From e810a65df9d2083da060c489c8e27b48ba8c4a21 Mon Sep 17 00:00:00 2001
From: Al Cutter
Date: Thu, 25 Sep 2025 10:39:14 +0100
Subject: [PATCH] Point OmniGCP at public witness configs.
---
 deployment/live/witness/dev/terragrunt.hcl | 1 +
 deployment/modules/witness/main.tf | 8 +++++++-
 deployment/modules/witness/variables.tf | 6 ++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/deployment/live/witness/dev/terragrunt.hcl b/deployment/live/witness/dev/terragrunt.hcl
index ae1617f..38cfa77 100644
--- a/deployment/live/witness/dev/terragrunt.hcl
+++ b/deployment/live/witness/dev/terragrunt.hcl
@@ -7,6 +7,7 @@ inputs = merge(
 include.root.locals,
 {
 witness_docker_image = "us-central1-docker.pkg.dev/checkpoint-distributor/distributor-docker-dev/witness:latest"
+ public_witness_config_urls = ["https://raw.githubusercontent.com/transparency-dev/witness-network/refs/heads/main/site/static/testing/log-list.1"]
 ephemeral = true
 }
 )
diff --git a/deployment/modules/witness/main.tf b/deployment/modules/witness/main.tf
index 73c9424..efe327d 100644
--- a/deployment/modules/witness/main.tf
+++ b/deployment/modules/witness/main.tf
@@ -136,6 +136,10 @@ resource "google_project_iam_member" "iam_secret_accessor" {
 member = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
 }

+locals {
+ public_witness_config_args = formatlist("--public_witness_config_url=%s", var.public_witness_config_urls)
+}
+
 resource "google_cloud_run_v2_service" "default" {
 name = "witness-service-${var.env}"
 location = var.region
@@ -158,7 +162,9 @@ resource "google_cloud_run_v2_service" "default" {
 "--listen=:8080",
 "--spanner=${local.spanner_db_full}",
 "--signer_private_key_secret_name=${data.google_secret_manager_secret_version.witness_secret_data.name}"
- ], var.extra_args)
+ ],
+ local.public_witness_config_args,
+ var.extra_args)
 ports {
 container_port = 8080
 }
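Review bot: The URL added to `public_witness_config_urls` in deployment/live/witness/dev/terragrunt.hcl tracks `refs/heads/main`, so the list this witness loads can change with any push to that branch, without a deploy or a review in this repository. Nothing in this patch pins or verifies the fetched content, and whether the witness binary authenticates the file is not visible here. For the dev environment and the testing list that may well be intended; I would record it next to the input, e.g. `# Follows refs/heads/main on purpose (dev/testing list); pin to a commit SHA before reusing outside dev.`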
diff --git a/deployment/modules/witness/variables.tf b/deployment/modules/witness/variables.tf
index 9c6014c..7539395 100644
--- a/deployment/modules/witness/variables.tf
+++ b/deployment/modules/witness/variables.tf
@@ -45,3 +45,9 @@ variable "ephemeral" {
 type = bool
 default = false
 }
+
+variable "public_witness_config_urls" {
+ description = "Set to a list of URLs where public witness config files can be retrieved"
+ type = list(string)
+ default = []
+}
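Review bot: `public_witness_config_urls` accepts any string, and the module formats each element straight into a `--public_witness_config_url=` argument, so an `http://` or malformed entry would only surface at runtime, and a plaintext URL would leave the fetched config open to alteration in transit. A `validation` block on the variable would reject that at plan time, with a condition such as `condition = alltrue([for u in var.public_witness_config_urls : can(regex("^https://", u))])` and a matching `error_message`. The description could also say that each URL becomes one flag on the witness command line and that the empty default passes none.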