rails_template_18f 1.3.0 → 2.1.0

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab-ci.yml.tt

@@ -0,0 +1,212 @@
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH == "production"
+
+stages:
+  - build
+  - test
+  - deploy
+
+variables:
+  POSTGRES_DB: <%= app_name %>_test
+  POSTGRES_PASSWORD: not-actually-secret
+  POSTGRES_VERSION: <%= postgres_version %>
+  RUBY_VERSION: <%= RUBY_VERSION %>
+
+include:
+  - local: ".gitlab/ruby.yml"
+  - local: ".gitlab/node.yml"
+  - local: ".gitlab/rails.yml"
+  - local: ".gitlab/terraform.yml"
+
+default:
+  image: "ruby:${RUBY_VERSION}"
+  before_script:
+    - !reference [.setup-ruby]
+  cache:
+    - !reference [.cache-dependencies, cache]
+
+build-project:
+  stage: build
+  extends: [.cache-dependencies, .setup-languages]
+  cache:
+    policy: pull-push
+  script:
+    - !reference [.bundle-install]
+    - !reference [.yarn-install]
+    - bin/rake assets:precompile
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - app/assets/builds
+      - public/assets
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+brakeman-scan:
+  stage: test
+  script:
+    - bin/brakeman --no-pager --ensure-ignore-notes -f sarif -o output.sarif.json
+  artifacts:
+    when: always
+    expose_as: "Brakeman results"
+    paths:
+      - output.sarif.json
+
+dependency_scanning:
+  stage: test
+  extends: .setup-languages
+  script:
+    - bin/rake bundler:audit
+    - bin/rake yarn:audit
+    - gem install cyclonedx-ruby
+    - cyclonedx-ruby -p . -o ruby_bom.xml
+  artifacts:
+    expose_as: "Ruby SBOM"
+    paths:
+      - ruby_bom.xml
+
+rspec:
+  stage: test
+  extends: .setup-project
+  script:
+    - bundle exec rspec
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+pa11y_scan:
+  stage: test
+  extends: .run-server
+  script:
+    - !reference [.install-puppet-deps]
+    - yarn run pa11y-ci -c pa11yci.js
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+owasp_scan:
+  extends: .owasp:setup
+  script:
+    - /zap/zap-baseline.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+owasp_daily_scan:
+  extends: .owasp:setup
+  script:
+    - /zap/zap-full-scan.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+
+terraform:fmt:
+  stage: test
+  extends: .terraform:setup
+  script:
+    - terraform fmt -check -recursive .
+
+terraform:validate:
+  stage: test
+  extends: .terraform:setup
+  script:
+    - terraform validate
+
+terraform:assets:staging:
+  extends: .assets:builder
+  cache:
+    - !reference [.cache-dependencies, cache]
+    - key: staging-assets
+      unprotect: true
+      paths:
+        - public/assets
+        - app/assets/builds
+      policy: $CACHE_POLICY
+  variables:
+    RAILS_ENV: staging
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      variables:
+        CACHE_POLICY: pull-push
+    - variables:
+        CACHE_POLICY: pull
+<% if terraform_manage_spaces? %>
+terraform:assets:production:
+  extends: .assets:builder
+  cache:
+    - !reference [.cache-dependencies, cache]
+    - key: production-assets
+      paths:
+        - public/assets
+        - app/assets/builds
+      policy: $CACHE_POLICY
+  variables:
+    RAILS_ENV: production
+  rules:
+    - if: $CI_COMMIT_BRANCH == "production"
+      variables:
+        CACHE_POLICY: pull-push
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+      variables:
+        CACHE_POLICY: pull
+<% end %>
+terraform:plan:staging:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:staging
+  needs: ["terraform:assets:staging"]
+  script:
+    - apk add zip
+    - terraform plan -out=staging_plan.out -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
+  artifacts:
+    paths:
+      - terraform/staging_plan.out
+      - terraform/dist
+
+terraform:apply:staging:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:staging
+  needs:
+    - terraform:plan:staging
+    - terraform:assets:staging
+  script:
+    - apk add zip
+    - terraform apply -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME staging_plan.out
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+<% if terraform_manage_spaces? %>
+terraform:plan:production:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:production
+  needs: ["terraform:assets:production"]
+  script:
+    - apk add zip
+    - terraform plan -out=production_plan.out -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
+  artifacts:
+    paths:
+      - terraform/production_plan.out
+      - terraform/dist
+
+terraform:apply:production:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:production
+  needs:
+    - terraform:plan:production
+    - terraform:assets:production
+  script:
+    - apk add zip
+    - terraform apply -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME production_plan.out
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == "production"
+      when: manual<% end %>

data/lib/generators/rails_template18f/i18n_js/i18n_js_generator.rb

@@ -34,7 +34,7 @@ module RailsTemplate18f
       def configure_asset_pipeline
         copy_file "lib/tasks/i18n.rake"
         copy_file "config/initializers/i18n_js.rb"
-        copy_file "app/javascript/i18n.js"
+        copy_file "app/javascript/i18n/index.js"
       end
 
       def ignore_generated_file
@@ -42,7 +42,7 @@ module RailsTemplate18f
           append_to_file ".gitignore", <<~EOM
 
             # Generated by i18n-js
-            /app/javascript/generated
+            /app/javascript/i18n/translations.json
           EOM
         end
       end

data/lib/generators/rails_template18f/i18n_js/templates/app/javascript/{i18n.js → i18n/index.js}

@@ -1,5 +1,5 @@
 import { I18n } from 'i18n-js';
-import translations from './generated/translations.json';
+import translations from './translations.json';
 
 const userLocale = document.documentElement.lang;
 

data/lib/generators/rails_template18f/i18n_js/templates/config/i18n-js.yml

@@ -1,4 +1,4 @@
 translations:
-  - file: "app/javascript/generated/translations.json"
+  - file: "app/javascript/i18n/translations.json"
     patterns:
       - "*.js.*"

data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb

@@ -24,7 +24,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("newrelic_rpm")
-        gem "newrelic_rpm", "~> 9.12"
+        gem "newrelic_rpm", "~> 9.16"
         bundle_install
       end
 
@@ -33,7 +33,9 @@ module RailsTemplate18f
       end
 
       def update_cloud_gov_manifest
-        insert_into_file "manifest.yml", "    NEW_RELIC_LOG: stdout\n", before: /^\s+processes:/
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "environment = {\n"
+    NEW_RELIC_LOG = "stdout"
+EOT
       end
 
       def update_readme

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb

@@ -22,44 +22,38 @@ module RailsTemplate18f
       end
 
       def use_terraform_module
-        append_to_file file_path("terraform/staging/main.tf"), terraform_module
-        append_to_file file_path("terraform/production/main.tf"), terraform_module
+        append_to_file file_path("terraform/main.tf"), terraform_module
+        append_to_file file_path("terraform/variables.tf"), <<~EOT
+          variable "egress_allowlist" {
+            type        = set(string)
+            default     = []
+            description = "The set of hostnames that the application is allowed to connect to"
+          }
+        EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "environment = {\n"
+    no_proxy                 = "apps.internal,s3-fips.us-gov-west-1.amazonaws.com"
+EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "service_bindings = [\n"
+    { service_instance = "egress-proxy-${var.env}-credentials" },
+EOT
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "depends_on = [\n"
+    cloudfoundry_service_instance.egress_proxy_credentials,
+EOT
       end
 
-      def add_to_deploy_steps
-        if file_exists?(".github/workflows/deploy-staging.yml")
-          insert_into_file ".github/workflows/deploy-staging.yml", <<EOD, before: "      - name: Deploy app"
-      - name: Set public egress
-        uses: cloud-gov/cg-cli-tools@main
-        with:
-          cf_username: ${{ secrets.CF_USERNAME }}
-          cf_password: ${{ secrets.CF_PASSWORD }}
-          cf_org: #{cloud_gov_organization}
-          cf_space: #{cloud_gov_staging_space}-egress
-          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
-EOD
-        end
-        if file_exists?(".github/workflows/deploy-production.yml")
-          insert_into_file ".github/workflows/deploy-production.yml", <<EOD, before: "      - name: Deploy app"
-      - name: Set public egress
-        uses: cloud-gov/cg-cli-tools@main
-        with:
-          cf_username: ${{ secrets.CF_USERNAME }}
-          cf_password: ${{ secrets.CF_PASSWORD }}
-          cf_org: #{cloud_gov_organization}
-          cf_space: #{cloud_gov_production_space}-egress
-          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
-EOD
-        end
-        if file_exists?(".circleci/config.yml")
-          insert_into_file ".circleci/config.yml", <<EOD, before: "          name: Push application with deployment vars"
-          name: Set public egress
-          command: |
-            cf bind-security-group public_networks_egress << parameters.cloudgov_org >> \
-              --space << parameters.cloudgov_space >>-egress
-        - run:
-EOD
-        end
+      def setup_proxy_vars
+        create_file ".profile", <<~EOP unless file_exists?(".profile")
+          ##
+          # Cloud Foundry app initialization script
+          # https://docs.cloudfoundry.org/devguide/deploy-apps/deploy-app.html#profile
+          ##
+
+        EOP
+        insert_into_file ".profile", <<~EOP
+          proxy_creds=$(echo "$VCAP_SERVICES" | jq --arg service_name "egress-proxy-$RAILS_ENV-credentials" '.[][] | select(.name == $service_name) | .credentials')
+          export http_proxy=$(echo "$proxy_creds" | jq --raw-output ".http_uri")
+          export https_proxy=$(echo "$proxy_creds" | jq --raw-output ".https_uri")
+        EOP
       end
 
       def update_readme
@@ -94,9 +88,10 @@ EOB
             ### Public Egress Proxy
 
             Traffic to be delivered to the public internet must be proxied through the [cg-egress-proxy](https://github.com/GSA-TTS/cg-egress-proxy) app. Hostnames that the app should be able to
-            reach should be added to the `allowlist` terraform configuration in `terraform/staging/main.tf` and `terraform/production/main.tf`
+            reach should be added to the `egress_allowlist` terraform variable in `terraform/production.tfvars` and `terraform/staging.tfvars`
 
             See the [ruby troubleshooting doc](https://github.com/GSA-TTS/cg-egress-proxy/blob/main/docs/ruby.md) first if you have any problems making outbound connections through the proxy.
+
           README
         end
 
@@ -104,30 +99,51 @@ EOB
           <<~EOT
 
             module "egress_space" {
-              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
-
-              cf_org_name   = local.cf_org_name
-              cf_space_name = "${local.cf_space_name}-egress"
-              # deployers should include any user or service account ID that will deploy the egress proxy
-              deployers = [
-                var.cf_user
-              ]
+              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
+
+              cf_org_name          = local.cf_org_name
+              cf_space_name        = "${var.cf_space_name}-egress"
+              allow_ssh            = var.allow_space_ssh
+              deployers            = local.space_deployers
+              developers           = var.space_developers
+              auditors             = var.space_auditors
+              security_group_names = ["public_networks_egress"]
             }
 
             module "egress_proxy" {
-              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v1.1.0"
-
-              cf_org_name   = local.cf_org_name
-              cf_space_name = module.egress_space.space_name
-              client_space  = local.cf_space_name
-              name          = "egress-proxy-${local.env}"
-              # comment out allowlist if this module is being deployed before the app has ever been deployed
-              allowlist = {
-                "${local.app_name}-${local.env}" = []
-              }
+              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v2.3.0"
+
+              cf_org_name     = local.cf_org_name
+              cf_egress_space = module.egress_space.space
+              name            = "egress-proxy-${var.env}"
+              allowlist       = var.egress_allowlist
               # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
               depends_on = [module.app_space, module.egress_space]
             }
+
+            resource "cloudfoundry_network_policy" "egress_routing" {
+              policies = [
+                {
+                  source_app      = cloudfoundry_app.app.id
+                  destination_app = module.egress_proxy.app_id
+                  port            = module.egress_proxy.https_port
+                },
+                {
+                  source_app      = cloudfoundry_app.app.id
+                  destination_app = module.egress_proxy.app_id
+                  port            = module.egress_proxy.http_port
+                }
+              ]
+            }
+
+            resource "cloudfoundry_service_instance" "egress_proxy_credentials" {
+              name        = "egress-proxy-${var.env}-credentials"
+              space       = module.app_space.space_id
+              type        = "user-provided"
+              credentials = module.egress_proxy.json_credentials
+              # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+              depends_on = [module.app_space]
+            }
           EOT
         end
       end

data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb

@@ -29,23 +29,14 @@ module RailsTemplate18f
 
       def configure_server_runner
         append_to_file "Procfile.dev", "worker: bundle exec sidekiq\n"
-        insert_into_file "manifest.yml", indent(<<~EOYAML), after: /processes:$\n/
-          - type: worker
-            instances: ((worker_instances))
-            memory: ((worker_memory))
-            command: bundle exec sidekiq
-        EOYAML
-        insert_into_file "manifest.yml", "\n  - #{app_name}-redis-((env))", after: "services:"
-        inside "config/deployment" do
-          append_to_file "staging.yml", <<~EOYAML
-            worker_instances: 1
-            worker_memory: 256M
-          EOYAML
-          append_to_file "production.yml", <<~EOYAML
-            worker_instances: 1
-            worker_memory: 512M
-          EOYAML
-        end
+        insert_into_file file_path("terraform/app.tf"), <<EOT, after: "processes = [\n"
+    {
+      type      = "worker"
+      instances = var.worker_instances
+      memory    = var.worker_memory
+      command   = "bundle exec sidekiq"
+    },
+EOT
       end
 
       def configure_active_job

data/lib/generators/rails_template18f/terraform/templates/full_bootstrap/imports.tf.tftpl

@@ -0,0 +1,25 @@
+# This file takes care of importing bootstrap
+# resources onto a new developer's machine if needed
+# import happens automatically on a normal ./apply.sh run
+
+%{ for resource_name, id in import_map ~}
+import {
+  to = ${resource_name}
+  id = "${id}"
+}
+%{ endfor ~}
+
+locals {
+  developer_import_map = "${replace(jsonencode(developer_map), "\"", "\\\"")}"
+  manager_import_map   = "${replace(jsonencode(manager_map), "\"", "\\\"")}"
+}
+import {
+  for_each = jsondecode(local.developer_import_map)
+  to       = module.mgmt_space.cloudfoundry_space_role.developers[each.key]
+  id       = each.value
+}
+import {
+  for_each = jsondecode(local.manager_import_map)
+  to       = module.mgmt_space.cloudfoundry_space_role.managers[each.key]
+  id       = each.value
+}

data/lib/generators/rails_template18f/terraform/templates/full_bootstrap/main.tf.tt

@@ -0,0 +1,159 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "1.2.0"
+    }
+  }
+}
+# empty config will let terraform borrow cf-cli's auth
+provider "cloudfoundry" {}
+
+variable "terraform_users" {
+  type        = set(string)
+  description = "The list of developer emails and service account usernames who should be granted access to retrieve state bucket credentials"
+
+  validation {
+    condition     = length(var.terraform_users) > 0
+    error_message = "terraform_users must include at least the current user calling apply.sh"
+  }
+}
+variable "mgmt_space_name" {
+  type        = string
+  default     = "<%= cloud_gov_production_space %>-mgmt"
+  description = "The name of the mgmt space"
+}
+variable "create_bot_secrets_file" {
+  type        = bool
+  default     = false
+  description = "Flag whether to create secrets.cicd.tfvars file"
+}
+
+locals {
+  org_name = "<%= cloud_gov_organization %>"
+  # s3_plan_name should be basic when holding production data, though basic-sandbox will make early iterations easier
+  s3_plan_name = "basic"
+}
+module "mgmt_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
+
+  cf_org_name   = local.org_name
+  cf_space_name = var.mgmt_space_name
+  developers    = var.terraform_users
+}
+
+module "s3" {
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.3.0"
+
+  cf_space_id  = module.mgmt_space.space_id
+  name         = "<%= app_name %>-terraform-state"
+  s3_plan_name = local.s3_plan_name
+  depends_on   = [module.mgmt_space]
+}
+
+data "cloudfoundry_service_plans" "cg_service_account" {
+  name                  = "space-deployer"
+  service_offering_name = "cloud-gov-service-account"
+}
+locals {
+  sa_service_name    = "<%= app_name %>-cicd-deployer"
+  sa_key_name        = "cicd-deployer-access-key"
+  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
+  sa_cf_password     = local.sa_bot_credentials.password
+}
+resource "cloudfoundry_service_instance" "runner_service_account" {
+  name         = local.sa_service_name
+  type         = "managed"
+  space        = module.mgmt_space.space_id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+  depends_on   = [module.mgmt_space]
+}
+resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
+}
+data "cloudfoundry_org" "org" {
+  name = local.org_name
+}
+data "cloudfoundry_user" "sa_user" {
+  name = local.sa_cf_username
+}
+resource "cloudfoundry_org_role" "sa_org_manager" {
+  user = data.cloudfoundry_user.sa_user.users.0.id
+  type = "organization_manager"
+  org  = data.cloudfoundry_org.org.id
+}
+
+locals {
+  bucket_creds_key_name = "backend-state-bucket-creds"
+}
+resource "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
+}
+
+locals {
+  import_map = {
+    "module.mgmt_space.cloudfoundry_space.space"            = module.mgmt_space.space_id
+    "module.s3.cloudfoundry_service_instance.bucket"        = module.s3.bucket_id
+    "cloudfoundry_service_credential_binding.bucket_creds"  = cloudfoundry_service_credential_binding.bucket_creds.id
+    "cloudfoundry_service_instance.runner_service_account"  = cloudfoundry_service_instance.runner_service_account.id
+    "cloudfoundry_service_credential_binding.runner_sa_key" = cloudfoundry_service_credential_binding.runner_sa_key.id
+    "cloudfoundry_org_role.sa_org_manager"                  = cloudfoundry_org_role.sa_org_manager.id
+  }
+
+  recreate_state_template = templatefile("${path.module}/templates/imports.tf.tftpl", {
+    import_map    = local.import_map,
+    developer_map = { for username, id in module.mgmt_space.developer_role_ids : username => id },
+    manager_map   = { for username, id in module.mgmt_space.manager_role_ids : username => id }
+  })
+}
+resource "local_file" "recreate_script" {
+  content         = local.recreate_state_template
+  filename        = "${path.module}/imports.tf"
+  file_permission = "0644"
+}
+
+locals {
+  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
+}
+resource "local_sensitive_file" "bucket_creds" {
+  content         = local.backend_config
+  filename        = "${path.module}/../secrets.backend.tfvars"
+  file_permission = "0600"
+}
+
+resource "local_sensitive_file" "bot_secrets_file" {
+  count           = (var.create_bot_secrets_file ? 1 : 0)
+  filename        = "${path.module}/../secrets.cicd.tfvars"
+  file_permission = "0600"
+
+  content = templatefile("${path.module}/templates/bot_secrets.tftpl", {
+    service_name = local.sa_service_name,
+    key_name     = local.sa_key_name,
+    username     = local.sa_cf_username,
+    password     = local.sa_cf_password
+  })
+}
+
+output "mgmt_space_id" {
+  value = module.mgmt_space.space_id
+}
+output "mgmt_org_id" {
+  value = data.cloudfoundry_org.org.id
+}

data/lib/generators/rails_template18f/terraform/templates/sandbox_bootstrap/imports.tf.tftpl

@@ -0,0 +1,10 @@
+# This file takes care of importing bootstrap
+# resources onto a new developer's machine if needed
+# import happens automatically on a normal ./apply.sh run
+
+%{ for resource_name, id in import_map ~}
+import {
+  to = ${resource_name}
+  id = "${id}"
+}
+%{ endfor ~}