RubyGems - rails_template_18f - Versions diffs - 1.2.0 → 2.0.0 - Mend

rails_template_18f 1.2.0 → 2.0.0

Files changed (85) hide show

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml ADDED Viewed

@@ -0,0 +1,72 @@
+name: Deploy Production
+on:
+  push:
+    branches: [ production ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
+          save_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
+  deploy:
+    name: Deploy to production
+    runs-on: ubuntu-latest
+    needs: build-assets
+    environment: production
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        env:
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
+        with:
+          path: terraform
+          var_file: terraform/production.tfvars
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.production
+      - name: Save app zip for debugging
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-src-apply
+          path: terraform/dist/src.zip
+          compression-level: 0
+          retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml ADDED Viewed

@@ -0,0 +1,72 @@
+name: Deploy Staging
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+          save_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
+  deploy:
+    name: Deploy to staging
+    runs-on: ubuntu-latest
+    needs: build-assets
+    environment: staging
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        env:
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
+        with:
+          path: terraform
+          var_file: terraform/staging.tfvars
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.staging
+      - name: Save app zip for debugging
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-src-apply
+          path: terraform/dist/src.zip
+          compression-level: 0
+          retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt CHANGED Viewed

@@ -31,6 +31,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
+      - name: Touch staging cache
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+      - name: Touch production cache
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
       - id: setup
         uses: ./.github/actions/setup-project
@@ -39,7 +48,7 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
       - name: Run OWASP Full Scan
-        uses: zaproxy/action-full-scan@v0.10.0
+        uses: zaproxy/action-full-scan@v0.12.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt CHANGED Viewed

@@ -38,7 +38,7 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
       - name: Run OWASP Baseline Scan
-        uses: zaproxy/action-baseline@v0.12.0
+        uses: zaproxy/action-baseline@v0.14.0
         with:
           docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
           target: 'http://localhost:3000/'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt CHANGED Viewed

@@ -49,7 +49,7 @@ jobs:
       - name: Comment on pull request
         if: failure()
-        uses: actions/github-script@v4
+        uses: actions/github-script@v7
         with:
           script: |
             const output = `Pa11y Failures detected
@@ -61,7 +61,7 @@ jobs:
             \`\`\`
             </details>`;
-            github.issues.createComment({
+            github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml CHANGED Viewed

@@ -9,9 +9,28 @@ permissions:
   pull-requests: write
 jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
+          # you may want to enable the next line to surface issues with missing assets,
+          # but not until after you've deployed once and the cache has been created
+          # fail_on_missing_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
+    needs: build-assets
     environment: production
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -22,20 +41,44 @@ jobs:
       - name: terraform validate
         uses: dflook/terraform-validate@v1
         with:
-          path: terraform/production
+          path: terraform
       - name: terraform fmt
         uses: dflook/terraform-fmt-check@v1
         with:
-          path: terraform/production
+          path: terraform
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
         with:
-          path: terraform/production
+          path: terraform
+          var_file: terraform/production.tfvars
+          add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.production
+      # Uncomment this step if you need to debug issues
+      # with mismatched app checksum between plan and apply
+      # - name: Save app zip for debugging
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: app-src-plan
+      #     path: terraform/dist/src.zip
+      #     compression-level: 0
+      #     retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml CHANGED Viewed

@@ -9,9 +9,28 @@ permissions:
   pull-requests: write
 jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+          # you may want to enable the next line to surface issues with missing assets,
+          # but not until after you've deployed once and the cache has been created
+          # fail_on_missing_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
+    needs: build-assets
     environment: staging
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -22,20 +41,44 @@ jobs:
       - name: terraform validate
         uses: dflook/terraform-validate@v1
         with:
-          path: terraform/staging
+          path: terraform
       - name: terraform fmt
         uses: dflook/terraform-fmt-check@v1
         with:
-          path: terraform/staging
+          path: terraform
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
         with:
-          path: terraform/staging
+          path: terraform
+          var_file: terraform/staging.tfvars
+          add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.staging
+      # Uncomment this step if you need to debug issues
+      # with mismatched app checksum between plan and apply
+      # - name: Save app zip for debugging
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: app-src-plan
+      #     path: terraform/dist/src.zip
+      #     compression-level: 0
+      #     retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml CHANGED Viewed

@@ -31,14 +31,14 @@ jobs:
       - name: Comment on pull request
         if: failure()
-        uses: actions/github-script@v4
+        uses: actions/github-script@v7
         with:
           script: |
             const output = `SSP assembly detected changes that aren't checked in.
             Run \`bin/trestle assemble-ssp-json\` to ensure markdown changes are reflected in your SSP`;
-            github.issues.createComment({
+            github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,

data/lib/generators/rails_template18f/i18n_js/i18n_js_generator.rb CHANGED Viewed

@@ -12,37 +12,29 @@ module RailsTemplate18f
           Install and configure i18n-js gem to provide translations to JS code.
           By default, will only export translations with keys that match `*.js.*`
+          To use, add the following to your js code:
+          1. `import { i18n } from './i18n';`
+          2. `i18n.t('path.to.translation.key')`
       DESC
-      def install_gem_and_tasks
-        return if gem_installed?("i18n-js")
-        gem "i18n-js", "~> 3.9"
+      def install_gems
+        gem "i18n-js", "~> 4.2" unless gem_installed?("i18n-js")
+        gem "listen", "~> 3.9", group: :development unless gem_installed?("listen")
         bundle_install do
           run "yarn add i18n-js"
-          generate "i18n:js:config"
         end
       end
       def configure_translation_yaml
-        append_to_file "config/i18n-js.yml", <<~EOYAML
-          # remove `only` to include all translations
-          translations:
-            - file: "app/assets/builds/translations.js"
-              only: "*.js.*"
-        EOYAML
+        copy_file "config/i18n-js.yml"
       end
       def configure_asset_pipeline
         copy_file "lib/tasks/i18n.rake"
-        environment "config.middleware.use I18n::JS::Middleware", env: :development
-        insert_into_file "app/views/layouts/application.html.erb", indent(<<~EOHTML, 4), after: /<%= stylesheet_link_tag "application".*$\n/
-          <%= javascript_include_tag "i18n", "data-turbo-track": "reload" %>
-          <%= javascript_include_tag "translations", "data-turbo-track": "reload" %>
-        EOHTML
-        append_to_file "app/assets/config/manifest.js", <<~EOJS
-          //= link i18n.js
-          //= link translations.js
-        EOJS
+        copy_file "config/initializers/i18n_js.rb"
+        copy_file "app/javascript/i18n/index.js"
       end
       def ignore_generated_file
@@ -50,7 +42,7 @@ module RailsTemplate18f
           append_to_file ".gitignore", <<~EOM
             # Generated by i18n-js
-            /public/javascripts/i18n.js
+            /app/javascript/i18n/translations.json
           EOM
         end
       end

data/lib/generators/rails_template18f/i18n_js/templates/app/javascript/i18n/index.js ADDED Viewed

@@ -0,0 +1,11 @@
+import { I18n } from 'i18n-js';
+import translations from './translations.json';
+const userLocale = document.documentElement.lang;
+export const i18n = new I18n();
+i18n.store(translations);
+i18n.defaultLocale = "en";
+i18n.enableFallback = true;
+i18n.locale = userLocale;

data/lib/generators/rails_template18f/i18n_js/templates/config/i18n-js.yml ADDED Viewed

@@ -0,0 +1,4 @@
+translations:
+  - file: "app/javascript/i18n/translations.json"
+    patterns:
+      - "*.js.*"

data/lib/generators/rails_template18f/i18n_js/templates/config/initializers/i18n_js.rb ADDED Viewed

@@ -0,0 +1,5 @@
+Rails.application.config.after_initialize do
+  require "i18n-js/listen"
+  # This will only run in development
+  I18nJS.listen config_file: Rails.root.join("config/i18n-js.yml")
+end

data/lib/generators/rails_template18f/i18n_js/templates/lib/tasks/i18n.rake CHANGED Viewed

@@ -1,9 +1,10 @@
 # export translations as part of asset precompile
-Rake::Task["assets:precompile"].enhance(["i18n:js:export"])
-if Rake::Task.task_defined?("test:prepare")
-  Rake::Task["test:prepare"].enhance(["i18n:js:export"])
-elsif Rake::Task.task_defined?("db:test:prepare")
-  Rake::Task["db:test:prepare"].enhance(["i18n:js:export"])
+namespace "i18n:js" do
+  desc "Call the i18n-js export method"
+  task :export do
+    require "i18n-js"
+    I18nJS.call(config_file: "config/i18n-js.yml")
+  end
 end
+Rake::Task["javascript:build"].enhance(["i18n:js:export"])

data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb CHANGED Viewed

@@ -24,7 +24,7 @@ module RailsTemplate18f
       def install_gem
         return if gem_installed?("newrelic_rpm")
-        gem "newrelic_rpm", "~> 9.12"
+        gem "newrelic_rpm", "~> 9.16"
         bundle_install
       end
@@ -33,7 +33,9 @@ module RailsTemplate18f
       end
       def update_cloud_gov_manifest
-        insert_into_file "manifest.yml", "    NEW_RELIC_LOG: stdout\n", before: /^\s+processes:/
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "environment = {\n"
+    NEW_RELIC_LOG = "stdout"
+EOT
       end
       def update_readme

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb ADDED Viewed

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+require "rails/generators"
+require "colorize"
+module RailsTemplate18f
+  module Generators
+    class PublicEgressGenerator < ::Rails::Generators::Base
+      include Base
+      include CloudGovParsing
+      desc <<~DESC
+        Description:
+          Install files for running cg-egress-proxy in <env>-egress cloud.gov spaces
+          Prerequisite: the terraform generator has been run already
+      DESC
+      def check_terraform_exists
+        unless terraform_dir_exists?
+          fail "Run `rails g rails_template18f:terraform` before running this generator"
+        end
+      end
+      def use_terraform_module
+        append_to_file file_path("terraform/main.tf"), terraform_module
+        append_to_file file_path("terraform/variables.tf"), <<~EOT
+          variable "egress_allowlist" {
+            type        = set(string)
+            default     = []
+            description = "The set of hostnames that the application is allowed to connect to"
+          }
+        EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "environment = {\n"
+    no_proxy                 = "apps.internal,s3-fips.us-gov-west-1.amazonaws.com"
+EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "service_bindings = [\n"
+    { service_instance = "egress-proxy-${var.env}-credentials" },
+EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "depends_on = [\n"
+    cloudfoundry_service_instance.egress_proxy_credentials,
+EOT
+      end
+      def setup_terraform_provider
+        insert_into_file file_path("terraform/providers.tf"), after: "required_providers {\n" do
+          <<-EOT
+    cloudfoundry-community = {
+      source  = "cloudfoundry-community/cloudfoundry"
+      version = "0.53.1"
+    }
+          EOT
+        end
+        append_to_file file_path("terraform/providers.tf"), <<~EOT
+          provider "cloudfoundry-community" {
+            api_url  = "https://api.fr.cloud.gov"
+            user     = var.cf_user
+            password = var.cf_password
+          }
+        EOT
+      end
+      def setup_proxy_vars
+        create_file ".profile", <<~EOP unless file_exists?(".profile")
+          ##
+          # Cloud Foundry app initialization script
+          # https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#profile
+          ##
+        EOP
+        insert_into_file ".profile", <<~EOP
+          proxy_creds=$(echo "$VCAP_SERVICES" | jq --arg service_name "egress-proxy-$RAILS_ENV-credentials" '.[][] | select(.name == $service_name) | .credentials')
+          export http_proxy=$(echo "$proxy_creds" | jq --raw-output ".http_uri")
+          export https_proxy=$(echo "$proxy_creds" | jq --raw-output ".https_uri")
+        EOP
+      end
+      def update_readme
+        insert_into_file "README.md", readme_content, before: "## Documentation"
+      end
+      def update_boundary_diagram
+        boundary_filename = "doc/compliance/apps/application.boundary.md"
+        insert_into_file boundary_filename, <<EOB, after: "System_Boundary(inventory, \"Application\") {\n"
+                Boundary(restricted_space, "Restricted egress space") {
+                }
+                Boundary(egress_space, "Public egress space") {
+                    Container(proxy, "<&layers> Egress Proxy", "Caddy, cg-egress-proxy", "Proxy with allow-list of external connections")
+                }
+EOB
+        insert_into_file boundary_filename, <<~EOB, before: "@enduml"
+          Rel(app, proxy, "Proxy outbound connections", "https (443)")
+        EOB
+        puts "\n ================ TODO ================ \n".yellow
+        puts "Update your application boundary to:"
+        puts "1. Place application and services within the Restricted egress space"
+        puts "2. Connect outbound connections through the egress proxy"
+      end
+      def update_oscal_doc
+        copy_remote_oscal_component "cg-egress-proxy", "https://raw.githubusercontent.com/GSA-TTS/cg-egress-proxy/refs/heads/main/docs/compliance/component-definitions/cg-egress-proxy/component-definition.json"
+      end
+      no_tasks do
+        def readme_content
+          <<~README
+            ### Public Egress Proxy
+            Traffic to be delivered to the public internet must be proxied through the [cg-egress-proxy](https://github.com/GSA-TTS/cg-egress-proxy) app. Hostnames that the app should be able to
+            reach should be added to the `egress_allowlist` terraform variable in `terraform/production.tfvars` and `terraform/staging.tfvars`
+            See the [ruby troubleshooting doc](https://github.com/GSA-TTS/cg-egress-proxy/blob/main/docs/ruby.md) first if you have any problems making outbound connections through the proxy.
+          README
+        end
+        def terraform_module
+          <<~EOT
+            module "egress_space" {
+              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.1.0"
+              cf_org_name          = local.cf_org_name
+              cf_space_name        = "${var.cf_space_name}-egress"
+              allow_ssh            = var.allow_space_ssh
+              deployers            = local.space_deployers
+              developers           = var.space_developers
+              security_group_names = ["public_networks_egress"]
+            }
+            module "egress_proxy" {
+              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v2.1.0"
+              cf_org_name     = local.cf_org_name
+              cf_egress_space = module.egress_space.space
+              name            = "egress-proxy-${var.env}"
+              allowlist       = var.egress_allowlist
+              # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+              depends_on = [module.app_space, module.egress_space]
+            }
+            resource "cloudfoundry_network_policy" "egress_routing" {
+              provider = cloudfoundry-community
+              policy {
+                source_app      = cloudfoundry_app.app.id
+                destination_app = module.egress_proxy.app_id
+                port            = "61443"
+              }
+              policy {
+                source_app      = cloudfoundry_app.app.id
+                destination_app = module.egress_proxy.app_id
+                port            = "8080"
+              }
+            }
+            resource "cloudfoundry_service_instance" "egress_proxy_credentials" {
+              name        = "egress-proxy-${var.env}-credentials"
+              space       = module.app_space.space_id
+              type        = "user-provided"
+              credentials = module.egress_proxy.json_credentials
+              # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+              depends_on = [module.app_space]
+            }
+          EOT
+        end
+      end
+    end
+  end
+end