defines the AWS Cloud Account integration in Panther.

provider "panther" {
  token = var.panther_api_token
  url   = var.panther_api_url
}

resource "panther_aws_cloud_account" "example" {
  integration_label = var.integration_label
  aws_account_id    = var.aws_account_id

  aws_scan_config = {
    audit_role = var.audit_role
  }

  region_ignore_list         = var.region_ignore_list
  resource_type_ignore_list  = var.resource_type_ignore_list
  resource_regex_ignore_list = var.resource_regex_ignore_list
}

aws_account_id is immutable. Changing it after creation forces Terraform to destroy and recreate the resource.

Resource reference

`panther_aws_cloud_account`

Arguments

Name

Type

Required

Description

integration_label

string

✓

Display name for the integration (alphanumeric, spaces, and hyphens only; maximum 36 characters).

aws_account_id

string

✓

The 12-digit AWS account ID. Immutable—changing this value forces resource replacement.

aws_scan_config

object

✓

AWS scanning configuration. See aws_scan_config below.

region_ignore_list

list(string)

—

AWS regions to exclude from scanning. Defaults to [].

resource_type_ignore_list

list(string)

—

Resource types to exclude from scanning (for example, AWS.S3.Bucket). Defaults to [].

resource_regex_ignore_list

list(string)

—

Regex patterns matching resource ARNs to exclude from scanning. Defaults to [].

`aws_scan_config`

Name

Type

Required

Description

audit_role

string

✓

The IAM role ARN that Panther assumes to scan the AWS account.

Attributes

Name

Type

Description

id

string

Panther integration ID (UUID) for the AWS Cloud Account.

Importing existing AWS Cloud Accounts

If you have existing AWS Cloud Accounts in Panther that you want to manage with Terraform, use terraform import with the integration ID. The integration ID is a UUID visible in the Panther Console URL when viewing the Cloud Account (Configure > Cloud Accounts).

terraform import panther_aws_cloud_account.example 12345678-1234-1234-1234-123456789012

PreviousTerraform NextManaging AWS S3 Log Sources with Terraform

Last updated 21 days ago

Was this helpful?