rails_template_18f 0.7.2 → 0.8.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -0
- data/Gemfile.lock +92 -70
- data/README.md +60 -63
- data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb +0 -43
- data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt +17 -0
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml +17 -0
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt +3 -1
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt +3 -1
- data/lib/generators/rails_template18f/rails_erd/rails_erd_generator.rb +49 -0
- data/lib/generators/rails_template18f/rails_erd/templates/erdconfig +9 -0
- data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt +3 -3
- data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/main.tf.tt +1 -1
- data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt +1 -1
- data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt +1 -1
- data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt +11 -6
- data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt +9 -5
- data/lib/generators/rails_template18f/terraform/terraform_generator.rb +0 -10
- data/lib/rails_template18f/generators/pipeline_options.rb +13 -4
- data/lib/rails_template18f/version.rb +1 -1
- data/template.rb +21 -2
- data/templates/Brewfile +3 -0
- data/templates/README.md.tt +1 -0
- data/templates/bin/ops/create_service_account.sh.tt +72 -0
- data/templates/bin/ops/destroy_service_account.sh.tt +53 -0
- data/{lib/generators/rails_template18f/terraform/templates/terraform → templates/bin/ops}/set_space_egress.sh.tt +1 -1
- data/templates/config/environments/ci.rb +1 -1
- data/templates/config/environments/staging.rb +1 -1
- data/templates/doc/compliance/README.md +7 -2
- data/templates/doc/compliance/TODO.md +37 -0
- metadata +9 -22
- data/lib/generators/rails_template18f/terraform/templates/terraform/create_space_deployer.sh +0 -33
- data/lib/generators/rails_template18f/terraform/templates/terraform/destroy_space_deployer.sh +0 -19
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/main.tf.tt +0 -50
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/providers.tf +0 -16
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/variables.tf +0 -47
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/main.tf.tt +0 -23
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/providers.tf +0 -16
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/variables.tf +0 -42
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/main.tf.tt +0 -46
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/providers.tf +0 -16
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/variables.tf +0 -47
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/main.tf.tt +0 -23
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/providers.tf +0 -16
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/variables.tf +0 -42
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/main.tf +0 -27
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/providers.tf +0 -16
- data/lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/variables.tf +0 -43
- data/templates/doc/compliance/apps/data.logical.md +0 -21
@@ -2,43 +2,46 @@ locals {
|
|
2
2
|
cf_org_name = "<%= cloud_gov_organization %>"
|
3
3
|
cf_space_name = "<%= cloud_gov_production_space %>"
|
4
4
|
env = "production"
|
5
|
+
app_name = "<%= app_name %>"
|
5
6
|
recursive_delete = false
|
6
7
|
}
|
7
8
|
|
8
9
|
module "database" {
|
9
|
-
source = "
|
10
|
+
source = "github.com/18f/terraform-cloudgov//database"
|
10
11
|
|
11
12
|
cf_user = var.cf_user
|
12
13
|
cf_password = var.cf_password
|
13
14
|
cf_org_name = local.cf_org_name
|
14
15
|
cf_space_name = local.cf_space_name
|
15
16
|
env = local.env
|
17
|
+
app_name = local.app_name
|
16
18
|
recursive_delete = local.recursive_delete
|
17
19
|
rds_plan_name = "TKTK-production-rds-plan"
|
18
20
|
}
|
19
21
|
<% if has_active_job? %>
|
20
22
|
module "redis" {
|
21
|
-
source = "
|
23
|
+
source = "github.com/18f/terraform-cloudgov//redis"
|
22
24
|
|
23
25
|
cf_user = var.cf_user
|
24
26
|
cf_password = var.cf_password
|
25
27
|
cf_org_name = local.cf_org_name
|
26
28
|
cf_space_name = local.cf_space_name
|
27
29
|
env = local.env
|
30
|
+
app_name = local.app_name
|
28
31
|
recursive_delete = local.recursive_delete
|
29
32
|
redis_plan_name = "TKTK-production-redis-plan"
|
30
33
|
}
|
31
34
|
<% end %>
|
32
35
|
<% if has_active_storage? %>
|
33
36
|
module "s3" {
|
34
|
-
source = "
|
37
|
+
source = "github.com/18f/terraform-cloudgov//s3"
|
35
38
|
|
36
39
|
cf_user = var.cf_user
|
37
40
|
cf_password = var.cf_password
|
38
41
|
cf_org_name = local.cf_org_name
|
39
42
|
cf_space_name = local.cf_space_name
|
40
43
|
recursive_delete = local.recursive_delete
|
41
|
-
s3_service_name = "
|
44
|
+
s3_service_name = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
|
42
45
|
s3_plan_name = "basic-sandbox"<% end %>
|
43
46
|
}
|
44
47
|
|
@@ -49,13 +52,14 @@ module "s3" {
|
|
49
52
|
# 2) Your organization has sufficient memory. Each clamav app requires 3GB
|
50
53
|
###########################################################################
|
51
54
|
# module "clamav" {
|
52
|
-
# source = "
|
55
|
+
# source = "github.com/18f/terraform-cloudgov//clamav"
|
53
56
|
#
|
54
57
|
# cf_user = var.cf_user
|
55
58
|
# cf_password = var.cf_password
|
56
59
|
# cf_org_name = local.cf_org_name
|
57
60
|
# cf_space_name = local.cf_space_name
|
58
61
|
# env = local.env
|
62
|
+
# app_name = local.app_name
|
59
63
|
# clamav_image = "ajilaag/clamav-rest:20211229"
|
60
64
|
# max_file_size = "30M"
|
61
65
|
# }
|
@@ -69,13 +73,14 @@ module "s3" {
|
|
69
73
|
# `cf create-domain <%= cloud_gov_organization %> TKTK-production-domain-name`
|
70
74
|
###########################################################################
|
71
75
|
# module "domain" {
|
72
|
-
# source = "
|
76
|
+
# source = "github.com/18f/terraform-cloudgov//domain"
|
73
77
|
#
|
74
78
|
# cf_user = var.cf_user
|
75
79
|
# cf_password = var.cf_password
|
76
80
|
# cf_org_name = local.cf_org_name
|
77
81
|
# cf_space_name = local.cf_space_name
|
78
82
|
# env = local.env
|
83
|
+
# app_name = local.app_name
|
79
84
|
# recursive_delete = local.recursive_delete
|
80
85
|
# cdn_plan_name = "domain"
|
81
86
|
# domain_name = "TKTK-production-domain-name"
|
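Review bot: The module sources added in this section (`source = "github.com/18f/terraform-cloudgov//database"`, and the redis, s3, clamav and domain lines that follow) reference the upstream repository with no `?ref=` pin, so every `terraform init` resolves whatever the default branch holds at that moment and a later upstream change silently alters the generated infrastructure. Pinning to a release tag, e.g. `source = "github.com/18f/terraform-cloudgov//database?ref=<RELEASE_TAG>"` (placeholder), keeps deployments reproducible and turns upgrades into an explicit, reviewable diff; the staging main.tf.tt section that follows has the same unpinned sources and needs the same treatment. If tracking the default branch is deliberate for a template, a comment above the first module saying so, and that a ref should be added before production use, would make that choice visible to the generated project's maintainers.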
@@ -2,43 +2,46 @@ locals {
|
|
2
2
|
cf_org_name = "<%= cloud_gov_organization %>"
|
3
3
|
cf_space_name = "<%= cloud_gov_staging_space %>"
|
4
4
|
env = "staging"
|
5
|
+
app_name = "<%= app_name %>"
|
5
6
|
recursive_delete = true
|
6
7
|
}
|
7
8
|
|
8
9
|
module "database" {
|
9
|
-
source = "
|
10
|
+
source = "github.com/18f/terraform-cloudgov//database"
|
10
11
|
|
11
12
|
cf_user = var.cf_user
|
12
13
|
cf_password = var.cf_password
|
13
14
|
cf_org_name = local.cf_org_name
|
14
15
|
cf_space_name = local.cf_space_name
|
15
16
|
env = local.env
|
17
|
+
app_name = local.app_name
|
16
18
|
recursive_delete = local.recursive_delete
|
17
19
|
rds_plan_name = "micro-psql"
|
18
20
|
}
|
19
21
|
<% if has_active_job? %>
|
20
22
|
module "redis" {
|
21
|
-
source = "
|
23
|
+
source = "github.com/18f/terraform-cloudgov//redis"
|
22
24
|
|
23
25
|
cf_user = var.cf_user
|
24
26
|
cf_password = var.cf_password
|
25
27
|
cf_org_name = local.cf_org_name
|
26
28
|
cf_space_name = local.cf_space_name
|
27
29
|
env = local.env
|
30
|
+
app_name = local.app_name
|
28
31
|
recursive_delete = local.recursive_delete
|
29
32
|
redis_plan_name = "redis-dev"
|
30
33
|
}
|
31
34
|
<% end %>
|
32
35
|
<% if has_active_storage? %>
|
33
36
|
module "s3" {
|
34
|
-
source = "
|
37
|
+
source = "github.com/18f/terraform-cloudgov//s3"
|
35
38
|
|
36
39
|
cf_user = var.cf_user
|
37
40
|
cf_password = var.cf_password
|
38
41
|
cf_org_name = local.cf_org_name
|
39
42
|
cf_space_name = local.cf_space_name
|
40
43
|
recursive_delete = local.recursive_delete
|
41
|
-
s3_service_name = "
|
44
|
+
s3_service_name = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
|
42
45
|
s3_plan_name = "basic-sandbox"<% end %>
|
43
46
|
}
|
44
47
|
|
@@ -49,13 +52,14 @@ module "s3" {
|
|
49
52
|
# 2) Your organization has sufficient memory. Each clamav app requires 3GB
|
50
53
|
###########################################################################
|
51
54
|
# module "clamav" {
|
52
|
-
# source = "
|
55
|
+
# source = "github.com/18f/terraform-cloudgov//clamav"
|
53
56
|
#
|
54
57
|
# cf_user = var.cf_user
|
55
58
|
# cf_password = var.cf_password
|
56
59
|
# cf_org_name = local.cf_org_name
|
57
60
|
# cf_space_name = local.cf_space_name
|
58
61
|
# env = local.env
|
62
|
+
# app_name = local.app_name
|
59
63
|
# clamav_image = "ajilaag/clamav-rest:20211229"
|
60
64
|
# max_file_size = "30M"
|
61
65
|
# }
|
@@ -15,20 +15,10 @@ module RailsTemplate18f
|
|
15
15
|
|
16
16
|
def install
|
17
17
|
directory "terraform", mode: :preserve
|
18
|
-
chmod "terraform/set_space_egress.sh", 0o755
|
19
18
|
chmod "terraform/bootstrap/run.sh", 0o755
|
20
19
|
chmod "terraform/bootstrap/teardown_creds.sh", 0o755
|
21
20
|
end
|
22
21
|
|
23
|
-
def install_jq
|
24
|
-
append_to_file "Brewfile", <<~EOB
|
25
|
-
|
26
|
-
# used in terraform/create_space_deployer.sh
|
27
|
-
brew "jq"
|
28
|
-
EOB
|
29
|
-
insert_into_file "README.md", indent("* [jq](https://stedolan.github.io/jq/)\n"), after: /\* Install homebrew dependencies: `brew bundle`\n/
|
30
|
-
end
|
31
|
-
|
32
22
|
def ignore_files
|
33
23
|
unless skip_git?
|
34
24
|
append_to_file ".gitignore", <<~EOM
|
@@ -17,14 +17,15 @@ module RailsTemplate18f
|
|
17
17
|
def update_cicd_oscal_docs(ci_name)
|
18
18
|
if oscal_dir_exists?
|
19
19
|
update_ca7_oscal_doc
|
20
|
-
update_cm2_oscal_doc(
|
21
|
-
update_cm3_oscal_doc(
|
20
|
+
update_cm2_oscal_doc(ci_name)
|
21
|
+
update_cm3_oscal_doc(ci_name)
|
22
22
|
update_ra5_oscal_doc
|
23
|
-
update_sa11_oscal_doc(
|
23
|
+
update_sa11_oscal_doc(ci_name)
|
24
24
|
update_sa22_oscal_doc
|
25
|
-
update_sc281_oscal_doc(
|
25
|
+
update_sc281_oscal_doc(ci_name)
|
26
26
|
update_si2_oscal_doc
|
27
27
|
update_si10_oscal_doc
|
28
|
+
update_sr3_oscal_doc(ci_name)
|
28
29
|
end
|
29
30
|
end
|
30
31
|
|
@@ -176,6 +177,14 @@ module RailsTemplate18f
|
|
176
177
|
that may lead to application vulnerabilities that are a result of improper input validation.
|
177
178
|
EOS
|
178
179
|
end
|
180
|
+
|
181
|
+
def update_sr3_oscal_doc(ci)
|
182
|
+
insert_into_oscal "sr-3.md", <<~EOS, after: "Implementation b.\n"
|
183
|
+
A complete Software Bill of Materials (SBOM) for all Ruby dependencies is automatically
|
184
|
+
generated by #{ci} on each push to GitHub as well as on a nightly basis. These can be downloaded
|
185
|
+
from the applicable artifact section for each CI job.
|
186
|
+
EOS
|
187
|
+
end
|
179
188
|
end
|
180
189
|
end
|
181
190
|
end
|
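Review bot: The SR-3 text inserted by the new `update_sr3_oscal_doc` asserts that an SBOM covering "all Ruby dependencies" is produced "on each push to GitHub as well as on a nightly basis", but nothing in this hunk ties that statement to the CI configuration that has to implement it, and because the paragraph becomes a control-implementation statement an assessor will verify, drift between the two is a compliance finding rather than a cosmetic issue. A comment above the method such as `# Keep in sync with the SBOM job schedule and artifact names in the CI templates` would give the next maintainer the link; the "push to GitHub" wording is fixed regardless of `ci`, which is presumably fine if both supported pipelines build from GitHub, but worth confirming. If the generated app also carries JavaScript dependencies (template.rb drives npm/yarn), the statement should either cover them or state the Ruby-only scope explicitly. The class enclosing this method starts outside the hunk.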
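--- a/data/template.rb
+++ b/data/template.rb
@@ -58,6 +58,15 @@ compliance_template_submodule = compliance_template && yes?("Clone #{compliance_
 if compliance_template_submodule
 compliance_template_repo = ask("What is the git clone address of your compliance-template fork?")
 end
+if compliance_template_repo.blank?
+register_announcement("OSCAL Documentation", <<~EOM)
+Skipping OSCAL files as the compliance-template fork was left blank.
+
+Re-run the oscal generator after creating your template fork to get started with OSCAL.
+EOM
+compliance_template = false
+compliance_template_submodule = false
+end
 
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
@@ -141,6 +150,9 @@ end
 
 # setup pa11y and owasp scanning
 directory "bin", mode: :preserve
+chmod "bin/ops/create_service_account.sh", 0o755
+chmod "bin/ops/destroy_service_account.sh", 0o755
+chmod "bin/ops/set_space_egress.sh", 0o755
 copy_file "pa11yci", ".pa11yci"
 copy_file "editorconfig", ".editorconfig"
 copy_file "zap.conf"
@@ -234,7 +246,7 @@ end
 # setup USWDS and asset pipeline
 copy_file "browserslistrc", ".browserslistrc" if webpack?
 after_bundle do
-run 'npm set
+run 'npm pkg set scripts.build:css="postcss ./app/assets/stylesheets/application.postcss.scss -o ./app/assets/builds/application.css"'
 # include verbose flag for dev postcss output
 gsub_file "Procfile.dev", "yarn build:css --watch", "yarn build:css --verbose --watch"
 # Replace postcss-nesting with sass since USWDS uses sass
@@ -319,8 +331,10 @@ end
 directory "doc"
 register_announcement("Documentation", <<~EOM)
 * Include a short description of your application in doc/compliance/apps/application.boundary.md
-* Remember to keep your Logical Data Model up to date in doc/compliance/apps/data.logical.md
 EOM
+after_bundle do
+generate "rails_template18f:rails_erd"
+end
 
 if compliance_template
 after_bundle do
@@ -428,6 +442,11 @@ if @circleci_pipeline
 ]
 generate "rails_template18f:circleci", *generator_arguments
 end
+if cloud_gov_org_tktk?
+register_announcement("CircleCI", <<~EOM)
+* Fill in the cloud.gov organization information in .circleci/config.yml
+EOM
+end
 register_announcement("CircleCI", <<~EOM)
 * Create project environment variables for deploy users as defined in the Deployment section of the README
 EOM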
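Review bot: The new `if compliance_template_repo.blank?` block flips `compliance_template = false` whenever the repo string is blank, and in the visible code `compliance_template_repo` is assigned only inside `if compliance_template_submodule`, so a user who opted into the compliance template but declined to clone a fork now has OSCAL generation skipped entirely. If `compliance_template_repo` is not also set somewhere earlier in the file (outside this hunk), that is a behaviour change the announcement text does not explain; either the clone prompt should say that a fork is required for OSCAL, or the guard should be narrowed to `if compliance_template_submodule && compliance_template_repo.blank?`. As a point of style in the last hunk, the two back-to-back `register_announcement("CircleCI", <<~EOM)` calls could be a single heredoc with the TKTK line included conditionally, keeping that announcement in one place.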
data/templates/Brewfile
CHANGED
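--- a/data/templates/README.md.tt
+++ b/data/templates/README.md.tt
@@ -15,6 +15,7 @@ guide for an introduction to the framework.
 * Install homebrew dependencies: `brew bundle`
 * [PostgreSQL](https://www.postgresql.org/)
 * [Dockerize](https://github.com/jwilder/dockerize)
+* [jq](https://stedolan.github.io/jq/)
 * [ADR Tools](https://github.com/npryce/adr-tools)
 * [Chromedriver](https://sites.google.com/chromium.org/driver/)
 * Chromedriver must be allowed to run. You can either do that by: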
@@ -0,0 +1,72 @@
|
|
1
|
+
#!/usr/bin/env bash
|
2
|
+
|
3
|
+
org="<%= @cloud_gov_organization %>"
|
4
|
+
|
5
|
+
usage="
|
6
|
+
$0: Create a Service User Account for a given space
|
7
|
+
|
8
|
+
Usage:
|
9
|
+
$0 -h
|
10
|
+
$0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
|
11
|
+
|
12
|
+
Options:
|
13
|
+
-h: show help and exit
|
14
|
+
-s <SPACE NAME>: configure the space to act on. Required
|
15
|
+
-u <USER NAME>: set the service user name. Required
|
16
|
+
-r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
|
17
|
+
-o <ORG NAME>: configure the organization to act on. Default: $org
|
18
|
+
"
|
19
|
+
|
20
|
+
set -e
|
21
|
+
set -o pipefail
|
22
|
+
|
23
|
+
space=""
|
24
|
+
service=""
|
25
|
+
role="space-deployer"
|
26
|
+
|
27
|
+
while getopts ":hs:u:r:o:" opt; do
|
28
|
+
case "$opt" in
|
29
|
+
s)
|
30
|
+
space=${OPTARG}
|
31
|
+
;;
|
32
|
+
u)
|
33
|
+
service=${OPTARG}
|
34
|
+
;;
|
35
|
+
r)
|
36
|
+
role=${OPTARG}
|
37
|
+
;;
|
38
|
+
o)
|
39
|
+
org=${OPTARG}
|
40
|
+
;;
|
41
|
+
h)
|
42
|
+
echo "$usage"
|
43
|
+
exit 0
|
44
|
+
;;
|
45
|
+
esac
|
46
|
+
done
|
47
|
+
|
48
|
+
if [[ $space = "" || $service = "" ]]; then
|
49
|
+
echo "$usage"
|
50
|
+
exit 1
|
51
|
+
fi
|
52
|
+
|
53
|
+
cf target -o $org -s $space 1>&2
|
54
|
+
|
55
|
+
# create user account service
|
56
|
+
cf create-service cloud-gov-service-account $role $service 1>&2
|
57
|
+
|
58
|
+
# create service key
|
59
|
+
cf create-service-key $service service-account-key 1>&2
|
60
|
+
|
61
|
+
# output service key to stdout in secrets.auto.tfvars format
|
62
|
+
creds=`cf service-key $service service-account-key | tail -n 4`
|
63
|
+
username=`echo $creds | jq '.username'`
|
64
|
+
password=`echo $creds | jq '.password'`
|
65
|
+
|
66
|
+
cat << EOF
|
67
|
+
# generated with $0 -s $space -u $service -r $role -o $org
|
68
|
+
# revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org
|
69
|
+
|
70
|
+
cf_user = $username
|
71
|
+
cf_password = $password
|
72
|
+
EOF
|
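Review bot: The `getopts` loop in this new script has no `:` or `\?` branch, so an unknown flag or an option missing its argument is silently ignored and execution continues into `cf target` with whatever defaults remain; destroy_service_account.sh.tt in the next section has the same gap. Every expansion handed to `cf` is also unquoted (`cf target -o $org -s $space 1>&2`, `cf create-service cloud-gov-service-account $role $service 1>&2`, the `service-key` pipeline), and `org` comes from a template value the generator allows to be left blank, so quoting them and adding `set -u` next to `set -e` would make a blank or space-containing value fail visibly instead of producing a malformed command. Since stdout carries the freshly minted service-account credentials in secrets.auto.tfvars form, a header comment stating that the output must be redirected only to a git-ignored file would help the operators of the generated project; I cannot tell from this diff whether the terraform generator's ignore_files change covers that file. The rewritten option handling is below.
```bash
# … unchanged: usage text, set -e / set -o pipefail, defaults …
while getopts ":hs:u:r:o:" opt; do
  case "$opt" in
    # … unchanged: s, u, r, o, h branches …
    :)
      echo "option -$OPTARG requires an argument" >&2
      echo "$usage" >&2
      exit 1
      ;;
    \?)
      echo "unknown option -$OPTARG" >&2
      echo "$usage" >&2
      exit 1
      ;;
  esac
done
# … unchanged: required-argument check …
cf target -o "$org" -s "$space" 1>&2
```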
@@ -0,0 +1,53 @@
|
|
1
|
+
#!/usr/bin/env bash
|
2
|
+
|
3
|
+
org="<%= @cloud_gov_organization %>"
|
4
|
+
|
5
|
+
usage="
|
6
|
+
$0: Destroy a Service User Account in a given space
|
7
|
+
|
8
|
+
Usage:
|
9
|
+
$0 -h
|
10
|
+
$0 -s <SPACE NAME> -u <USER NAME> [-o <ORG NAME>]
|
11
|
+
|
12
|
+
Options:
|
13
|
+
-h: show help and exit
|
14
|
+
-s <SPACE NAME>: configure the space to act on. Required
|
15
|
+
-u <USER NAME>: configure the service user name to destroy. Required
|
16
|
+
-o <ORG NAME>: configure the organization to act on. Default: $org
|
17
|
+
"
|
18
|
+
|
19
|
+
set -e
|
20
|
+
|
21
|
+
space=""
|
22
|
+
service=""
|
23
|
+
|
24
|
+
while getopts ":hs:u:o:" opt; do
|
25
|
+
case "$opt" in
|
26
|
+
s)
|
27
|
+
space=${OPTARG}
|
28
|
+
;;
|
29
|
+
u)
|
30
|
+
service=${OPTARG}
|
31
|
+
;;
|
32
|
+
o)
|
33
|
+
org=${OPTARG}
|
34
|
+
;;
|
35
|
+
h)
|
36
|
+
echo "$usage"
|
37
|
+
exit 0
|
38
|
+
;;
|
39
|
+
esac
|
40
|
+
done
|
41
|
+
|
42
|
+
if [[ $space = "" || $service = "" ]]; then
|
43
|
+
echo "$usage"
|
44
|
+
exit 1
|
45
|
+
fi
|
46
|
+
|
47
|
+
cf target -o $org -s $space
|
48
|
+
|
49
|
+
# destroy service key
|
50
|
+
cf delete-service-key $service service-account-key -f
|
51
|
+
|
52
|
+
# destroy service
|
53
|
+
cf delete-service $service -f
|
@@ -1,13 +1,18 @@
|
|
1
1
|
# Compliance artifacts
|
2
2
|
|
3
|
-
## What is this?
|
4
|
-
|
5
3
|
In order to maintain and revise compliance materials with minimal fuss, we store all artifacts as text source (eg Markdown, PlantUML, OSCAL), then generate rendered materials for consumption by downstream entities in the assessment and authorization process.
|
6
4
|
|
7
5
|
This directory initially just contains system architecture diagrams corresponding to sections 1-12 of a typical System Security Plan (SSP) document.
|
8
6
|
|
9
7
|
The source for other things (OSCAL for control descriptions, evidence generation scripts, etc) will appear here over time.
|
10
8
|
|
9
|
+
## Documents
|
10
|
+
|
11
|
+
### Application Boundary
|
12
|
+
|
13
|
+
The UML source of the application boundary is stored at doc/compliance/apps/application.boundary.md.
|
14
|
+
The rendered output is saved to doc/compliance/rendered/apps/application.boundary.svg
|
15
|
+
|
11
16
|
## Development
|
12
17
|
|
13
18
|
These plugins may be helpful for editing diagrams.
|
@@ -0,0 +1,37 @@
|
|
1
|
+
Compliance Tasks
|
2
|
+
================
|
3
|
+
|
4
|
+
This file contains a list of some tasks that can make your compliance journey a bit easier.
|
5
|
+
|
6
|
+
These instructions assume that your application is being hosted on cloud.gov.
|
7
|
+
|
8
|
+
Egress Spaces
|
9
|
+
-------------
|
10
|
+
|
11
|
+
If your application requires outbound communication to services outside of cloud.gov:
|
12
|
+
|
13
|
+
1. Set up `<env>-egress` spaces for each environment.
|
14
|
+
1. Set that space to public egress with `bin/ops/set_space_egress.sh -s <env>-egress -p`
|
15
|
+
1. Run [cg-egress-proxy](https://github.com/GSA/cg-egress-proxy#deploying-proxies-for-a-bunch-of-apps-automatically) in that space
|
16
|
+
1. Send all outbound traffic from your app through the proxy
|
17
|
+
1. Document this use under the SC-7 security control
|
18
|
+
|
19
|
+
Log Drains
|
20
|
+
----------
|
21
|
+
|
22
|
+
Follow these directions to send your logs to an external consumer, such an S3 bucket for GSA SOC to ingest or New Relic
|
23
|
+
|
24
|
+
1. Deploy the [logstash-shipper](https://github.com/GSA/datagov-logstack#setup) app in a management space. The management space could be its own space, or `<env>-egress`
|
25
|
+
1. Deploy a [space-drain](https://github.com/GSA/datagov-logstack/blob/main/create-space-drain.sh) so that any app deployed to that space automatically has its logs shipped
|
26
|
+
|
27
|
+
Drift Detection
|
28
|
+
---------------
|
29
|
+
|
30
|
+
1. Deploy [Watchtower](https://github.com/18F/watchtower) for drift detection
|
31
|
+
|
32
|
+
Future Good Ideas
|
33
|
+
-----------------
|
34
|
+
|
35
|
+
Other things that would be useful, but without decent implementations yet:
|
36
|
+
|
37
|
+
* For RA-5, deploy a Monit sidecar buildpack to restart app if any anomalys are detected
|
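--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.8.1
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2024-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: railties
@@ -167,6 +167,8 @@ files:
 - lib/generators/rails_template18f/newrelic/newrelic_generator.rb
 - lib/generators/rails_template18f/newrelic/templates/config/newrelic.yml.tt
 - lib/generators/rails_template18f/oscal/oscal_generator.rb
+- lib/generators/rails_template18f/rails_erd/rails_erd_generator.rb
+- lib/generators/rails_template18f/rails_erd/templates/erdconfig
 - lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb
 - lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb
 - lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt
@@ -176,27 +178,9 @@ files:
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/create_space_deployer.sh
-- lib/generators/rails_template18f/terraform/templates/terraform/destroy_space_deployer.sh
 - lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/production/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/set_space_egress.sh.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/main.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/variables.tf
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/variables.tf
@@ -221,6 +205,9 @@ files:
 - templates/app/views/application/_demo_site_banner.html.erb
 - templates/app/views/application/_header.html.erb
 - templates/app/views/application/_usa_banner.html.erb
+- templates/bin/ops/create_service_account.sh.tt
+- templates/bin/ops/destroy_service_account.sh.tt
+- templates/bin/ops/set_space_egress.sh.tt
 - templates/bin/owasp-scan
 - templates/bin/pa11y-scan
 - templates/bin/with-server
@@ -234,8 +221,8 @@ files:
 - templates/doc/adr/0003-security-scans.md.tt
 - templates/doc/adr/0004-rails-csp-compliant-script-tag-helpers.md.tt
 - templates/doc/compliance/README.md
+- templates/doc/compliance/TODO.md
 - templates/doc/compliance/apps/application.boundary.md.tt
-- templates/doc/compliance/apps/data.logical.md
 - templates/doc/compliance/rendered/apps/.keep
 - templates/editorconfig
 - templates/env
@@ -267,7 +254,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.5.9
 signing_key:
 specification_version: 4
 summary: Generators for creating an 18F-flavored Rails app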
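--- a/data/lib/generators/rails_template18f/terraform/templates/terraform/create_space_deployer.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -o pipefail
-
-if [[ $# -lt 2 ]]; then
-echo "$0 <<SPACE_NAME>> <<ACCOUNT_NAME>>"
-exit 1;
-fi
-
-space=$1
-service=$2
-
-cf target -s $space 1>&2
-
-# create space deployer service
-cf create-service cloud-gov-service-account space-deployer $service 1>&2
-
-# create service key
-cf create-service-key $service space-deployer-key 1>&2
-
-# output service key to stdout in secrets.auto.tfvars format
-creds=`cf service-key $service space-deployer-key | tail -n 4`
-username=`echo $creds | jq '.username'`
-password=`echo $creds | jq '.password'`
-
-cat << EOF
-# generated with $0 $space $service
-# revoke with $(dirname $0)/destroy_space_deployer.sh $space $service
-
-cf_user = $username
-cf_password = $password
-EOF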
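--- a/data/lib/generators/rails_template18f/terraform/templates/terraform/destroy_space_deployer.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-if [[ $# -ne 2 ]]; then
-echo "$0 <<SPACE_NAME>> <<ACCOUNT_NAME>>"
-exit 1;
-fi
-
-space=$1
-service=$2
-
-cf target -s $space
-
-# destroy service key
-cf delete-service-key $service space-deployer-key -f
-
-# destroy service
-cf delete-service $service -f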