fix: update variables; use single cert in container

jacdavi · jacdavi · commit 6cdd59532a4b · 2025-06-11T15:01:57.000-07:00
diff --git a/m365/README.adoc b/m365/README.adoc
@@ -97,12 +97,14 @@ Advanced::
 `create_app` (bool) [default=True]::: If true, the app will be created. If false, the app will be imported
 `prefix_override` (string) [default=None]::: Prefix for resource names. If null, one will be generated from app_name
 `input_storage_container_url` (string) [default=None]::: If not null, input container to read configs from (must give permissions to service account). Otherwise by default will create storage container. Expect an https url pointing to a container
-`output_storage_container_url` (string) [default=None]::: If not null, output container to put results in (must give permissions to service account or use SAS). Otherwise by default will create storage container. Expect an https url pointing to a container
-`output_storage_container_sas` (string) [default=None]::: If not null, shared access signature token (query string) to use when writing results to the output storage container. Set this when the container is in an external tenant (the owner of that container will provide the value).
+`output_storage_container_url` (string) [default=None]::: If not null, output container to put results in (must give permissions to service account). Otherwise by default will create storage container. Expect an https url pointing to a container
 `tenants_dir_path` (string) [default=./tenants]::: Relative path to directory containing tenant configuration files in yaml
-`container_registry` (object) [default={'server': 'ghcr.io'}]::: Credentials for logging into registry with container image
+`container_registry` (object) [default=None]::: Credentials for logging into registry with container image
 `container_image` (string) [default=ghcr.io/cisagov/scubaconnect-m365:latest]::: Docker image to use for running ScubaGear.
 `container_memory_gb` (number) [default=3]::: Amount of memory to allocate for ScubaGear container. Due to memory leaks in some dependencies, this may need to be increased if running on many tenants
+`secondary_app_info` (object) [default=None]::: Information for a secondary app. This can be used for one ScubaConnect instance to handle multiple environments (e.g., GCC and GCC High).
+    To use, manually create an app in the other environment and add the certificate created for the primary app to it.
+    Set `environment_to_use` to the environment the manual app is in, either "commericial" or "gcchigh"
 
 [#onboard]
 === Onboarding a Tenant
diff --git a/m365/image/run_container.ps1 b/m365/image/run_container.ps1
@@ -73,7 +73,7 @@ Foreach ($tenantConfig in $(Get-ChildItem 'input\')) {
         Write-Output "Running ScubaGear for $($tenantConfig.BaseName)"
 
         $params = @{
-            CertificateThumbPrint = if ($null -ne $Env:SECONDARY_APP_ID -and $org.EndsWith($Env:SECONDARY_APP_TLD)) {$CertificateThumbPrintSecondary} else {$CertificateThumbPrint};
+            CertificateThumbPrint = $CertificateThumbPrint;
             AppID = if ($null -ne $Env:SECONDARY_APP_ID -and $org.EndsWith($Env:SECONDARY_APP_TLD)) {$Env:SECONDARY_APP_ID} else {$Env:APP_ID}; 
             Organization = $org;
             OutPath = ".\reports\$($org)"; # The folder path where the output will be stored
diff --git a/m365/terraform/env/example/main.tf b/m365/terraform/env/example/main.tf
@@ -15,4 +15,5 @@ module "scuba_connect" {
   input_storage_container_url  = var.input_storage_container_url
   output_storage_container_url = var.output_storage_container_url
   tags                         = var.tags
+  secondary_app_info           = var.secondary_app_info
 }
diff --git a/m365/terraform/env/example/variables.tf b/m365/terraform/env/example/variables.tf
@@ -135,4 +135,20 @@ variable "container_memory_gb" {
     condition     = var.container_memory_gb <= 16 && var.container_memory_gb >= 2
     error_message = "Container memory must be between 2GB and 16GB"
   }
+}
+variable "secondary_app_info" {
+  description = <<EOF
+    Information for a secondary app. This can be used for one ScubaConnect instance to handle multiple environments (e.g., GCC and GCC High).
+    To use, manually create an app in the other environment and add the certificate created for the primary app to it.
+    Set `environment_to_use` to the environment the manual app is in, either "commericial" or "gcchigh"
+  EOF
+  type = object({
+    app_id = string
+    environment_to_use = string
+  })
+  default = null
+  validation {
+    condition = var.secondary_app_info == null ? true : contains(["commercial", "gcchigh"], var.secondary_app_info.environment_to_use)
+    error_message = "Valid values for create_mode are (Default, PointInTimeRestore, Replica)"
+  }
 }
diff --git a/utils/tf_vars_to_adoc.py b/utils/tf_vars_to_adoc.py
@@ -16,4 +16,4 @@
         t = "object"
     default = f"[default={v[name]['default']}]" if "default" in v[name] else ""
     desc = v[name]["description"]
-    print(f"`{name}` ({t}) {default}::: {desc}")
+    print(f"`{name}` ({t}) {default}::: {desc.strip()}")

Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,5 @@ module "scuba_connect" {`
`15`	`15`	`input_storage_container_url = var.input_storage_container_url`
`16`	`16`	`output_storage_container_url = var.output_storage_container_url`
`17`	`17`	`tags = var.tags`
	`18`	`+ secondary_app_info = var.secondary_app_info`
`18`	`19`	`}`