# Managing Log Source Alarms with Terraform ## Overview You can define a [drop-off alarm](/data-onboarding/monitoring-log-sources.md#viewing-the-log-source-health) for a log source in Terraform using the Panther [Terraform provider](https://registry.terraform.io/providers/panther-labs/panther/latest). A drop-off alarm fires when a log source receives no events for a configured time interval. Defining the alarm in Terraform lets you manage your log source monitoring alongside the rest of your Panther infrastructure. Other methods to configure a drop-off alarm include [using the Panther REST API](/panther-developer-workflows/api/rest/log-source-alarms.md) directly and [manual configuration in the Panther Console](/system-configuration/notifications/system-errors.md#configuring-log-drop-off-alarms-for-log-sources). {% hint style="info" %} Only the `SOURCE_NO_DATA` alarm type is user-configurable. The other alarm types visible in the Panther Console (permissions checks, classification failures, log-processing errors, scanning errors) are system-managed and cannot be defined in Terraform. {% endhint %} ## How to define a log source alarm in Terraform The following sections outline how to define a drop-off alarm in HashiCorp Configuration Language (HCL). ### Prerequisites * Before starting, ensure you have: * An API URL and token with the `Manage Log Sources` permission. This is required to complete [Step 2](#step-2-provide-values-for-the-defined-variables). * If needed, follow [these instructions for creating an API token in the Panther Console](/panther-developer-workflows/api.md#how-to-create-a-panther-api-token). * An existing Panther log source to attach the alarm to, defined in the same Terraform configuration or referenced by ID. See the Terraform pages for [S3](/panther-developer-workflows/terraform/s3.md), [HTTP](/panther-developer-workflows/terraform/http.md), [GCS](/panther-developer-workflows/terraform/gcs.md), or [Pub/Sub](/panther-developer-workflows/terraform/pubsub.md) log sources. ### Step 1: Define variables * Define a `variables.tf` file with the Panther variables shown in the code block below. ```hcl variable "panther_api_token" { description = "Panther API token" type = string sensitive = true } variable "panther_api_url" { description = "Panther API URL" type = string } variable "minutes_threshold" { description = "How long Panther waits, in minutes, before alerting when no events are received. Must be between 15 and 43,200 (30 days)." type = number default = 60 } ``` ### Step 2: Provide values for the defined variables * Add a `*.tfvars` file that assigns values to the variables you defined in Step 1. Note that to complete this section, you will need the API URL and token outlined in the [Prerequisites section](#prerequisites). * Your `panther_api_url` value should be your root API URL. This is either: * A [GraphQL API URL](/panther-developer-workflows/api/graphql.md#step-1-identify-your-panther-graphql-api-url) without the `/public/graphql` suffix * A [REST API URL](/panther-developer-workflows/api/rest.md#step-1-identify-your-panther-rest-api-url) as-is (REST URLs do not have a suffix after the root URL) ```hcl panther_api_token = "XXXXXXXXXX" panther_api_url = "https://your-panther-url/v1" minutes_threshold = 60 ``` ### Step 3: Define the Terraform provider * Add the [Panther](https://registry.terraform.io/providers/panther-labs/panther/latest) Terraform provider. ```hcl terraform { required_providers { panther = { source = "panther-labs/panther" version = "~> 0.2.12" } } } ``` ### Step 4: Define the Panther log source alarm resource The following HCL configuration defines a drop-off alarm on an existing log source. The example assumes a `panther_s3_source` named `demo_source` is defined elsewhere in your configuration; the same `source_id` pattern applies to any log source type ([`panther_httpsource`](/panther-developer-workflows/terraform/http.md), [`panther_gcssource`](/panther-developer-workflows/terraform/gcs.md), [`panther_pubsubsource`](/panther-developer-workflows/terraform/pubsub.md)). ```hcl provider "panther" { token = var.panther_api_token url = var.panther_api_url } resource "panther_log_source_alarm" "demo_alarm" { source_id = panther_s3_source.demo_source.id type = "SOURCE_NO_DATA" minutes_threshold = var.minutes_threshold } ``` {% hint style="info" %} `source_id` and `type` are immutable. Changing either after creation forces Terraform to destroy and recreate the alarm. {% endhint %} ## Resource reference ### `panther_log_source_alarm` #### Arguments | Name | Type | Required | Description | | ------------------- | ------ | -------- | ---------------------------------------------------------------------------------------------------------------------------- | | `source_id` | string | ✓ | The ID of the log source to attach the alarm to. Immutable—changing this value forces resource replacement. | | `type` | string | ✓ | The alarm type. Currently only `SOURCE_NO_DATA` is supported. Immutable—changing this value forces resource replacement. | | `minutes_threshold` | number | ✓ | How long Panther waits, in minutes, before alerting when no events are received. Must be between `15` and `43200` (30 days). | #### Attributes | Name | Type | Description | | ---- | ------ | ------------------------------------------------------ | | `id` | string | Composite identifier in the form `{source_id}/{type}`. | ## Importing existing log source alarms If you have an existing drop-off alarm in Panther that you want to manage with Terraform, use `terraform import` with the composite `{source_id}/{type}` identifier. ```shell terraform import panther_log_source_alarm.demo_alarm "12345678-1234-1234-1234-123456789012/SOURCE_NO_DATA" ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/panther-developer-workflows/terraform/log-source-alarms.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.