Add Terraform resources for cloud accounts, rules, roles, users and schemas #59
Conversation
|
|
|
|
billyjbryant
changed the title
IssueI encountered an issue in the handling of Root CauseThe Panther API implements permission inheritance, meaning
Solution: Dual-Layer Permission HandlingI implemented a dual-layer permission handling approach to resolve this: 1. Input Filtering (
|
|
Thank you! |
billyjbryant
changed the title
GraphQL Client Migration UpdateWhat Changed: Why This Was Necessary: Fixes Applied:
Result: ✅ 7/7 resources now pass acceptance tests (schema resource now works perfectly) |
|
Hi @billyjbryant, thanks for the contribution. I'll look into this PR in the next couple of days and come back to you! |
| schema: | ||
| ignores: | ||
| - id | ||
| policy: |
There was a problem hiding this comment.
Some of these endpoints do not seem to be related with created resources using the rest-api, so they should not be included here. This file is for code generation of resources that leverage the rest-api, as described in the README
internal/client/panther.go
Outdated
| DeleteRule(ctx context.Context, id string) error | ||
|
|
||
|
|
||
| // Data Models management |
There was a problem hiding this comment.
These methods also do not appear to be used for any resource, so they can be removed.
| "context" | ||
| "encoding/json" | ||
| "fmt" | ||
| "github.com/hasura/go-graphql-client" |
There was a problem hiding this comment.
I understand you had issues with using the hasura client for schemas, but from what I can see the machinebox graphql client that is used instead is not an actively maintained repo, as the last release was 7 years ago. As such, I would prefer we don't switch to it in this repository. I haven't yet looked in detail at the issue you have mentioned, nor researched for alternatives, but combined with my general comment for splitting the PR to individual PRs for fewer resources, I think we can dive deeper into this when/if there is a dedicated PR for the graphql based resources.
There was a problem hiding this comment.
Understood. I will admit that I didn't do my due diligence enough to vet the package's maintenance, I relied on searching for the errors I was seeing and finding multiple suggestions on the replacement package so I tested it. I will re-work the PR to split it up and focus largely on the rest APIs.
There was a problem hiding this comment.
Thanks @billyjbryant, for anything further please let us know.
|
Hi @billyjbryant , Thanks a lot for the effort in creating this PR and the patience while we are reviewing it. I had a chat with folks from different teams as this PR covers resources that are owned by different functions of the company. The consensus is that all resources added in this PR are useful and a meaningful extension of the provider. The PR, however, is quite big which makes it hard to review in a meaningful way and to test on our side that all resources will work as expected when handled with terraform. I'd like to suggest that it be broken down to PRs of 1-2 resources, which will make it easier to review and test. The PR could be broken down to individual PRs, depending on which resources you consider more useful or you would prefer to have in the provider sooner rather than later. Additionally, one important remark here is that the direction we want the provider to take is to be based on the rest-api rather than the graph-api in the future. I can see that the resources you have added are split between the two. It should be noted that for the Regarding resources that can only use the graphql api, after discussing with the team, while it's not in the direction we necessarily want to take, we are ok with adding those if customers consider that it will add value for them at this point. I would probably opt for adding those last (when splitting the PR up), unless they are the ones that you consider you need the most at this time. This would also give us some time to consider if we can add support for them in the rest-api in the meantime. I have also left a couple high level comments to take into account when proceeding with individual PRs for resources. Thanks again for the contribution, please let us know of any issues/comments on this. |
Agreed, I will break it down into smaller chunks to make it more manageable.
Thank you, I wasn't sure of your intended direction and fell back to graphql for performance reasons. I will re-work to move things that do support rest api over to that instead :)
Sounds good! Thank you! |
Implements REST-based rule resource with full CRUD operations: ## New Resource Added: - **panther_rule**: REST-based detection rule management using generated schema ## Key Features: - Full CRUD operations (Create, Read, Update, Delete) - Import support using rule IDs - Generated schema from OpenAPI specification - Support for all rule fields including tests, severity levels, log types - Deduplication period and threshold configuration - Tag and report management - Runbook and summary attributes ## Client Implementation: - Added Rule types to REST client interface - Implemented REST endpoints at /rules - Added Rule, CreateRuleInput, and UpdateRuleInput types - Generic doRuleRequest helper for clean REST calls ## Code Generation: - Updated generator_config.yml to include rule resource - Updated provider-code-spec.json with rule schema - Generated rule_resource_gen.go with complete schema validation ## Documentation: - Added comprehensive docs/resources/rule.md - Included detection-rules examples with main.tf, outputs.tf, rules.tf - Added panther_rule resource example ## Testing: - Included resource_rule_test.go for acceptance testing - Provider successfully builds with new rule resource 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Add Policy resource for managing Panther policies (cloud resource detection rules) using the REST API. Policies are similar to Rules but analyze cloud resources instead of logs. Key changes: - Add Policy types and REST methods to client - Add generator config for policy, scheduled_rule, and simple_rule resources - Implement panther_policy resource with CRUD operations - Generate schema files for all detection resource types - Manually add Id field to generated model structs (workaround for generator limitation) Policies differ from Rules: - Use ResourceTypes instead of LogTypes - Simpler schema (no dedupPeriodMinutes, threshold, runbook, etc.) - Include Suppressions field for ignoring specific resources Also prepared infrastructure for scheduled_rule and simple_rule resources (types and client methods added, but resource implementations deferred to future work). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Adds two additional detection resource types to complement Rule and Policy: - ScheduledRule: Detection rules that run on scheduled query results - Uses scheduled_queries instead of log_types - Analyzes aggregated data from scheduled queries - Includes dedup_period_minutes and threshold fields - SimpleRule: YAML-based detection rules with no Python required - Uses detection field with YAML syntax instead of Python body - Compiles to Python automatically (read-only python_body field) - Includes SimpleRule-specific fields: alert_context, alert_title, dynamic_severities, group_by, inline_filters - Uses log_types like standard Rule Also adds comprehensive test coverage for Policy, ScheduledRule, and SimpleRule resources with proper field validation based on actual schemas. Includes documentation and examples demonstrating all four detection resource types with realistic use cases. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
|
Closing this PR in favor of smaller, focused PRs as requested in the review feedback. This PR has been split into three separate PRs:
Thank you for the guidance on breaking this up! |
4 participants
Summary
New Resources
panther_schema
panther_user
panther_role
panther_rule
panther_cloud_account
GraphQL Client Migration
Replaced hasura/go-graphql-client with machinebox/graphql to resolve schema resource deployment issues:
Technical Implementation
Test Results
✅ ALL 7 RESOURCES PASSING (100% success rate):
🤖 Generated with Claude Code