Managing HTTP Log Sources with Terraform

Manage HTTP log sources as code in Terraform

Overview

You can define your HTTP log source in Terraform using the Panther Terraform provider.

Other methods to create an HTTP log source include using the Panther API directly and manual creation in the Panther Console.

How to define your Panther HTTP log source in Terraform

The following sections outline how to define your HTTP log source in HashiCorp Configuration Language (HCL).

Prerequisite

Before starting, ensure you have an API URL and token with the Manage Log Sources permission. This is required to complete Step 3.
- If needed, follow these instructions for creating an API token in the Panther Console.

Step 1: Choose an authentication method

Select an authentication method for your HTTP endpoint from the options listed on HTTP Source.

The authentication method you select will determine the variables you define in Step 2, below.

Step 2: Define variables

Define a variables.tf file with the Panther variables shown in the code block below.

variable "panther_api_token" {
  description = "Panther API token"
  type        = string
}

variable "panther_api_url" {
  description = "Panther API URL"
  type        = string
}

variable "integration_label" {
  description = "The name of the integration."
  type        = string
}

variable "auth_method" {
  description = "Authentication method used."
  type        = string
}

// Auth variables are specific to auth_method. See table below
variable "auth_header_key" {
  description = "Key for the authentication header."
  type        = string
}

variable "auth_secret_value" {
  description = "Authentication secret value."
  type        = string
  sensitive   = true
}

// (Optional) Relevant only when log_stream_type = "JsonArray"
variable "json_array_envelope_field" {
  description = "Envelope field for json array stream"
  type        = string
}

Authentication method-specific variables

In your variables.tf file, include the values in the Additional variables column below for the authentication method you chose in Step 1.

Authentication method

auth_method value

Additional variables

Shared secret

SharedSecret

auth_header_key, auth_secret_value

HMAC

HMAC

auth_header_key, auth_secret_value

Bearer

Bearer

auth_bearer_token

Basic

Basic

auth_username, auth_password

None (not recommended)

None

Step 3: Provide values for the defined variables

Add a *.tfvars file that assigns values to the variables you defined in Step 2. Note that to complete this section, you will need the API URL and token outlined in the Prerequisite section.
- Your panther_api_url value should be your root API URL. This is either:
  - A GraphQL API URL without the /public/graphql suffix
  - A REST API URL as-is (REST URLs do not have a suffix after the root URL)

panther_api_token         = "XXXXXXXXXX"
panther_api_url           = "https://your-panther-url/v1"
integration_label         = "test-integration"
auth_method               = "SharedSecret" // SharedSecret, HMAC, Bearer, Basic, or None
// Auth variables are specific to auth_method. See table in Step 2
auth_header_key           = "x-api-key"
auth_secret_value         = "XXXXXXXXXX"
json_array_envelope_field = "records"

Step 4: Define the Terraform provider

Add the Panther Terraform provider.

terraform {
  required_providers {
    panther = {
      source = "panther-labs/panther"
      version = "~> 0.2.4"
    }
  }
}

Step 5: Define Panther HTTP log source

The following HCL configuration defines the HTTP log source in Panther.

provider "panther" {
  token = var.panther_api_token
  url   = var.panther_api_url
}

resource "panther_httpsource" "demo_http_source" {
  integration_label = var.integration_label
  log_stream_type   = "JSON" // Options: JSON, JsonArray, Auto, Lines, and CloudWatchLogs
  log_types         = ["AWS.CloudTrail"]
  auth_method       = var.auth_method
  // Auth variables are specific to auth_method. See table in Step 2
  auth_header_key   = var.auth_header_key
  auth_secret_value = var.auth_secret_value
  // (Optional) Relevant only when log_stream_type = "JsonArray"
  log_stream_type_options = {
    json_array_envelope_field = var.json_array_envelope_field
  }
}

PreviousManaging AWS S3 Log Sources with Terraform Nextpantherlog Tool

Last updated 8 months ago

Was this helpful?

hashtagOverview

hashtagHow to define your Panther HTTP log source in Terraform

hashtagPrerequisite

hashtagStep 1: Choose an authentication method

hashtagStep 2: Define variables

hashtagAuthentication method-specific variables

hashtagStep 3: Provide values for the defined variables

hashtagStep 4: Define the Terraform provider

hashtagStep 5: Define Panther HTTP log source