Self-Hosted Deployments (Legacy)

Overview

Upgrades

When Panther publishes a new release, we will notify our self-hosted customers so that they can coordinate upgrades on their schedule. Upgrades should generally be straightforward, but there are a few steps to follow before and during upgrades to make sure everything goes smoothly.

Before you upgrade

Before you begin an upgrade, make sure you know which version of Panther to upgrade to. Panther uses semantic versioning, and it's strongly recommended to upgrade to the most recent patch version (without skipping minor releases).

For example, if you are on version 1.10.X and want to upgrade to version 1.13.X, you must first upgrade to the highest patch version of 1.11.X, then 1.12.X, and then finally 1.13.X. This will ensure there are no migration issues.

To see the latest patch version for one or all minor versions, or a list of available patch versions for a minor version, use the following AWS CLI commands:

export VERSION=<Minor Panther version you want to see patch versions for, e.g. 1.108>

# To print the latest patch version of a given minor version:
aws s3 ls s3://panther-community-us-east-1 --no-sign-request | grep "PRE v$VERSION" | awk -F"PRE v|/"  '{print $2}' | sort -V | tail -1

# To print all patch versions of a given minor version:
aws s3 ls s3://panther-community-us-east-1 --no-sign-request | grep "PRE v$VERSION" | awk '{print $2}' | sort -t "." -k1,1n -k2,2n -k3,3n

# To print the latest patch version of each minor version
aws s3 ls s3://panther-community-us-east-1 --no-sign-request | \
    grep "PRE v" | \
    awk -F"PRE v|/" '{print $2}' | \
    sort -V | \
    awk -F. '{key=$1"."$2} prev!=key && NR>1{print last} {prev=key; last=$0} END{print last}'

Additionally, if you are using the PantherDeploymentRole to deploy Panther, make sure you update the PantherDeploymentRole to the correct version for the version of Panther you are deploying. If you are on version 1.13.X and wish to upgrade to version 1.14.X, make sure the PantherDeploymentRole is also on version 1.14.X before upgrading. Here is the PantherDeploymentRole template URL:

While you upgrade

In order to perform the upgrade, simply find the root Panther stack in the CloudFormation console, click the Update button, select Replace template URL, and insert the TemplateURL for the desired version of Panther you wish to deploy. The template URL should be in this format:

Example

https://panther-enterprise-us-east-2.s3.amazonaws.com/v1.25.1/panther.yml

You will be prompted to click through a few pages verifying your CloudFormation parameters are correct and that CloudFormation can create IAM resources and nested CloudFormation resources on your behalf.

Trigger Pulumi CodeBuild

We use Pulumi for infrastructure management. After the main Panther stack is deployed, you'll need to start a build for the panther-pulumi CodeBuild project. For example: aws codebuild start-build --project-name panther-pulumi

Reference

Naming the root stack

When deploying Panther, you will be provided with a template URL to a root panther stack to deploy. If you're using the PantherDeploymentRole to deploy Panther, be sure to name the root stack something with a panther- prefix. The name of the root stack will be pre-pended to any resources created by the stack, and the PantherDeploymentRole limits its access in part by restricting its permissions to only affect resources that start with the name panther-.

Configuring deployment parameters

The Panther CloudFormation stack has a number of configurable deployment parameters. Pay special attention to the following options:

• FedRAMPEnabled: Enable/disable Fedramp controls. The default value is false, with allowed values of true or false.

• FirstUserEmail (required): a Panther admin invite will be sent to this email address. Updates to this value are ignored after the first successful deploy.

• FirstUserFamilyName (required): Initial Panther user - last name

• FirstUserGivenName (required): Initial Panther user - first name

• PulumiSecretArn and PulumiSecretKeyArn (required): these values will be provided by our team - you will have a dedicated Pulumi access token in our organization.

• SentryEnabled: Enable/Disable Sentry integration. The default value is true, with allowed values of true or false. This is ignored when FedRAMPEnabled is true.

• SnowflakeAPISecretARN (required): ARN pointing at the Snowflake API readonly secret with config and creds.

• SnowflakeAPISecretRotationDays: The rotation cycle in days for the Snowflake PANTHER_READONLY secret. The default value is 0, with a minimum value of 0.

• SnowflakeAdminAPISecretRotationDays: The rotation cycle in days for the Snowflake PANTHER_ADMIN secret. The default value is 0, with a minimum value of 0. The recommended value is 1.

• SnowflakeAdminAPISecretARN (required): ARN pointing at the Snowflake API admin secret with config and creds.

• SnowflakeAdminAPISecretRotationDays: The rotation cycle in days for the Snowflake PANTHER_ADMIN secret. The default value is 0, with a minimum value of 0. The recommended value is 1.

• SnowflakeDestinationClusterARNs (required): Snowflake cluster ARNs to associate with Snowflake IAM role. This is used to configure Snowpipe.

• SnowflakeEdition: Edition of the Snowflake instance. The default is standard.

• SnowflakeType: The type of the data lake backend. Set to Connected.

Panther has a number of other configuration options besides the ones listed above. We recommend not setting any of these parameters on the first deployment of Panther. If any step of the initial deployment fails, the entire deployment will fail and rollback deleting all infrastructure. After you complete the initial deployment of Panther, you can update the stack with different root parameters. Then if any of these settings cause a deployment failure, Panther will simply roll back to the previous settings without needing an entire fresh deployment. This includes parameters like the snowflake and custom domain configuration parameters.