RubyGems - rails_template_18f - Versions diffs - 1.3.0 → 2.0.0 - Mend

rails_template_18f 1.3.0 → 2.0.0

Files changed (82) hide show

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml ADDED Viewed

@@ -0,0 +1,72 @@
+name: Deploy Production
+on:
+  push:
+    branches: [ production ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
+          save_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
+  deploy:
+    name: Deploy to production
+    runs-on: ubuntu-latest
+    needs: build-assets
+    environment: production
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        env:
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
+        with:
+          path: terraform
+          var_file: terraform/production.tfvars
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.production
+      - name: Save app zip for debugging
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-src-apply
+          path: terraform/dist/src.zip
+          compression-level: 0
+          retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml ADDED Viewed

@@ -0,0 +1,72 @@
+name: Deploy Staging
+on:
+  push:
+    branches: [ main ]
+    paths-ignore:
+      - 'doc/**'
+      - 'README.md'
+permissions:
+  contents: read
+  pull-requests: write
+jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+          save_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
+  deploy:
+    name: Deploy to staging
+    runs-on: ubuntu-latest
+    needs: build-assets
+    environment: staging
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
+      - name: Terraform apply
+        uses: dflook/terraform-apply@v1
+        env:
+          TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
+        with:
+          path: terraform
+          var_file: terraform/staging.tfvars
+          backend_config: >
+            access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+            secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.staging
+      - name: Save app zip for debugging
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-src-apply
+          path: terraform/dist/src.zip
+          compression-level: 0
+          retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt CHANGED Viewed

@@ -31,6 +31,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
+      - name: Touch staging cache
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+      - name: Touch production cache
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
       - id: setup
         uses: ./.github/actions/setup-project
@@ -39,7 +48,7 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
       - name: Run OWASP Full Scan
-        uses: zaproxy/action-full-scan@v0.10.0
+        uses: zaproxy/action-full-scan@v0.12.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt CHANGED Viewed

@@ -38,7 +38,7 @@ jobs:
           database_url: ${{ steps.setup.outputs.database_url }}
       - name: Run OWASP Baseline Scan
-        uses: zaproxy/action-baseline@v0.12.0
+        uses: zaproxy/action-baseline@v0.14.0
         with:
           docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
           target: 'http://localhost:3000/'

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt CHANGED Viewed

@@ -49,7 +49,7 @@ jobs:
       - name: Comment on pull request
         if: failure()
-        uses: actions/github-script@v4
+        uses: actions/github-script@v7
         with:
           script: |
             const output = `Pa11y Failures detected
@@ -61,7 +61,7 @@ jobs:
             \`\`\`
             </details>`;
-            github.issues.createComment({
+            github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml CHANGED Viewed

@@ -9,9 +9,28 @@ permissions:
   pull-requests: write
 jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: production
+          # you may want to enable the next line to surface issues with missing assets,
+          # but not until after you've deployed once and the cache has been created
+          # fail_on_missing_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
+    needs: build-assets
     environment: production
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -22,20 +41,44 @@ jobs:
       - name: terraform validate
         uses: dflook/terraform-validate@v1
         with:
-          path: terraform/production
+          path: terraform
       - name: terraform fmt
         uses: dflook/terraform-fmt-check@v1
         with:
-          path: terraform/production
+          path: terraform
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: production-assets
+          path: public/assets
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
         with:
-          path: terraform/production
+          path: terraform
+          var_file: terraform/production.tfvars
+          add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.production
+      # Uncomment this step if you need to debug issues
+      # with mismatched app checksum between plan and apply
+      # - name: Save app zip for debugging
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: app-src-plan
+      #     path: terraform/dist/src.zip
+      #     compression-level: 0
+      #     retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml CHANGED Viewed

@@ -9,9 +9,28 @@ permissions:
   pull-requests: write
 jobs:
+  build-assets:
+    name: Compile and clean assets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Compile assets
+        uses: ./.github/actions/compile-assets
+        with:
+          rails_env: staging
+          # you may want to enable the next line to surface issues with missing assets,
+          # but not until after you've deployed once and the cache has been created
+          # fail_on_missing_cache: true
+      - name: Upload assets
+        uses: actions/upload-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
   terraform:
     name: Terraform plan
     runs-on: ubuntu-latest
+    needs: build-assets
     environment: staging
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -22,20 +41,44 @@ jobs:
       - name: terraform validate
         uses: dflook/terraform-validate@v1
         with:
-          path: terraform/staging
+          path: terraform
       - name: terraform fmt
         uses: dflook/terraform-fmt-check@v1
         with:
-          path: terraform/staging
+          path: terraform
+      - name: Download assets
+        uses: actions/download-artifact@v4
+        with:
+          name: staging-assets
+          path: public/assets
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
           TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
+          TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
+          TERRAFORM_PRE_RUN: |
+            apt-get update
+            apt-get install -y zip
         with:
-          path: terraform/staging
+          path: terraform
+          var_file: terraform/staging.tfvars
+          add_github_comment: changes-only
           backend_config: >
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+            bucket=${{ secrets.TERRAFORM_STATE_BUCKET_NAME }}
+            key=terraform.tfstate.staging
+      # Uncomment this step if you need to debug issues
+      # with mismatched app checksum between plan and apply
+      # - name: Save app zip for debugging
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: app-src-plan
+      #     path: terraform/dist/src.zip
+      #     compression-level: 0
+      #     retention-days: 1

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml CHANGED Viewed

@@ -31,14 +31,14 @@ jobs:
       - name: Comment on pull request
         if: failure()
-        uses: actions/github-script@v4
+        uses: actions/github-script@v7
         with:
           script: |
             const output = `SSP assembly detected changes that aren't checked in.
             Run \`bin/trestle assemble-ssp-json\` to ensure markdown changes are reflected in your SSP`;
-            github.issues.createComment({
+            github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,

data/lib/generators/rails_template18f/i18n_js/i18n_js_generator.rb CHANGED Viewed

@@ -34,7 +34,7 @@ module RailsTemplate18f
       def configure_asset_pipeline
         copy_file "lib/tasks/i18n.rake"
         copy_file "config/initializers/i18n_js.rb"
-        copy_file "app/javascript/i18n.js"
+        copy_file "app/javascript/i18n/index.js"
       end
       def ignore_generated_file
@@ -42,7 +42,7 @@ module RailsTemplate18f
           append_to_file ".gitignore", <<~EOM
             # Generated by i18n-js
-            /app/javascript/generated
+            /app/javascript/i18n/translations.json
           EOM
         end
       end

data/lib/generators/rails_template18f/i18n_js/templates/app/javascript/{i18n.js → i18n/index.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { I18n } from 'i18n-js';
-import translations from './generated/translations.json';
+import translations from './translations.json';
 const userLocale = document.documentElement.lang;

data/lib/generators/rails_template18f/i18n_js/templates/config/i18n-js.yml CHANGED Viewed

@@ -1,4 +1,4 @@
 translations:
-  - file: "app/javascript/generated/translations.json"
+  - file: "app/javascript/i18n/translations.json"
     patterns:
       - "*.js.*"

data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb CHANGED Viewed

@@ -24,7 +24,7 @@ module RailsTemplate18f
       def install_gem
         return if gem_installed?("newrelic_rpm")
-        gem "newrelic_rpm", "~> 9.12"
+        gem "newrelic_rpm", "~> 9.16"
         bundle_install
       end
@@ -33,7 +33,9 @@ module RailsTemplate18f
       end
       def update_cloud_gov_manifest
-        insert_into_file "manifest.yml", "    NEW_RELIC_LOG: stdout\n", before: /^\s+processes:/
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "environment = {\n"
+    NEW_RELIC_LOG = "stdout"
+EOT
       end
       def update_readme

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb CHANGED Viewed

@@ -22,44 +22,56 @@ module RailsTemplate18f
       end
       def use_terraform_module
-        append_to_file file_path("terraform/staging/main.tf"), terraform_module
-        append_to_file file_path("terraform/production/main.tf"), terraform_module
+        append_to_file file_path("terraform/main.tf"), terraform_module
+        append_to_file file_path("terraform/variables.tf"), <<~EOT
+          variable "egress_allowlist" {
+            type        = set(string)
+            default     = []
+            description = "The set of hostnames that the application is allowed to connect to"
+          }
+        EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "environment = {\n"
+    no_proxy                 = "apps.internal,s3-fips.us-gov-west-1.amazonaws.com"
+EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "service_bindings = [\n"
+    { service_instance = "egress-proxy-${var.env}-credentials" },
+EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "depends_on = [\n"
+    cloudfoundry_service_instance.egress_proxy_credentials,
+EOT
       end
-      def add_to_deploy_steps
-        if file_exists?(".github/workflows/deploy-staging.yml")
-          insert_into_file ".github/workflows/deploy-staging.yml", <<EOD, before: "      - name: Deploy app"
-      - name: Set public egress
-        uses: cloud-gov/cg-cli-tools@main
-        with:
-          cf_username: ${{ secrets.CF_USERNAME }}
-          cf_password: ${{ secrets.CF_PASSWORD }}
-          cf_org: #{cloud_gov_organization}
-          cf_space: #{cloud_gov_staging_space}-egress
-          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
-EOD
-        end
-        if file_exists?(".github/workflows/deploy-production.yml")
-          insert_into_file ".github/workflows/deploy-production.yml", <<EOD, before: "      - name: Deploy app"
-      - name: Set public egress
-        uses: cloud-gov/cg-cli-tools@main
-        with:
-          cf_username: ${{ secrets.CF_USERNAME }}
-          cf_password: ${{ secrets.CF_PASSWORD }}
-          cf_org: #{cloud_gov_organization}
-          cf_space: #{cloud_gov_production_space}-egress
-          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
-EOD
-        end
-        if file_exists?(".circleci/config.yml")
-          insert_into_file ".circleci/config.yml", <<EOD, before: "          name: Push application with deployment vars"
-          name: Set public egress
-          command: |
-            cf bind-security-group public_networks_egress << parameters.cloudgov_org >> \
-              --space << parameters.cloudgov_space >>-egress
-        - run:
-EOD
+      def setup_terraform_provider
+        insert_into_file file_path("terraform/providers.tf"), after: "required_providers {\n" do
+          <<-EOT
+    cloudfoundry-community = {
+      source  = "cloudfoundry-community/cloudfoundry"
+      version = "0.53.1"
+    }
+          EOT
         end
+        append_to_file file_path("terraform/providers.tf"), <<~EOT
+          provider "cloudfoundry-community" {
+            api_url  = "https://api.fr.cloud.gov"
+            user     = var.cf_user
+            password = var.cf_password
+          }
+        EOT
+      end
+      def setup_proxy_vars
+        create_file ".profile", <<~EOP unless file_exists?(".profile")
+          ##
+          # Cloud Foundry app initialization script
+          # https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#profile
+          ##
+        EOP
+        insert_into_file ".profile", <<~EOP
+          proxy_creds=$(echo "$VCAP_SERVICES" | jq --arg service_name "egress-proxy-$RAILS_ENV-credentials" '.[][] | select(.name == $service_name) | .credentials')
+          export http_proxy=$(echo "$proxy_creds" | jq --raw-output ".http_uri")
+          export https_proxy=$(echo "$proxy_creds" | jq --raw-output ".https_uri")
+        EOP
       end
       def update_readme
@@ -94,9 +106,10 @@ EOB
             ### Public Egress Proxy
             Traffic to be delivered to the public internet must be proxied through the [cg-egress-proxy](https://github.com/GSA-TTS/cg-egress-proxy) app. Hostnames that the app should be able to
-            reach should be added to the `allowlist` terraform configuration in `terraform/staging/main.tf` and `terraform/production/main.tf`
+            reach should be added to the `egress_allowlist` terraform variable in `terraform/production.tfvars` and `terraform/staging.tfvars`
             See the [ruby troubleshooting doc](https://github.com/GSA-TTS/cg-egress-proxy/blob/main/docs/ruby.md) first if you have any problems making outbound connections through the proxy.
           README
         end
@@ -104,30 +117,49 @@ EOB
           <<~EOT
             module "egress_space" {
-              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
-              cf_org_name   = local.cf_org_name
-              cf_space_name = "${local.cf_space_name}-egress"
-              # deployers should include any user or service account ID that will deploy the egress proxy
-              deployers = [
-                var.cf_user
-              ]
+              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.1.0"
+              cf_org_name          = local.cf_org_name
+              cf_space_name        = "${var.cf_space_name}-egress"
+              allow_ssh            = var.allow_space_ssh
+              deployers            = local.space_deployers
+              developers           = var.space_developers
+              security_group_names = ["public_networks_egress"]
             }
             module "egress_proxy" {
-              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v1.1.0"
-              cf_org_name   = local.cf_org_name
-              cf_space_name = module.egress_space.space_name
-              client_space  = local.cf_space_name
-              name          = "egress-proxy-${local.env}"
-              # comment out allowlist if this module is being deployed before the app has ever been deployed
-              allowlist = {
-                "${local.app_name}-${local.env}" = []
-              }
+              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v2.1.0"
+              cf_org_name     = local.cf_org_name
+              cf_egress_space = module.egress_space.space
+              name            = "egress-proxy-${var.env}"
+              allowlist       = var.egress_allowlist
               # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
               depends_on = [module.app_space, module.egress_space]
             }
+            resource "cloudfoundry_network_policy" "egress_routing" {
+              provider = cloudfoundry-community
+              policy {
+                source_app      = cloudfoundry_app.app.id
+                destination_app = module.egress_proxy.app_id
+                port            = "61443"
+              }
+              policy {
+                source_app      = cloudfoundry_app.app.id
+                destination_app = module.egress_proxy.app_id
+                port            = "8080"
+              }
+            }
+            resource "cloudfoundry_service_instance" "egress_proxy_credentials" {
+              name        = "egress-proxy-${var.env}-credentials"
+              space       = module.app_space.space_id
+              type        = "user-provided"
+              credentials = module.egress_proxy.json_credentials
+              # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+              depends_on = [module.app_space]
+            }
           EOT
         end
       end

data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb CHANGED Viewed

@@ -29,23 +29,14 @@ module RailsTemplate18f
       def configure_server_runner
         append_to_file "Procfile.dev", "worker: bundle exec sidekiq\n"
-        insert_into_file "manifest.yml", indent(<<~EOYAML), after: /processes:$\n/
-          - type: worker
-            instances: ((worker_instances))
-            memory: ((worker_memory))
-            command: bundle exec sidekiq
-        EOYAML
-        insert_into_file "manifest.yml", "\n  - #{app_name}-redis-((env))", after: "services:"
-        inside "config/deployment" do
-          append_to_file "staging.yml", <<~EOYAML
-            worker_instances: 1
-            worker_memory: 256M
-          EOYAML
-          append_to_file "production.yml", <<~EOYAML
-            worker_instances: 1
-            worker_memory: 512M
-          EOYAML
-        end
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "processes = [\n"
+    {
+      type      = "worker"
+      instances = var.worker_instances
+      memory    = var.worker_memory
+      command   = "bundle exec sidekiq"
+    },
+EOT
       end
       def configure_active_job

data/lib/generators/rails_template18f/terraform/templates/full_bootstrap/imports.tf.tftpl ADDED Viewed

@@ -0,0 +1,25 @@
+# This file takes care of importing bootstrap
+# resources onto a new developer's machine if needed
+# import happens automatically on a normal ./apply.sh run
+%{ for resource_name, id in import_map ~}
+import {
+  to = ${resource_name}
+  id = "${id}"
+}
+%{ endfor ~}
+locals {
+  developer_import_map = "${replace(jsonencode(developer_map), "\"", "\\\"")}"
+  manager_import_map   = "${replace(jsonencode(manager_map), "\"", "\\\"")}"
+}
+import {
+  for_each = jsondecode(local.developer_import_map)
+  to       = module.mgmt_space.cloudfoundry_space_role.developers[each.key]
+  id       = each.value
+}
+import {
+  for_each = jsondecode(local.manager_import_map)
+  to       = module.mgmt_space.cloudfoundry_space_role.managers[each.key]
+  id       = each.value
+}