rails_template_18f 0.8.1 → 1.0.0

data/lib/generators/rails_template18f/i18n/templates/config/locales/fr.yml

@@ -16,4 +16,6 @@ fr:
       demo_banner: SITE DE TEST - N’utilisez pas de véritables données personnelles (il s’agit d’une démonstration seulement) - SITE DE TEST
       menu: Menu
       primary: Navigation primaire
+    languages:
+      selector: Langages
     skip_link: Passer au contenu principal

data/lib/generators/rails_template18f/i18n/templates/config/locales/zh.yml

@@ -13,4 +13,6 @@ zh:
       us_flag: 美国国旗
     header:
       primary: 主导航
+    languages:
+      selector: 语言
     skip_link: 跳转到主要内容

data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb

@@ -24,7 +24,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("newrelic_rpm")
-        gem "newrelic_rpm", "~> 8.4"
+        gem "newrelic_rpm", "~> 9.10"
         bundle_install
       end
 
@@ -58,42 +58,7 @@ EOB
       end
 
       def update_oscal_doc
-        if oscal_dir_exists?
-          insert_into_oscal "si-4.md", <<~EOS, after: "## Implementation a.\n"
-            New Relic is used for the purposes of monitoring and analyzing #{app_name} application data. New Relic monitors each application within #{app_name} for
-            basic container utilization (CPU, memory, disk) as a baseline of provided metrics. New Relic dashboards are used by #{app_name} operations to obtain
-            near real-time views into the metrics obtained from each application. New Relic provides application metrics that give insight into request/response rates,
-            failure rates, etc. New Relic uses this data to detect anomalies (such as potential unauthorized activity) and alerts the #{app_name} team via <<INSERT NOTIFICATION CHANNEL>>
-            in the GSA Slack. Example: a spike in failed requests may indicate an unauthorized user has entered the system and is attempting to phish for PII.
-
-            1. A subset of relevant specific metrics #{app_name} is constantly monitoring include:
-              * Abnormal cpu, memory, and disk utilization (defined in New Relic alerting rules)
-              * Number of incoming requests
-              * Request response time
-              * Application crashes (for any reason)
-              * Response status codes (high numbers of failing requests would be abnormal)
-              * Applications (by name)
-              * Abnormally high request rates
-            1. Metrics that can be audited within #{app_name} include:
-              * SSH Sessions (disabled in production under normal circumstances)
-            1. A subset of relevant incidents #{app_name} will use these metrics to protect against include:
-              * Unauthorized Access / Intrusion to #{app_name} as an Administrator
-              * Denial of Service (DoS)
-              * Improper Usage
-              * Malicious Code
-              * System Uptime
-              * High Resource Usage
-
-            When suspicious activity is encountered #{app_name} Operations audit the event through the cloud.gov logs provided at logs.fr.cloud.gov
-            (a Kibana instance allowing users to access, filter, and search their cloud.gov logs. These logs are retained automatically by cloud.gov for 180 days after creation.
-          EOS
-          insert_into_oscal "si-4.md", "The #{app_name} application logs events to stdout and stderr which are ingested by cloud.gov and New Relic.", after: "## Implementation c.\n"
-          insert_into_oscal "si-4.md", "#{app_name} Operations are responsible for monitoring the New Relic dashboards that report on specific application events and performing follow-up investigations where necessary.", after: "## Implementation d.\n"
-          insert_into_oscal "si-4.2.md", <<~EOS
-            #{app_name} is monitored using New Relic Application Performance Monitoring (APM),
-            Synthetics and Logs, which detects and alerts on abnormal responses from #{app_name} applications.
-          EOS
-        end
+        copy_oscal_component "newrelic"
       end
 
       no_tasks do

data/lib/generators/rails_template18f/newrelic/templates/oscal/component-definitions/newrelic/component-definition.json.tt

@@ -0,0 +1,113 @@
+{
+  "component-definition": {
+    "uuid": "7bbcdbff-c3d8-497f-a0fc-3ec96f4acc2d",
+    "metadata": {
+      "title": "New Relic System Monitoring Component Definition.",
+      "last-modified": "2024-06-11T12:51:11.662524+00:00",
+      "version": "0.0.1",
+      "oscal-version": "1.1.2"
+    },
+    "components": [
+      {
+        "uuid": "8eb58925-2761-4de3-86cb-72af189fe378",
+        "type": "service",
+        "title": "New Relic",
+        "description": "New Relic Application Performance Monitoring",
+        "props": [
+          {
+            "name": "Rule_Id",
+            "value": "properly-configured",
+            "remarks": "rule-config"
+          },
+          {
+            "name": "Rule_Description",
+            "value": "System Owner has configured the system to properly utilize New Relic",
+            "remarks": "rule-config"
+          }
+        ],
+        "control-implementations": [
+          {
+            "uuid": "7ba2642f-5cfa-431c-a030-afffc4e6a8d4",
+            "source": "trestle://profiles/lato/profile.json",
+            "description": "",
+            "implemented-requirements": [
+              {
+                "uuid": "fae8766e-7bf2-4d77-9c88-db5b2e9a8bfd",
+                "control-id": "si-4",
+                "description": "REPLACE_ME",
+                "props": [
+                  {
+                    "name": "implementation-status",
+                    "value": "planned"
+                  }
+                ],
+                "statements": [
+                  {
+                    "statement-id": "si-4_smt.a",
+                    "uuid": "850fcb05-724a-46a3-9faf-2574624ef1ee",
+                    "description": "New Relic is used for the purposes of monitoring and analyzing <%= app_name %> application data. New Relic monitors each application within <%= app_name %> for basic container utilization (CPU, memory, disk) as a baseline of provided metrics. New Relic dashboards are used by <%= app_name %> operations to obtain near real-time views into the metrics obtained from each application. New Relic provides application metrics that give insight into request/response rates, failure rates, etc. New Relic uses this data to detect anomalies (such as potential unauthorized activity) and alerts the <%= app_name %> team via <<INSERT NOTIFICATION CHANNEL>> in the GSA Slack. Example: a spike in failed requests may indicate an unauthorized user has entered the system and is attempting to phish for PII.\n\n1. A subset of relevant specific metrics <%= app_name %> is constantly monitoring include:\n* Abnormal cpu, memory, and disk utilization (defined in New Relic alerting rules)\n* Number of incoming requests\n* Request response time\n* Application crashes (for any reason)\n* Response status codes (high numbers of failing requests would be abnormal)\n* Applications (by name)\n* Abnormally high request rates\n1. Metrics that can be audited within <%= app_name %> include:\n* SSH Sessions (disabled in production under normal circumstances)\n1. A subset of relevant incidents <%= app_name %> will use these metrics to protect against include:\n* Unauthorized Access / Intrusion to <%= app_name %> as an Administrator\n* Denial of Service (DoS)\n* Improper Usage\n* Malicious Code\n* System Uptime\n* High Resource Usage\n\nWhen suspicious activity is encountered <%= app_name %> Operations audit the event through the cloud.gov logs provided at logs.fr.cloud.gov\n(a Kibana instance allowing users to access, filter, and search their cloud.gov logs. These logs are retained automatically by cloud.gov for 180 days after creation.",
+                    "props": [
+                      {
+                        "name": "Rule_Id",
+                        "value": "properly-configured"
+                      },
+                      {
+                        "name": "implementation-status",
+                        "value": "implemented"
+                      }
+                    ]
+                  },
+                  {
+                    "statement-id": "si-4_smt.c",
+                    "uuid": "dddcc80f-f715-4ee8-acf0-e4d9df3576c5",
+                    "description": "The <%= app_name %> application logs events to stdout and stderr which are ingested by cloud.gov and New Relic.",
+                    "props": [
+                      {
+                        "name": "Rule_Id",
+                        "value": "properly-configured"
+                      },
+                      {
+                        "name": "implementation-status",
+                        "value": "implemented"
+                      }
+                    ]
+                  },
+                  {
+                    "statement-id": "si-4_smt.d",
+                    "uuid": "017e8dab-cbd3-4054-9185-cf24d6dcd6b9",
+                    "description": "\\<%= app_name %> Operations are responsible for monitoring the New Relic dashboards that report on specific application events and performing follow-up investigations where necessary.",
+                    "props": [
+                      {
+                        "name": "Rule_Id",
+                        "value": "properly-configured"
+                      },
+                      {
+                        "name": "implementation-status",
+                        "value": "implemented"
+                      }
+                    ]
+                  }
+                ]
+              },
+              {
+                "uuid": "fc6a4cb3-5160-4792-a835-bfdf92d97a33",
+                "control-id": "si-4.2",
+                "description": "\\<%= app_name %> is monitored using New Relic Application Performance Monitoring (APM), Synthetics and Logs, which detects and alerts on abnormal responses from <%= app_name %> applications in real time.",
+                "props": [
+                  {
+                    "name": "Rule_Id",
+                    "value": "properly-configured"
+                  },
+                  {
+                    "name": "implementation-status",
+                    "value": "implemented"
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -7,35 +7,41 @@ module RailsTemplate18f
     class OscalGenerator < ::Rails::Generators::Base
       include Base
 
-      class_option :oscal_repo, required: true, desc: "GitHub Repo containing Compliance-Template fork"
-      class_option :detach, type: :boolean, default: false, desc: "Copy OSCAL files into repo, rather than using a submodule"
-      class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `app_name`"
+      class_option :oscal_repo, desc: "GitHub Repo to store compliance documents within. Leave blank to check docs into the app repo"
+      class_option :tag, desc: "Which docker-trestle tag to use. Defaults to `latest`"
+      class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `main`"
 
       desc <<~DESC
         Description:
-          Add a fork of https://github.com/GSA-TTS/compliance-template.git as a
-          submodule for documenting security controls.
+          Set up doc/compliance/oscal as a working directory for use with https://github.com/GSA-TTS/docker-trestle.
 
           This generator is still experimental.
 
-          Prerequisite:
+          Optional Prerequisite:
 
-          Fork the compliance-template repo for your own use. Updates to the documentation
+          Set up a separate private repository to store the compliance documentation in if access control needs to be
+          tighter than for the code. This generator will set up the directory as a submodule so developers with access
+          can easily update documentation alongside code. Updates to the documentation
           will be pushed to this fork, not the rails app repository.
       DESC
 
-      def copy_template_files
-        if detach?
-          git clone: "#{options[:oscal_repo]} doc/compliance/oscal"
-          remove_dir "doc/compliance/oscal/.git"
-        else
+      def configure_compliance_files
+        if use_submodule?
           git submodule: "add #{options[:oscal_repo]} doc/compliance/oscal"
           inside "doc/compliance/oscal" do
             git switch: "-c #{branch_name}"
           end
+        else
+          create_file "doc/compliance/oscal/.keep"
         end
       end
 
+      def copy_templates
+        template "bin/trestle"
+        chmod "bin/trestle", 0o755
+        template "doc/compliance/oscal/trestle-config.yaml"
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -45,7 +51,7 @@ module RailsTemplate18f
       end
 
       def configure_submodule
-        unless detach?
+        if use_submodule?
           git config: "-f .gitmodules submodule.\"doc/compliance/oscal\".branch #{branch_name}"
           git config: "diff.submodule log"
           git config: "status.submodulesummary 1"
@@ -53,9 +59,24 @@ module RailsTemplate18f
         end
       end
 
+      def configure_gitignore
+        unless skip_git? || use_submodule?
+          append_to_file ".gitignore", <<~EOM
+
+            # Trestle working files
+            doc/compliance/oscal/.trestle/_trash
+            doc/compliance/oscal/.trestle/cache
+          EOM
+        end
+      end
+
       no_tasks do
         def branch_name
-          options[:branch].present? ? options[:branch] : app_name
+          options[:branch].present? ? options[:branch] : "main"
+        end
+
+        def docker_trestle_tag
+          options[:tag].present? ? options[:tag] : "latest"
         end
 
         def readme_contents
@@ -64,8 +85,25 @@ module RailsTemplate18f
             ### Compliance Documentation
 
             Security Controls should be documented within doc/compliance/oscal.
+
+            * Run `bin/trestle` to start the trestle CLI.
+            * Run `bin/trestle SCRIPT_NAME` to run a single trestle script
+
+            #### Initial trestle setup.
+
+            These steps must happen once per project.
+
+            1. Docker desktop must be running
+            1. Start the trestle cli with `bin/trestle`
+            1. Copy the `cloud_gov` component to the local workspace with `copy-component -n cloud_gov`
+            1. Generate the initial markdown with `generate-ssp-markdown`
+
+            #### Ongoing use
+
+            See the [docker-trestle README](https://github.com/gsa-tts/docker-trestle) for help with the workflow
+            for using those scripts for editing the SSP.
           README
-          return content if detach?
+          return content unless use_submodule?
           <<~README
             #{content}
 
@@ -94,8 +132,8 @@ module RailsTemplate18f
           README
         end
 
-        def detach?
-          options[:detach]
+        def use_submodule?
+          options[:oscal_repo].present?
         end
       end
     end

data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt

@@ -0,0 +1,10 @@
+#! /usr/bin/env bash
+
+command="bash"
+if [ "$1" != "" ]; then
+    command=$1
+fi
+
+oscal_location="$(dirname "$(realpath "$0")")/../doc/compliance/oscal"
+
+docker run -it --rm -v $oscal_location:/app/docs:rw ghcr.io/gsa-tts/trestle:<%= docker_trestle_tag %> $command

data/lib/generators/rails_template18f/oscal/templates/doc/compliance/oscal/trestle-config.yaml.tt

@@ -0,0 +1,6 @@
+# docker-trestle configuration file
+# for ease of future rails_template18f generator use, keep the components list last in this file
+system-name: "<%= app_name %>"
+profile: lato
+components:
+  - cloud_gov

data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb

@@ -14,7 +14,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("sidekiq")
-        gem "sidekiq", "~> 6.4"
+        gem "sidekiq", "~> 7.2"
         bundle_install
       end
 
@@ -24,7 +24,7 @@ module RailsTemplate18f
           # queue for sidekiq jobs
           brew "redis"
         EOB
-        insert_into_file "README.md", indent("* [redis]()\n"), after: /\* Install homebrew dependencies: `brew bundle`\n/
+        insert_into_file "README.md", indent("* [redis](https://redis.io/)\n"), after: /\* Install homebrew dependencies: `brew bundle`\n/
       end
 
       def configure_server_runner

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -4,26 +4,39 @@ This directory holds the terraform modules for maintaining your complete persist
 
 Prerequisite: install the `jq` JSON processor: `brew bundle` or `brew install jq`
 
-## Initial setup
+## Initial project setup
 
-1. Manually run the bootstrap module following instructions under `Terraform State Credentials`
+These steps only need to be run once per project.
+
+1. Manually [bootstrap the state storage bucket](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time) within the `bootstrap` directory
 1. Setup CI/CD Pipeline to run Terraform
-  1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
-  1. Create a cloud.gov SpaceDeployer by following the instructions under `SpaceDeployers`
-  1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
+    1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
+    1. Create a cloud.gov SpaceDeployer by following the instructions under `SpaceDeployers`
+    1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
 1. Manually Running Terraform
-  1. Follow instructions under `Set up a new environment` to create your infrastructure
+    1. Follow instructions under `Set up a new environment` to create your infrastructure
+
+## Initial developer setup
+
+These steps should be run for any developer that needs to start running terraform or who just moved to a new machine.
+
+They are not necessary for the developer who runs the [initial project setup](#initial-project-setup)
+
+1. Import the existing bootstrap resources to your local state with `./import.sh`
+1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
+
 
 ## Terraform State Credentials
 
-The bootstrap module is used to create an s3 bucket for later terraform runs to store their state in.
+The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in.
 
 ### Bootstrapping the state storage s3 buckets for the first time
 
-1. Run `terraform init`
-1. Run `./run.sh plan` to verify that the changes are what you expect
+These steps are run once per project.
+
+1. Run `./run.sh init`
 1. Run `./run.sh apply` to set up the bucket and retrieve credentials
-1. Follow instructions under `Use bootstrap credentials`
+1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
 1. Ensure that `import.sh` includes a line and correct IDs for any resources created
 1. Run `./teardown_creds.sh` to remove the space deployer account used to create the s3 bucket
 
@@ -31,28 +44,20 @@ The bootstrap module is used to create an s3 bucket for later terraform runs to
 
 *This should not be necessary in most cases*
 
-1. Run `terraform init`
-1. If you don't have terraform state locally:
-    1. run `./import.sh`
-    1. optionally run `./run.sh apply` to include the existing outputs in the state file
 1. Make your changes
-1. Continue from step 2 of the boostrapping instructions
-
-### Retrieving existing bucket credentials
+1. Run `./run.sh plan` to verify the changes are what you expect
+1. Continue from step 2 of the [boostrapping instructions](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time)
 
-1. Run `./run.sh show`
-1. Follow instructions under `Use bootstrap credentials`
-
-#### Use bootstrap credentials
+### Use bootstrap credentials
 
 1. Add the following to `~/.aws/credentials`
     ```
     [<%= app_name %>-terraform-backend]
-    aws_access_key_id = <access_key_id from bucket_credentials>
-    aws_secret_access_key = <secret_access_key from bucket_credentials>
+    aws_access_key_id = <AWS_ACCESS_KEY_ID from run.sh output>
+    aws_secret_access_key = <AWS_SECRET_ACCESS_KEY from run.sh output>
     ```
 
-1. Copy `bucket` from `bucket_credentials` output to the backend block of `staging/providers.tf` and `production/providers.tf`
+1. Copy `BUCKET` from `run.sh` output to the backend block of `staging/providers.tf` and `production/providers.tf`
 
 ## SpaceDeployers
 
@@ -63,11 +68,11 @@ deploy the application from the CI/CD pipeline. Create a new account by running:
 
 ## Set up a new environment manually
 
-The below steps rely on you first configuring access to the Terraform state in s3 as described in [Terraform State Credentials](#terraform-state-credentials).
+The below steps rely on you first configuring access to the Terraform state in s3 as described in [initial project setup](#initial-project-setup) or [initial developer setup](#initial-developer-setup).
 
 1. `cd` to the environment you are working in
 
-1. Set up a SpaceDeployer
+1. Set up a SpaceDeployer and save the credentials in a file named `secrets.auto.tfvars`
     ```bash
     # create a space deployer service instance that can log in with just a username and password
     # the value of < SPACE_NAME > should be `staging` or `prod` depending on where you are working
@@ -80,17 +85,17 @@ The below steps rely on you first configuring access to the Terraform state in s
 
     The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. Read more in the [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/).
 
-    The easiest way to use this script is to redirect the output directly to the `secrets.auto.tfvars` file it needs to be used in
+    The easiest way to use this script locally is to redirect the output directly to the `secrets.auto.tfvars` file it needs to be used in
 
 1. Run terraform from your new environment directory with
     ```bash
-    terraform init
+    terraform init -backend-config="profile=<%= app_name %>-terraform-backend"
     terraform plan
     ```
 
 1. Apply changes with `terraform apply`.
 
-1. Remove the space deployer service instance if it doesn't need to be used again, such as when manually running terraform once.
+1. Remove the space deployer service instance if it doesn't need to be used again, such as when manually running terraform plan before letting CI/CD apply the changes.
     ```bash
     # <SPACE_NAME> and <ACCOUNT_NAME> have the same values as used above.
     ../../bin/ops/destroy_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>
@@ -98,7 +103,7 @@ The below steps rely on you first configuring access to the Terraform state in s
 
 ## Structure
 
-Each environment has its own module, which relies on a shared module for everything except the providers code and environment specific variables and settings.
+Each environment has its own module.
 
 ```
 - bootstrap/
@@ -111,38 +116,18 @@ Each environment has its own module, which relies on a shared module for everyth
 - <env>/
   |- main.tf
   |- providers.tf
-  |- secrets.auto.tfvars
   |- variables.tf
-- shared/
-  |- s3/
-     |- main.tf
-     |- providers.tf
-     |- variables.tf
-  |- database/
-     |- main.tf
-     |- providers.tf
-     |- variables.tf
-  |- domain/
-     |- main.tf
-     |- providers.tf
-     |- variables.tf
 ```
 
-In the shared modules:
-- `providers.tf` contains set up instructions for Terraform about Cloud Foundry and AWS
-- `main.tf` sets up the data and resources the application relies on
-- `variables.tf` lists the required variables and applicable default values
-
 In the environment-specific modules:
 - `providers.tf` lists the required providers
 - `main.tf` calls the shared Terraform code, but this is also a place where you can add any other services, resources, etc, which you would like to set up for that environment
 - `variables.tf` lists the variables that will be needed, either to pass through to the child module or for use in this module
-- `secrets.auto.tfvars` is a file which contains the information about the service-key and other secrets that should not be shared
 
 In the bootstrap module:
 - `providers.tf` lists the required providers
 - `main.tf` sets up s3 bucket to be shared across all environments. It lives in `prod` to communicate that it should not be deleted
 - `variables.tf` lists the variables that will be needed. Most values are hard-coded in this module
-- `run.sh` Helper script to set up a space deployer and run terraform. The terraform action (`show`/`plan`/`apply`/`destroy`) is passed as an argument
+- `run.sh` Helper script to set up a space deployer and run terraform. The terraform action (`init`/`show`/`plan`/`apply`/`destroy`) is passed as an argument
 - `teardown_creds.sh` Helper script to remove the space deployer setup as part of `run.sh`
-- `import.sh` Helper script to create a new local state file in case terraform changes are needed
+- `import.sh` Helper script to create a new local state file when new developers need to access the state file

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/import.sh

@@ -4,6 +4,7 @@ read -p "Are you sure you want to import terraform state (y/n)? " verify
 
 if [[ $verify == "y" ]]; then
   echo "Importing bootstrap state"
+  ./run.sh init
   ./run.sh import module.s3.cloudfoundry_service_instance.bucket TKTK
   ./run.sh import cloudfoundry_service_key.bucket_creds TKTK
   ./run.sh plan

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/main.tf.tt

@@ -1,18 +1,14 @@
 locals {
-  cf_api_url      = "https://api.fr.cloud.gov"
   s3_service_name = "<%= app_name %>-terraform-state"
 }
 
 module "s3" {
-  source = "github.com/18f/terraform-cloudgov//s3"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
 
-  cf_api_url      = local.cf_api_url
-  cf_user         = var.cf_user
-  cf_password     = var.cf_password
-  cf_org_name     = "<%= cloud_gov_organization %>"
-  cf_space_name   = "<%= cloud_gov_production_space %>"
-  s3_service_name = local.s3_service_name<% if cloud_gov_organization == "sandbox-gsa" %>
-  s3_plan_name    = "basic-sandbox"<% end %>
+  cf_org_name   = "<%= cloud_gov_organization %>"
+  cf_space_name = "<%= cloud_gov_production_space %>"
+  name          = local.s3_service_name<% if cloud_gov_organization == "sandbox-gsa" %>
+  s3_plan_name  = "basic-sandbox"<% end %>
 }
 
 resource "cloudfoundry_service_key" "bucket_creds" {
@@ -21,5 +17,6 @@ resource "cloudfoundry_service_key" "bucket_creds" {
 }
 
 output "bucket_credentials" {
-  value = cloudfoundry_service_key.bucket_creds.credentials
+  value     = cloudfoundry_service_key.bucket_creds.credentials
+  sensitive = true
 }

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/providers.tf

@@ -3,14 +3,14 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.15.0"
+      version = "0.53.1"
     }
   }
 }
 
 provider "cloudfoundry" {
-  api_url      = local.cf_api_url
+  api_url      = "https://api.fr.cloud.gov"
   user         = var.cf_user
   password     = var.cf_password
   app_logs_max = 30
-}
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt

@@ -1,5 +1,20 @@
 #!/usr/bin/env bash
 
+if ! command -v jq &> /dev/null
+then
+  echo "jq must be installed. Run 'brew bundle' to install everything in the Brewfile"
+  exit 1
+fi
+if ! command -v terraform &> /dev/null
+then
+  echo "terraform must be installed before running this script"
+  exit 1
+fi
+
+dig_output () {
+  dig_result=`cat terraform.tfstate | jq -r ".outputs.bucket_credentials.value.$1"`
+}
+
 if [[ ! -f "secrets.auto.tfvars" ]]; then
   ../../bin/ops/create_service_account.sh -s <%= cloud_gov_production_space %> -u config-bootstrap-deployer > secrets.auto.tfvars
 fi
@@ -7,6 +22,18 @@ fi
 if [[ $# -gt 0 ]]; then
   echo "Running terraform $@"
   terraform $@
+  if [[ -f terraform.tfstate ]]; then
+    echo
+    echo "Credentials for terraform state bucket:"
+    dig_output "bucket"
+    echo "BUCKET=$dig_result"
+    dig_output "access_key_id"
+    echo "AWS_ACCESS_KEY_ID=$dig_result"
+    dig_output "secret_access_key"
+    echo "AWS_SECRET_ACCESS_KEY=$dig_result"
+    dig_output "region"
+    echo "AWS_REGION=$dig_result"
+  fi
 else
   echo "Not running terraform"
 fi