feat: Add detection resources (Rule, Policy, ScheduledRule, SimpleRule) #67
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements REST-based rule resource with full CRUD operations: ## New Resource Added: - **panther_rule**: REST-based detection rule management using generated schema ## Key Features: - Full CRUD operations (Create, Read, Update, Delete) - Import support using rule IDs - Generated schema from OpenAPI specification - Support for all rule fields including tests, severity levels, log types - Deduplication period and threshold configuration - Tag and report management - Runbook and summary attributes ## Client Implementation: - Added Rule types to REST client interface - Implemented REST endpoints at /rules - Added Rule, CreateRuleInput, and UpdateRuleInput types - Generic doRuleRequest helper for clean REST calls ## Code Generation: - Updated generator_config.yml to include rule resource - Updated provider-code-spec.json with rule schema - Generated rule_resource_gen.go with complete schema validation ## Documentation: - Added comprehensive docs/resources/rule.md - Included detection-rules examples with main.tf, outputs.tf, rules.tf - Added panther_rule resource example ## Testing: - Included resource_rule_test.go for acceptance testing - Provider successfully builds with new rule resource 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
This was referenced Oct 9, 2025
Add Policy resource for managing Panther policies (cloud resource detection rules) using the REST API. Policies are similar to Rules but analyze cloud resources instead of logs. Key changes: - Add Policy types and REST methods to client - Add generator config for policy, scheduled_rule, and simple_rule resources - Implement panther_policy resource with CRUD operations - Generate schema files for all detection resource types - Manually add Id field to generated model structs (workaround for generator limitation) Policies differ from Rules: - Use ResourceTypes instead of LogTypes - Simpler schema (no dedupPeriodMinutes, threshold, runbook, etc.) - Include Suppressions field for ignoring specific resources Also prepared infrastructure for scheduled_rule and simple_rule resources (types and client methods added, but resource implementations deferred to future work). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Adds two additional detection resource types to complement Rule and Policy: - ScheduledRule: Detection rules that run on scheduled query results - Uses scheduled_queries instead of log_types - Analyzes aggregated data from scheduled queries - Includes dedup_period_minutes and threshold fields - SimpleRule: YAML-based detection rules with no Python required - Uses detection field with YAML syntax instead of Python body - Compiles to Python automatically (read-only python_body field) - Includes SimpleRule-specific fields: alert_context, alert_title, dynamic_severities, group_by, inline_filters - Uses log_types like standard Rule Also adds comprehensive test coverage for Policy, ScheduledRule, and SimpleRule resources with proper field validation based on actual schemas. Includes documentation and examples demonstrating all four detection resource types with realistic use cases. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
billyjbryant
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
This PR adds support for managing all four types of Panther detections as Terraform resources. This is part of breaking up the larger PR (#59) into smaller, more focused PRs as requested in the review feedback at #59 (comment).
Changes
This PR implements all four detection resource types available in Panther:
1. Rule Resource (
panther_rule)log_typesarray to specify which logs to analyzebodyfield contains the rule logic2. Policy Resource (
panther_policy)resource_typesarray to specify which resources to checkbodyfield contains the policy logic3. ScheduledRule Resource (
panther_scheduled_rule)scheduled_queriesarray instead of log_typesbodyfield evaluates aggregated query results4. SimpleRule Resource (
panther_simple_rule)detectionfield with YAML syntax (compiles to Python automatically)log_typeslike standard Rulepython_bodyfield shows compiled Python codeImplementation Details
REST Client Implementation:
/rules,/policies,/scheduled-rules,/simple-rulesGenerated Schema:
Configuration Files:
generator_config.ymlto include all detection resourcesprovider-code-spec.jsonwith all schemasComprehensive Documentation:
Test Coverage:
Testing
go buildsuccessfulPANTHER_API_URLandPANTHER_API_TOKEN)Related
Part of breaking up #59 into focused PRs:
AI Usage
This PR was developed with assistance from Claude Code for: