rails_template_18f 0.8.0 → 0.8.2

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -4,26 +4,39 @@ This directory holds the terraform modules for maintaining your complete persist
 
 Prerequisite: install the `jq` JSON processor: `brew bundle` or `brew install jq`
 
-## Initial setup
+## Initial project setup
 
-1. Manually run the bootstrap module following instructions under `Terraform State Credentials`
+These steps only need to be run once per project.
+
+1. Manually [bootstrap the state storage bucket](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time) within the `bootstrap` directory
 1. Setup CI/CD Pipeline to run Terraform
-  1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
-  1. Create a cloud.gov SpaceDeployer by following the instructions under `SpaceDeployers`
-  1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
+    1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
+    1. Create a cloud.gov SpaceDeployer by following the instructions under `SpaceDeployers`
+    1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
 1. Manually Running Terraform
-  1. Follow instructions under `Set up a new environment` to create your infrastructure
+    1. Follow instructions under `Set up a new environment` to create your infrastructure
+
+## Initial developer setup
+
+These steps should be run for any developer that needs to start running terraform or who just moved to a new machine.
+
+They are not necessary for the developer who runs the [initial project setup](#initial-project-setup)
+
+1. Import the existing bootstrap resources to your local state with `./import.sh`
+1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
+
 
 ## Terraform State Credentials
 
-The bootstrap module is used to create an s3 bucket for later terraform runs to store their state in.
+The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in.
 
 ### Bootstrapping the state storage s3 buckets for the first time
 
-1. Run `terraform init`
-1. Run `./run.sh plan` to verify that the changes are what you expect
+These steps are run once per project.
+
+1. Run `./run.sh init`
 1. Run `./run.sh apply` to set up the bucket and retrieve credentials
-1. Follow instructions under `Use bootstrap credentials`
+1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
 1. Ensure that `import.sh` includes a line and correct IDs for any resources created
 1. Run `./teardown_creds.sh` to remove the space deployer account used to create the s3 bucket
 
@@ -31,43 +44,35 @@ The bootstrap module is used to create an s3 bucket for later terraform runs to
 
 *This should not be necessary in most cases*
 
-1. Run `terraform init`
-1. If you don't have terraform state locally:
-    1. run `./import.sh`
-    1. optionally run `./run.sh apply` to include the existing outputs in the state file
 1. Make your changes
-1. Continue from step 2 of the boostrapping instructions
-
-### Retrieving existing bucket credentials
+1. Run `./run.sh plan` to verify the changes are what you expect
+1. Continue from step 2 of the [boostrapping instructions](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time)
 
-1. Run `./run.sh show`
-1. Follow instructions under `Use bootstrap credentials`
-
-#### Use bootstrap credentials
+### Use bootstrap credentials
 
 1. Add the following to `~/.aws/credentials`
     ```
     [<%= app_name %>-terraform-backend]
-    aws_access_key_id = <access_key_id from bucket_credentials>
-    aws_secret_access_key = <secret_access_key from bucket_credentials>
+    aws_access_key_id = <AWS_ACCESS_KEY_ID from run.sh output>
+    aws_secret_access_key = <AWS_SECRET_ACCESS_KEY from run.sh output>
     ```
 
-1. Copy `bucket` from `bucket_credentials` output to the backend block of `staging/providers.tf` and `production/providers.tf`
+1. Copy `BUCKET` from `run.sh` output to the backend block of `staging/providers.tf` and `production/providers.tf`
 
 ## SpaceDeployers
 
 A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or
 deploy the application from the CI/CD pipeline. Create a new account by running:
 
-`./create_space_deployer.sh <SPACE_NAME> <ACCOUNT_NAME>`
+`../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>`
 
 ## Set up a new environment manually
 
-The below steps rely on you first configuring access to the Terraform state in s3 as described in [Terraform State Credentials](#terraform-state-credentials).
+The below steps rely on you first configuring access to the Terraform state in s3 as described in [initial project setup](#initial-project-setup) or [initial developer setup](#initial-developer-setup).
 
 1. `cd` to the environment you are working in
 
-1. Set up a SpaceDeployer
+1. Set up a SpaceDeployer and save the credentials in a file named `secrets.auto.tfvars`
     ```bash
     # create a space deployer service instance that can log in with just a username and password
     # the value of < SPACE_NAME > should be `staging` or `prod` depending on where you are working
@@ -75,12 +80,12 @@ The below steps rely on you first configuring access to the Terraform state in s
     # something that communicates the purpose of the deployer
     # for example: circleci-deployer for the credentials CircleCI uses to
     # deploy the application or <your_name>-terraform for credentials to run terraform manually
-    ../create_space_deployer.sh <SPACE_NAME> <ACCOUNT_NAME> > secrets.auto.tfvars
+    ../../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> > secrets.auto.tfvars
     ```
 
     The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. Read more in the [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/).
 
-    The easiest way to use this script is to redirect the output directly to the `secrets.auto.tfvars` file it needs to be used in
+    The easiest way to use this script locally is to redirect the output directly to the `secrets.auto.tfvars` file it needs to be used in
 
 1. Run terraform from your new environment directory with
     ```bash
@@ -90,15 +95,15 @@ The below steps rely on you first configuring access to the Terraform state in s
 
 1. Apply changes with `terraform apply`.
 
-1. Remove the space deployer service instance if it doesn't need to be used again, such as when manually running terraform once.
+1. Remove the space deployer service instance if it doesn't need to be used again, such as when manually running terraform plan before letting CI/CD apply the changes.
     ```bash
     # <SPACE_NAME> and <ACCOUNT_NAME> have the same values as used above.
-    ../destroy_space_deployer.sh <SPACE_NAME> <ACCOUNT_NAME>
+    ../../bin/ops/destroy_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>
     ```
 
 ## Structure
 
-Each environment has its own module, which relies on a shared module for everything except the providers code and environment specific variables and settings.
+Each environment has its own module.
 
 ```
 - bootstrap/
@@ -111,38 +116,18 @@ Each environment has its own module, which relies on a shared module for everyth
 - <env>/
   |- main.tf
   |- providers.tf
-  |- secrets.auto.tfvars
   |- variables.tf
-- shared/
-  |- s3/
-     |- main.tf
-     |- providers.tf
-     |- variables.tf
-  |- database/
-     |- main.tf
-     |- providers.tf
-     |- variables.tf
-  |- domain/
-     |- main.tf
-     |- providers.tf
-     |- variables.tf
 ```
 
-In the shared modules:
-- `providers.tf` contains set up instructions for Terraform about Cloud Foundry and AWS
-- `main.tf` sets up the data and resources the application relies on
-- `variables.tf` lists the required variables and applicable default values
-
 In the environment-specific modules:
 - `providers.tf` lists the required providers
 - `main.tf` calls the shared Terraform code, but this is also a place where you can add any other services, resources, etc, which you would like to set up for that environment
 - `variables.tf` lists the variables that will be needed, either to pass through to the child module or for use in this module
-- `secrets.auto.tfvars` is a file which contains the information about the service-key and other secrets that should not be shared
 
 In the bootstrap module:
 - `providers.tf` lists the required providers
 - `main.tf` sets up s3 bucket to be shared across all environments. It lives in `prod` to communicate that it should not be deleted
 - `variables.tf` lists the variables that will be needed. Most values are hard-coded in this module
-- `run.sh` Helper script to set up a space deployer and run terraform. The terraform action (`show`/`plan`/`apply`/`destroy`) is passed as an argument
+- `run.sh` Helper script to set up a space deployer and run terraform. The terraform action (`init`/`show`/`plan`/`apply`/`destroy`) is passed as an argument
 - `teardown_creds.sh` Helper script to remove the space deployer setup as part of `run.sh`
-- `import.sh` Helper script to create a new local state file in case terraform changes are needed
+- `import.sh` Helper script to create a new local state file when new developers need to access the state file

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/import.sh

@@ -4,6 +4,7 @@ read -p "Are you sure you want to import terraform state (y/n)? " verify
 
 if [[ $verify == "y" ]]; then
   echo "Importing bootstrap state"
+  ./run.sh init
   ./run.sh import module.s3.cloudfoundry_service_instance.bucket TKTK
   ./run.sh import cloudfoundry_service_key.bucket_creds TKTK
   ./run.sh plan

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/main.tf.tt

@@ -1,18 +1,14 @@
 locals {
-  cf_api_url      = "https://api.fr.cloud.gov"
   s3_service_name = "<%= app_name %>-terraform-state"
 }
 
 module "s3" {
-  source = "../shared/s3"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
 
-  cf_api_url      = local.cf_api_url
-  cf_user         = var.cf_user
-  cf_password     = var.cf_password
-  cf_org_name     = "<%= cloud_gov_organization %>"
-  cf_space_name   = "<%= cloud_gov_production_space %>"
-  s3_service_name = local.s3_service_name<% if cloud_gov_organization == "sandbox-gsa" %>
-  s3_plan_name    = "basic-sandbox"<% end %>
+  cf_org_name   = "<%= cloud_gov_organization %>"
+  cf_space_name = "<%= cloud_gov_production_space %>"
+  name          = local.s3_service_name<% if cloud_gov_organization == "sandbox-gsa" %>
+  s3_plan_name  = "basic-sandbox"<% end %>
 }
 
 resource "cloudfoundry_service_key" "bucket_creds" {
@@ -21,5 +17,6 @@ resource "cloudfoundry_service_key" "bucket_creds" {
 }
 
 output "bucket_credentials" {
-  value = cloudfoundry_service_key.bucket_creds.credentials
+  value     = cloudfoundry_service_key.bucket_creds.credentials
+  sensitive = true
 }

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/providers.tf

@@ -3,14 +3,14 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
+      version = "0.53.1"
     }
   }
 }
 
 provider "cloudfoundry" {
-  api_url      = local.cf_api_url
+  api_url      = "https://api.fr.cloud.gov"
   user         = var.cf_user
   password     = var.cf_password
   app_logs_max = 30
-}
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt

@@ -1,12 +1,39 @@
 #!/usr/bin/env bash
 
+if ! command -v jq &> /dev/null
+then
+  echo "jq must be installed. Run 'brew bundle' to install everything in the Brewfile"
+  exit 1
+fi
+if ! command -v terraform &> /dev/null
+then
+  echo "terraform must be installed before running this script"
+  exit 1
+fi
+
+dig_output () {
+  dig_result=`cat terraform.tfstate | jq -r ".outputs.bucket_credentials.value.$1"`
+}
+
 if [[ ! -f "secrets.auto.tfvars" ]]; then
-  ../create_space_deployer.sh <%= cloud_gov_production_space %> config-bootstrap-deployer > secrets.auto.tfvars
+  ../../bin/ops/create_service_account.sh -s <%= cloud_gov_production_space %> -u config-bootstrap-deployer > secrets.auto.tfvars
 fi
 
 if [[ $# -gt 0 ]]; then
   echo "Running terraform $@"
   terraform $@
+  if [[ -f terraform.tfstate ]]; then
+    echo
+    echo "Credentials for terraform state bucket:"
+    dig_output "bucket"
+    echo "BUCKET=$dig_result"
+    dig_output "access_key_id"
+    echo "AWS_ACCESS_KEY_ID=$dig_result"
+    dig_output "secret_access_key"
+    echo "AWS_SECRET_ACCESS_KEY=$dig_result"
+    dig_output "region"
+    echo "AWS_REGION=$dig_result"
+  fi
 else
   echo "Not running terraform"
 fi

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-../destroy_space_deployer.sh <%= cloud_gov_production_space %> config-bootstrap-deployer
+../../bin/ops/destroy_service_account.sh -s <%= cloud_gov_production_space %> -u config-bootstrap-deployer
 
 rm secrets.auto.tfvars

data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt

@@ -2,44 +2,35 @@ locals {
   cf_org_name      = "<%= cloud_gov_organization %>"
   cf_space_name    = "<%= cloud_gov_production_space %>"
   env              = "production"
-  recursive_delete = false
+  app_name         = "<%= app_name %>"
 }
 
 module "database" {
-  source = "../shared/database"
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.0.0"
 
-  cf_user          = var.cf_user
-  cf_password      = var.cf_password
-  cf_org_name      = local.cf_org_name
-  cf_space_name    = local.cf_space_name
-  env              = local.env
-  recursive_delete = local.recursive_delete
-  rds_plan_name    = "TKTK-production-rds-plan"
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  name          = "${local.app_name}-rds-${local.env}"
+  rds_plan_name = "TKTK-production-rds-plan"
 }
 <% if has_active_job? %>
 module "redis" {
-  source = "../shared/redis"
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.0.0"
 
-  cf_user          = var.cf_user
-  cf_password      = var.cf_password
-  cf_org_name      = local.cf_org_name
-  cf_space_name    = local.cf_space_name
-  env              = local.env
-  recursive_delete = local.recursive_delete
-  redis_plan_name  = "TKTK-production-redis-plan"
+  cf_org_name     = local.cf_org_name
+  cf_space_name   = local.cf_space_name
+  name            = "${local.app_name}-redis-${local.env}"
+  redis_plan_name = "TKTK-production-redis-plan"
 }
 <% end %>
 <% if has_active_storage? %>
 module "s3" {
-  source = "../shared/s3"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
 
-  cf_user          = var.cf_user
-  cf_password      = var.cf_password
-  cf_org_name      = local.cf_org_name
-  cf_space_name    = local.cf_space_name
-  recursive_delete = local.recursive_delete
-  s3_service_name  = "<%= app_name %>-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
-  s3_plan_name     = "basic-sandbox"<% end %>
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  name          = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
+  s3_plan_name  = "basic-sandbox"<% end %>
 }
 
 ###########################################################################
@@ -49,15 +40,14 @@ module "s3" {
 # 2) Your organization has sufficient memory. Each clamav app requires 3GB
 ###########################################################################
 # module "clamav" {
-#   source = "../shared/clamav"
+#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.0.0"
 #
-#   cf_user       = var.cf_user
-#   cf_password   = var.cf_password
-#   cf_org_name   = local.cf_org_name
-#   cf_space_name = local.cf_space_name
-#   env           = local.env
-#   clamav_image  = "ajilaag/clamav-rest:20211229"
-#   max_file_size = "30M"
+#   cf_org_name    = local.cf_org_name
+#   cf_space_name  = local.cf_space_name
+#   app_name_or_id = "${local.app_name}-${local.env}"
+#   name           = "${local.app_name}-clamapi-${local.env}"
+#   clamav_image   = "ghcr.io/gsa-tts/clamav-rest/clamav:20240602"
+#   max_file_size  = "30M"
 # }
 <% end %>
 
@@ -69,14 +59,12 @@ module "s3" {
 #     `cf create-domain <%= cloud_gov_organization %> TKTK-production-domain-name`
 ###########################################################################
 # module "domain" {
-#   source = "../shared/domain"
+#   source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v1.0.0"
 #
-#   cf_user          = var.cf_user
-#   cf_password      = var.cf_password
-#   cf_org_name      = local.cf_org_name
-#   cf_space_name    = local.cf_space_name
-#   env              = local.env
-#   recursive_delete = local.recursive_delete
-#   cdn_plan_name    = "domain"
-#   domain_name      = "TKTK-production-domain-name"
+#   cf_org_name    = local.cf_org_name
+#   cf_space_name  = local.cf_space_name
+#   app_name_or_id = "${local.app_name}-${local.env}"
+#   cdn_plan_name  = "domain"
+#   domain_name    = "TKTK-production-domain-name"
+#   host_name      = "TKTK-production-hostname (optional)"
 # }

data/lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
+      version = "0.53.1"
     }
   }
 
@@ -15,3 +15,10 @@ terraform {
     profile = "<%= app_name %>-terraform-backend"
   }
 }
+
+provider "cloudfoundry" {
+  api_url      = "https://api.fr.cloud.gov"
+  user         = var.cf_user
+  password     = var.cf_password
+  app_logs_max = 30
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt

@@ -2,44 +2,35 @@ locals {
   cf_org_name      = "<%= cloud_gov_organization %>"
   cf_space_name    = "<%= cloud_gov_staging_space %>"
   env              = "staging"
-  recursive_delete = true
+  app_name         = "<%= app_name %>"
 }
 
 module "database" {
-  source = "../shared/database"
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.0.0"
 
-  cf_user          = var.cf_user
-  cf_password      = var.cf_password
-  cf_org_name      = local.cf_org_name
-  cf_space_name    = local.cf_space_name
-  env              = local.env
-  recursive_delete = local.recursive_delete
-  rds_plan_name    = "micro-psql"
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  name          = "${local.app_name}-rds-${local.env}"
+  rds_plan_name = "micro-psql"
 }
 <% if has_active_job? %>
 module "redis" {
-  source = "../shared/redis"
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.0.0"
 
-  cf_user          = var.cf_user
-  cf_password      = var.cf_password
-  cf_org_name      = local.cf_org_name
-  cf_space_name    = local.cf_space_name
-  env              = local.env
-  recursive_delete = local.recursive_delete
-  redis_plan_name  = "redis-dev"
+  cf_org_name     = local.cf_org_name
+  cf_space_name   = local.cf_space_name
+  name            = "${local.app_name}-redis-${local.env}"
+  redis_plan_name = "redis-dev"
 }
 <% end %>
 <% if has_active_storage? %>
 module "s3" {
-  source = "../shared/s3"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
 
-  cf_user          = var.cf_user
-  cf_password      = var.cf_password
-  cf_org_name      = local.cf_org_name
-  cf_space_name    = local.cf_space_name
-  recursive_delete = local.recursive_delete
-  s3_service_name  = "<%= app_name %>-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
-  s3_plan_name     = "basic-sandbox"<% end %>
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  name          = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
+  s3_plan_name  = "basic-sandbox"<% end %>
 }
 
 ###########################################################################
@@ -49,14 +40,13 @@ module "s3" {
 # 2) Your organization has sufficient memory. Each clamav app requires 3GB
 ###########################################################################
 # module "clamav" {
-#   source = "../shared/clamav"
+#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.0.0"
 #
-#   cf_user       = var.cf_user
-#   cf_password   = var.cf_password
-#   cf_org_name   = local.cf_org_name
-#   cf_space_name = local.cf_space_name
-#   env           = local.env
-#   clamav_image  = "ajilaag/clamav-rest:20211229"
-#   max_file_size = "30M"
+#   cf_org_name    = local.cf_org_name
+#   cf_space_name  = local.cf_space_name
+#   app_name_or_id = "${local.app_name}-${local.env}"
+#   name           = "${local.app_name}-clamapi-${local.env}"
+#   clamav_image   = "ghcr.io/gsa-tts/clamav-rest/clamav:20240602"
+#   max_file_size  = "30M"
 # }
 <% end %>

data/lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
+      version = "0.53.1"
     }
   }
 
@@ -15,3 +15,10 @@ terraform {
     profile = "<%= app_name %>-terraform-backend"
   }
 }
+
+provider "cloudfoundry" {
+  api_url      = "https://api.fr.cloud.gov"
+  user         = var.cf_user
+  password     = var.cf_password
+  app_logs_max = 30
+}

data/lib/generators/rails_template18f/terraform/terraform_generator.rb

@@ -15,20 +15,10 @@ module RailsTemplate18f
 
       def install
         directory "terraform", mode: :preserve
-        chmod "terraform/set_space_egress.sh", 0o755
         chmod "terraform/bootstrap/run.sh", 0o755
         chmod "terraform/bootstrap/teardown_creds.sh", 0o755
       end
 
-      def install_jq
-        append_to_file "Brewfile", <<~EOB
-
-          # used in terraform/create_space_deployer.sh
-          brew "jq"
-        EOB
-        insert_into_file "README.md", indent("* [jq](https://stedolan.github.io/jq/)\n"), after: /\* Install homebrew dependencies: `brew bundle`\n/
-      end
-
       def ignore_files
         unless skip_git?
           append_to_file ".gitignore", <<~EOM

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "0.8.0"
+  VERSION = "0.8.2"
 end

data/template.rb

@@ -58,6 +58,15 @@ compliance_template_submodule = compliance_template && yes?("Clone #{compliance_
 if compliance_template_submodule
   compliance_template_repo = ask("What is the git clone address of your compliance-template fork?")
 end
+if compliance_template_repo.blank?
+  register_announcement("OSCAL Documentation", <<~EOM)
+    Skipping OSCAL files as the compliance-template fork was left blank.
+
+    Re-run the oscal generator after creating your template fork to get started with OSCAL.
+  EOM
+  compliance_template = false
+  compliance_template_submodule = false
+end
 
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
@@ -141,6 +150,9 @@ end
 
 # setup pa11y and owasp scanning
 directory "bin", mode: :preserve
+chmod "bin/ops/create_service_account.sh", 0o755
+chmod "bin/ops/destroy_service_account.sh", 0o755
+chmod "bin/ops/set_space_egress.sh", 0o755
 copy_file "pa11yci", ".pa11yci"
 copy_file "editorconfig", ".editorconfig"
 copy_file "zap.conf"
@@ -234,7 +246,7 @@ end
 # setup USWDS and asset pipeline
 copy_file "browserslistrc", ".browserslistrc" if webpack?
 after_bundle do
-  run 'npm set-script build:css "postcss ./app/assets/stylesheets/application.postcss.scss -o ./app/assets/builds/application.css"'
+  run 'npm pkg set scripts.build:css="postcss ./app/assets/stylesheets/application.postcss.scss -o ./app/assets/builds/application.css"'
   # include verbose flag for dev postcss output
   gsub_file "Procfile.dev", "yarn build:css --watch", "yarn build:css --verbose --watch"
   # Replace postcss-nesting with sass since USWDS uses sass
@@ -430,6 +442,11 @@ if @circleci_pipeline
     ]
     generate "rails_template18f:circleci", *generator_arguments
   end
+  if cloud_gov_org_tktk?
+    register_announcement("CircleCI", <<~EOM)
+      * Fill in the cloud.gov organization information in .circleci/config.yml
+    EOM
+  end
   register_announcement("CircleCI", <<~EOM)
     * Create project environment variables for deploy users as defined in the Deployment section of the README
   EOM

data/templates/Brewfile

@@ -7,6 +7,9 @@ brew "postgresql@12", link: true
 # used in bin/with-server script
 brew "dockerize"
 
+# used in bin/ops/create_service_account.sh
+brew "jq"
+
 # helper scripts for creating new ADRs
 brew "adr-tools"
 

data/templates/README.md.tt

@@ -15,6 +15,7 @@ guide for an introduction to the framework.
 * Install homebrew dependencies: `brew bundle`
   * [PostgreSQL](https://www.postgresql.org/)
   * [Dockerize](https://github.com/jwilder/dockerize)
+  * [jq](https://stedolan.github.io/jq/)
   * [ADR Tools](https://github.com/npryce/adr-tools)
   * [Chromedriver](https://sites.google.com/chromium.org/driver/)
     * Chromedriver must be allowed to run. You can either do that by: