Managing Log Source Alarms with Terraform

Manage log source drop-off alarms as code in Terraform

Overview

You can define a drop-off alarm for a log source in Terraform using the Panther Terraform provider. A drop-off alarm fires when a log source receives no events for a configured time interval. Defining the alarm in Terraform lets you manage your log source monitoring alongside the rest of your Panther infrastructure.

Other methods to configure a drop-off alarm include using the Panther REST API directly and manual configuration in the Panther Console.

Only the SOURCE_NO_DATA alarm type is user-configurable. The other alarm types visible in the Panther Console (permissions checks, classification failures, log-processing errors, scanning errors) are system-managed and cannot be defined in Terraform.

How to define a log source alarm in Terraform

The following sections outline how to define a drop-off alarm in HashiCorp Configuration Language (HCL).

Prerequisites

Before starting, ensure you have:
- An API URL and token with the Manage Log Sources permission. This is required to complete Step 2.
  - If needed, follow these instructions for creating an API token in the Panther Console.
- An existing Panther log source to attach the alarm to, defined in the same Terraform configuration or referenced by ID. See the Terraform pages for S3, HTTP, GCS, or Pub/Sub log sources.

Step 1: Define variables

Define a variables.tf file with the Panther variables shown in the code block below.

variable "panther_api_token" {
  description = "Panther API token"
  type        = string
  sensitive   = true
}

variable "panther_api_url" {
  description = "Panther API URL"
  type        = string
}

variable "minutes_threshold" {
  description = "How long Panther waits, in minutes, before alerting when no events are received. Must be between 15 and 43,200 (30 days)."
  type        = number
  default     = 60
}

Step 2: Provide values for the defined variables

Add a *.tfvars file that assigns values to the variables you defined in Step 1. Note that to complete this section, you will need the API URL and token outlined in the Prerequisites section.
- Your panther_api_url value should be your root API URL. This is either:
  - A GraphQL API URL without the /public/graphql suffix
  - A REST API URL as-is (REST URLs do not have a suffix after the root URL)

panther_api_token = "XXXXXXXXXX"
panther_api_url   = "https://your-panther-url/v1"
minutes_threshold = 60

Step 3: Define the Terraform provider

Add the Panther Terraform provider.

terraform {
  required_providers {
    panther = {
      source  = "panther-labs/panther"
      version = "~> 0.2.12"
    }
  }
}

Step 4: Define the Panther log source alarm resource

The following HCL configuration defines a drop-off alarm on an existing log source. The example assumes a panther_s3_source named demo_source is defined elsewhere in your configuration; the same source_id pattern applies to any log source type (panther_httpsource, panther_gcssource, panther_pubsubsource).

provider "panther" {
  token = var.panther_api_token
  url   = var.panther_api_url
}

resource "panther_log_source_alarm" "demo_alarm" {
  source_id         = panther_s3_source.demo_source.id
  type              = "SOURCE_NO_DATA"
  minutes_threshold = var.minutes_threshold
}

source_id and type are immutable. Changing either after creation forces Terraform to destroy and recreate the alarm.

Resource reference

`panther_log_source_alarm`

Arguments

Name

Type

Required

Description

source_id

string

✓

The ID of the log source to attach the alarm to. Immutable—changing this value forces resource replacement.

type

string

✓

The alarm type. Currently only SOURCE_NO_DATA is supported. Immutable—changing this value forces resource replacement.

minutes_threshold

number

✓

How long Panther waits, in minutes, before alerting when no events are received. Must be between 15 and 43200 (30 days).

Attributes

Name

Type

Description

id

string

Composite identifier in the form {source_id}/{type}.

Importing existing log source alarms

If you have an existing drop-off alarm in Panther that you want to manage with Terraform, use terraform import with the composite {source_id}/{type} identifier.

terraform import panther_log_source_alarm.demo_alarm "12345678-1234-1234-1234-123456789012/SOURCE_NO_DATA"

PreviousManaging HTTP Log Sources with Terraform Nextpantherlog Tool

Last updated 21 days ago

Was this helpful?