# Pre-Deployment Tools (Legacy)

## Overview

{% hint style="danger" %}
Do not follow the instructions on this page—instead, follow the [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) and [Setting Up a Cloud Connected Panther Instance instructions](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected/set-up). This page exists only for historical reference.
{% endhint %}

Panther offers a set of tools for organizations deploying a [Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/cloud-connected) Panther instance:

* **Readiness checker tool:** This tool simulates the actions granted to the deployment role against your AWS account to surface organizational policies (such as SCPs) that would block the Panther deployment and need further review. It also verifies that Amazon S3 Select is enabled for your AWS account.
  * A successful run is a strong indicator that you will not encounter IAM or S3 Select-related deployment issues, and lets Panther proceed with the deployment without further back-and-forth.
* **Snowflake credential bootstrap tool:** This tool stores your Snowflake credentials inside your AWS account before the first deployment of Panther infrastructure in AWS (including the initial configuration of Snowflake). This has two benefits:
  * The credentials never leave your AWS account, so there is no human handoff of secrets to Panther employees.
  * The credentials are validated against your Snowflake account early in the setup process, before anything depends on them.

These are distributed as a collection of lambda functions defined as CloudFormation templates built using [AWS SAM](https://aws.amazon.com/serverless/sam/). The source for these utilities is in [this `panther-auxiliary` GitHub repository](https://github.com/panther-labs/panther-auxiliary/tree/main/serverless/panther-preflight-tools).

## Deploying the tool set

### Prerequisites

* The `PantherDeploymentRole` CloudFormation stack must be already deployed.
  * You should have completed this in [Step 3 of the Configuring AWS for Cloud Connected](https://docs.panther.com/system-configuration/panther-deployment-types/legacy-configurations/configuring-aws-for-cloud-connected-legacy#step-3-deploy-the-pantherdeploymentrole) process.

### Deploying the pre-deployment tools CloudFormation template

1. Construct the S3 URL where the CloudFormation template is stored by replacing `<region>` in the URL below with the region you intend to deploy Panther in:\
   `https://panther-public-cloudformation-templates.s3.us-west-2.amazonaws.com/panther-preflight-tools-<region>/latest/template.yml`
2. Deploy the template using the S3 URL you constructed. See the CloudFormation documentation for instructions on how to create a CloudFormation stack from a template either [using the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) or [using the AWS CLI](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html).
   * Select the AWS region that the `PantherDeploymentRole` and Snowflake account reside in.
   * For the stack name, we recommend using `PantherPreflightToolsStack`, for consistency with the contents.
   * There are no parameters to configure in this stack.\
     ![A "Create Stack" screen in the AWS Console is shown. Under "Template source," "Amazon S3 URL" has been selected, and a S3 URL has been inputted in a text field.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-64952f158221446dcb8e528c44b7331d025fc1ae%2Fimage.png?alt=media)

## Using the readiness checker tool

Invoking the readiness check does not require a payload. It can be invoked either in the AWS CLI or AWS console.

{% tabs %}
{% tab title="AWS console" %}
Invoking in the AWS console:

1. In an authenticated session of the AWS console, navigate to the test page of the `PantherReadinessCheck` lambda utility:\
   <https://console.aws.amazon.com/lambda/home#/functions/PantherReadinessCheck?tab=testing>
2. In the **Event Name** field, provide a name.
3. In the **Event JSON** field, enter an empty JSON object (`{}`); the readiness check does not read its payload.
4. In the upper-right corner, click **Test**.\
   ![In the AWS Console, you can enter the Event Name and leave the payload blank. In the upper right, there is a Test button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-528bb3f68fa4d029ad766d0f918b354a550776ca%2FScreenshot%202024-03-20%20at%2012.19.05%20PM.png?alt=media)
5. When the test is complete, click the **Details** dropdown to see the results.\
   ![In the AWS Console, click the Details tab to expand it and view results.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-18a4919f95511802e8a1bb7971eca117baf50fe0%2FScreenshot%202024-03-20%20at%2012.19.38%20PM.png?alt=media)
   * Do not proceed until you have a successful run. If you are having trouble successfully running this tool, reach out to the Panther Support team.
{% endtab %}

{% tab title="AWS CLI" %}
Invoking on the command line with the `aws` CLI:

1. Run the following:

   ```
   aws lambda invoke --function-name "PantherReadinessCheck" \
     --cli-binary-format raw-in-base64-out output.json
   ```
2. The function's response is written to `output.json` (the CLI itself prints only the invocation status, not the result):

   ```
   [12:18] user@host $> aws lambda invoke --function-name "PantherReadinessCheck" --cli-binary-format raw-in-base64-out output.json
   [12:18] user@host $> cat output.json
   {"Message": "All evaluations were successful against the Deployment Role"}
   ```

   * Do not proceed until you have a successful run. If you are having trouble successfully running this tool, reach out to the Panther Support team.
{% endtab %}
{% endtabs %}

### Reasons for readiness checker failure

If your readiness checker run fails, it may be due to one of the reasons below.

#### Service control policy

If the output of the command is `Some evaluations were not allowed!` followed by a list of denied actions, update your organizational [service control policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) so that the `PantherDeploymentRole` is allowed to perform those actions. Rather than loosening the policy for every principal, the usual approach is to exempt this one role from the relevant Deny statement with an `aws:PrincipalArn` condition, then re-run the readiness checker until it passes.

#### Control Tower Guardrails

If your organization uses AWS Control Tower, one of its [guardrails](https://docs.aws.amazon.com/audit-manager/latest/userguide/controltower.html) (preventive controls) may be blocking your deployment. Preventive guardrails are implemented as SCPs, so they surface in the readiness checker output the same way as the SCP failures above; review the guardrails enabled on the organizational unit that contains the account you are deploying Panther into.

#### Amazon S3 Select is not enabled

If the output from the command includes `"s3_select_enabled": false`, please reach out to the Panther Support team. Panther will work with AWS to enable [Amazon S3 Select](https://docs.aws.amazon.com/AmazonS3/latest/userguide/selecting-content-from-objects.html) for your account.
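The checks above can be scripted so the readiness run is repeatable while you iterate on SCP exceptions. The following is an added example, not Panther's own tooling: it invokes `PantherReadinessCheck` with boto3, refuses to treat a Lambda error as a result, and classifies the response using only the strings this page documents (the success message, `Some evaluations were not allowed!`, and `"s3_select_enabled": false`). The page does not name the key under which denied actions are listed, so the classifier searches the payload for any list of `service:Action` strings; that is an assumption, as is the `FakeLambdaClient`, a constructed stand-in used only so the example runs offline.

```python
"""Invoke PantherReadinessCheck and classify its result (added example)."""
import io
import json
from dataclasses import dataclass, field

FUNCTION_NAME = "PantherReadinessCheck"
SUCCESS_MSG = "All evaluations were successful against the Deployment Role"
DENIED_MSG = "Some evaluations were not allowed!"
S3_SELECT_OFF = '"s3_select_enabled": false'   # matches json.dumps() default spacing


@dataclass
class ReadinessResult:
    ok: bool
    denied_actions: list = field(default_factory=list)
    s3_select_enabled: bool = True

    def problems(self) -> list:
        """Human-readable reasons the run is not considered successful."""
        out = []
        if self.denied_actions:
            out.append("SCP or guardrail denies: " + ", ".join(self.denied_actions))
        if not self.s3_select_enabled:
            out.append("Amazon S3 Select is not enabled; contact Panther Support")
        return out


def find_action_lists(obj) -> list:
    """Collect every list of IAM-style 'service:Action' strings anywhere in the payload.
    Assumption: the tool reports denied actions as such a list; the page does not
    name the key, so we search instead of hard-coding one."""
    found = []
    if isinstance(obj, dict):
        for value in obj.values():
            found.extend(find_action_lists(value))
    elif isinstance(obj, list):
        if obj and all(isinstance(x, str) and ":" in x for x in obj):
            found.extend(obj)
        else:
            for value in obj:
                found.extend(find_action_lists(value))
    return found


def classify(payload: dict) -> ReadinessResult:
    """Conservative: anything other than the documented success message is NOT READY."""
    text = json.dumps(payload)
    s3_ok = S3_SELECT_OFF not in text
    denied = find_action_lists(payload) if DENIED_MSG in text else []
    ok = SUCCESS_MSG in text and not denied and s3_ok
    return ReadinessResult(ok=ok, denied_actions=denied, s3_select_enabled=s3_ok)


def run_readiness_check(lambda_client) -> ReadinessResult:
    """Synchronous invoke. `lambda_client` is boto3.client("lambda", region_name=...)
    or anything with a compatible invoke(). The function takes no payload, so an
    empty JSON object is sent, as in the console steps."""
    resp = lambda_client.invoke(FunctionName=FUNCTION_NAME, Payload=b"{}")
    body = resp["Payload"].read()
    if resp.get("FunctionError"):
        # The function raised; the body is an error document, not a readiness result.
        raise RuntimeError(f"{FUNCTION_NAME} raised: {body.decode(errors='replace')}")
    return classify(json.loads(body))


class FakeLambdaClient:
    """Constructed stand-in for a boto3 Lambda client so the example runs offline."""

    def __init__(self, payload: dict, function_error=None):
        self.payload = payload
        self.function_error = function_error

    def invoke(self, FunctionName: str, Payload: bytes) -> dict:
        assert FunctionName == FUNCTION_NAME
        resp = {"StatusCode": 200, "Payload": io.BytesIO(json.dumps(self.payload).encode())}
        if self.function_error:
            resp["FunctionError"] = self.function_error
        return resp


if __name__ == "__main__":
    import boto3  # only needed for a real run against your account
    result = run_readiness_check(boto3.client("lambda"))
    print("READY" if result.ok else "NOT READY", result.problems())
```

Run it from a session whose credentials can call `lambda:InvokeFunction` on the readiness check, in the region you deployed the stack to; a `NOT READY` result lists the denied actions to carry into your SCP review.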

## Using the Snowflake credential bootstrap tool

To use the tool, you will run the `PantherSnowflakeCredentialBootstrap` lambda twice, with a step in between. The first lambda run seeds the secret into the AWS account—its output will direct you to a page in AWS where you can modify the secret to add credentials. The second lambda run verifies connectivity with the newly created secret against the Snowflake account, and yields the ARN of the new, validated secret.

{% tabs %}
{% tab title="AWS console" %}

1. In your AWS console, navigate to the Lambda service.
   * Ensure you are working in the same region your Snowflake account is deployed in.
2. Find your `PantherSnowflakeCredentialBootstrap` lambda.
3. Click the **Test** tab.
4. In **Test event action** ensure **Create new event** is selected.
5. In the **Event name field**, provide a name.
6. In the **Event JSON** editor, replace its contents with a single key/value pair, where the key is `host` and the value is your Snowflake account URL:

   ```json
   {
       "host": "<org-name>-<account-name>.snowflakecomputing.com"
   }
   ```
7. In the upper-right corner, click **Test**.\
   ![Under a "Test event" header are various form fields, including Event name and Event JSON. A "Test" button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-42b4b4312792c4b205cdebb12ed92e3d4b638e11%2FScreenshot%202024-09-16%20at%209.21.31%E2%80%AFAM.png?alt=media)
8. When the test is complete (and has run successfully), click the **Details** dropdown to see the results.
9. Copy the outputted URL, and open it in a new browser tab.\
   ![Under an "Executing function: succeeded" header is a textfield with text. A URL value has been underlined.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-5865f35f86df4063ad6c0c9943293c1516b7602a%2FScreenshot%202024-09-16%20at%209.22.33%E2%80%AFAM.png?alt=media)
10. Modify the secret:
    1. On the **Secret value** tile, click **Retrieve secret value**.\
       ![The AWS console is shown. A "Retrieve secret value" button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-ca96fd85e87eeda9d2ba5f73551a0a02fb18a632%2Fimage.png?alt=media)
    2. Click **Edit**.\
       ![In an "Overview" tab, there is a tile titled "Secret value." An "Edit" button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-8750cd93c989f339ff8e5cdb77fc6be152bdd3b7%2FScreenshot%202024-02-28%20at%2009.59.02.png?alt=media)
    3. Update the value of the `password` key with the password for your `pantheraccountadmin` Snowflake user.\
       ![An "Edit secret value" screen is shown. It has various key/value pairs. The value for the "password" key, "this\_is\_my\_actual\_password," is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9872109dd0fa3cde52ef3eae0731d26234d39888%2FScreenshot%202024-02-28%20at%2009.59.42.png?alt=media)
    4. Click **Save**.
11. Return to the browser tab open to your `PantherSnowflakeCredentialBootstrap` lambda.
12. Still in the **Test** tab, in the **Event JSON** editor, update the event to:

    ```json
    {
        "validate": "true"
    }
    ```
13. In the upper-right corner, click **Test**.\
    ![Under a "Test event" section are various form fields, such as Event name and Event JSON. A "Test" button is circled.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-6d68373be91dd046dbe99de0a229702d0b309af4%2FScreenshot%202024-09-16%20at%209.26.58%E2%80%AFAM.png?alt=media)
    * The response to this call, if successful, will include the ARN of the newly created secret.
14. Save the outputted ARN value in a secure location, as you will need to provide it to your Panther support team in a later step.
{% endtab %}
{% endtabs %}
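The same three steps can be driven from a workstation session instead of the console, which keeps the password out of your clipboard and browser history. The example below is added here and is not Panther's code. It assumes the secret seeded by the first run is a JSON string containing a `password` key (as the screenshot shows) and preserves every other key rather than guessing the schema; it assumes the validation response contains the secret ARN somewhere in its JSON, which the page does not name a key for, so the ARN is extracted by pattern. The secret name or ARN still comes from the URL printed by the first run, which you copy from its output. `FakeAws` is a constructed in-memory stand-in for the Lambda and Secrets Manager clients, used only so the example runs offline; its seeded keys and response key names are guesses.

```python
"""Script the Snowflake credential bootstrap: seed, set password, validate (added example)."""
import getpass
import io
import json
import re
import sys

FUNCTION_NAME = "PantherSnowflakeCredentialBootstrap"
# Assumption: the ARN appears somewhere in the validate response; match it by shape.
SECRET_ARN_RE = re.compile(r'arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^\s"\\]+')


def invoke(lambda_client, event: dict) -> dict:
    """Synchronous invoke; a FunctionError is raised, never returned as a result."""
    resp = lambda_client.invoke(FunctionName=FUNCTION_NAME, Payload=json.dumps(event).encode())
    body = resp["Payload"].read().decode(errors="replace")
    if resp.get("FunctionError"):
        raise RuntimeError(f"{FUNCTION_NAME} raised: {body}")
    return json.loads(body)


def seed_secret(lambda_client, host: str) -> dict:
    """Step 1: seed the secret. Returns the tool's response (it contains the console URL)."""
    if "://" in host or "/" in host or not host.endswith(".snowflakecomputing.com"):
        raise ValueError("host must be <org-name>-<account-name>.snowflakecomputing.com, no scheme or path")
    return invoke(lambda_client, {"host": host})


def set_password(sm_client, secret_id: str, password: str) -> None:
    """Step 2: change only the password key; keep every other key the tool seeded."""
    current = json.loads(sm_client.get_secret_value(SecretId=secret_id)["SecretString"])
    if "password" not in current:
        raise KeyError("seeded secret has no 'password' key; check you opened the right secret")
    current["password"] = password
    sm_client.put_secret_value(SecretId=secret_id, SecretString=json.dumps(current))


def validate(lambda_client) -> str:
    """Step 3: verify connectivity to Snowflake; return the validated secret's ARN."""
    out = invoke(lambda_client, {"validate": "true"})
    match = SECRET_ARN_RE.search(json.dumps(out))
    if not match:
        raise RuntimeError(f"validation succeeded but no secret ARN in response: {out}")
    return match.group(0)


class FakeAws:
    """Constructed offline stand-in for both boto3 clients (Lambda + Secrets Manager)."""
    ARN = "arn:aws:secretsmanager:us-west-2:123456789012:secret:panther-snowflake-AbCdEf"

    def __init__(self):
        self.secret = None  # SecretString, once seeded

    def invoke(self, FunctionName, Payload):  # Lambda client surface
        event = json.loads(Payload)
        if "host" in event:
            self.secret = json.dumps({"host": event["host"], "user": "pantheraccountadmin", "password": ""})
            result = {"Message": "https://console.aws.amazon.com/secretsmanager/secret?name=" + self.ARN}
        elif event.get("validate") == "true" and self.secret and json.loads(self.secret)["password"]:
            result = {"SecretArn": self.ARN}
        else:
            return {"StatusCode": 200, "FunctionError": "Unhandled",
                    "Payload": io.BytesIO(b'{"errorMessage": "secret not seeded or password empty"}')}
        return {"StatusCode": 200, "Payload": io.BytesIO(json.dumps(result).encode())}

    def get_secret_value(self, SecretId):  # Secrets Manager client surface
        return {"ARN": self.ARN, "SecretString": self.secret}

    def put_secret_value(self, SecretId, SecretString):
        self.secret = SecretString
        return {"ARN": self.ARN}


if __name__ == "__main__":
    import boto3  # real run: python bootstrap.py <org-name>-<account-name>.snowflakecomputing.com
    lam, sm = boto3.client("lambda"), boto3.client("secretsmanager")
    print(seed_secret(lam, sys.argv[1]))
    secret_id = input("Secret name or ARN shown in the URL above: ").strip()
    set_password(sm, secret_id, getpass.getpass("pantheraccountadmin password: "))
    print("validated secret ARN:", validate(lam))
```

Run it with credentials that can invoke the bootstrap function and read and write the seeded secret, in the region your Snowflake account is in; the printed ARN is the value to hand to Panther Support, and the password itself is typed only into the `getpass` prompt.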
