rails_template_18f 0.1.0

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml

@@ -0,0 +1,44 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at noon UTC each Monday (7am EST / 8am EDT)
+    - cron: '0 12 * * 1'
+
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    - uses: ./.github/actions/setup-languages
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        bundle exec brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: output.sarif.json

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml

@@ -0,0 +1,39 @@
+name: Ruby and Javascript dependency scans
+
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at noon UTC every day (7am EST / 8am EDT)
+    - cron: '0 12 * * *'
+
+jobs:
+  bundle-audit:
+    name: Bundle audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./.github/actions/setup-languages
+
+      - name: Update advisory database and run checks
+        run: bundle exec rake bundler:audit
+
+  yarn-audit:
+    name: Yarn audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: ./.github/actions/setup-languages
+
+      - name: Run yarn audit
+        run: bundle exec rake yarn:audit

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt

@@ -0,0 +1,53 @@
+name: Deploy Production
+
+on:
+  push:
+    branches: [ production ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+
+jobs:
+  deploy:
+    name: Deploy to production
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+      <% if terraform? %>
+      - name: Check for changes to Terraform
+        id: changed-terraform-files
+        uses: tj-actions/changed-files@v1.1.2
+        with:
+          files: |
+            terraform/shared
+            terraform/production
+      - name: Terraform init
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/production
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+        run: terraform init
+      - name: Terraform apply
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/production
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+        run: terraform apply -auto-approve -input=false
+      <% end %>
+      - name: Deploy app
+        uses: 18F/cg-deploy-action@main
+        env:
+          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: <%= cloud_gov_organization %>
+          cf_space: <%= cloud_gov_production_space %>
+          push_arguments: "--vars-file config/deployment/production.yml --var rails_master_key=$RAILS_MASTER_KEY"

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt

@@ -0,0 +1,53 @@
+name: Deploy Staging
+
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+
+jobs:
+  deploy:
+    name: Deploy to staging
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+      <% if terraform? %>
+      - name: Check for changes to Terraform
+        id: changed-terraform-files
+        uses: tj-actions/changed-files@v1.1.2
+        with:
+          files: |
+            terraform/shared
+            terraform/staging
+      - name: Terraform init
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/staging
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+        run: terraform init
+      - name: Terraform apply
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/staging
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+        run: terraform apply -auto-approve -input=false
+      <% end %>
+      - name: Deploy app
+        uses: 18F/cg-deploy-action@main
+        env:
+          RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: <%= cloud_gov_organization %>
+          cf_space: <%= cloud_gov_staging_space %>
+          push_arguments: "--vars-file config/deployment/staging.yml --var rails_master_key=$RAILS_MASTER_KEY"

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt

@@ -0,0 +1,44 @@
+name: OWASP ZAP daily scan
+
+on:
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at noon UTC every day (7am EST / 8am EDT)
+    - cron: '0 12 * * *'
+
+jobs:
+  owasp-scan:
+    name: OWASP ZAP Scan
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports: ["5432:5432"]
+        env:
+          POSTGRES_DB: <%= app_name %>_test
+          POSTGRES_USER: cidbuser
+          POSTGRES_PASSWORD: postgres
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - id: setup
+        uses: ./.github/actions/setup-project
+
+      - uses: ./.github/actions/run-server
+        with:
+          database_url: ${{ steps.setup.outputs.database_url }}
+
+      - name: Run OWASP Full Scan
+        uses: zaproxy/action-full-scan@v0.3.0
+        with:
+          docker_name: 'owasp/zap2docker-weekly'
+          target: 'http://localhost:3000/'
+          fail_action: true
+          rules_file_name: 'zap.conf'
+          cmd_options: '-I'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt

@@ -0,0 +1,47 @@
+name: OWASP ZAP scan
+
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  owasp-scan:
+    name: OWASP ZAP Scan
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports: ["5432:5432"]
+        env:
+          POSTGRES_DB: <%= app_name %>_test
+          POSTGRES_USER: cidbuser
+          POSTGRES_PASSWORD: postgres
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - id: setup
+        uses: ./.github/actions/setup-project
+
+      - uses: ./.github/actions/run-server
+        with:
+          database_url: ${{ steps.setup.outputs.database_url }}
+
+      - name: Run OWASP Baseline Scan
+        uses: zaproxy/action-baseline@v0.6.1
+        with:
+          docker_name: 'owasp/zap2docker-weekly'
+          target: 'http://localhost:3000/'
+          fail_action: true
+          rules_file_name: 'zap.conf'
+          cmd_options: '-I'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt

@@ -0,0 +1,65 @@
+name: pa11y tests
+
+on: [pull_request]
+
+jobs:
+  pa11y_scan:
+    name: Pa11y Scan
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports: ["5432:5432"]
+        env:
+          POSTGRES_DB: <%= app_name %>_test
+          POSTGRES_USER: cidbuser
+          POSTGRES_PASSWORD: postgres
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - id: setup
+        uses: ./.github/actions/setup-project
+
+      - uses: ./.github/actions/run-server
+        with:
+          database_url: ${{ steps.setup.outputs.database_url }}
+
+      - name: Run pa11y-ci
+        shell: bash
+        run: |
+          set -o pipefail
+          yarn run pa11y-ci 2>&1 | tee pa11y_output.txt
+
+      - name: Read pa11y_output file.
+        if: failure()
+        id: pa11y_output
+        uses: juliangruber/read-file-action@v1
+        with:
+          path: ./pa11y_output.txt
+
+      - name: Comment on pull request
+        if: failure()
+        uses: actions/github-script@v4
+        with:
+          script: |
+            const output = `Pa11y Failures detected
+
+            <details><summary>Show failure message</summary>
+
+            \`\`\`\n
+            ${{ steps.pa11y_output.outputs.content }}
+            \`\`\`
+            </details>`;
+
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            });

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt

@@ -0,0 +1,34 @@
+name: rspec tests
+
+on: [pull_request]
+
+jobs:
+  rspec:
+    name: Rspec
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports: ["5432:5432"]
+        env:
+          POSTGRES_DB: <%= app_name %>_test
+          POSTGRES_USER: cidbuser
+          POSTGRES_PASSWORD: postgres
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - id: setup
+        uses: ./.github/actions/setup-project
+        with:
+          rails_env: test
+
+      - name: Run rspec
+        env:
+          DATABASE_URL: ${{ steps.setup.outputs.database_url }}
+        run: bundle exec rspec

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml

@@ -0,0 +1,79 @@
+name: Run Terraform plan in production
+
+on:
+  pull_request:
+    branches: [ production ]
+    paths: [ 'terraform/**' ]
+
+defaults:
+  run:
+    working-directory: terraform/production
+
+jobs:
+  terraform:
+    name: Terraform plan
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Terraform format
+        id: format
+        run: terraform fmt -check
+
+      - name: Terraform init
+        id: init
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+        run: terraform init
+
+      - name: Terraform validate
+        id: validation
+        run: terraform validate -no-color
+
+      - name: Terraform plan
+        id: plan
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+        run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt
+
+      - name: Read Terraform plan output file
+        id: terraform_output
+        uses: juliangruber/read-file-action@v1
+        if: ${{ always() }}
+        with:
+          path: ./terraform/production/plan_output.txt
+
+      # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
+      - name: Update PR
+        uses: actions/github-script@v4
+        # we would like to update the PR even when a prior step failed
+        if: ${{ always() }}
+        with:
+          script: |
+            const output = `Terraform Format and Style: ${{ steps.format.outcome }}
+            Terraform Initialization: ${{ steps.init.outcome }}
+            Terraform Validation: ${{ steps.validation.outcome }}
+            Terraform Plan: ${{ steps.plan.outcome }}
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${{ steps.terraform_output.outputs.content }}
+            \`\`\`
+
+            </details>
+
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml

@@ -0,0 +1,79 @@
+name: Run Terraform plan in staging
+
+on:
+  pull_request:
+    branches: [ main ]
+    paths: [ 'terraform/**' ]
+
+defaults:
+  run:
+    working-directory: terraform/staging
+
+jobs:
+  terraform:
+    name: Terraform plan
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Terraform format
+        id: format
+        run: terraform fmt -check
+
+      - name: Terraform init
+        id: init
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+        run: terraform init
+
+      - name: Terraform validate
+        id: validation
+        run: terraform validate -no-color
+
+      - name: Terraform plan
+        id: plan
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+        run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt
+
+      - name: Read Terraform plan output file
+        id: terraform_output
+        uses: juliangruber/read-file-action@v1
+        if: ${{ always() }}
+        with:
+          path: ./terraform/staging/plan_output.txt
+
+      # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
+      - name: Update PR
+        uses: actions/github-script@v4
+        # we would like to update the PR even when a prior step failed
+        if: ${{ always() }}
+        with:
+          script: |
+            const output = `Terraform Format and Style: ${{ steps.format.outcome }}
+            Terraform Initialization: ${{ steps.init.outcome }}
+            Terraform Validation: ${{ steps.validation.outcome }}
+            Terraform Plan: ${{ steps.plan.outcome }}
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${{ steps.terraform_output.outputs.content }}
+            \`\`\`
+
+            </details>
+
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })

data/lib/rails_template18f/terraform_options.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module RailsTemplate18f
+  module TerraformOptions
+    extend ActiveSupport::Concern
+
+    included do
+      class_option :cg_org, desc: "cloud.gov organization name"
+      class_option :cg_staging, desc: "cloud.gov space name for staging"
+      class_option :cg_prod, desc: "cloud.gov space name for production"
+      class_option :terraform, type: :boolean, desc: "Generate actions for planning and applying terraform"
+    end
+
+    private
+
+    def ruby_version
+      RUBY_VERSION
+    end
+
+    def terraform?
+      options[:terraform].nil? ? terraform_dir_exists? : options[:terraform]
+    end
+
+    def cloud_gov_organization
+      if options[:cg_org].present?
+        return options[:cg_org]
+      elsif terraform_dir_exists?
+        staging_main = File.read(terraform_path.join("staging", "main.tf"))
+        if (matches = staging_main.match(/cf_org_name\s+= "(?<org_name>.*)"/))
+          return matches[:org_name]
+        end
+      end
+      "TKTK-cloud.gov-org-name"
+    end
+
+    def cloud_gov_staging_space
+      if options[:cg_staging].present?
+        return options[:cg_staging]
+      elsif terraform_dir_exists?
+        staging_main = File.read(terraform_path.join("staging", "main.tf"))
+        if (matches = staging_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
+          return matches[:space_name]
+        end
+      end
+      "staging"
+    end
+
+    def cloud_gov_production_space
+      if options[:cg_prod].present?
+        return options[:cg_prod]
+      elsif terraform_dir_exists?
+        prod_main = File.read(terraform_path.join("production", "main.tf"))
+        if (matches = prod_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
+          return matches[:space_name]
+        end
+      end
+      "prod"
+    end
+
+    def terraform_path
+      Pathname.new File.expand_path("terraform", destination_root)
+    end
+
+    def terraform_dir_exists?
+      Dir.exist? terraform_path
+    end
+  end
+end

data/lib/rails_template18f/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RailsTemplate18f
+  VERSION = "0.1.0"
+end

data/lib/rails_template_18f.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require_relative "rails_template18f/version"
+
+module RailsTemplate18f
+  extend ActiveSupport::Autoload
+
+  autoload :TerraformOptions
+
+  class Error < StandardError; end
+
+  class Railtie < ::Rails::Railtie; end
+end

data/rails-template-18f.gemspec

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative "lib/rails_template18f/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "rails_template_18f"
+  spec.version = RailsTemplate18f::VERSION
+  spec.authors = ["Ryan Ahearn"]
+  spec.email = ["ryan.ahearn@gsa.gov"]
+
+  spec.summary = "Generators for creating an 18F-flavored Rails app"
+  spec.homepage = "https://github.com/18f/rails-template"
+  spec.required_ruby_version = ">= 2.7.5"
+
+  spec.metadata["allowed_push_host"] = "https://rubygems.org/"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/18f/rails-template"
+  spec.metadata["changelog_uri"] = "https://github.com/18f/rails-template/blob/main/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # For more information and examples about making a new gem, checkout our
+  # guide at: https://bundler.io/guides/creating_gem.html
+  spec.add_dependency "railties", "~> 7.0.0"
+  spec.add_dependency "activesupport", "~> 7.0.0"
+
+  spec.add_development_dependency "rspec", "~> 3.11"
+  spec.add_development_dependency "ammeter", "~> 1.1"
+  spec.add_development_dependency "standard", "~> 1.3"
+end

data/railsrc

@@ -0,0 +1,10 @@
+--skip-active-storage
+--skip-action-text
+--skip-action-cable
+--skip-action-mailbox
+--skip-hotwire
+--skip-test
+--javascript=webpack
+--css=postcss
+--template=template.rb
+--database=postgresql