feat(m365): add separate directory for adhoc scans (#21)

Author: jacdavi

m365/image/run_container.ps1

@@ -58,7 +58,8 @@ $Env:AZCOPY_ACTIVE_DIRECTORY_ENDPOINT = if ($Env:IS_GOV -eq "true") {"https://lo
 Invoke-SCuBA -Version
 
 Write-Output "Grabbing tenant config files"
-.\azcopy copy "$Env:TENANT_INPUT/*" 'input' --output-level essential
+New-Item -Path "input" -ItemType Directory | Out-Null
+.\azcopy copy "$Env:TENANT_INPUT/*" 'input' --include-pattern "*.yaml;*.yml;*.json" --output-level essential
 if ($LASTEXITCODE -gt 0) {
     throw "Error reading config files"
 }

m365/terraform/modules/container/main.tf

@@ -3,6 +3,7 @@ data "azurerm_client_config" "current" {}
 locals {
   is_us_gov    = startswith(lower(var.resource_group.location), "usgov")
   aad_endpoint = local.is_us_gov ? "https://login.microsoftonline.us" : "https://login.microsoftonline.com"
+  container_types = toset(["scheduled", "adhoc"])
 }
 
 resource "azurerm_user_assigned_identity" "container_mi" {
@@ -33,7 +34,7 @@ resource "azurerm_key_vault_access_policy" "mi_kv_access" {
 #   If "Private", a port must be opened on the container. This is dictated by Azure's APIs
 #   The open port is still within the vnet, so nothing is exposed externally
 resource "azurerm_container_group" "aci" {
-  for_each            = toset(["scheduled", "adhoc"])
+  for_each            = local.container_types
   name                = "${var.resource_prefix}-${each.key}-container"
   location            = var.resource_group.location
   resource_group_name = var.resource_group.name
@@ -74,7 +75,7 @@ resource "azurerm_container_group" "aci" {
       "TENANT_ID"        = data.azurerm_client_config.current.tenant_id
       "APP_ID"           = var.application_client_id
       "REPORT_OUTPUT"    = local.output_storage_container_url
-      "TENANT_INPUT"     = local.input_storage_container_url
+      "TENANT_INPUT"     = "${local.input_storage_container_url}/${each.key}"
       "IS_VNET"          = var.subnet_ids != null
       "IS_GOV"           = local.is_us_gov
       "VAULT_NAME"       = var.cert_info.vault_name

m365/terraform/modules/container/storage.tf

@@ -60,14 +60,30 @@ resource "azurerm_storage_container" "input" {
   container_access_type = "private"
 }
 
+resource "azurerm_storage_blob" "keep_files" {
+  for_each               = local.container_types
+  name                   = "${each.key}/.keep"
+  storage_account_name   = azurerm_storage_account.storage[0].name
+  storage_container_name = azurerm_storage_container.input[0].name
+  type                   = "Block"
+  source_content         = "File used for keeping directory structure in absence of config files"
+
+  lifecycle {
+    ignore_changes = [
+      cache_control
+    ]
+  }
+}
+
+
 # Blobs containing configuration for each tenant
 resource "azurerm_storage_blob" "tenants" {
-  for_each               = fileset(var.tenants_dir_path, "*")
+  for_each               = { for typeFile in setproduct(local.container_types, fileset(var.tenants_dir_path, "*")): "${typeFile[0]}/${typeFile[1]}" => typeFile[1] }
   name                   = each.key
   storage_account_name   = azurerm_storage_account.storage[0].name
   storage_container_name = azurerm_storage_container.input[0].name
   type                   = "Block"
-  source                 = "${var.tenants_dir_path}/${each.key}"
+  source                 = "${var.tenants_dir_path}/${each.value}"
 
   lifecycle {
     ignore_changes = [