rails_template_18f 1.1.0 → 1.3.0

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb

@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "colorize"
+
+module RailsTemplate18f
+  module Generators
+    class PublicEgressGenerator < ::Rails::Generators::Base
+      include Base
+      include CloudGovParsing
+
+      desc <<~DESC
+        Description:
+          Install files for running cg-egress-proxy in <env>-egress cloud.gov spaces
+          Prerequisite: the terraform generator has been run already
+      DESC
+
+      def check_terraform_exists
+        unless terraform_dir_exists?
+          fail "Run `rails g rails_template18f:terraform` before running this generator"
+        end
+      end
+
+      def use_terraform_module
+        append_to_file file_path("terraform/staging/main.tf"), terraform_module
+        append_to_file file_path("terraform/production/main.tf"), terraform_module
+      end
+
+      def add_to_deploy_steps
+        if file_exists?(".github/workflows/deploy-staging.yml")
+          insert_into_file ".github/workflows/deploy-staging.yml", <<EOD, before: "      - name: Deploy app"
+      - name: Set public egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: #{cloud_gov_organization}
+          cf_space: #{cloud_gov_staging_space}-egress
+          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
+EOD
+        end
+        if file_exists?(".github/workflows/deploy-production.yml")
+          insert_into_file ".github/workflows/deploy-production.yml", <<EOD, before: "      - name: Deploy app"
+      - name: Set public egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: #{cloud_gov_organization}
+          cf_space: #{cloud_gov_production_space}-egress
+          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
+EOD
+        end
+        if file_exists?(".circleci/config.yml")
+          insert_into_file ".circleci/config.yml", <<EOD, before: "          name: Push application with deployment vars"
+          name: Set public egress
+          command: |
+            cf bind-security-group public_networks_egress << parameters.cloudgov_org >> \
+              --space << parameters.cloudgov_space >>-egress
+        - run:
+EOD
+        end
+      end
+
+      def update_readme
+        insert_into_file "README.md", readme_content, before: "## Documentation"
+      end
+
+      def update_boundary_diagram
+        boundary_filename = "doc/compliance/apps/application.boundary.md"
+        insert_into_file boundary_filename, <<EOB, after: "System_Boundary(inventory, \"Application\") {\n"
+                Boundary(restricted_space, "Restricted egress space") {
+                }
+                Boundary(egress_space, "Public egress space") {
+                    Container(proxy, "<&layers> Egress Proxy", "Caddy, cg-egress-proxy", "Proxy with allow-list of external connections")
+                }
+EOB
+        insert_into_file boundary_filename, <<~EOB, before: "@enduml"
+          Rel(app, proxy, "Proxy outbound connections", "https (443)")
+        EOB
+        puts "\n ================ TODO ================ \n".yellow
+        puts "Update your application boundary to:"
+        puts "1. Place application and services within the Restricted egress space"
+        puts "2. Connect outbound connections through the egress proxy"
+      end
+
+      def update_oscal_doc
+        copy_remote_oscal_component "cg-egress-proxy", "https://raw.githubusercontent.com/GSA-TTS/cg-egress-proxy/refs/heads/main/docs/compliance/component-definitions/cg-egress-proxy/component-definition.json"
+      end
+
+      no_tasks do
+        def readme_content
+          <<~README
+            ### Public Egress Proxy
+
+            Traffic to be delivered to the public internet must be proxied through the [cg-egress-proxy](https://github.com/GSA-TTS/cg-egress-proxy) app. Hostnames that the app should be able to
+            reach should be added to the `allowlist` terraform configuration in `terraform/staging/main.tf` and `terraform/production/main.tf`
+
+            See the [ruby troubleshooting doc](https://github.com/GSA-TTS/cg-egress-proxy/blob/main/docs/ruby.md) first if you have any problems making outbound connections through the proxy.
+          README
+        end
+
+        def terraform_module
+          <<~EOT
+
+            module "egress_space" {
+              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
+
+              cf_org_name   = local.cf_org_name
+              cf_space_name = "${local.cf_space_name}-egress"
+              # deployers should include any user or service account ID that will deploy the egress proxy
+              deployers = [
+                var.cf_user
+              ]
+            }
+
+            module "egress_proxy" {
+              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v1.1.0"
+
+              cf_org_name   = local.cf_org_name
+              cf_space_name = module.egress_space.space_name
+              client_space  = local.cf_space_name
+              name          = "egress-proxy-${local.env}"
+              # comment out allowlist if this module is being deployed before the app has ever been deployed
+              allowlist = {
+                "${local.app_name}-${local.env}" = []
+              }
+              # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+              depends_on = [module.app_space, module.egress_space]
+            }
+          EOT
+        end
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb

@@ -14,7 +14,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("sidekiq")
-        gem "sidekiq", "~> 7.2"
+        gem "sidekiq", "~> 7.3"
         bundle_install
       end
 

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -64,7 +64,7 @@ These steps are run once per project.
 A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or
 deploy the application from the CI/CD pipeline. Create a new account by running:
 
-`../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>`
+`../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m`
 
 ## Set up a new environment manually
 
@@ -80,7 +80,7 @@ The below steps rely on you first configuring access to the Terraform state in s
     # something that communicates the purpose of the deployer
     # for example: circleci-deployer for the credentials CircleCI uses to
     # deploy the application or <your_name>-terraform for credentials to run terraform manually
-    ../../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> > secrets.auto.tfvars
+    ../../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m > secrets.auto.tfvars
     ```
 
     The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. Read more in the [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/).

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/main.tf.tt

@@ -6,7 +6,7 @@ module "s3" {
   source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
 
   cf_org_name   = "<%= cloud_gov_organization %>"
-  cf_space_name = "<%= cloud_gov_production_space %>"
+  cf_space_name = "<%= cloud_gov_production_space %>-mgmt"
   name          = local.s3_service_name<% if cloud_gov_organization == "sandbox-gsa" %>
   s3_plan_name  = "basic-sandbox"<% end %>
 }

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt

@@ -16,7 +16,8 @@ dig_output () {
 }
 
 if [[ ! -f "secrets.auto.tfvars" ]]; then
-  ../../bin/ops/create_service_account.sh -s <%= cloud_gov_production_space %> -u config-bootstrap-deployer > secrets.auto.tfvars
+  cf target -s <%= cloud_gov_production_space %>-mgmt || cf create-space <%= cloud_gov_production_space %>-mgmt && cf disallow-space-ssh <%= cloud_gov_production_space %>-mgmt
+  ../../bin/ops/create_service_account.sh -s <%= cloud_gov_production_space %>-mgmt -u config-bootstrap-deployer > secrets.auto.tfvars
 fi
 
 if [[ $# -gt 0 ]]; then

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-../../bin/ops/destroy_service_account.sh -s <%= cloud_gov_production_space %> -u config-bootstrap-deployer
+../../bin/ops/destroy_service_account.sh -s <%= cloud_gov_production_space %>-mgmt -u config-bootstrap-deployer
 
 rm secrets.auto.tfvars

data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt

@@ -5,32 +5,48 @@ locals {
   app_name      = "<%= app_name %>"
 }
 
+module "app_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  deployers     = [var.cf_user]
+  # developers should include any users that will potentially need to run `cf ssh` on the app
+  developers = []
+}
+
 module "database" {
-  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-rds-${local.env}"
   rds_plan_name = "TKTK-production-rds-plan"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% if has_active_job? %>
 module "redis" {
-  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.1.0"
 
   cf_org_name     = local.cf_org_name
   cf_space_name   = local.cf_space_name
   name            = "${local.app_name}-redis-${local.env}"
   redis_plan_name = "TKTK-production-redis-plan"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% end %>
 <% if has_active_storage? %>
 module "s3" {
-  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
   s3_plan_name  = "basic-sandbox"<% end %>
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 
 ###########################################################################
@@ -40,7 +56,7 @@ module "s3" {
 # 2) Your organization has sufficient memory. Each clamav app requires 3GB
 ###########################################################################
 # module "clamav" {
-#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.0.0"
+#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.1.0"
 #
 #   cf_org_name    = local.cf_org_name
 #   cf_space_name  = local.cf_space_name
@@ -48,6 +64,8 @@ module "s3" {
 #   name           = "${local.app_name}-clamapi-${local.env}"
 #   clamav_image   = "ghcr.io/gsa-tts/clamav-rest/clamav:20240602"
 #   max_file_size  = "30M"
+#   # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+#   depends_on = [module.app_space]
 # }
 <% end %>
 
@@ -59,7 +77,7 @@ module "s3" {
 #     `cf create-domain <%= cloud_gov_organization %> TKTK-production-domain-name`
 ###########################################################################
 # module "domain" {
-#   source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v1.0.0"
+#   source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v1.1.0"
 #
 #   cf_org_name    = local.cf_org_name
 #   cf_space_name  = local.cf_space_name
@@ -67,4 +85,6 @@ module "s3" {
 #   cdn_plan_name  = "domain"
 #   domain_name    = "TKTK-production-domain-name"
 #   host_name      = "TKTK-production-hostname (optional)"
+#   # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+#   depends_on = [module.app_space]
 # }

data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt

@@ -5,32 +5,48 @@ locals {
   app_name      = "<%= app_name %>"
 }
 
+module "app_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  deployers     = [var.cf_user]
+  # developers should include any users that will potentially need to run `cf ssh` on the app
+  developers = []
+}
+
 module "database" {
-  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-rds-${local.env}"
   rds_plan_name = "micro-psql"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% if has_active_job? %>
 module "redis" {
-  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.1.0"
 
   cf_org_name     = local.cf_org_name
   cf_space_name   = local.cf_space_name
   name            = "${local.app_name}-redis-${local.env}"
   redis_plan_name = "redis-dev"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% end %>
 <% if has_active_storage? %>
 module "s3" {
-  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
   s3_plan_name  = "basic-sandbox"<% end %>
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 
 ###########################################################################
@@ -40,7 +56,7 @@ module "s3" {
 # 2) Your organization has sufficient memory. Each clamav app requires 3GB
 ###########################################################################
 # module "clamav" {
-#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.0.0"
+#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.1.0"
 #
 #   cf_org_name    = local.cf_org_name
 #   cf_space_name  = local.cf_space_name
@@ -48,5 +64,7 @@ module "s3" {
 #   name           = "${local.app_name}-clamapi-${local.env}"
 #   clamav_image   = "ghcr.io/gsa-tts/clamav-rest/clamav:20240602"
 #   max_file_size  = "30M"
+#   # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+#   depends_on = [module.app_space]
 # }
 <% end %>

data/lib/rails_template18f/generators/base.rb

@@ -59,6 +59,13 @@ module RailsTemplate18f
         Dir.exist? file_path("doc/compliance/oscal")
       end
 
+      def copy_remote_oscal_component(component_name, cd_url)
+        get cd_url, File.join(oscal_component_path, component_name, "component-definition.json")
+        if oscal_dir_exists?
+          insert_into_file "doc/compliance/oscal/trestle-config.yaml", "  - #{component_name}\n"
+        end
+      end
+
       def copy_oscal_component(component_name)
         template "oscal/component-definitions/#{component_name}/component-definition.json",
           File.join(oscal_component_path, component_name, "component-definition.json")

data/lib/rails_template18f/generators/cloud_gov_options.rb

@@ -4,6 +4,7 @@ module RailsTemplate18f
   module Generators
     module CloudGovOptions
       extend ActiveSupport::Concern
+      include CloudGovParsing
 
       included do
         class_option :cg_org, desc: "cloud.gov organization name"
@@ -14,39 +15,18 @@ module RailsTemplate18f
       private
 
       def cloud_gov_organization
-        if options[:cg_org].present?
-          return options[:cg_org]
-        elsif terraform_dir_exists?
-          staging_main = file_content("terraform/staging/main.tf")
-          if (matches = staging_main.match(/cf_org_name\s+= "(?<org_name>.*)"/))
-            return matches[:org_name]
-          end
-        end
-        "TKTK-cloud.gov-org-name"
+        return options[:cg_org] if options[:cg_org].present?
+        super
       end
 
       def cloud_gov_staging_space
-        if options[:cg_staging].present?
-          return options[:cg_staging]
-        elsif terraform_dir_exists?
-          staging_main = file_content("terraform/staging/main.tf")
-          if (matches = staging_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
-            return matches[:space_name]
-          end
-        end
-        "staging"
+        return options[:cg_staging] if options[:cg_staging].present?
+        super
       end
 
       def cloud_gov_production_space
-        if options[:cg_prod].present?
-          return options[:cg_prod]
-        elsif terraform_dir_exists?
-          prod_main = file_content("terraform/production/main.tf")
-          if (matches = prod_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
-            return matches[:space_name]
-          end
-        end
-        "prod"
+        return options[:cg_prod] if options[:cg_prod].present?
+        super
       end
     end
   end

data/lib/rails_template18f/generators/cloud_gov_parsing.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module RailsTemplate18f
+  module Generators
+    module CloudGovParsing
+      extend ActiveSupport::Concern
+
+      private
+
+      def cloud_gov_organization
+        if terraform_dir_exists?
+          staging_main = file_content("terraform/staging/main.tf")
+          if (matches = staging_main.match(/cf_org_name\s+= "(?<org_name>.*)"/))
+            return matches[:org_name]
+          end
+        end
+        "TKTK-cloud.gov-org-name"
+      end
+
+      def cloud_gov_staging_space
+        if terraform_dir_exists?
+          staging_main = file_content("terraform/staging/main.tf")
+          if (matches = staging_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
+            return matches[:space_name]
+          end
+        end
+        "staging"
+      end
+
+      def cloud_gov_production_space
+        if terraform_dir_exists?
+          prod_main = file_content("terraform/production/main.tf")
+          if (matches = prod_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
+            return matches[:space_name]
+          end
+        end
+        "prod"
+      end
+    end
+  end
+end

data/lib/rails_template18f/generators.rb

@@ -6,6 +6,7 @@ module RailsTemplate18f
 
     autoload :Base
     autoload :CloudGovOptions
+    autoload :CloudGovParsing
     autoload :PipelineOptions
   end
 end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "1.1.0"
+  VERSION = "1.3.0"
 end

data/rails-template-18f.gemspec

@@ -31,12 +31,12 @@ Gem::Specification.new do |spec|
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html
-  spec.add_dependency "railties", "~> 7.1.0"
-  spec.add_dependency "activesupport", "~> 7.1.0"
+  spec.add_dependency "railties", "~> 7.2.0"
+  spec.add_dependency "activesupport", "~> 7.2.0"
   spec.add_dependency "thor", "~> 1.3"
   spec.add_dependency "colorize", "~> 1.1"
 
   spec.add_development_dependency "rspec", "~> 3.13"
   spec.add_development_dependency "ammeter", "~> 1.1"
-  spec.add_development_dependency "standard", "~> 1.36"
+  spec.add_development_dependency "standard", "~> 1.40"
 end

data/railsrc

@@ -9,3 +9,5 @@
 --css=postcss
 --template=template.rb
 --database=postgresql
+--skip-rubocop
+--skip-ci

data/railsrc-hotwire

@@ -7,3 +7,5 @@
 --css=postcss
 --template=template.rb
 --database=postgresql
+--skip-rubocop
+--skip-ci

data/template.rb

@@ -39,14 +39,16 @@ def print_announcements
   end
 end
 
-unless Gem::Dependency.new("rails", "~> 7.1.0").match?("rails", Rails.gem_version)
-  warn "This template requires Rails 7.1.x"
+unless Gem::Dependency.new("rails", "~> 7.2.0").match?("rails", Rails.gem_version)
+  warn "This template requires Rails 7.2.x"
   if Gem::Dependency.new("rails", "~> 6.1.0").match?("rails", Rails.gem_version)
     warn "See the rails-6 branch https://github.com/gsa-tts/rails-template/tree/rails-6"
   elsif Gem::Dependency.new("rails", "~> 7.0.0").match?("rails", Rails.gem_version)
     warn "See the rails-7.0 branch https://github.com/gsa-tts/rails-template/tree/rails-7.0"
-  elsif Gem::Dependency.new("rails", "~> 7.2.0").match?("rails", Rails.gem_version)
-    warn "We haven't updated the template for Rails 7.2 yet! Please file an issue so we can get the template updated"
+  elsif Gem::Dependency.new("rails", "~> 7.1.0").match?("rails", Rails.gem_version)
+    warn "See the rails-7.1 branch https://github.com/gsa-tts/rails-template/tree/rails-7.1"
+  elsif Gem::Dependency.new("rails", ">= 7.3.0").match?("rails", Rails.gem_version)
+    warn "We haven't updated the template for Rails >= 7.3 yet! Please file an issue so we can get the template updated"
   else
     warn "We didn't recognize the version of Rails you are using: #{Rails.version}"
   end
@@ -71,6 +73,9 @@ if compliance_trestle_submodule && compliance_trestle_repo.blank?
 end
 # only ask about auditree if we're also using docker-trestle
 auditree = compliance_trestle ? yes?("Run compliance checks with auditree? (y/n)") : false
+if auditree
+  auditree_evidence_repo = ask("What is the https address of your auditree evidence repo? (Leave blank to fill in later)")
+end
 
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
@@ -111,9 +116,8 @@ EOM
 if compliance_trestle
   after_bundle do
     generator_arguments = []
-    if compliance_trestle_submodule
-      generator_arguments << "--oscal_repo=#{compliance_trestle_repo}"
-    end
+    generator_arguments << "--oscal_repo=#{compliance_trestle_repo}" if compliance_trestle_submodule
+    generator_arguments << "--ci=github" if @github_actions
     generate "rails_template18f:oscal", *generator_arguments
   end
   register_announcement("OSCAL Documentation", <<~EOM)
@@ -183,7 +187,7 @@ after_bundle do
 end
 
 # updates for OWASP scan to pass
-gem "secure_headers", "~> 6.3"
+gem "secure_headers", "~> 6.7"
 initializer "secure_headers.rb", <<~EOM
   SecureHeaders::Configuration.default do |config|
     # CSP settings are handled by Rails
@@ -224,9 +228,8 @@ uncomment_lines csp_initializer, "content_security_policy_nonce"
 gem_group :development, :test do
   gem "rspec-rails", "~> 6.1"
   gem "dotenv-rails", "~> 3.1"
-  gem "brakeman", "~> 6.1"
   gem "bundler-audit", "~> 0.9"
-  gem "standard", "~> 1.36"
+  gem "standard", "~> 1.40"
 end
 if ENV["RT_DEV"] == "true"
   gem "rails_template_18f", group: :development, path: ENV["PWD"]
@@ -462,8 +465,11 @@ end
 
 if auditree
   after_bundle do
-    generate "rails_template18f:auditree"
+    generate "rails_template18f:auditree", "--evidence_locker=#{auditree_evidence_repo}"
   end
+  register_announcement "Auditree", <<~EOM
+    * Don't forget to follow the initial setup instructions for Auditree in the main README
+  EOM
 end
 
 # setup production credentials file
@@ -495,7 +501,8 @@ EOM
 # ensure this is the very last step
 after_bundle do
   if run_db_setup
-    rails_command "db:setup"
+    rails_command "db:create"
+    rails_command "db:migrate"
   end
 
   # x86_64-linux is required to install gems on any linux system such as cloud.gov or CI pipelines

data/templates/bin/ops/create_service_account.sh.tt

@@ -7,14 +7,18 @@ $0: Create a Service User Account for a given space
 
 Usage:
   $0 -h
-  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] [-m]
 
 Options:
 -h: show help and exit
 -s <SPACE NAME>: configure the space to act on. Required
 -u <USER NAME>: set the service user name. Required
 -r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
+-m: If provided, make the service user an OrgManager
 -o <ORG NAME>: configure the organization to act on. Default: $org
+
+Notes:
+* OrgManager is required for terraform to create <env>-egress spaces
 "
 
 set -e
@@ -23,8 +27,9 @@ set -o pipefail
 space=""
 service=""
 role="space-deployer"
+org_manager="false"
 
-while getopts ":hs:u:r:o:" opt; do
+while getopts ":hms:u:r:o:" opt; do
   case "$opt" in
     s)
       space=${OPTARG}
@@ -38,6 +43,9 @@ while getopts ":hs:u:r:o:" opt; do
     o)
       org=${OPTARG}
       ;;
+    m)
+      org_manager="true"
+      ;;
     h)
       echo "$usage"
       exit 0
@@ -69,6 +77,10 @@ creds=`cf service-key $service service-account-key | tail -n +2 | jq '.credentia
 username=`echo $creds | jq -r '.username'`
 password=`echo $creds | jq -r '.password'`
 
+if [[ "$org_manager" = "true" ]]; then
+  cf set-org-role $username $org OrgManager 1>&2
+fi
+
 cat << EOF
 # generated with $0 -s $space -u $service -r $role -o $org
 # revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org

data/templates/bin/ops/destroy_service_account.sh.tt

@@ -46,8 +46,5 @@ fi
 
 cf target -o $org -s $space
 
-# destroy service key
-cf delete-service-key $service service-account-key -f
-
 # destroy service
 cf delete-service $service -f

data/templates/lib/tasks/scanning.rake

@@ -2,7 +2,7 @@ desc "Run brakeman with potential non-0 return code"
 task :brakeman do
   # -z flag makes it return non-0 if there are any warnings
   # -q quiets output
-  unless system("brakeman -z -q") # system is true if return is 0, false otherwise
+  unless system("bin/brakeman -z -q") # system is true if return is 0, false otherwise
     abort("Brakeman detected one or more code problems, please run it manually and inspect the output.")
   end
 end