7.9.4 release

stevevillardi · stevevillardi · commit 3e12ab3d1f29 · 2026-06-10T11:47:57.000-04:00
FedRamp fix
diff --git a/Public/Connect-LMAccount.ps1 b/Public/Connect-LMAccount.ps1
@@ -116,6 +116,8 @@ function Connect-LMAccount {
         $Script:InformationPreference = 'Continue'
     }
 
+    $CachedGovCloud = $null
+
     if ($UseCachedCredential -or $CachedAccountName) {
 
         try {
@@ -169,6 +171,7 @@ function Connect-LMAccount {
                 $AccountName = $CachedAccountSecrets[$CachedAccountIndex].Metadata["Portal"]
                 $AccessId = $CachedAccountSecrets[$CachedAccountIndex].Metadata["Id"]
                 $Type = $CachedAccountSecrets[$CachedAccountIndex].Metadata["Type"]
+                $CachedGovCloud = $CachedAccountSecrets[$CachedAccountIndex].Metadata["GovCloud"]
                 if (($Type -eq "LMv1") -or ($null -eq $Type)) {
                     [SecureString]$AccessKey = Get-Secret -Vault "Logic.Monitor" -Name $CachedAccountName -AsPlainText | ConvertTo-SecureString
                 }
@@ -199,7 +202,8 @@ function Connect-LMAccount {
                     $CachedAccountName = $CachedAccountSecrets[$StoredCredentialIndex].Name
                     $AccessId = $CachedAccountSecrets[$StoredCredentialIndex].Metadata["Id"]
                     $Type = $CachedAccountSecrets[$StoredCredentialIndex].Metadata["Type"]
-                    if ($Type -eq "LMv1") {
+                    $CachedGovCloud = $CachedAccountSecrets[$StoredCredentialIndex].Metadata["GovCloud"]
+                    if (($Type -eq "LMv1") -or ($null -eq $Type)) {
                         [SecureString]$AccessKey = Get-Secret -Vault "Logic.Monitor" -Name $CachedAccountName -AsPlainText | ConvertTo-SecureString
                     }
                     elseif ($Type -eq "Bearer") {
@@ -248,6 +252,7 @@ function Connect-LMAccount {
     if (!$Type) {
         $Type = "LMv1"
     }
+    $UseGovCloud = $GovCloud.IsPresent -or ($CachedGovCloud -eq 'True')
     $Version = Get-LMPortalVersion -ErrorAction SilentlyContinue
 
     #Create Credential Object for reuse in other functions
@@ -259,7 +264,7 @@ function Connect-LMAccount {
         Valid       = $true
         Type        = $Type
         Logging     = !$DisableConsoleLogging.IsPresent
-        GovCloud    = $GovCloud.IsPresent
+        GovCloud    = $UseGovCloud
         Version     = $Version
     }
 
diff --git a/Public/Get-LMCachedAccount.ps1 b/Public/Get-LMCachedAccount.ps1
@@ -23,7 +23,7 @@ This function requires access to the Logic.Monitor vault where credentials are s
 None. You cannot pipe objects to this command.
 
 .OUTPUTS
-Returns an array of custom objects containing cached account information including CachedAccountName, Portal, Id, Modified date, and Type.
+Returns an array of custom objects containing cached account information including CachedAccountName, Portal, Id, Modified date, Type, and GovCloud.
 
 .LINK
 Get-SecretInfo
@@ -49,6 +49,7 @@ function Get-LMCachedAccount {
             Id                = if (!$Secret.Metadata["Id"]) { "N/A" }else { $Secret.Metadata["Id"] }
             Modified          = $Secret.Metadata["Modified"]
             Type              = if (!$Secret.Metadata["Type"]) { "LMv1" }else { $Secret.Metadata["Type"] }
+            GovCloud          = $Secret.Metadata["GovCloud"] -eq 'True'
         }
     }
     return $CachedAccounts
diff --git a/Public/New-LMCachedAccount.ps1 b/Public/New-LMCachedAccount.ps1
@@ -23,6 +23,9 @@ The name to use for the cached account. Defaults to AccountName.
 .PARAMETER OverwriteExisting
 Whether to overwrite an existing cached account. Defaults to false.
 
+.PARAMETER GovCloud
+Connect using the LM GovCloud (FedRAMP) portal when this cached account is used.
+
 .EXAMPLE
 #Cache LMv1 credentials
 New-LMCachedAccount -AccessId "id123" -AccessKey "key456" -AccountName "company"
@@ -31,6 +34,10 @@ New-LMCachedAccount -AccessId "id123" -AccessKey "key456" -AccountName "company"
 #Cache Bearer token
 New-LMCachedAccount -BearerToken "token123" -AccountName "company" -CachedAccountName "prod"
 
+.EXAMPLE
+#Cache FedRAMP GovCloud credentials
+New-LMCachedAccount -AccessId "id123" -AccessKey "key456" -AccountName "agency" -GovCloud
+
 .NOTES
 This command creates a secure vault to store credentials if one doesn't exist.
 
@@ -60,7 +67,9 @@ function New-LMCachedAccount {
 
         [String]$CachedAccountName = $AccountName,
 
-        [Boolean]$OverwriteExisting = $false
+        [Boolean]$OverwriteExisting = $false,
+
+        [Switch]$GovCloud
     )
 
     try {
@@ -84,6 +93,7 @@ function New-LMCachedAccount {
             Id       = "$($BearerToken.Substring(0,20))****"
             Modified = [DateTime]$CurrentDate
             Type     = "Bearer"
+            GovCloud = [String]$GovCloud.IsPresent
         }
     }
     else {
@@ -93,6 +103,7 @@ function New-LMCachedAccount {
             Id       = [String]$AccessId
             Modified = [DateTime]$CurrentDate
             Type     = "LMv1"
+            GovCloud = [String]$GovCloud.IsPresent
         }
     }
     $Message = "CachedAccountName: $CachedAccountName | Portal: $AccountName"
diff --git a/README.md b/README.md
@@ -72,50 +72,24 @@ Connect-LMAccount -UseCachedCredential
 ```
 
 # Change List
-## 7.9.3
+## 7.9.4
 ### Bug Fixes
-- **Set-LMWebsite**: Fixed an issue where `-WebsiteSteps` was omitted from the API request payload, so multi-step web check updates appeared to succeed but did not apply the supplied steps.
-- **Set-LMOpsNote**: Fixed an issue where scope updates (`-DeviceIds`, `-WebsiteIds`, `-DeviceGroupIds`) were not included in the request payload.
-- **Set-LMRole**: Fixed an issue where permission updates were omitted from the request payload when changing role privileges.
-- **Set-LMRecipientGroup**: Fixed `-Recipients` to accept an array of recipient objects instead of only binding a single recipient.
+- **Connect-LMAccount / New-LMCachedAccount / Get-LMCachedAccount**: Fixed an issue where cached credentials did not work for FedRAMP (GovCloud) portals on `lmgov.us`. `New-LMCachedAccount` now supports `-GovCloud` to persist the portal type in cached metadata, `Connect-LMAccount` restores that setting when connecting via `-UseCachedCredential` or `-CachedAccountName`, and `Get-LMCachedAccount` now includes a `GovCloud` property. Existing FedRAMP cached entries must be re-cached with `-GovCloud -OverwriteExisting $true`.
 
-## 7.9.2
-### Bug Fixes
-- **SDT timezone compatibility with PowerShell 5.1**: Fixed an issue introduced in v7.9.1 where SDT commands would fail on PowerShell 5.1 with `Invalid timezone` errors due to .NET Framework not supporting IANA timezone IDs (e.g. `America/New_York`) directly.
-- **Cross-platform timezone support**: SDT commands now accept both IANA timezone IDs (e.g. `America/New_York`) and Windows standard timezone names (e.g. `Eastern Standard Time`). The module automatically resolves the input to the correct format for the API regardless of PowerShell version or operating system.
-
-## 7.9.1
-
-### Bug Fixes & Changes
-- **SDT timezone consistency**: Added timezone-aware behavior across `New-LMDeviceSDT`, `New-LMDeviceGroupSDT`, `New-LMDeviceDatasourceSDT`, and `New-LMDeviceDatasourceInstanceSDT` so schedules are no longer interpreted based on the machine running the script.
-- **Portal timezone default for SDTs**: If `-Timezone` is omitted, SDT commands now resolve and use the portal timezone by default.
-- **Timezone validation improvements**: Replaced legacy commented timezone lists with active validation for timezone IDs and clearer error messages for invalid values.
-- **Set-LMSDT update alignment**: Added timezone handling and validation improvements for one-time SDT updates in `Set-LMSDT`.
-
-### Major Changes in v7:
- - **API Headers**: Updated all API request headers to use a custom User-Agent (Logic.Monitor-PowerShell-Module/Version) for usage reporting on versions deployed.
-
-### Documentation Overhaul
-We're excited to announce our new comprehensive documentation site at [https://logicmonitor.github.io/lm-powershell-module-docs/](https://logicmonitor.github.io/lm-powershell-module-docs/). The site includes:
-- Detailed command reference information
-- Code examples and snippets
-- Best practices guides
+### Migration Example (FedRAMP / GovCloud cached credentials)
+```powershell
+# Review existing cached accounts and confirm GovCloud is not set
+Get-LMCachedAccount
 
-### New Filter Wizard
-Introducing the Filter Wizard, a new interactive tool to help build complex filters:
-- Visual filter construction
-- Support for all filter operators
-- Real-time filter preview
-- Available through `Build-LMFilter` or `-FilterWizard` parameter
+# Re-cache FedRAMP credentials with GovCloud enabled (overwrite the existing entry)
+New-LMCachedAccount -AccessId "lm_access_id" -AccessKey "lm_access_key" -AccountName "agency" -CachedAccountName "agency-fedramp" -GovCloud -OverwriteExisting $true
 
-```powershell
-# Use the standalone filter builder
-Build-LMFilter
+# Verify GovCloud is now stored in metadata
+Get-LMCachedAccount -CachedAccountName "agency-fedramp"
 
-# Use built-in filter wizard parameter
-Get-LMDeviceGroup -FilterWizard
+# Connect using the updated cached credential
+Connect-LMAccount -CachedAccountName "agency-fedramp"
 ```
-![Filter Wizard Example](https://logicmonitor.github.io/lm-powershell-module-docs/_astro/LMFilter.4g625cq9_1boMAv.webp)
 
 [Previous Release Notes](RELEASENOTES.md)
 
diff --git a/RELEASENOTES.md b/RELEASENOTES.md
@@ -1,5 +1,49 @@
 # Previous module release notes
 
+## 7.9.3
+### Bug Fixes
+- **Set-LMWebsite**: Fixed an issue where `-WebsiteSteps` was omitted from the API request payload, so multi-step web check updates appeared to succeed but did not apply the supplied steps.
+- **Set-LMOpsNote**: Fixed an issue where scope updates (`-DeviceIds`, `-WebsiteIds`, `-DeviceGroupIds`) were not included in the request payload.
+- **Set-LMRole**: Fixed an issue where permission updates were omitted from the request payload when changing role privileges.
+- **Set-LMRecipientGroup**: Fixed `-Recipients` to accept an array of recipient objects instead of only binding a single recipient.
+
+## 7.9.2
+### Bug Fixes
+- **SDT timezone compatibility with PowerShell 5.1**: Fixed an issue introduced in v7.9.1 where SDT commands would fail on PowerShell 5.1 with `Invalid timezone` errors due to .NET Framework not supporting IANA timezone IDs (e.g. `America/New_York`) directly.
+- **Cross-platform timezone support**: SDT commands now accept both IANA timezone IDs (e.g. `America/New_York`) and Windows standard timezone names (e.g. `Eastern Standard Time`). The module automatically resolves the input to the correct format for the API regardless of PowerShell version or operating system.
+
+## 7.9.1
+### Bug Fixes & Changes
+- **SDT timezone consistency**: Added timezone-aware behavior across `New-LMDeviceSDT`, `New-LMDeviceGroupSDT`, `New-LMDeviceDatasourceSDT`, and `New-LMDeviceDatasourceInstanceSDT` so schedules are no longer interpreted based on the machine running the script.
+- **Portal timezone default for SDTs**: If `-Timezone` is omitted, SDT commands now resolve and use the portal timezone by default.
+- **Timezone validation improvements**: Replaced legacy commented timezone lists with active validation for timezone IDs and clearer error messages for invalid values.
+- **Set-LMSDT update alignment**: Added timezone handling and validation improvements for one-time SDT updates in `Set-LMSDT`.
+
+### Major Changes in v7:
+ - **API Headers**: Updated all API request headers to use a custom User-Agent (Logic.Monitor-PowerShell-Module/Version) for usage reporting on versions deployed.
+
+### Documentation Overhaul
+We're excited to announce our new comprehensive documentation site at [https://logicmonitor.github.io/lm-powershell-module-docs/](https://logicmonitor.github.io/lm-powershell-module-docs/). The site includes:
+- Detailed command reference information
+- Code examples and snippets
+- Best practices guides
+
+### New Filter Wizard
+Introducing the Filter Wizard, a new interactive tool to help build complex filters:
+- Visual filter construction
+- Support for all filter operators
+- Real-time filter preview
+- Available through `Build-LMFilter` or `-FilterWizard` parameter
+
+```powershell
+# Use the standalone filter builder
+Build-LMFilter
+
+# Use built-in filter wizard parameter
+Get-LMDeviceGroup -FilterWizard
+```
+![Filter Wizard Example](https://logicmonitor.github.io/lm-powershell-module-docs/_astro/LMFilter.4g625cq9_1boMAv.webp)
+
 ## 7.9
 
 ### New Cmdlets
diff --git a/Tests/LMCachedAccount.Tests.ps1 b/Tests/LMCachedAccount.Tests.ps1
@@ -0,0 +1,119 @@
+Describe 'Connect-LMAccount cached GovCloud metadata' {
+    BeforeAll {
+        function Update-LogicMonitorModule { }
+        function Get-LMPortalVersion { return $null }
+        function New-MockCachedSecretInfo {
+            param (
+                [String]$Name,
+                [String]$Portal,
+                [String]$Id = 'test-access-id',
+                [String]$Type = 'LMv1',
+                [String]$GovCloud
+            )
+
+            $metadata = [ordered]@{
+                Portal   = $Portal
+                Id       = $Id
+                Modified = Get-Date
+                Type     = $Type
+            }
+            if ($PSBoundParameters.ContainsKey('GovCloud')) {
+                $metadata['GovCloud'] = $GovCloud
+            }
+
+            [PSCustomObject]@{
+                Name     = $Name
+                Metadata = $metadata
+            }
+        }
+
+        . "$PSScriptRoot/../Public/Connect-LMAccount.ps1"
+    }
+
+    BeforeEach {
+        Remove-Variable LMAuth -Scope Script -ErrorAction SilentlyContinue
+        Mock Get-SecretVault { }
+        Mock Update-LogicMonitorModule { }
+        Mock Get-Secret { 'cached-access-key' | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString }
+    }
+
+    It 'Sets GovCloud from cached metadata when GovCloud is True' {
+        $mockSecret = New-MockCachedSecretInfo -Name 'fedramp-account' -Portal 'agency' -GovCloud 'True'
+        Mock Get-SecretInfo { @($mockSecret) }
+
+        Connect-LMAccount -CachedAccountName 'fedramp-account' -SkipCredValidation -SkipVersionCheck -DisableConsoleLogging
+
+        $Script:LMAuth.GovCloud | Should -Be $true
+        $Script:LMAuth.Portal | Should -Be 'agency'
+    }
+
+    It 'Defaults GovCloud to false when cached metadata has no GovCloud key' {
+        $mockSecret = New-MockCachedSecretInfo -Name 'commercial-account' -Portal 'company'
+        Mock Get-SecretInfo { @($mockSecret) }
+
+        Connect-LMAccount -CachedAccountName 'commercial-account' -SkipCredValidation -SkipVersionCheck -DisableConsoleLogging
+
+        $Script:LMAuth.GovCloud | Should -Be $false
+    }
+
+    It 'Uses explicit -GovCloud switch when cached metadata has no GovCloud key' {
+        $mockSecret = New-MockCachedSecretInfo -Name 'commercial-account' -Portal 'company'
+        Mock Get-SecretInfo { @($mockSecret) }
+
+        Connect-LMAccount -CachedAccountName 'commercial-account' -GovCloud -SkipCredValidation -SkipVersionCheck -DisableConsoleLogging
+
+        $Script:LMAuth.GovCloud | Should -Be $true
+    }
+
+    It 'Uses explicit -GovCloud switch when cached metadata has GovCloud False' {
+        $mockSecret = New-MockCachedSecretInfo -Name 'commercial-account' -Portal 'company' -GovCloud 'False'
+        Mock Get-SecretInfo { @($mockSecret) }
+
+        Connect-LMAccount -CachedAccountName 'commercial-account' -GovCloud -SkipCredValidation -SkipVersionCheck -DisableConsoleLogging
+
+        $Script:LMAuth.GovCloud | Should -Be $true
+    }
+}
+
+Describe 'Get-LMCachedAccount GovCloud metadata' {
+    BeforeAll {
+        . "$PSScriptRoot/../Public/Get-LMCachedAccount.ps1"
+    }
+
+    It 'Returns GovCloud true when metadata GovCloud is True' {
+        Mock Get-SecretInfo {
+            [PSCustomObject]@{
+                Name     = 'fedramp-account'
+                Metadata = @{
+                    Portal   = 'agency'
+                    Id       = 'test-id'
+                    Modified = Get-Date
+                    Type     = 'LMv1'
+                    GovCloud = 'True'
+                }
+            }
+        }
+
+        $result = Get-LMCachedAccount -CachedAccountName 'fedramp-account'
+
+        $result.GovCloud | Should -Be $true
+    }
+
+    It 'Returns GovCloud false when metadata has no GovCloud key' {
+        Mock Get-SecretInfo {
+            [PSCustomObject]@{
+                Name     = 'commercial-account'
+                Metadata = @{
+                    Portal   = 'company'
+                    Id       = 'test-id'
+                    Modified = Get-Date
+                    Type     = 'LMv1'
+                }
+            }
+        }
+
+        $result = Get-LMCachedAccount -CachedAccountName 'commercial-account'
+
+        $result.GovCloud | Should -Be $false
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ This function requires access to the Logic.Monitor vault where credentials are s`
`23`	`23`	`None. You cannot pipe objects to this command.`
`24`	`24`
`25`	`25`	`.OUTPUTS`
`26`		`-Returns an array of custom objects containing cached account information including CachedAccountName, Portal, Id, Modified date, and Type.`
	`26`	`+Returns an array of custom objects containing cached account information including CachedAccountName, Portal, Id, Modified date, Type, and GovCloud.`
`27`	`27`
`28`	`28`	`.LINK`
`29`	`29`	`Get-SecretInfo`
`@@ -49,6 +49,7 @@ function Get-LMCachedAccount {`
`49`	`49`	`Id = if (!$Secret.Metadata["Id"]) { "N/A" }else { $Secret.Metadata["Id"] }`
`50`	`50`	`Modified = $Secret.Metadata["Modified"]`
`51`	`51`	`Type = if (!$Secret.Metadata["Type"]) { "LMv1" }else { $Secret.Metadata["Type"] }`
	`52`	`+ GovCloud = $Secret.Metadata["GovCloud"] -eq 'True'`
`52`	`53`	`}`
`53`	`54`	`}`
`54`	`55`	`return $CachedAccounts`