rails_template_18f 1.3.0 → 2.0.0

data/lib/generators/rails_template18f/terraform/templates/full_bootstrap/main.tf.tt

@@ -0,0 +1,159 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "1.2.0"
+    }
+  }
+}
+# empty config will let terraform borrow cf-cli's auth
+provider "cloudfoundry" {}
+
+variable "terraform_users" {
+  type        = set(string)
+  description = "The list of developer emails and service account usernames who should be granted access to retrieve state bucket credentials"
+
+  validation {
+    condition     = length(var.terraform_users) > 0
+    error_message = "terraform_users must include at least the current user calling apply.sh"
+  }
+}
+variable "mgmt_space_name" {
+  type        = string
+  default     = "<%= cloud_gov_production_space %>-mgmt"
+  description = "The name of the mgmt space"
+}
+variable "create_bot_secrets_file" {
+  type        = bool
+  default     = false
+  description = "Flag whether to create secrets.cicd.tfvars file"
+}
+
+locals {
+  org_name = "<%= cloud_gov_organization %>"
+  # s3_plan_name should be basic when holding production data, though basic-sandbox will make early iterations easier
+  s3_plan_name = "basic"
+}
+module "mgmt_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.1.0"
+
+  cf_org_name   = local.org_name
+  cf_space_name = var.mgmt_space_name
+  developers    = var.terraform_users
+}
+
+module "s3" {
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.1.0"
+
+  cf_space_id  = module.mgmt_space.space_id
+  name         = "<%= app_name %>-terraform-state"
+  s3_plan_name = local.s3_plan_name
+  depends_on   = [module.mgmt_space]
+}
+
+data "cloudfoundry_service_plans" "cg_service_account" {
+  name                  = "space-deployer"
+  service_offering_name = "cloud-gov-service-account"
+}
+locals {
+  sa_service_name    = "<%= app_name %>-cicd-deployer"
+  sa_key_name        = "cicd-deployer-access-key"
+  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
+  sa_cf_password     = local.sa_bot_credentials.password
+}
+resource "cloudfoundry_service_instance" "runner_service_account" {
+  name         = local.sa_service_name
+  type         = "managed"
+  space        = module.mgmt_space.space_id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+  depends_on   = [module.mgmt_space]
+}
+resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
+}
+data "cloudfoundry_org" "org" {
+  name = local.org_name
+}
+data "cloudfoundry_user" "sa_user" {
+  name = local.sa_cf_username
+}
+resource "cloudfoundry_org_role" "sa_org_manager" {
+  user = data.cloudfoundry_user.sa_user.users.0.id
+  type = "organization_manager"
+  org  = data.cloudfoundry_org.org.id
+}
+
+locals {
+  bucket_creds_key_name = "backend-state-bucket-creds"
+}
+resource "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
+}
+
+locals {
+  import_map = {
+    "module.mgmt_space.cloudfoundry_space.space"            = module.mgmt_space.space_id
+    "module.s3.cloudfoundry_service_instance.bucket"        = module.s3.bucket_id
+    "cloudfoundry_service_credential_binding.bucket_creds"  = cloudfoundry_service_credential_binding.bucket_creds.id
+    "cloudfoundry_service_instance.runner_service_account"  = cloudfoundry_service_instance.runner_service_account.id
+    "cloudfoundry_service_credential_binding.runner_sa_key" = cloudfoundry_service_credential_binding.runner_sa_key.id
+    "cloudfoundry_org_role.sa_org_manager"                  = cloudfoundry_org_role.sa_org_manager.id
+  }
+
+  recreate_state_template = templatefile("${path.module}/templates/imports.tf.tftpl", {
+    import_map    = local.import_map,
+    developer_map = { for username, id in module.mgmt_space.developer_role_ids : username => id },
+    manager_map   = { for username, id in module.mgmt_space.manager_role_ids : username => id }
+  })
+}
+resource "local_file" "recreate_script" {
+  content         = local.recreate_state_template
+  filename        = "${path.module}/imports.tf"
+  file_permission = "0644"
+}
+
+locals {
+  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
+}
+resource "local_sensitive_file" "bucket_creds" {
+  content         = local.backend_config
+  filename        = "${path.module}/../secrets.backend.tfvars"
+  file_permission = "0600"
+}
+
+resource "local_sensitive_file" "bot_secrets_file" {
+  count           = (var.create_bot_secrets_file ? 1 : 0)
+  filename        = "${path.module}/../secrets.cicd.tfvars"
+  file_permission = "0600"
+
+  content = templatefile("${path.module}/templates/bot_secrets.tftpl", {
+    service_name = local.sa_service_name,
+    key_name     = local.sa_key_name,
+    username     = local.sa_cf_username,
+    password     = local.sa_cf_password
+  })
+}
+
+output "mgmt_space_id" {
+  value = module.mgmt_space.space_id
+}
+output "mgmt_org_id" {
+  value = data.cloudfoundry_org.org.id
+}

data/lib/generators/rails_template18f/terraform/templates/sandbox_bootstrap/imports.tf.tftpl

@@ -0,0 +1,10 @@
+# This file takes care of importing bootstrap
+# resources onto a new developer's machine if needed
+# import happens automatically on a normal ./apply.sh run
+
+%{ for resource_name, id in import_map ~}
+import {
+  to = ${resource_name}
+  id = "${id}"
+}
+%{ endfor ~}

data/lib/generators/rails_template18f/terraform/templates/sandbox_bootstrap/main.tf.tt

@@ -0,0 +1,117 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "1.2.0"
+    }
+  }
+}
+# empty config will let terraform borrow cf-cli's auth
+provider "cloudfoundry" {}
+
+variable "create_bot_secrets_file" {
+  type        = bool
+  default     = false
+  description = "Flag whether to create secrets.cicd.tfvars file"
+}
+
+locals {
+  org_name      = "<%= cloud_gov_organization %>"
+  cf_space_name = "<%= cloud_gov_staging_space %>"
+}
+
+data "cloudfoundry_org" "org" {
+  name = local.org_name
+}
+data "cloudfoundry_space" "space" {
+  name = local.cf_space_name
+  org  = data.cloudfoundry_org.org.id
+}
+
+module "s3" {
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.1.0"
+
+  cf_space_id  = data.cloudfoundry_space.space.id
+  name         = "<%= app_name %>-terraform-state"
+  s3_plan_name = "basic-sandbox"
+}
+
+data "cloudfoundry_service_plans" "cg_service_account" {
+  name                  = "space-deployer"
+  service_offering_name = "cloud-gov-service-account"
+}
+locals {
+  sa_service_name    = "<%= app_name %>-cicd-deployer"
+  sa_key_name        = "cicd-deployer-access-key"
+  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+}
+resource "cloudfoundry_service_instance" "runner_service_account" {
+  name         = local.sa_service_name
+  type         = "managed"
+  space        = data.cloudfoundry_space.space.id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+}
+resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
+}
+
+locals {
+  bucket_creds_key_name = "backend-state-bucket-creds"
+}
+resource "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
+}
+
+locals {
+  import_map = {
+    "module.s3.cloudfoundry_service_instance.bucket"        = module.s3.bucket_id
+    "cloudfoundry_service_credential_binding.bucket_creds"  = cloudfoundry_service_credential_binding.bucket_creds.id
+    "cloudfoundry_service_instance.runner_service_account"  = cloudfoundry_service_instance.runner_service_account.id
+    "cloudfoundry_service_credential_binding.runner_sa_key" = cloudfoundry_service_credential_binding.runner_sa_key.id
+  }
+
+  recreate_state_template = templatefile("${path.module}/templates/imports.tf.tftpl", { import_map = local.import_map })
+}
+resource "local_file" "recreate_script" {
+  content         = local.recreate_state_template
+  filename        = "${path.module}/imports.tf"
+  file_permission = "0644"
+}
+
+locals {
+  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
+}
+resource "local_sensitive_file" "bucket_creds" {
+  content         = local.backend_config
+  filename        = "${path.module}/../secrets.backend.tfvars"
+  file_permission = "0600"
+}
+
+resource "local_sensitive_file" "bot_secrets_file" {
+  count           = (var.create_bot_secrets_file ? 1 : 0)
+  filename        = "${path.module}/../secrets.cicd.tfvars"
+  file_permission = "0600"
+
+  content = templatefile("${path.module}/templates/bot_secrets.tftpl", {
+    service_name = local.sa_service_name,
+    key_name     = local.sa_key_name,
+    username     = local.sa_bot_credentials.username,
+    password     = local.sa_bot_credentials.password
+  })
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -1,133 +1,117 @@
 # Terraform
 
-This directory holds the terraform modules for maintaining your complete persistent infrastructure.
+This directory holds the terraform module for maintaining the system infrastructure and deploying the application.
 
-Prerequisite: install the `jq` JSON processor: `brew bundle` or `brew install jq`
+<% unless terraform_manage_spaces? %>
+## READ ME FIRST
 
-## Initial project setup
+Due to users not having `OrgManager` permission in the `sandbox-gsa` organization, this version of the terraform module
+is very limited.
 
-These steps only need to be run once per project.
-
-1. Manually [bootstrap the state storage bucket](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time) within the `bootstrap` directory
-1. Setup CI/CD Pipeline to run Terraform
-    1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
-    1. Create a cloud.gov SpaceDeployer by following the instructions under `SpaceDeployers`
-    1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
-1. Manually Running Terraform
-    1. Follow instructions under `Set up a new environment` to create your infrastructure
-
-## Initial developer setup
-
-These steps should be run for any developer that needs to start running terraform or who just moved to a new machine.
-
-They are not necessary for the developer who runs the [initial project setup](#initial-project-setup)
+When you are ready to move the application to a non-sandbox cloud.gov organization, please re-run the terraform generator with…
 
-1. Import the existing bootstrap resources to your local state with `./import.sh`
-1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
+```bash
+bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME>
+```
 
+…to take full advantage of the generator, and then re-run your CI generator of choice to add production terraform plan and apply steps to your workflow.
+<% end %>
 
 ## Terraform State Credentials
 
-The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in.
+The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in as well as
+create credentials files so developers can use that s3 bucket to create their own sandbox environments.
 
-### Bootstrapping the state storage s3 buckets for the first time
+### Initial project setup
 
-These steps are run once per project.
+These steps only need to be run once per project.
 
-1. Run `./run.sh init`
-1. Run `./run.sh apply` to set up the bucket and retrieve credentials
-1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
-1. Ensure that `import.sh` includes a line and correct IDs for any resources created
-1. Run `./teardown_creds.sh` to remove the space deployer account used to create the s3 bucket
+1. `cd bootstrap`<% if terraform_manage_spaces? %>
+1. Add any users who should have access to the terraform state bucket to `users.auto.tfvars`<% end %>
+1. Run `./apply.sh -var create_bot_secrets_file=true`
+1. Add `imports.tf` to git and commit the changes
+1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments
+    1. Copy backend credentials from `/terraform/secrets.backend.tfvars` to your CI/CD secrets using the instructions in the base README
+    1. Copy the cf_user and cf_password credentials from `/terraform/secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
+1. Delete the two secrets files
 
 ### To make changes to the bootstrap module
 
-*This should not be necessary in most cases*
+*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the state bucket in `bootstrap/users.auto.tfvars`<% end %>*
 
 1. Make your changes
-1. Run `./run.sh plan` to verify the changes are what you expect
-1. Continue from step 2 of the [boostrapping instructions](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time)
+1. Run `./apply.sh` and verify the plan before entering `yes`
+1. Commit any changes to `imports.tf`
 
-### Use bootstrap credentials
+## Set up a sandbox environment or review app
 
-1. Add the following to `~/.aws/credentials`
-    ```
-    [<%= app_name %>-terraform-backend]
-    aws_access_key_id = <AWS_ACCESS_KEY_ID from run.sh output>
-    aws_secret_access_key = <AWS_SECRET_ACCESS_KEY from run.sh output>
-    ```
+### Pre-requisites:
 
-1. Copy `BUCKET` from `run.sh` output to the backend block of `staging/providers.tf` and `production/providers.tf`
+1. Someone on the team has run the [Initial project setup](#initial-project-setup) steps and `imports.tf` is up-to-date on your branch.
+<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %>
 
-## SpaceDeployers
+### Steps:
 
-A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or
-deploy the application from the CI/CD pipeline. Create a new account by running:
+<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.tfvars` and editing it with your values.<% end %>
 
-`../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m`
-
-## Set up a new environment manually
-
-The below steps rely on you first configuring access to the Terraform state in s3 as described in [initial project setup](#initial-project-setup) or [initial developer setup](#initial-developer-setup).
-
-1. `cd` to the environment you are working in
-
-1. Set up a SpaceDeployer and save the credentials in a file named `secrets.auto.tfvars`
+1. Run terraform plan with:
     ```bash
-    # create a space deployer service instance that can log in with just a username and password
-    # the value of < SPACE_NAME > should be `staging` or `prod` depending on where you are working
-    # the value for < ACCOUNT_NAME > can be anything, although we recommend
-    # something that communicates the purpose of the deployer
-    # for example: circleci-deployer for the credentials CircleCI uses to
-    # deploy the application or <your_name>-terraform for credentials to run terraform manually
-    ../../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m > secrets.auto.tfvars
+    ./terraform.sh -e <%= terraform_manage_spaces? ? "sandbox-<NAME>" : "staging" %>
     ```
 
-    The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. Read more in the [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/).
-
-    The easiest way to use this script locally is to redirect the output directly to the `secrets.auto.tfvars` file it needs to be used in
-
-1. Run terraform from your new environment directory with
+1. Apply changes with:
     ```bash
-    terraform init -backend-config="profile=<%= app_name %>-terraform-backend"
-    terraform plan
+    ./terraform.sh -e <%= terraform_manage_spaces? ? "sandbox-<NAME>" : "staging" %> -c apply
     ```
 
-1. Apply changes with `terraform apply`.
-
-1. Remove the space deployer service instance if it doesn't need to be used again, such as when manually running terraform plan before letting CI/CD apply the changes.
+1. <%= terraform_manage_spaces? ? "Optional: tear down the sandbox if" : "Destroy the app when" %> it does not need to be used anymore
     ```bash
-    # <SPACE_NAME> and <ACCOUNT_NAME> have the same values as used above.
-    ../../bin/ops/destroy_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>
+    ./terraform.sh -e <%= terraform_manage_spaces? ? "sandbox-<NAME>" : "staging" %> -c destroy
     ```
 
 ## Structure
 
-Each environment has its own module.
-
 ```
-- bootstrap/
-  |- main.tf
-  |- providers.tf
-  |- variables.tf
-  |- run.sh
-  |- teardown_creds.sh
-  |- import.sh
-- <env>/
-  |- main.tf
-  |- providers.tf
-  |- variables.tf
+|- bootstrap/
+|  |- main.tf
+|  |- apply.sh
+|  |- imports.tf (automatically generated)
+|  |- users.auto.tfvars
+|  |- terraform.tfstate(.backup) (automatically generated)
+|  |- templates/
+|     |- backend_config.tftpl
+|     |- bot_secrets.tftpl
+|     |- imports.tf.tftpl<% if terraform_manage_spaces? %>
+|- sandbox_bot/
+|  |- main.tf
+|  |- run.sh
+|  |- <sandbox_name>/ (automatically generated)
+|     |- terraform.tfstate(.backup) (automatically generated)<% end %>
+|- dist/
+|  |- src.zip (automatically generated)
+|- README.md
+|- app.tf
+|- main.tf
+|- providers.tf
+|- terraform.sh
+|- variables.tf
+|- <env>.tfvars
 ```
 
-In the environment-specific modules:
-- `providers.tf` lists the required providers
-- `main.tf` calls the shared Terraform code, but this is also a place where you can add any other services, resources, etc, which you would like to set up for that environment
-- `variables.tf` lists the variables that will be needed, either to pass through to the child module or for use in this module
+In the root module:
+- `<env>.tfvars` is where to set variable values for the given environment name
+- `terraform.sh` Helper script to setup terraform to point to the correct state file, create a service account to run the root module, and apply the root module.
+- `app.tf` defines the application resource and configuration
+- `main.tf` defines the persistent infrastructure
+- `providers.tf` lists the required providers and shell backend config
+- `variables.tf` lists the variables that will be needed
 
 In the bootstrap module:
-- `providers.tf` lists the required providers
-- `main.tf` sets up s3 bucket to be shared across all environments. It lives in `prod` to communicate that it should not be deleted
-- `variables.tf` lists the variables that will be needed. Most values are hard-coded in this module
-- `run.sh` Helper script to set up a space deployer and run terraform. The terraform action (`init`/`show`/`plan`/`apply`/`destroy`) is passed as an argument
-- `teardown_creds.sh` Helper script to remove the space deployer setup as part of `run.sh`
-- `import.sh` Helper script to create a new local state file when new developers need to access the state file
+- `main.tf` sets up a management space, an s3 bucket to store terraform state files, and an initial SpaceDeployer for the system
+- `apply.sh` Helper script to either recreate the state locally or call `terraform apply` Any arguments are passed through to the `apply` call
+- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes
+- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the terraform state bucket
+
+In the sandbox_bot module:
+- `main.tf` sets up a cloud.gov SpaceDeployer to manage the sandbox environment and outputs its credentials into the main module `secrets.auto.tfvars`
+- `run.sh` Helper script to set up a separate local state file for each sandbox name. In normal use this will only ever be called by `./terraform.sh`

data/lib/generators/rails_template18f/terraform/templates/terraform/app.tf.tt

@@ -0,0 +1,63 @@
+data "archive_file" "src" {
+  type        = "zip"
+  source_dir  = "${path.module}/.."
+  output_path = "${path.module}/dist/src.zip"
+  excludes = [
+    ".git*",
+    ".circleci/*",
+    ".bundle/*",
+    "node_modules/*",
+    "tmp/**/*",
+    "terraform/*",
+    "log/*",
+    "doc/*"
+  ]
+}
+
+locals {
+  host_name = coalesce(var.host_name, "${local.app_name}-${var.env}")
+  domain    = coalesce(var.custom_domain_name, "app.cloud.gov")
+}
+
+resource "cloudfoundry_app" "app" {
+  name       = "${local.app_name}-${var.env}"
+  space_name = var.cf_space_name
+  org_name   = local.cf_org_name
+
+  path             = data.archive_file.src.output_path
+  source_code_hash = data.archive_file.src.output_base64sha256
+  buildpacks       = ["ruby_buildpack"]
+  strategy         = "rolling"
+  routes           = [{ route = "${local.host_name}.${local.domain}" }]
+
+  environment = {
+    RAILS_ENV                = var.env
+    RAILS_MASTER_KEY         = var.rails_master_key
+    RAILS_LOG_TO_STDOUT      = "true"
+    RAILS_SERVE_STATIC_FILES = "true"
+  }
+
+  processes = [
+    {
+      type                       = "web"
+      instances                  = var.web_instances
+      memory                     = var.web_memory
+      health_check_http_endpoint = "/up"
+      health_check_type          = "http"
+      command                    = "./bin/rake cf:on_first_instance db:migrate && exec env HTTP_PORT=$PORT ./bin/thrust ./bin/rails server"
+    }
+  ]
+
+  service_bindings = [
+<% if has_active_job? %>    { service_instance = "${local.app_name}-redis-${var.env}" },<% end %>
+<% if has_active_storage? %>    { service_instance = "${local.app_name}-s3-${var.env}" },<% end %>
+    { service_instance = "${local.app_name}-rds-${var.env}" }
+  ]
+
+  depends_on = [
+<% if has_active_job? %>    module.redis,<% end %>
+<% if has_active_storage? %>    module.s3,<% end %>
+<% if terraform_manage_spaces? %>    module.app_space,<% end %>
+    module.database
+  ]
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/apply.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+if ! command -v terraform &> /dev/null
+then
+  echo "terraform must be installed before running this script"
+  exit 1
+fi
+
+set -e
+
+# ensure we're logged in via cli
+cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
+
+terraform init
+terraform apply "$@"

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/templates/backend_config.tftpl

@@ -0,0 +1,8 @@
+# remove this file after initializing your terraform
+# you can always regenerate it by running ./apply.sh
+# within the bootstrap module
+
+bucket     = "${creds.bucket}"
+region     = "${creds.region}"
+access_key = "${creds.access_key_id}"
+secret_key = "${creds.secret_access_key}"

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/templates/bot_secrets.tftpl

@@ -0,0 +1,5 @@
+# Generated via bootstrap module. Remove this file when finished
+# credentials for service "${service_name}"/"${key_name}"
+
+cf_user     = "${username}"
+cf_password = "${password}"

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/users.auto.tfvars

@@ -0,0 +1,5 @@
+terraform_users = [
+  # add your terraform_users list here: example values:
+  # "team.member@gsa.gov",
+  # "cf_user-guid-value-for-space-developer-service-account",
+]