RubyGems - rails_template_18f - Versions diffs - 0.8.0 → 0.8.2 - Mend

rails_template_18f 0.8.0 → 0.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

data/templates/bin/ops/create_service_account.sh.tt ADDED Viewed

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+org="<%= @cloud_gov_organization %>"
+usage="
+$0: Create a Service User Account for a given space
+Usage:
+  $0 -h
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
+Options:
+-h: show help and exit
+-s <SPACE NAME>: configure the space to act on. Required
+-u <USER NAME>: set the service user name. Required
+-r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
+-o <ORG NAME>: configure the organization to act on. Default: $org
+"
+set -e
+set -o pipefail
+space=""
+service=""
+role="space-deployer"
+while getopts ":hs:u:r:o:" opt; do
+  case "$opt" in
+    s)
+      space=${OPTARG}
+      ;;
+    u)
+      service=${OPTARG}
+      ;;
+    r)
+      role=${OPTARG}
+      ;;
+    o)
+      org=${OPTARG}
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+if ! command -v jq &> /dev/null
+then
+  echo "jq must be installed. Run 'brew bundle' to install everything in the Brewfile"
+  exit 1
+fi
+if [[ $space = "" || $service = "" ]]; then
+  echo "$usage"
+  exit 1
+fi
+cf target -o $org -s $space 1>&2
+# create user account service
+cf create-service cloud-gov-service-account $role $service 1>&2
+# create service key
+cf create-service-key $service service-account-key 1>&2
+# output service key to stdout in secrets.auto.tfvars format
+creds=`cf service-key $service service-account-key | tail -n +2 | jq '.credentials'`
+username=`echo $creds | jq -r '.username'`
+password=`echo $creds | jq -r '.password'`
+cat << EOF
+# generated with $0 -s $space -u $service -r $role -o $org
+# revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org
+cf_user = "$username"
+cf_password = "$password"
+EOF

data/templates/bin/ops/destroy_service_account.sh.tt ADDED Viewed

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+org="<%= @cloud_gov_organization %>"
+usage="
+$0: Destroy a Service User Account in a given space
+Usage:
+  $0 -h
+  $0 -s <SPACE NAME> -u <USER NAME> [-o <ORG NAME>]
+Options:
+-h: show help and exit
+-s <SPACE NAME>: configure the space to act on. Required
+-u <USER NAME>: configure the service user name to destroy. Required
+-o <ORG NAME>: configure the organization to act on. Default: $org
+"
+set -e
+space=""
+service=""
+while getopts ":hs:u:o:" opt; do
+  case "$opt" in
+    s)
+      space=${OPTARG}
+      ;;
+    u)
+      service=${OPTARG}
+      ;;
+    o)
+      org=${OPTARG}
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+if [[ $space = "" || $service = "" ]]; then
+  echo "$usage"
+  exit 1
+fi
+cf target -o $org -s $space
+# destroy service key
+cf delete-service-key $service service-account-key -f
+# destroy service
+cf delete-service $service -f

data/{lib/generators/rails_template18f/terraform/templates/terraform → templates/bin/ops}/set_space_egress.sh.tt RENAMED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-org="<%= cloud_gov_organization %>"
+org="<%= @cloud_gov_organization %>"
 usage="
 $0: Set egress rules for given space

data/templates/config/environments/ci.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require_relative "./production"
+require_relative "production"
 Rails.application.configure do
   config.public_file_server.enabled = true

data/templates/config/environments/staging.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require_relative "./production"
+require_relative "production"
 Rails.application.configure do
   # insert any staging overrides here

data/templates/doc/compliance/TODO.md ADDED Viewed

@@ -0,0 +1,37 @@
+Compliance Tasks
+================
+This file contains a list of some tasks that can make your compliance journey a bit easier.
+These instructions assume that your application is being hosted on cloud.gov.
+Egress Spaces
+-------------
+If your application requires outbound communication to services outside of cloud.gov:
+1. Set up `<env>-egress` spaces for each environment.
+1. Set that space to public egress with `bin/ops/set_space_egress.sh -s <env>-egress -p`
+1. Run [cg-egress-proxy](https://github.com/GSA/cg-egress-proxy#deploying-proxies-for-a-bunch-of-apps-automatically) in that space
+1. Send all outbound traffic from your app through the proxy
+1. Document this use under the SC-7 security control
+Log Drains
+----------
+Follow these directions to send your logs to an external consumer, such an S3 bucket for GSA SOC to ingest or New Relic
+1. Deploy the [logstash-shipper](https://github.com/GSA/datagov-logstack#setup) app in a management space. The management space could be its own space, or `<env>-egress`
+1. Deploy a [space-drain](https://github.com/GSA/datagov-logstack/blob/main/create-space-drain.sh) so that any app deployed to that space automatically has its logs shipped
+Drift Detection
+---------------
+1. Deploy [Watchtower](https://github.com/18F/watchtower) for drift detection
+Future Good Ideas
+-----------------
+Other things that would be useful, but without decent implementations yet:
+* For RA-5, deploy a Monit sidecar buildpack to restart app if any anomalys are detected

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.8.2
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-07-14 00:00:00.000000000 Z
+date: 2024-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -178,27 +178,9 @@ files:
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/create_space_deployer.sh
-- lib/generators/rails_template18f/terraform/templates/terraform/destroy_space_deployer.sh
 - lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/production/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/set_space_egress.sh.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/database/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/variables.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/main.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/providers.tf
-- lib/generators/rails_template18f/terraform/templates/terraform/shared/s3/variables.tf
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/variables.tf
@@ -223,6 +205,9 @@ files:
 - templates/app/views/application/_demo_site_banner.html.erb
 - templates/app/views/application/_header.html.erb
 - templates/app/views/application/_usa_banner.html.erb
+- templates/bin/ops/create_service_account.sh.tt
+- templates/bin/ops/destroy_service_account.sh.tt
+- templates/bin/ops/set_space_egress.sh.tt
 - templates/bin/owasp-scan
 - templates/bin/pa11y-scan
 - templates/bin/with-server
@@ -236,6 +221,7 @@ files:
 - templates/doc/adr/0003-security-scans.md.tt
 - templates/doc/adr/0004-rails-csp-compliant-script-tag-helpers.md.tt
 - templates/doc/compliance/README.md
+- templates/doc/compliance/TODO.md
 - templates/doc/compliance/apps/application.boundary.md.tt
 - templates/doc/compliance/rendered/apps/.keep
 - templates/editorconfig
@@ -268,7 +254,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.9
 signing_key:
 specification_version: 4
 summary: Generators for creating an 18F-flavored Rails app

data/lib/generators/rails_template18f/terraform/templates/terraform/create_space_deployer.sh DELETED Viewed

@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-set -e
-set -o pipefail
-if [[ $# -lt 2 ]]; then
-  echo "$0 <<SPACE_NAME>> <<ACCOUNT_NAME>>"
-  exit 1;
-fi
-space=$1
-service=$2
-cf target -s $space 1>&2
-# create space deployer service
-cf create-service cloud-gov-service-account space-deployer $service 1>&2
-# create service key
-cf create-service-key $service space-deployer-key 1>&2
-# output service key to stdout in secrets.auto.tfvars format
-creds=`cf service-key $service space-deployer-key | tail -n 4`
-username=`echo $creds | jq '.username'`
-password=`echo $creds | jq '.password'`
-cat << EOF
-# generated with $0 $space $service
-# revoke with $(dirname $0)/destroy_space_deployer.sh $space $service
-cf_user = $username
-cf_password = $password
-EOF

data/lib/generators/rails_template18f/terraform/templates/terraform/destroy_space_deployer.sh DELETED Viewed

@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-set -e
-if [[ $# -ne 2 ]]; then
-  echo "$0 <<SPACE_NAME>> <<ACCOUNT_NAME>>"
-  exit 1;
-fi
-space=$1
-service=$2
-cf target -s $space
-# destroy service key
-cf delete-service-key $service space-deployer-key -f
-# destroy service
-cf delete-service $service -f

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/main.tf.tt DELETED Viewed

@@ -1,50 +0,0 @@
-###
-# Target space/org
-###
-data "cloudfoundry_space" "space" {
-  org_name = var.cf_org_name
-  name     = var.cf_space_name
-}
-data "cloudfoundry_domain" "internal" {
-  name = "apps.internal"
-}
-data "cloudfoundry_app" "app" {
-  name_or_id = "<%= app_name %>-${var.env}"
-  space = data.cloudfoundry_space.space.id
-}
-###
-# ClamAV API app
-###
-resource "cloudfoundry_route" "clamav_route" {
-  space    = data.cloudfoundry_space.space.id
-  domain   = data.cloudfoundry_domain.internal.id
-  hostname = "<%= app_name %>-clamapi-${var.env}"
-}
-resource "cloudfoundry_app" "clamav_api" {
-  name         = "<%= app_name %>-clamav-api-${var.env}"
-  space        = data.cloudfoundry_space.space.id
-  memory       = var.clamav_memory
-  disk_quota   = 2048
-  timeout      = 600
-  docker_image = var.clamav_image
-  routes {
-    route = cloudfoundry_route.clamav_route.id
-  }
-  environment = {
-    MAX_FILE_SIZE = var.max_file_size
-  }
-}
-resource "cloudfoundry_network_policy" "clamav_routing" {
-  policy {
-    source_app      = data.cloudfoundry_app.app.id
-    destination_app = cloudfoundry_app.clamav_api.id
-    port            = "9443"
-  }
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/providers.tf DELETED Viewed

@@ -1,16 +0,0 @@
-terraform {
-  required_version = "~> 1.0"
-  required_providers {
-    cloudfoundry = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
-    }
-  }
-}
-provider "cloudfoundry" {
-  api_url      = var.cf_api_url
-  user         = var.cf_user
-  password     = var.cf_password
-  app_logs_max = 30
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/clamav/variables.tf DELETED Viewed

@@ -1,47 +0,0 @@
-variable "cf_api_url" {
-  type        = string
-  description = "cloud.gov api url"
-  default     = "https://api.fr.cloud.gov"
-}
-variable "cf_user" {
-  type        = string
-  description = "cloud.gov deployer account user"
-}
-variable "cf_password" {
-  type        = string
-  description = "secret; cloud.gov deployer account password"
-  sensitive   = true
-}
-variable "cf_org_name" {
-  type        = string
-  description = "cloud.gov organization name"
-}
-variable "cf_space_name" {
-  type        = string
-  description = "cloud.gov space name (staging or prod)"
-}
-variable "env" {
-  type        = string
-  description = "deployment environment (staging, production)"
-}
-variable "clamav_image" {
-  type        = string
-  description = "Docker image to deploy the clamav api app"
-}
-variable "clamav_memory" {
-  type        = number
-  description = "Memory in MB to allocate to clamav app"
-  default     = 3072
-}
-variable "max_file_size" {
-  type        = string
-  description = "Maximum file size the API will accept for scanning"
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/main.tf.tt DELETED Viewed

@@ -1,23 +0,0 @@
-###
-# Target space/org
-###
-data "cloudfoundry_space" "space" {
-  org_name = var.cf_org_name
-  name     = var.cf_space_name
-}
-###
-# RDS instance
-###
-data "cloudfoundry_service" "rds" {
-  name = "aws-rds"
-}
-resource "cloudfoundry_service_instance" "rds" {
-  name             = "<%= app_name %>-rds-${var.env}"
-  space            = data.cloudfoundry_space.space.id
-  service_plan     = data.cloudfoundry_service.rds.service_plans[var.rds_plan_name]
-  recursive_delete = var.recursive_delete
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/providers.tf DELETED Viewed

@@ -1,16 +0,0 @@
-terraform {
-  required_version = "~> 1.0"
-  required_providers {
-    cloudfoundry = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
-    }
-  }
-}
-provider "cloudfoundry" {
-  api_url      = var.cf_api_url
-  user         = var.cf_user
-  password     = var.cf_password
-  app_logs_max = 30
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/database/variables.tf DELETED Viewed

@@ -1,42 +0,0 @@
-variable "cf_api_url" {
-  type        = string
-  description = "cloud.gov api url"
-  default     = "https://api.fr.cloud.gov"
-}
-variable "cf_user" {
-  type        = string
-  description = "cloud.gov deployer account user"
-}
-variable "cf_password" {
-  type        = string
-  description = "secret; cloud.gov deployer account password"
-  sensitive   = true
-}
-variable "cf_org_name" {
-  type        = string
-  description = "cloud.gov organization name"
-}
-variable "cf_space_name" {
-  type        = string
-  description = "cloud.gov space name (staging or prod)"
-}
-variable "env" {
-  type        = string
-  description = "deployment environment (staging, production)"
-}
-variable "recursive_delete" {
-  type        = bool
-  description = "when true, deletes service bindings attached to the resource (not recommended for production)"
-  default     = false
-}
-variable "rds_plan_name" {
-  type        = string
-  description = "name of the service plan name to create"
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/main.tf.tt DELETED Viewed

@@ -1,46 +0,0 @@
-###
-# Target space/org
-###
-data "cloudfoundry_space" "space" {
-  org_name = var.cf_org_name
-  name     = var.cf_space_name
-}
-###
-# Route mapping and CDN instance
-###
-data "cloudfoundry_app" "app" {
-  name_or_id = "<%= app_name %>-${var.env}"
-  space      = data.cloudfoundry_space.space.id
-}
-###########################################################################
-# Route must be manually created by an OrgManager before terraform is run:
-#
-# cf create-domain <%= cloud_gov_organization %> TKTK-production-domain-name
-###########################################################################
-data "cloudfoundry_domain" "origin_url" {
-  name = var.domain_name
-}
-resource "cloudfoundry_route" "origin_route" {
-  domain = data.cloudfoundry_domain.origin_url.id
-  space  = data.cloudfoundry_space.space.id
-  target {
-    app = data.cloudfoundry_app.app.id
-  }
-}
-data "cloudfoundry_service" "external_domain" {
-  name = "external-domain"
-}
-resource "cloudfoundry_service_instance" "external_domain_instance" {
-  name             = "<%= app_name %>-domain-${var.env}"
-  space            = data.cloudfoundry_space.space.id
-  service_plan     = data.cloudfoundry_service.external_domain.service_plans[var.cdn_plan_name]
-  recursive_delete = var.recursive_delete
-  json_params      = "{\"domains\": \"${var.domain_name}\"}"
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/providers.tf DELETED Viewed

@@ -1,16 +0,0 @@
-terraform {
-  required_version = "~> 1.0"
-  required_providers {
-    cloudfoundry = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
-    }
-  }
-}
-provider "cloudfoundry" {
-  api_url      = var.cf_api_url
-  user         = var.cf_user
-  password     = var.cf_password
-  app_logs_max = 30
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/domain/variables.tf DELETED Viewed

@@ -1,47 +0,0 @@
-variable "cf_api_url" {
-  type        = string
-  description = "cloud.gov api url"
-  default     = "https://api.fr.cloud.gov"
-}
-variable "cf_user" {
-  type        = string
-  description = "cloud.gov deployer account user"
-}
-variable "cf_password" {
-  type        = string
-  description = "secret; cloud.gov deployer account password"
-  sensitive   = true
-}
-variable "cf_org_name" {
-  type        = string
-  description = "cloud.gov organization name"
-}
-variable "cf_space_name" {
-  type        = string
-  description = "cloud.gov space name (staging or prod)"
-}
-variable "env" {
-  type        = string
-  description = "deployment environment (staging, production)"
-}
-variable "recursive_delete" {
-  type        = bool
-  description = "when true, deletes service bindings attached to the resource (not recommended for production)"
-  default     = false
-}
-variable "cdn_plan_name" {
-  type        = string
-  description = "name of the service plan name to create"
-}
-variable "domain_name" {
-  type        = string
-  description = "DNS name users will be accessing site"
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/main.tf.tt DELETED Viewed

@@ -1,23 +0,0 @@
-###
-# Target space/org
-###
-data "cloudfoundry_space" "space" {
-  org_name = var.cf_org_name
-  name     = var.cf_space_name
-}
-###
-# RDS instance
-###
-data "cloudfoundry_service" "redis" {
-  name = "aws-elasticache-redis"
-}
-resource "cloudfoundry_service_instance" "redis" {
-  name             = "<%= app_name %>-redis-${var.env}"
-  space            = data.cloudfoundry_space.space.id
-  service_plan     = data.cloudfoundry_service.redis.service_plans[var.redis_plan_name]
-  recursive_delete = var.recursive_delete
-}

data/lib/generators/rails_template18f/terraform/templates/terraform/shared/redis/providers.tf DELETED Viewed

@@ -1,16 +0,0 @@
-terraform {
-  required_version = "~> 1.0"
-  required_providers {
-    cloudfoundry = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
-    }
-  }
-}
-provider "cloudfoundry" {
-  api_url      = var.cf_api_url
-  user         = var.cf_user
-  password     = var.cf_password
-  app_logs_max = 30
-}