rails_template_18f 0.1.0

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -0,0 +1,413 @@
+version: 2.1
+
+orbs:
+  ruby: circleci/ruby@1.3.0
+  node: circleci/node@5.0.0
+  browser-tools: circleci/browser-tools@1.2.3<% if terraform? %>
+  terraform: circleci/terraform@3.0.0<% end %>
+
+commands:
+  setup-project:
+    steps:
+      - checkout
+      - ruby/install-deps
+      - node/install:
+          install-yarn: true
+      - node/install-packages:
+          cache-only-lockfile: false
+          pkg-manager: yarn
+  cg-deploy:
+    description: "Login to cloud foundry space with service account credentials
+      and push application using deployment configuration file."
+    parameters:
+      cloudgov_username:
+        description: "Name of CircleCI project environment variable that
+          holdes deployer username for cloudgov space"
+        type: env_var_name
+      cloudgov_password:
+        description: "Name of CircleCI project environment variable that
+          holds deployer password for cloudgov space"
+        type: env_var_name
+      cloudgov_org:
+        description: "cloud.gov organization name"
+        type: string
+      cloudgov_space:
+        description: "cloud.gov space name"
+        type: string
+      deploy_config_file:
+        description: "Path to deployment configuration file"
+        type: string
+      rails_master_key:
+        description: "Name of CircleCI project environment variable holding the RAILS_MASTER_KEY"
+        type: env_var_name
+    steps:
+      - run:
+          name: Vendor gems
+          command: bundle cache --all
+      - run:
+          name: Install Cloud Foundry CLI
+          command: |
+            curl -v -L -o cf-cli_amd64.deb 'https://packages.cloudfoundry.org/stable?release=debian64&version=v7&source=github'
+            sudo dpkg -i cf-cli_amd64.deb
+      - run:
+          name: Login with service account
+          command: |
+            cf login -a api.fr.cloud.gov \
+              -u ${<< parameters.cloudgov_username >>} \
+              -p ${<< parameters.cloudgov_password >>} \
+              -o << parameters.cloudgov_org >> \
+              -s << parameters.cloudgov_space >>
+      - run:
+          name: Push application with deployment vars
+          command: |
+            cf push --strategy rolling \
+              --vars-file << parameters.deploy_config_file >> \
+              --var rails_master_key=${<< parameters.rails_master_key >>}
+
+jobs:
+  build:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+
+  test:
+    parallelism: 3
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+      - image: cimg/postgres:12.9
+        environment:
+          POSTGRES_USER: circleci
+          POSTGRES_DB: <%= app_name %>_test
+          POSTGRES_PASSWORD: ""
+    environment:
+      BUNDLE_JOBS: "3"
+      BUNDLE_RETRY: "3"
+      PGHOST: 127.0.0.1
+      PGUSER: circleci
+      PGPASSWORD: ""
+      RAILS_ENV: test
+    steps:
+      - setup-project
+      - browser-tools/install-chrome
+      - browser-tools/install-chromedriver
+      - run:
+          name: Wait for DB
+          command: dockerize -wait tcp://localhost:5432 -timeout 1m
+      - run:
+          name: Database setup
+          command: bundle exec rails db:schema:load --trace
+
+      # Precompile assets
+      # Load assets from cache if possible, precompile assets then save cache
+      # Multiple caches are used to increase the chance of a cache hit
+      # https://circleci.com/docs/2.0/caching/#full-example-of-saving-and-restoring-cache
+      - restore_cache:
+          keys:
+            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
+            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}
+            - asset-cache-v1-{{ .Environment.RAILS_ENV }}
+
+      - run: bundle exec rake assets:precompile
+
+      - save_cache:
+          key: asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
+          paths:
+            - public/assets
+            - tmp/cache/assets/sprockets
+
+      - ruby/rspec-test
+
+  static_security_scans:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+      - run:
+          name: Run Brakeman scan
+          command: bundle exec brakeman
+      - run:
+          name: Bundle audit
+          command: bundle exec rake bundler:audit
+      - run:
+          name: Yarn audit
+          command: bundle exec rake yarn:audit
+
+  owasp_scan:
+    machine:
+      image: ubuntu-2004:202111-02
+    steps:
+      - checkout
+
+      # attempt to restore cache from build step to speed up local server startup time
+      # This will need to be updated if the cache key for the `install-(deps|packages)` steps changes
+      - restore_cache:
+          keys:
+            - gems-v1-{{ checksum "Gemfile.lock"  }}-{{ .Branch }}
+      - restore_cache:
+          keys:
+            - node-deps-{{ arch }}-v1-{{ .Branch }}-{{ checksum "package.json" }}-{{ checksum "yarn.lock" }}
+
+      - run:
+          name: Start up local server
+          command: docker-compose -f docker-compose.ci.yml up -d
+      - run:
+          name: Create reports directory
+          command: mkdir reports
+      - run:
+          name: Run OWASP Zap
+          command: |
+            docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
+              --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
+              zap-baseline.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
+      - store_artifacts:
+          path: reports/owasp_report.html
+
+  owasp_full_scan:
+    machine:
+      image: ubuntu-2004:202111-02
+    steps:
+      - checkout
+
+      # attempt to restore cache from build step to speed up local server startup time
+      # This will need to be updated if the cache key for the `install-(deps|packages)` steps changes
+      - restore_cache:
+          keys:
+            - gems-v1-{{ checksum "Gemfile.lock"  }}-{{ .Branch }}
+      - restore_cache:
+          keys:
+            - node-deps-{{ arch }}-v1-{{ .Branch }}-{{ checksum "package.json" }}-{{ checksum "yarn.lock" }}
+
+      - run:
+          name: Start up local server
+          command: docker-compose -f docker-compose.ci.yml up -d
+      - run:
+          name: Create reports directory
+          command: mkdir reports
+      - run:
+          name: Run OWASP Zap
+          command: |
+            docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
+              --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
+              zap-full-scan.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
+      - store_artifacts:
+          path: reports/owasp_report.html
+
+  a11y_scan:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+      - image: cimg/postgres:12.9
+        environment:
+          POSTGRES_USER: circleci
+          POSTGRES_DB: <%= app_name %>_development
+          POSTGRES_PASSWORD: ""
+    environment:
+      BUNDLE_JOBS: "3"
+      BUNDLE_RETRY: "3"
+      PGHOST: 127.0.0.1
+      PGUSER: circleci
+      PGPASSWORD: ""
+      RAILS_ENV: ci
+    steps:
+      - setup-project
+      - browser-tools/install-chrome
+      - browser-tools/install-chromedriver
+      - run:
+          name: Wait for DB
+          command: dockerize -wait tcp://localhost:5432 -timeout 1m
+      - run:
+          name: Database setup
+          command: bundle exec rails db:schema:load --trace
+
+      # Precompile assets
+      # Load assets from cache if possible, precompile assets then save cache
+      # Multiple caches are used to increase the chance of a cache hit
+      # https://circleci.com/docs/2.0/caching/#full-example-of-saving-and-restoring-cache
+      - restore_cache:
+          keys:
+            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
+            - asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}
+            - asset-cache-v1-{{ .Environment.RAILS_ENV }}
+
+      - run: bundle exec rake assets:precompile
+
+      - save_cache:
+          key: asset-cache-v1-{{ .Environment.RAILS_ENV }}-{{ arch }}-{{ .Branch }}-{{ .Environment.CIRCLE_SHA1 }}
+          paths:
+            - public/assets
+            - tmp/cache/assets/sprockets
+
+      - run:
+          name: Start server
+          command: ./bin/rails server -p 3000
+          background: true
+
+      - run:
+          name: Wait for server
+          command: dockerize -wait http://localhost:3000 -timeout 1m
+
+      - run:
+          name: Run pa11y-ci
+          command: yarn run pa11y-ci
+<% if terraform? %>
+  terraform_plan_staging:
+    executor: terraform/default
+    steps:
+      - checkout
+      - terraform/init:
+          path: terraform/staging
+      - terraform/validate:
+          path: terraform/staging
+      - terraform/fmt:
+          path: terraform/staging
+      - run:
+          name: Set terraform variables
+          working_directory: terraform/staging
+          command: echo -e "cf_user = \"$CF_STAGING_USERNAME\"\ncf_password = \"$CF_STAGING_PASSWORD\"" > secrets.auto.tfvars
+      - terraform/plan:
+          path: terraform/staging
+      - persist_to_workspace:
+          root: .
+          paths:
+            - ./terraform/staging
+  terraform_apply_staging:
+    executor: terraform/default
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - terraform/apply
+          path: terraform/staging
+  terraform_plan_production:
+    executor: terraform/default
+    steps:
+      - checkout
+      - terraform/init:
+          path: terraform/production
+      - terraform/validate:
+          path: terraform/production
+      - terraform/fmt:
+          path: terraform/production
+      - run:
+          name: Set terraform variables
+          working_directory: terraform/production
+          command: echo -e "cf_user = \"$CF_PRODUCTION_USERNAME\"\ncf_password = \"$CF_PRODUCTION_PASSWORD\"" > secrets.auto.tfvars
+      - terraform/plan:
+          path: terraform/production
+      - persist_to_workspace:
+          root: .
+          paths:
+            - ./terraform/production
+  terraform_apply_production:
+    executor: terraform/default
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - terraform/apply
+          path: terraform/production
+<% end %>
+  deploy_staging:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+      - cg-deploy:
+          cloudgov_username: CF_STAGING_USERNAME
+          cloudgov_password: CF_STAGING_PASSWORD
+          cloudgov_org: <%= cloud_gov_organization %>
+          cloudgov_space: <%= cloud_gov_staging_space %>
+          deploy_config_file: config/deployment/staging.yml
+          rails_master_key: RAILS_MASTER_KEY
+  deploy_production:
+    docker:
+      - image: cimg/ruby:<%= ruby_version %>
+    steps:
+      - setup-project
+      - cg-deploy:
+          cloudgov_username: CF_PRODUCTION_USERNAME
+          cloudgov_password: CF_PRODUCTION_PASSWORD
+          cloudgov_org: <%= cloud_gov_organization %>
+          cloudgov_space: <%= cloud_gov_production_space %>
+          deploy_config_file: config/deployment/production.yml
+          rails_master_key: PRODUCTION_RAILS_MASTER_KEY
+
+workflows:
+  version: 2.1
+  build_and_test:
+    jobs:
+      - build
+      - test:
+          requires:
+            - build
+      - static_security_scans:
+          requires:
+            - build
+      - owasp_scan:
+          requires:
+            - build
+      - a11y_scan:
+          requires:
+            - build<% if terraform? %>
+      - terraform_plan_staging:
+          filters:
+            branches:
+              ignore: production
+      - terraform_apply_staging:
+          filters:
+            branches:
+              only: main
+          requires:
+            - terraform_plan_staging
+      - terraform_plan_production
+      - approve_production_terraform:
+          type: approval
+          filters:
+            branches:
+              only: production
+          requires:
+            - terraform_plan_production
+      - terraform_apply_production:
+          filters:
+            branches:
+              only: production
+          requires:
+            - approve_production_terraform<% end %>
+      - deploy_staging:
+          filters:
+            branches:
+              only: main
+          requires:
+            - test
+            - static_security_scans
+            - owasp_scan
+            - a11y_scan<% if terraform? %>
+            - terraform_apply_staging<% end %>
+      - deploy_production:
+          filters:
+            branches:
+              only: production
+          requires:
+            - test
+            - static_security_scans
+            - owasp_scan
+            - a11y_scan<% if terraform? %>
+            - terraform_apply_production<% end %>
+  daily_scan:
+    triggers:
+      - schedule:
+          cron: "0 12 * * *"
+          filters:
+            branches:
+              only:
+                - dev
+                - main
+                - production
+    jobs:
+      - build
+      - static_security_scans:
+          requires:
+            - build
+      - owasp_full_scan:
+          requires:
+            - build

data/lib/generators/rails_template18f/circleci/templates/docker-compose.ci.yml

@@ -0,0 +1,26 @@
+version: "3.2"
+services:
+  web:
+    build:
+      context: .
+    user: ${CURRENT_USER:-root}
+    networks:
+      - ci_network
+    ports:
+      - "3000:3000"
+    depends_on:
+      - db
+    environment:
+      RAILS_ENV: ci
+      DATABASE_URL: postgres://circleci:notasecret@db:5432/ci_db
+      RAILS_MASTER_KEY: $RAILS_MASTER_KEY
+  db:
+    image: cimg/postgres:12.9
+    environment:
+      POSTGRES_USER: circleci
+      POSTGRES_DB: ci_db
+      POSTGRES_PASSWORD: notasecret
+    networks:
+      - ci_network
+networks:
+  ci_network:

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+module RailsTemplate18f
+  module Generators
+    class GithubActionsGenerator < ::Rails::Generators::Base
+      include ::Rails::Generators::AppName
+      include RailsTemplate18f::TerraformOptions
+
+      class_option :node_version, desc: "Node version to test against in actions"
+
+      desc <<~DESC
+        Description:
+          Install Github Actions workflow files
+      DESC
+
+      def self.source_root
+        @source_root ||= File.expand_path("templates", __dir__)
+      end
+
+      def install_actions
+        directory "github", ".github"
+        if !terraform?
+          remove_file ".github/workflows/terraform-staging.yml"
+          remove_file ".github/workflows/terraform-production.yml"
+        end
+      end
+
+      def update_readme
+        insert_into_file "README.md", readme_cicd, after: "## CI/CD\n"
+        insert_into_file "README.md", readme_staging_deploy, after: "#### Staging\n"
+        insert_into_file "README.md", readme_prod_deploy, after: "#### Production\n"
+        insert_into_file "README.md", readme_credentials, after: "#### Credentials and other Secrets\n"
+      end
+
+      def update_boundary_diagram
+        boundary_filename = "doc/compliance/apps/application.boundary.md"
+        insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
+    System_Ext(githuball, "GitHub w/ Github Actions", "GSA-controlled code repository and Continuous Integration Service")
+EOB
+        insert_into_file boundary_filename, <<~EOB, before: "@enduml"
+          Rel(developer, githuball, "Publish code", "git ssh (22)")
+          Rel(githuball, cg_api, "Deploy App", "Auth: SpaceDeployer Service Account, https (443)")
+        EOB
+      end
+
+      def update_terraform_readme
+        return unless terraform?
+        readme_filename = "terraform/README.md"
+        insert_into_file readme_filename, "  |- .force-action-apply\n", after: "  |- secrets.auto.tfvars\n"
+        insert_into_file readme_filename, <<~EOM, after: /- `secrets.auto.tfvars`.*$/
+          - `.force-action-apply` is a file that can be updated to force GitHub Actions to run `terraform apply` during the deploy phase
+        EOM
+      end
+
+      no_tasks do
+        def readme_cicd
+          <<~EOM
+
+            GitHub actions are used to run all tests and scans as part of pull requests.
+
+            Security scans are also run on a scheduled basis. Weekly for static code scans, and daily for dependency scans.
+          EOM
+        end
+
+        def readme_staging_deploy
+          <<~EOM
+
+            Deploys to staging#{terraform? ? ", including applying changes in terraform," : ""} happen
+            on every push to the `main` branch in Github.
+
+            The following secrets must be set within the `staging` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
+            to enable a deploy to work:
+
+            | Secret Name | Description |
+            | ----------- | ----------- |
+            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+            | `RAILS_MASTER_KEY` | `config/master.key` |
+            #{terraform_secret_values}
+          EOM
+        end
+
+        def readme_prod_deploy
+          <<~EOM
+
+            Deploys to production#{terraform? ? ", including applying changes in terraform," : ""} happen
+            on every push to the `production` branch in Github.
+
+            The following secrets must be set within the `production` [environment secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
+            to enable a deploy to work:
+
+            | Secret Name | Description |
+            | ----------- | ----------- |
+            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+            | `RAILS_MASTER_KEY` | `config/credentials/production.key` |
+            #{terraform_secret_values}
+          EOM
+        end
+
+        def readme_credentials
+          <<~EOM
+
+            1. Store variables that must be secret using [GitHub Environment Secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
+            1. Add the secret to the `env:` block of the deploy action [as in this example](https://github.com/OHS-Hosting-Infrastructure/complaint-tracker/blob/a9e8d22aae2023a0afb631a6182251c04f597f7e/.github/workflows/deploy-stage.yml#L20)
+            1. Add the appropriate `--var` addition to the `push_arguments` line on the deploy action [as in this example](https://github.com/OHS-Hosting-Infrastructure/complaint-tracker/blob/a9e8d22aae2023a0afb631a6182251c04f597f7e/.github/workflows/deploy-stage.yml#L27)
+          EOM
+        end
+      end
+
+      private
+
+      def terraform_secret_values
+        if terraform?
+          <<~EOM
+            | `TERRAFORM_STATE_ACCESS_KEY` | Access key for terraform state bucket |
+            | `TERRAFORM_STATE_SECRET_ACCESS_KEY` | Secret key for terraform state bucket |
+          EOM
+        end
+      end
+
+      def node_version
+        if options[:node_version].present?
+          options[:node_version]
+        elsif File.exist?(nvmrc_path)
+          File.read(nvmrc_path).strip
+        else
+          "16.13"
+        end
+      end
+
+      def nvmrc_path
+        @nvmrc_path ||= File.expand_path(".nvmrc", destination_root)
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/github_actions/templates/github/actions/run-server/action.yml

@@ -0,0 +1,28 @@
+name: "Run rails server"
+description: "Run rails server in the background for scans to access"
+inputs:
+  rails_env:
+    description: RAILS_ENV to set. Defaults to ci
+    required: false
+    default: ci
+  database_url:
+    description: DATABASE_URL to set
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: "Start server in background"
+      shell: bash
+      env:
+        RAILS_ENV: ${{ inputs.rails_env }}
+        DATABASE_URL: ${{ inputs.database_url }}
+        SECRET_KEY_BASE: not-actually-secret
+      run: bundle exec rails server &
+
+    - name: "Wait for startup"
+      shell: bash
+      run: sleep 5
+
+    - name: "Verify response working"
+      shell: bash
+      run: curl http://localhost:3000 -I

data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-languages/action.yml.tt

@@ -0,0 +1,20 @@
+name: Set up languages
+description: Set up ruby, javascript, and dependencies
+runs:
+  using: composite
+  steps:
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        # bundler-cache automatically installs gems
+        bundler-cache: true
+        cache-version: 1
+
+    - name: Set up node
+      uses: actions/setup-node@v2
+      with:
+        node-version: '<%= node_version %>'
+        cache: 'yarn'
+    - name: Install yarn dependencies
+      shell: bash
+      run: yarn install --frozen-lockfile

data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-project/action.yml.tt

@@ -0,0 +1,33 @@
+name: Set up project with database
+description: Setup Ruby, Javascript, and load the database schema into a running postgres db
+inputs:
+  rails_env:
+    description: RAILS_ENV to set. Defaults to ci
+    required: false
+    default: ci
+  database_url:
+    description: DATABASE_URL to set
+    required: false
+    default: postgres://cidbuser:postgres@localhost:5432/<%= app_name %>_test
+outputs:
+  database_url:
+    value: ${{ inputs.database_url }}
+runs:
+  using: composite
+  steps:
+    - name: Set up Ruby & Javascript
+      uses: ./.github/actions/setup-languages
+
+    - name: Precompile assets
+      env:
+        RAILS_ENV: ${{ inputs.rails_env }}
+        SECRET_KEY_BASE: not-actually-secret
+      shell: bash
+      run: bundle exec rake assets:precompile
+
+    - name: Set up database
+      env:
+        RAILS_ENV: ${{ inputs.rails_env }}
+        DATABASE_URL: ${{ inputs.database_url }}
+      shell: bash
+      run: bundle exec rake db:schema:load