Self-Hosted Deployments (Legacy)
Manage self-hosted deployments in Panther
This deployment type is seldom used, and reserved for customers with special requirements.
When Panther publishes a new release, we will notify our self-hosted customers so that they can coordinate upgrades on their schedule. Upgrades should generally be straightforward, but there are a few steps to follow before and during upgrades to make sure everything goes smoothly.
Before you begin an upgrade, make sure you know which version of Panther to upgrade to. Panther uses semantic versioning, and it's strongly recommended to upgrade to the most recent patch version (without skipping minor releases).
For example, if you are on version 1.10.X and want to upgrade to version 1.13.X, we recommend first upgrading to the highest patch version of 1.11.X, then 1.12.X, and then finally 1.13.X. This will ensure there are no migration issues.
Below is a periodically updated list of . To see the latest patch version at any given time, or an always up-to-date list of available patch versions for each minor version, use the following commands:
Additionally, if you are using the PantherDeploymentRole to deploy Panther, make sure you update the PantherDeploymentRole to the version that matches the version of Panther you are deploying. If you are on version 1.13.X and wish to upgrade to version 1.14.X, make sure the PantherDeploymentRole is also on version 1.14.X before upgrading. Here is the PantherDeploymentRole template URL:
To perform the upgrade, find the root Panther stack in the CloudFormation console, click the Update button, select Replace template URL, and insert the TemplateURL for the version of Panther you wish to deploy. The template URL should be in this format:
You will be prompted to click through a few pages verifying your CloudFormation parameters are correct and that CloudFormation can create IAM resources and nested CloudFormation resources on your behalf.
We use Pulumi for infrastructure management. After the main Panther stack is deployed, you'll need to start a build for the panther-pulumi CodeBuild project.
For example: aws codebuild start-build --project-name panther-pulumi
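The upgrade ordering described above (highest patch of each minor release, none skipped, with the PantherDeploymentRole moved to each series first), worked through as an added example that is not Panther tooling. The function names and the AVAILABLE list are hypothetical and constructed for illustration.

```python
import re

# Constructed sample list of published releases; not Panther's real version list.
AVAILABLE = ["1.10.0", "1.10.3", "1.11.0", "1.11.4",
             "1.12.1", "1.12.2", "1.13.0", "1.13.5"]

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse(version):
    """Split MAJOR.MINOR.PATCH into a tuple of ints, rejecting anything else."""
    match = SEMVER.match(version)
    if not match:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(part) for part in match.groups())


def plan_upgrade(current, target_series, available):
    """Ordered versions to deploy: highest patch of each minor, none skipped."""
    cur = parse(current)
    major, minor = (int(part) for part in target_series.split("."))
    if major != cur[0] or minor < cur[1]:
        raise ValueError("target must be the same major and not older")
    latest = {}  # minor -> highest published (major, minor, patch)
    for ver in map(parse, available):
        if ver[0] == major:
            latest[ver[1]] = max(latest.get(ver[1], ver), ver)
    # Staying in the same series only needs its newest patch.
    first = cur[1] if minor == cur[1] else cur[1] + 1
    steps = []
    for step_minor in range(first, minor + 1):
        if step_minor not in latest:
            raise ValueError(f"no release found for {major}.{step_minor}.X")
        if latest[step_minor] > cur:
            steps.append(".".join(str(part) for part in latest[step_minor]))
    return steps


def role_ready(role_version, step_version):
    """True when PantherDeploymentRole is on the same minor series as the step."""
    return parse(role_version)[:2] == parse(step_version)[:2]


if __name__ == "__main__":
    role = "1.10.3"  # constructed: role currently matches the running version
    for step in plan_upgrade("1.10.3", "1.13", AVAILABLE):
        if not role_ready(role, step):
            print(f"update PantherDeploymentRole to {step[:step.rfind('.')]}.X")
            role = step
        print(f"update root stack to {step}")
```

A missing intermediate series raises an error instead of being skipped, so a gap in the release list is caught before any stack update is started.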
When deploying Panther, you will be provided with a template URL to a root Panther stack to deploy. If you're using the PantherDeploymentRole to deploy Panther, be sure to name the root stack something with a panther- prefix. The name of the root stack will be prepended to any resources created by the stack, and the PantherDeploymentRole limits its access in part by restricting its permissions to only affect resources that start with the name panther-.
The Panther CloudFormation stack has a number of configurable deployment parameters. Pay special attention to the following options:
FedRAMPEnabled: Enable/disable FedRAMP controls. The default value is false, with allowed values of true or false.
FirstUserEmail (required): a Panther admin invite will be sent to this email address. Updates to this value are ignored after the first successful deploy.
FirstUserFamilyName (required): Initial Panther user - last name
FirstUserGivenName (required): Initial Panther user - first name
SentryEnabled: Enable/disable Sentry integration. The default value is true, with allowed values of true or false. This is ignored when FedRAMPEnabled is true.
SnowflakeAPISecretARN (required): ARN pointing at the Snowflake API read-only secret with config and creds.
SnowflakeAPISecretRotationDays: The rotation cycle in days for the Snowflake PANTHER_READONLY secret. The default value is 0, with a minimum value of 0.
SnowflakeAdminAPISecretARN (required): ARN pointing at the Snowflake API admin secret with config and creds.
SnowflakeAdminAPISecretRotationDays: The rotation cycle in days for the Snowflake PANTHER_ADMIN secret. The default value is 0, with a minimum value of 0. The recommended value is 1.
SnowflakeEdition: Edition of the Snowflake instance. The default is standard.
SnowflakeType: The type of the data lake backend. Set to Connected.
Panther has a number of other configuration options besides the ones listed above. We recommend not setting any of these parameters on the first deployment of Panther. If any step of the initial deployment fails, the entire deployment will fail and roll back, deleting all infrastructure. After you complete the initial deployment of Panther, you can update the stack with different root parameters. Then, if any of these settings cause a deployment failure, Panther will simply roll back to the previous settings without needing an entirely fresh deployment. This includes parameters like the Snowflake and custom domain configuration parameters.
PulumiSecretArn and PulumiSecretKeyArn (required): these values will be provided by our team - you will have a dedicated access token in our organization.
SnowflakeDestinationClusterARNs (required): Snowflake cluster ARNs to associate with Snowflake IAM role. This is used to configure .