rails_template_18f 0.8.0 → 0.8.1

data/template.rb

@@ -58,6 +58,15 @@ compliance_template_submodule = compliance_template && yes?("Clone #{compliance_
 if compliance_template_submodule
   compliance_template_repo = ask("What is the git clone address of your compliance-template fork?")
 end
+if compliance_template_repo.blank?
+  register_announcement("OSCAL Documentation", <<~EOM)
+    Skipping OSCAL files as the compliance-template fork was left blank.
+
+    Re-run the oscal generator after creating your template fork to get started with OSCAL.
+  EOM
+  compliance_template = false
+  compliance_template_submodule = false
+end
 
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
@@ -141,6 +150,9 @@ end
 
 # setup pa11y and owasp scanning
 directory "bin", mode: :preserve
+chmod "bin/ops/create_service_account.sh", 0o755
+chmod "bin/ops/destroy_service_account.sh", 0o755
+chmod "bin/ops/set_space_egress.sh", 0o755
 copy_file "pa11yci", ".pa11yci"
 copy_file "editorconfig", ".editorconfig"
 copy_file "zap.conf"
@@ -234,7 +246,7 @@ end
 # setup USWDS and asset pipeline
 copy_file "browserslistrc", ".browserslistrc" if webpack?
 after_bundle do
-  run 'npm set-script build:css "postcss ./app/assets/stylesheets/application.postcss.scss -o ./app/assets/builds/application.css"'
+  run 'npm pkg set scripts.build:css="postcss ./app/assets/stylesheets/application.postcss.scss -o ./app/assets/builds/application.css"'
   # include verbose flag for dev postcss output
   gsub_file "Procfile.dev", "yarn build:css --watch", "yarn build:css --verbose --watch"
   # Replace postcss-nesting with sass since USWDS uses sass
@@ -430,6 +442,11 @@ if @circleci_pipeline
     ]
     generate "rails_template18f:circleci", *generator_arguments
   end
+  if cloud_gov_org_tktk?
+    register_announcement("CircleCI", <<~EOM)
+      * Fill in the cloud.gov organization information in .circleci/config.yml
+    EOM
+  end
   register_announcement("CircleCI", <<~EOM)
     * Create project environment variables for deploy users as defined in the Deployment section of the README
   EOM

data/templates/Brewfile

@@ -7,6 +7,9 @@ brew "postgresql@12", link: true
 # used in bin/with-server script
 brew "dockerize"
 
+# used in bin/ops/create_service_account.sh
+brew "jq"
+
 # helper scripts for creating new ADRs
 brew "adr-tools"
 

data/templates/README.md.tt

@@ -15,6 +15,7 @@ guide for an introduction to the framework.
 * Install homebrew dependencies: `brew bundle`
   * [PostgreSQL](https://www.postgresql.org/)
   * [Dockerize](https://github.com/jwilder/dockerize)
+  * [jq](https://stedolan.github.io/jq/)
   * [ADR Tools](https://github.com/npryce/adr-tools)
   * [Chromedriver](https://sites.google.com/chromium.org/driver/)
     * Chromedriver must be allowed to run. You can either do that by:

data/templates/bin/ops/create_service_account.sh.tt

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+org="<%= @cloud_gov_organization %>"
+
+usage="
+$0: Create a Service User Account for a given space
+
+Usage:
+  $0 -h
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
+
+Options:
+-h: show help and exit
+-s <SPACE NAME>: configure the space to act on. Required
+-u <USER NAME>: set the service user name. Required
+-r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
+-o <ORG NAME>: configure the organization to act on. Default: $org
+"
+
+set -e
+set -o pipefail
+
+space=""
+service=""
+role="space-deployer"
+
+while getopts ":hs:u:r:o:" opt; do
+  case "$opt" in
+    s)
+      space=${OPTARG}
+      ;;
+    u)
+      service=${OPTARG}
+      ;;
+    r)
+      role=${OPTARG}
+      ;;
+    o)
+      org=${OPTARG}
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+
+if [[ $space = "" || $service = "" ]]; then
+  echo "$usage"
+  exit 1
+fi
+
+cf target -o $org -s $space 1>&2
+
+# create user account service
+cf create-service cloud-gov-service-account $role $service 1>&2
+
+# create service key
+cf create-service-key $service service-account-key 1>&2
+
+# output service key to stdout in secrets.auto.tfvars format
+creds=`cf service-key $service service-account-key | tail -n 4`
+username=`echo $creds | jq '.username'`
+password=`echo $creds | jq '.password'`
+
+cat << EOF
+# generated with $0 -s $space -u $service -r $role -o $org
+# revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org
+
+cf_user = $username
+cf_password = $password
+EOF

data/templates/bin/ops/destroy_service_account.sh.tt

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+org="<%= @cloud_gov_organization %>"
+
+usage="
+$0: Destroy a Service User Account in a given space
+
+Usage:
+  $0 -h
+  $0 -s <SPACE NAME> -u <USER NAME> [-o <ORG NAME>]
+
+Options:
+-h: show help and exit
+-s <SPACE NAME>: configure the space to act on. Required
+-u <USER NAME>: configure the service user name to destroy. Required
+-o <ORG NAME>: configure the organization to act on. Default: $org
+"
+
+set -e
+
+space=""
+service=""
+
+while getopts ":hs:u:o:" opt; do
+  case "$opt" in
+    s)
+      space=${OPTARG}
+      ;;
+    u)
+      service=${OPTARG}
+      ;;
+    o)
+      org=${OPTARG}
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+
+if [[ $space = "" || $service = "" ]]; then
+  echo "$usage"
+  exit 1
+fi
+
+cf target -o $org -s $space
+
+# destroy service key
+cf delete-service-key $service service-account-key -f
+
+# destroy service
+cf delete-service $service -f

data/{lib/generators/rails_template18f/terraform/templates/terraform → templates/bin/ops}/set_space_egress.sh.tt

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-org="<%= cloud_gov_organization %>"
+org="<%= @cloud_gov_organization %>"
 
 usage="
 $0: Set egress rules for given space

data/templates/config/environments/ci.rb

@@ -1,4 +1,4 @@
-require_relative "./production"
+require_relative "production"
 
 Rails.application.configure do
   config.public_file_server.enabled = true

data/templates/config/environments/staging.rb

@@ -1,4 +1,4 @@
-require_relative "./production"
+require_relative "production"
 
 Rails.application.configure do
   # insert any staging overrides here

data/templates/doc/compliance/TODO.md

@@ -0,0 +1,37 @@
+Compliance Tasks
+================
+
+This file contains a list of some tasks that can make your compliance journey a bit easier.
+
+These instructions assume that your application is being hosted on cloud.gov.
+
+Egress Spaces
+-------------
+
+If your application requires outbound communication to services outside of cloud.gov:
+
+1. Set up `<env>-egress` spaces for each environment.
+1. Set that space to public egress with `bin/ops/set_space_egress.sh -s <env>-egress -p`
+1. Run [cg-egress-proxy](https://github.com/GSA/cg-egress-proxy#deploying-proxies-for-a-bunch-of-apps-automatically) in that space
+1. Send all outbound traffic from your app through the proxy
+1. Document this use under the SC-7 security control
+
+Log Drains
+----------
+
+Follow these directions to send your logs to an external consumer, such an S3 bucket for GSA SOC to ingest or New Relic
+
+1. Deploy the [logstash-shipper](https://github.com/GSA/datagov-logstack#setup) app in a management space. The management space could be its own space, or `<env>-egress`
+1. Deploy a [space-drain](https://github.com/GSA/datagov-logstack/blob/main/create-space-drain.sh) so that any app deployed to that space automatically has its logs shipped
+
+Drift Detection
+---------------
+
+1. Deploy [Watchtower](https://github.com/18F/watchtower) for drift detection
+
+Future Good Ideas
+-----------------
+
+Other things that would be useful, but without decent implementations yet:
+
+* For RA-5, deploy a Monit sidecar buildpack to restart app if any anomalys are detected

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.8.1
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-07-14 00:00:00.000000000 Z
+date: 2024-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -178,27 +178,9 @@ files:
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/create_space_deployer.sh
-- lib/generators/rails_template18f/terraform/templates/terraform/destroy_space_deployer.sh
 - lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/production/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/set_space_egress.sh.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/main.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/variables.tf
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/variables.tf
@@ -223,6 +205,9 @@ files:
 - templates/app/views/application/_demo_site_banner.html.erb
 - templates/app/views/application/_header.html.erb
 - templates/app/views/application/_usa_banner.html.erb
+- templates/bin/ops/create_service_account.sh.tt
+- templates/bin/ops/destroy_service_account.sh.tt
+- templates/bin/ops/set_space_egress.sh.tt
 - templates/bin/owasp-scan
 - templates/bin/pa11y-scan
 - templates/bin/with-server
@@ -236,6 +221,7 @@ files:
 - templates/doc/adr/0003-security-scans.md.tt
 - templates/doc/adr/0004-rails-csp-compliant-script-tag-helpers.md.tt
 - templates/doc/compliance/README.md
+- templates/doc/compliance/TODO.md
 - templates/doc/compliance/apps/application.boundary.md.tt
 - templates/doc/compliance/rendered/apps/.keep
 - templates/editorconfig
@@ -268,7 +254,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.9
 signing_key:
 specification_version: 4
 summary: Generators for creating an 18F-flavored Rails app

data/lib/generators/rails_template18f/terraform/templates/terraform/create_space_deployer.sh

@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -o pipefail
-
-if [[ $# -lt 2 ]]; then
-  echo "$0 <<SPACE_NAME>> <<ACCOUNT_NAME>>"
-  exit 1;
-fi
-
-space=$1
-service=$2
-
-cf target -s $space 1>&2
-
-# create space deployer service
-cf create-service cloud-gov-service-account space-deployer $service 1>&2
-
-# create service key
-cf create-service-key $service space-deployer-key 1>&2
-
-# output service key to stdout in secrets.auto.tfvars format
-creds=`cf service-key $service space-deployer-key | tail -n 4`
-username=`echo $creds | jq '.username'`
-password=`echo $creds | jq '.password'`
-
-cat << EOF
-# generated with $0 $space $service
-# revoke with $(dirname $0)/destroy_space_deployer.sh $space $service
-
-cf_user = $username
-cf_password = $password
-EOF

data/lib/generators/rails_template18f/terraform/templates/terraform/destroy_space_deployer.sh

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-if [[ $# -ne 2 ]]; then
-  echo "$0 <<SPACE_NAME>> <<ACCOUNT_NAME>>"
-  exit 1;
-fi
-
-space=$1
-service=$2
-
-cf target -s $space
-
-# destroy service key
-cf delete-service-key $service space-deployer-key -f
-
-# destroy service
-cf delete-service $service -f

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/main.tf.tt

@@ -1,50 +0,0 @@
-###
-# Target space/org
-###
-
-data "cloudfoundry_space" "space" {
-  org_name = var.cf_org_name
-  name     = var.cf_space_name
-}
-
-data "cloudfoundry_domain" "internal" {
-  name = "apps.internal"
-}
-
-data "cloudfoundry_app" "app" {
-  name_or_id = "<%= app_name %>-${var.env}"
-  space = data.cloudfoundry_space.space.id
-}
-
-###
-# ClamAV API app
-###
-
-resource "cloudfoundry_route" "clamav_route" {
-  space    = data.cloudfoundry_space.space.id
-  domain   = data.cloudfoundry_domain.internal.id
-  hostname = "<%= app_name %>-clamapi-${var.env}"
-}
-
-resource "cloudfoundry_app" "clamav_api" {
-  name         = "<%= app_name %>-clamav-api-${var.env}"
-  space        = data.cloudfoundry_space.space.id
-  memory       = var.clamav_memory
-  disk_quota   = 2048
-  timeout      = 600
-  docker_image = var.clamav_image
-  routes {
-    route = cloudfoundry_route.clamav_route.id
-  }
-  environment = {
-    MAX_FILE_SIZE = var.max_file_size
-  }
-}
-
-resource "cloudfoundry_network_policy" "clamav_routing" {
-  policy {
-    source_app      = data.cloudfoundry_app.app.id
-    destination_app = cloudfoundry_app.clamav_api.id
-    port            = "9443"
-  }
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/providers.tf

@@ -1,16 +0,0 @@
-terraform {
-  required_version = "~> 1.0"
-  required_providers {
-    cloudfoundry = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
-    }
-  }
-}
-
-provider "cloudfoundry" {
-  api_url      = var.cf_api_url
-  user         = var.cf_user
-  password     = var.cf_password
-  app_logs_max = 30
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/variables.tf

@@ -1,47 +0,0 @@
-variable "cf_api_url" {
-  type        = string
-  description = "cloud.gov api url"
-  default     = "https://api.fr.cloud.gov"
-}
-
-variable "cf_user" {
-  type        = string
-  description = "cloud.gov deployer account user"
-}
-
-variable "cf_password" {
-  type        = string
-  description = "secret; cloud.gov deployer account password"
-  sensitive   = true
-}
-
-variable "cf_org_name" {
-  type        = string
-  description = "cloud.gov organization name"
-}
-
-variable "cf_space_name" {
-  type        = string
-  description = "cloud.gov space name (staging or prod)"
-}
-
-variable "env" {
-  type        = string
-  description = "deployment environment (staging, production)"
-}
-
-variable "clamav_image" {
-  type        = string
-  description = "Docker image to deploy the clamav api app"
-}
-
-variable "clamav_memory" {
-  type        = number
-  description = "Memory in MB to allocate to clamav app"
-  default     = 3072
-}
-
-variable "max_file_size" {
-  type        = string
-  description = "Maximum file size the API will accept for scanning"
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/main.tf.tt

@@ -1,23 +0,0 @@
-###
-# Target space/org
-###
-
-data "cloudfoundry_space" "space" {
-  org_name = var.cf_org_name
-  name     = var.cf_space_name
-}
-
-###
-# RDS instance
-###
-
-data "cloudfoundry_service" "rds" {
-  name = "aws-rds"
-}
-
-resource "cloudfoundry_service_instance" "rds" {
-  name             = "<%= app_name %>-rds-${var.env}"
-  space            = data.cloudfoundry_space.space.id
-  service_plan     = data.cloudfoundry_service.rds.service_plans[var.rds_plan_name]
-  recursive_delete = var.recursive_delete
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/providers.tf

@@ -1,16 +0,0 @@
-terraform {
-  required_version = "~> 1.0"
-  required_providers {
-    cloudfoundry = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
-    }
-  }
-}
-
-provider "cloudfoundry" {
-  api_url      = var.cf_api_url
-  user         = var.cf_user
-  password     = var.cf_password
-  app_logs_max = 30
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/variables.tf

@@ -1,42 +0,0 @@
-variable "cf_api_url" {
-  type        = string
-  description = "cloud.gov api url"
-  default     = "https://api.fr.cloud.gov"
-}
-
-variable "cf_user" {
-  type        = string
-  description = "cloud.gov deployer account user"
-}
-
-variable "cf_password" {
-  type        = string
-  description = "secret; cloud.gov deployer account password"
-  sensitive   = true
-}
-
-variable "cf_org_name" {
-  type        = string
-  description = "cloud.gov organization name"
-}
-
-variable "cf_space_name" {
-  type        = string
-  description = "cloud.gov space name (staging or prod)"
-}
-
-variable "env" {
-  type        = string
-  description = "deployment environment (staging, production)"
-}
-
-variable "recursive_delete" {
-  type        = bool
-  description = "when true, deletes service bindings attached to the resource (not recommended for production)"
-  default     = false
-}
-
-variable "rds_plan_name" {
-  type        = string
-  description = "name of the service plan name to create"
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/main.tf.tt

@@ -1,46 +0,0 @@
-###
-# Target space/org
-###
-
-data "cloudfoundry_space" "space" {
-  org_name = var.cf_org_name
-  name     = var.cf_space_name
-}
-
-###
-# Route mapping and CDN instance
-###
-
-data "cloudfoundry_app" "app" {
-  name_or_id = "<%= app_name %>-${var.env}"
-  space      = data.cloudfoundry_space.space.id
-}
-
-###########################################################################
-# Route must be manually created by an OrgManager before terraform is run:
-#
-# cf create-domain <%= cloud_gov_organization %> TKTK-production-domain-name
-###########################################################################
-data "cloudfoundry_domain" "origin_url" {
-  name = var.domain_name
-}
-
-resource "cloudfoundry_route" "origin_route" {
-  domain = data.cloudfoundry_domain.origin_url.id
-  space  = data.cloudfoundry_space.space.id
-  target {
-    app = data.cloudfoundry_app.app.id
-  }
-}
-
-data "cloudfoundry_service" "external_domain" {
-  name = "external-domain"
-}
-
-resource "cloudfoundry_service_instance" "external_domain_instance" {
-  name             = "<%= app_name %>-domain-${var.env}"
-  space            = data.cloudfoundry_space.space.id
-  service_plan     = data.cloudfoundry_service.external_domain.service_plans[var.cdn_plan_name]
-  recursive_delete = var.recursive_delete
-  json_params      = "{\"domains\": \"${var.domain_name}\"}"
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/providers.tf

@@ -1,16 +0,0 @@
-terraform {
-  required_version = "~> 1.0"
-  required_providers {
-    cloudfoundry = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
-    }
-  }
-}
-
-provider "cloudfoundry" {
-  api_url      = var.cf_api_url
-  user         = var.cf_user
-  password     = var.cf_password
-  app_logs_max = 30
-}