rails_template_18f 1.3.0 → 2.1.0

data/lib/generators/rails_template18f/terraform/templates/sandbox_bootstrap/main.tf.tt

@@ -0,0 +1,117 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "1.2.0"
+    }
+  }
+}
+# empty config will let terraform borrow cf-cli's auth
+provider "cloudfoundry" {}
+
+variable "create_bot_secrets_file" {
+  type        = bool
+  default     = false
+  description = "Flag whether to create secrets.cicd.tfvars file"
+}
+
+locals {
+  org_name      = "<%= cloud_gov_organization %>"
+  cf_space_name = "<%= cloud_gov_staging_space %>"
+}
+
+data "cloudfoundry_org" "org" {
+  name = local.org_name
+}
+data "cloudfoundry_space" "space" {
+  name = local.cf_space_name
+  org  = data.cloudfoundry_org.org.id
+}
+
+module "s3" {
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.3.0"
+
+  cf_space_id  = data.cloudfoundry_space.space.id
+  name         = "<%= app_name %>-terraform-state"
+  s3_plan_name = "basic-sandbox"
+}
+
+data "cloudfoundry_service_plans" "cg_service_account" {
+  name                  = "space-deployer"
+  service_offering_name = "cloud-gov-service-account"
+}
+locals {
+  sa_service_name    = "<%= app_name %>-cicd-deployer"
+  sa_key_name        = "cicd-deployer-access-key"
+  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+}
+resource "cloudfoundry_service_instance" "runner_service_account" {
+  name         = local.sa_service_name
+  type         = "managed"
+  space        = data.cloudfoundry_space.space.id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+}
+resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
+}
+
+locals {
+  bucket_creds_key_name = "backend-state-bucket-creds"
+}
+resource "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "bucket_creds" {
+  name             = local.bucket_creds_key_name
+  service_instance = module.s3.bucket_id
+  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
+}
+
+locals {
+  import_map = {
+    "module.s3.cloudfoundry_service_instance.bucket"        = module.s3.bucket_id
+    "cloudfoundry_service_credential_binding.bucket_creds"  = cloudfoundry_service_credential_binding.bucket_creds.id
+    "cloudfoundry_service_instance.runner_service_account"  = cloudfoundry_service_instance.runner_service_account.id
+    "cloudfoundry_service_credential_binding.runner_sa_key" = cloudfoundry_service_credential_binding.runner_sa_key.id
+  }
+
+  recreate_state_template = templatefile("${path.module}/templates/imports.tf.tftpl", { import_map = local.import_map })
+}
+resource "local_file" "recreate_script" {
+  content         = local.recreate_state_template
+  filename        = "${path.module}/imports.tf"
+  file_permission = "0644"
+}
+
+locals {
+  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
+}
+resource "local_sensitive_file" "bucket_creds" {
+  content         = local.backend_config
+  filename        = "${path.module}/../secrets.backend.tfvars"
+  file_permission = "0600"
+}
+
+resource "local_sensitive_file" "bot_secrets_file" {
+  count           = (var.create_bot_secrets_file ? 1 : 0)
+  filename        = "${path.module}/../secrets.cicd.tfvars"
+  file_permission = "0600"
+
+  content = templatefile("${path.module}/templates/bot_secrets.tftpl", {
+    service_name = local.sa_service_name,
+    key_name     = local.sa_key_name,
+    username     = local.sa_bot_credentials.username,
+    password     = local.sa_bot_credentials.password
+  })
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -1,133 +1,107 @@
 # Terraform
 
-This directory holds the terraform modules for maintaining your complete persistent infrastructure.
+This directory holds the terraform module for maintaining the system infrastructure and deploying the application.
+<% unless terraform_manage_spaces? %>
+## READ ME FIRST
 
-Prerequisite: install the `jq` JSON processor: `brew bundle` or `brew install jq`
+Due to users not having `OrgManager` permission in the `sandbox-gsa` organization, this version of the terraform module
+is very limited.
 
-## Initial project setup
-
-These steps only need to be run once per project.
-
-1. Manually [bootstrap the state storage bucket](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time) within the `bootstrap` directory
-1. Setup CI/CD Pipeline to run Terraform
-    1. Copy bootstrap credentials to your CI/CD secrets using the instructions in the base README
-    1. Create a cloud.gov SpaceDeployer by following the instructions under `SpaceDeployers`
-    1. Copy SpaceDeployer credentials to your CI/CD secrets using the instructions in the base README
-1. Manually Running Terraform
-    1. Follow instructions under `Set up a new environment` to create your infrastructure
-
-## Initial developer setup
-
-These steps should be run for any developer that needs to start running terraform or who just moved to a new machine.
-
-They are not necessary for the developer who runs the [initial project setup](#initial-project-setup)
-
-1. Import the existing bootstrap resources to your local state with `./import.sh`
-1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
+When you are ready to move the application to a non-sandbox cloud.gov organization, please re-run the terraform generator with…
 
+```bash
+bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME>
+```
 
+…to take full advantage of the generator, and then re-run your CI generator of choice to add production terraform plan and apply steps to your workflow.
+<% end %>
 ## Terraform State Credentials
 
-The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in.
+The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in as well as
+create credentials files so developers can use that s3 bucket to create their own sandbox environments.
 
-### Bootstrapping the state storage s3 buckets for the first time
+### Initial project setup
 
-These steps are run once per project.
+These steps only need to be run once per project.
 
-1. Run `./run.sh init`
-1. Run `./run.sh apply` to set up the bucket and retrieve credentials
-1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
-1. Ensure that `import.sh` includes a line and correct IDs for any resources created
-1. Run `./teardown_creds.sh` to remove the space deployer account used to create the s3 bucket
+1. `cd bootstrap`<% if terraform_manage_spaces? %>
+1. Add any users who should have access to the terraform state bucket to `users.auto.tfvars`<% end %>
+1. Run `./apply.sh -var create_bot_secrets_file=true`
+1. Add `imports.tf` to git and commit the changes
+1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments
+    1. Copy backend credentials from `/terraform/secrets.backend.tfvars` to your CI/CD secrets using the instructions in the base README
+    1. Copy the cf_user and cf_password credentials from `/terraform/secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
+1. Delete the two secrets files
 
 ### To make changes to the bootstrap module
 
-*This should not be necessary in most cases*
+*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the state bucket in `bootstrap/users.auto.tfvars`<% end %>*
 
 1. Make your changes
-1. Run `./run.sh plan` to verify the changes are what you expect
-1. Continue from step 2 of the [boostrapping instructions](#bootstrapping-the-state-storage-s3-buckets-for-the-first-time)
+1. Run `./apply.sh` and verify the plan before entering `yes`
+1. Commit any changes to `imports.tf`
 
-### Use bootstrap credentials
+## Set up a sandbox environment or review app
 
-1. Add the following to `~/.aws/credentials`
-    ```
-    [<%= app_name %>-terraform-backend]
-    aws_access_key_id = <AWS_ACCESS_KEY_ID from run.sh output>
-    aws_secret_access_key = <AWS_SECRET_ACCESS_KEY from run.sh output>
-    ```
-
-1. Copy `BUCKET` from `run.sh` output to the backend block of `staging/providers.tf` and `production/providers.tf`
-
-## SpaceDeployers
-
-A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or
-deploy the application from the CI/CD pipeline. Create a new account by running:
-
-`../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m`
+### Pre-requisites:
 
-## Set up a new environment manually
+1. Someone on the team has run the [Initial project setup](#initial-project-setup) steps and `imports.tf` is up-to-date on your branch.
+<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %>
 
-The below steps rely on you first configuring access to the Terraform state in s3 as described in [initial project setup](#initial-project-setup) or [initial developer setup](#initial-developer-setup).
+### Steps:
 
-1. `cd` to the environment you are working in
+<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.tfvars` and editing it with your values
+1. Add a `cf_user = "your.email@agency.gov"` line to the `sandbox-<NAME>.tfvars` file<% end %>
 
-1. Set up a SpaceDeployer and save the credentials in a file named `secrets.auto.tfvars`
+1. Run terraform plan with:
     ```bash
-    # create a space deployer service instance that can log in with just a username and password
-    # the value of < SPACE_NAME > should be `staging` or `prod` depending on where you are working
-    # the value for < ACCOUNT_NAME > can be anything, although we recommend
-    # something that communicates the purpose of the deployer
-    # for example: circleci-deployer for the credentials CircleCI uses to
-    # deploy the application or <your_name>-terraform for credentials to run terraform manually
-    ../../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m > secrets.auto.tfvars
+    ./terraform.sh -e <%= terraform_manage_spaces? ? "sandbox-<NAME>" : "staging" %>
     ```
 
-    The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. Read more in the [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/).
-
-    The easiest way to use this script locally is to redirect the output directly to the `secrets.auto.tfvars` file it needs to be used in
-
-1. Run terraform from your new environment directory with
+1. Apply changes with:
     ```bash
-    terraform init -backend-config="profile=<%= app_name %>-terraform-backend"
-    terraform plan
+    ./terraform.sh -e <%= terraform_manage_spaces? ? "sandbox-<NAME>" : "staging" %> -c apply
     ```
 
-1. Apply changes with `terraform apply`.
-
-1. Remove the space deployer service instance if it doesn't need to be used again, such as when manually running terraform plan before letting CI/CD apply the changes.
+1. <%= terraform_manage_spaces? ? "Optional: tear down the sandbox if" : "Destroy the app when" %> it does not need to be used anymore
     ```bash
-    # <SPACE_NAME> and <ACCOUNT_NAME> have the same values as used above.
-    ../../bin/ops/destroy_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>
+    ./terraform.sh -e <%= terraform_manage_spaces? ? "sandbox-<NAME>" : "staging" %> -c destroy
     ```
 
 ## Structure
 
-Each environment has its own module.
-
 ```
-- bootstrap/
-  |- main.tf
-  |- providers.tf
-  |- variables.tf
-  |- run.sh
-  |- teardown_creds.sh
-  |- import.sh
-- <env>/
-  |- main.tf
-  |- providers.tf
-  |- variables.tf
+|- bootstrap/
+|  |- main.tf
+|  |- apply.sh
+|  |- imports.tf (automatically generated)
+|  |- users.auto.tfvars
+|  |- terraform.tfstate(.backup) (automatically generated)
+|  |- templates/
+|     |- backend_config.tftpl
+|     |- bot_secrets.tftpl
+|     |- imports.tf.tftpl
+|- dist/
+|  |- src.zip (automatically generated)
+|- README.md
+|- app.tf
+|- main.tf
+|- providers.tf
+|- terraform.sh
+|- variables.tf
+|- <env>.tfvars
 ```
 
-In the environment-specific modules:
-- `providers.tf` lists the required providers
-- `main.tf` calls the shared Terraform code, but this is also a place where you can add any other services, resources, etc, which you would like to set up for that environment
-- `variables.tf` lists the variables that will be needed, either to pass through to the child module or for use in this module
+In the root module:
+- `<env>.tfvars` is where to set variable values for the given environment name
+- `terraform.sh` Helper script to setup terraform to point to the correct state file, create a service account to run the root module, and apply the root module.
+- `app.tf` defines the application resource and configuration
+- `main.tf` defines the persistent infrastructure
+- `providers.tf` lists the required providers and shell backend config
+- `variables.tf` lists the variables that will be needed
 
 In the bootstrap module:
-- `providers.tf` lists the required providers
-- `main.tf` sets up s3 bucket to be shared across all environments. It lives in `prod` to communicate that it should not be deleted
-- `variables.tf` lists the variables that will be needed. Most values are hard-coded in this module
-- `run.sh` Helper script to set up a space deployer and run terraform. The terraform action (`init`/`show`/`plan`/`apply`/`destroy`) is passed as an argument
-- `teardown_creds.sh` Helper script to remove the space deployer setup as part of `run.sh`
-- `import.sh` Helper script to create a new local state file when new developers need to access the state file
+- `main.tf` sets up a management space, an s3 bucket to store terraform state files, and an initial SpaceDeployer for the system
+- `apply.sh` Helper script to either recreate the state locally or call `terraform apply` Any arguments are passed through to the `apply` call
+- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes
+- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the terraform state bucket

data/lib/generators/rails_template18f/terraform/templates/terraform/app.tf.tt

@@ -0,0 +1,57 @@
+data "archive_file" "src" {
+  type        = "zip"
+  source_dir  = "${path.module}/.."
+  output_path = "${path.module}/dist/src.zip"
+  excludes = [
+    ".git*",
+    ".circleci/*",
+    ".bundle/*",
+    "node_modules/*",
+    "tmp/**/*",
+    "terraform/*",
+    "log/*",
+    "doc/*"
+  ]
+}
+
+resource "cloudfoundry_app" "app" {
+  name       = "${local.app_name}-${var.env}"
+  space_name = var.cf_space_name
+  org_name   = local.cf_org_name
+
+  path             = data.archive_file.src.output_path
+  source_code_hash = data.archive_file.src.output_base64sha256
+  buildpacks       = ["ruby_buildpack"]
+  strategy         = "rolling"
+
+  environment = {
+    RAILS_ENV                = var.env
+    RAILS_MASTER_KEY         = var.rails_master_key
+    RAILS_LOG_TO_STDOUT      = "true"
+    RAILS_SERVE_STATIC_FILES = "true"
+  }
+
+  processes = [
+    {
+      type                       = "web"
+      instances                  = var.web_instances
+      memory                     = var.web_memory
+      health_check_http_endpoint = "/up"
+      health_check_type          = "http"
+      command                    = "./bin/rake cf:on_first_instance db:migrate && exec env HTTP_PORT=$PORT ./bin/thrust ./bin/rails server"
+    }
+  ]
+
+  service_bindings = [
+<% if has_active_job? %>    { service_instance = "${local.app_name}-redis-${var.env}" },<% end %>
+<% if has_active_storage? %>    { service_instance = "${local.app_name}-s3-${var.env}" },<% end %>
+    { service_instance = "${local.app_name}-rds-${var.env}" }
+  ]
+
+  depends_on = [
+<% if has_active_job? %>    module.redis,<% end %>
+<% if has_active_storage? %>    module.s3,<% end %>
+<% if terraform_manage_spaces? %>    module.app_space,<% end %>
+    module.database
+  ]
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/apply.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+if ! command -v terraform &> /dev/null
+then
+  echo "terraform must be installed before running this script"
+  exit 1
+fi
+
+set -e
+
+# ensure we're logged in via cli
+cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
+
+terraform init
+terraform apply "$@"

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/templates/backend_config.tftpl

@@ -0,0 +1,8 @@
+# remove this file after initializing your terraform
+# you can always regenerate it by running ./apply.sh
+# within the bootstrap module
+
+bucket     = "${creds.bucket}"
+region     = "${creds.region}"
+access_key = "${creds.access_key_id}"
+secret_key = "${creds.secret_access_key}"

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/templates/bot_secrets.tftpl

@@ -0,0 +1,5 @@
+# Generated via bootstrap module. Remove this file when finished
+# credentials for service "${service_name}"/"${key_name}"
+
+cf_user     = "${username}"
+cf_password = "${password}"

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/users.auto.tfvars

@@ -0,0 +1,5 @@
+terraform_users = [
+  # add your terraform_users list here: example values:
+  # "team.member@gsa.gov",
+  # "cf_user-guid-value-for-space-developer-service-account",
+]

data/lib/generators/rails_template18f/terraform/templates/terraform/main.tf.tt

@@ -0,0 +1,117 @@
+locals {
+  cf_org_name     = "<%= cloud_gov_organization %>"
+  app_name        = "<%= app_name %>"
+  space_deployers = setunion([var.cf_user], var.space_deployers)
+}
+<% if terraform_manage_spaces? %>
+module "app_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
+
+  cf_org_name          = local.cf_org_name
+  cf_space_name        = var.cf_space_name
+  allow_ssh            = var.allow_space_ssh
+  deployers            = local.space_deployers
+  developers           = var.space_developers
+  auditors             = var.space_auditors
+  security_group_names = ["trusted_local_networks_egress"]
+}
+<% else %>
+data "cloudfoundry_org" "org" {
+  name = local.cf_org_name
+}
+data "cloudfoundry_space" "app_space" {
+  name = var.cf_space_name
+  org  = data.cloudfoundry_org.org.id
+}
+data "cloudfoundry_security_group" "trusted_egress_security_group" {
+  name = "trusted_local_networks_egress"
+}
+resource "cloudfoundry_security_group_space_bindings" "trusted_egress_binding" {
+  security_group = data.cloudfoundry_security_group.trusted_egress_security_group.id
+  running_spaces = [data.cloudfoundry_space.app_space.id]
+}
+<% end %>
+module "database" {
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v2.3.0"
+
+  cf_space_id   = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
+  name          = "${local.app_name}-rds-${var.env}"
+  rds_plan_name = var.rds_plan_name<% if terraform_manage_spaces? %>
+  # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
+  depends_on = [module.app_space]<% end %>
+}
+<% if has_active_job? %>
+module "redis" {
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v2.3.0"
+
+  cf_space_id     = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
+  name            = "${local.app_name}-redis-${var.env}"
+  redis_plan_name = var.redis_plan_name<% if terraform_manage_spaces? %>
+  # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
+  depends_on = [module.app_space]<% end %>
+}
+<% end %><% if has_active_storage? %>
+module "s3" {
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.3.0"
+
+  cf_space_id  = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
+  name         = "${local.app_name}-s3-${var.env}"
+  s3_plan_name = var.s3_plan_name<% if terraform_manage_spaces? %>
+  # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
+  depends_on = [module.app_space]<% end %>
+}
+
+module "clamav" {
+  source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v2.3.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space_name = var.cf_space_name
+  name          = "${local.app_name}-clamapi-${var.env}"
+  clamav_image  = "ghcr.io/gsa-tts/clamav-rest/clamav:latest"
+  max_file_size = "30M"<% if terraform_manage_spaces? %>
+  # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
+  depends_on = [module.app_space]<% end %>
+}
+
+resource "cloudfoundry_network_policy" "clamav_routing" {
+  policies = [{
+    source_app      = cloudfoundry_app.app.id
+    destination_app = module.clamav.app_id
+    port            = "61443"
+  }]
+}
+<% end %>
+###########################################################################<% if terraform_manage_spaces? %>
+# Before setting var.custom_domain_name, ensure the ACME challenge record has been created:
+# See https://cloud.gov/docs/services/external-domain-service/#how-to-create-an-instance-of-this-service<% else %>
+# Before setting var.custom_domain_name, perform the following steps:
+# 1) Domain must be manually created by an OrgManager:
+#     cf create-domain var.cf_org_name var.domain_name
+# 2) ACME challenge record must be created.
+#     See https://cloud.gov/docs/services/external-domain-service/#how-to-create-an-instance-of-this-service<% end %>
+###########################################################################
+module "domain" {
+  count  = (var.custom_domain_name == null ? 0 : 1)
+  source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v2.3.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space      = <% if terraform_manage_spaces? %>module.app_space.space<% else %>data.cloudfoundry_space.app_space<% end %>
+  cdn_plan_name = "domain"
+  domain_name   = var.custom_domain_name
+  create_domain = <%= terraform_manage_spaces? ? "true" : "false" %>
+  app_ids       = [cloudfoundry_app.app.id]
+  host_name     = var.host_name<% if terraform_manage_spaces? %>
+  # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
+  depends_on = [module.app_space]<% end %>
+}
+module "app_route" {
+  count  = (var.custom_domain_name == null ? 1 : 0)
+  source = "github.com/gsa-tts/terraform-cloudgov//app_route?ref=v2.3.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space_name = var.cf_space_name
+  app_ids       = [cloudfoundry_app.app.id]
+  hostname      = coalesce(var.host_name, "${local.app_name}-${var.env}")<% if terraform_manage_spaces? %>
+  # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
+  depends_on = [module.app_space]<% end %>
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/production.tfvars.tt

@@ -0,0 +1,13 @@
+cf_space_name      = "<%= cloud_gov_production_space %>"
+env                = "production"
+rds_plan_name      = "TKTK-production-rds-plan"
+custom_domain_name = null
+host_name          = null
+web_instances      = 2
+web_memory         = "512M"
+<% if has_active_storage? %>s3_plan_name       = "basic"<% end %>
+<% if has_active_job? %>redis_plan_name    = "TKTK-production-redis-plan"<% end %>
+<% if has_active_job? %>worker_memory      = "512M"<% end %>
+space_auditors = [
+  # enter cloud.gov usernames that should have access to audit logs
+]

data/lib/generators/rails_template18f/terraform/templates/terraform/providers.tf.tt

@@ -0,0 +1,18 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "1.5.0"
+    }
+  }
+
+  backend "s3" {
+    encrypt           = true
+    use_lockfile      = true
+    use_fips_endpoint = true
+    region            = "us-gov-west-1"
+  }
+}
+
+provider "cloudfoundry" {}

data/lib/generators/rails_template18f/terraform/templates/terraform/staging.tfvars.tt

@@ -0,0 +1,8 @@
+cf_space_name   = "<%= cloud_gov_staging_space %>"
+env             = "staging"
+allow_space_ssh = true
+# host_name must be unique across cloud.gov, default is "<%= app_name %>-${var.env}"
+host_name = null
+space_developers = [
+  # enter developer emails that should have ssh access to staging
+]