rails_template_18f 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3286e663d05b9b712a5b1f3fa2aa1403016f0822be9fd26d0999200701dab318
-  data.tar.gz: 04e5124a24452f747270e42aaa1b5455de3b0ce4362ff455e94554984214473e
+  metadata.gz: c98e855c8844d55ba478f2fe9a0bac27cea41e417e7f76b2be22f97c5363963c
+  data.tar.gz: 5eeb6079ee3d68350ee473aec5156fd54f2f47d837a1230ac62080b223960220
 SHA512:
-  metadata.gz: 954b939ea264b5200c01e8122da1001e0c099f072b370de98926ce9dcaef154a6e00568353a4fff191addfaf1cd7cc4f85549454c6984b29ff9c537af8207f17
-  data.tar.gz: c85daa74d0ca528fbbe4a3d260a720206194635a12c6a73fde878e19384870a601e78f789b513c43bfd57c4290ef6e6f85bcb409717ad646628ca1966318e09b
+  metadata.gz: 24df2ba12417ab9754e851406fc9c77b21c23b21206f7760dd0ba23d0793f25b3fad5c8a57fbf2c5f9743cb8e0edd2bbe6a89b4f8603342f9ec893f3a28bdb34
+  data.tar.gz: 681823d0918b7ddacde8372051d85f8636954b92aa97467655b89e7d5ac3580768b31d1b7e12d27cd8d2a296c92769ae065b578dbb1b143aa8dbb15e9927fcde

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 ## [Unreleased]
 
+## [2.1.0] - 2025-04-29
+
+- Terraform generator updates to remove the old cloudfoundy-community provider and reduce the need for cloud.gov service accounts
+- New GitLab CI generator for use with DevTools GitLab
+
 ## [2.0.0] - 2025-01-16
 
 - Default new apps to Rails 8, including support for thruster proxy

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (2.0.0)
+    rails_template_18f (2.1.0)
       activesupport (~> 8.0.1)
       colorize (~> 1.1)
       railties (~> 8.0.1)
@@ -71,11 +71,11 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     minitest (5.25.4)
-    nokogiri (1.18.0-arm64-darwin)
+    nokogiri (1.18.8-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.0-x86_64-darwin)
+    nokogiri (1.18.8-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.0-x86_64-linux-gnu)
+    nokogiri (1.18.8-x86_64-linux-gnu)
       racc (~> 1.4)
     parallel (1.26.3)
     parser (3.3.6.0)
@@ -85,7 +85,7 @@ GEM
       date
       stringio
     racc (1.8.1)
-    rack (3.1.8)
+    rack (3.1.12)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.2.0)
@@ -171,7 +171,7 @@ GEM
     unicode-display_width (3.1.3)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
-    uri (1.0.2)
+    uri (1.0.3)
     useragent (0.16.11)
     zeitwerk (2.7.1)
 

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -314,13 +314,15 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/plan:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           out: staging.out
           var_file: staging.tfvars
           var: >-
             rails_master_key="$RAILS_MASTER_KEY",
             cf_user="$CF_USERNAME",
-            cf_password="$CF_PASSWORD"
       - persist_to_workspace:
           root: .
           paths:
@@ -332,6 +334,9 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/apply:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           plan: staging.out<% if terraform_manage_spaces? %>
 
@@ -358,13 +363,15 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/plan:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           out: production.out
           var_file: production.tfvars
           var: >-
             rails_master_key="$PRODUCTION_RAILS_MASTER_KEY",
             cf_user="$CF_USERNAME",
-            cf_password="$CF_PASSWORD"
       - persist_to_workspace:
           root: .
           paths:
@@ -376,6 +383,9 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/apply:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           plan: production.out<% end %>
 

data/lib/generators/rails_template18f/cloud_gov_config/templates/app/models/cloud_gov_config.rb

@@ -10,6 +10,14 @@ class CloudGovConfig
   end
 
   def self.vcap_services
-    @vcap_services ||= JSON.parse(ENV[ENV_VARIABLE]).with_indifferent_access
+    if Rails.env.test?
+      parse_env
+    else
+      @vcap_services ||= parse_env
+    end
+  end
+
+  private_class_method def self.parse_env
+    JSON.parse(ENV[ENV_VARIABLE]).with_indifferent_access
   end
 end

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml

@@ -47,8 +47,10 @@ jobs:
       - name: Terraform apply
         uses: dflook/terraform-apply@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml

@@ -47,8 +47,10 @@ jobs:
       - name: Terraform apply
         uses: dflook/terraform-apply@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml

@@ -57,8 +57,10 @@ jobs:
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml

@@ -57,8 +57,10 @@ jobs:
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/gitlab_ci/gitlab_ci_generator.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module RailsTemplate18f
+  module Generators
+    class GitlabCiGenerator < ::Rails::Generators::Base
+      include Base
+      include CloudGovOptions
+
+      class_option :node_version, desc: "Node version to test against in actions"
+      class_option :postgres_version, default: "15", desc: "PostgreSQL version "
+
+      desc <<~DESC
+        Description:
+          Install GitLab CI workflow files
+      DESC
+
+      def install_actions
+        template "gitlab-ci.yml", ".gitlab-ci.yml"
+        directory "gitlab", ".gitlab"
+      end
+
+      def update_readme
+        if file_content("README.md").match?(/^## CI\/CD$/)
+          insert_into_file "README.md", readme_cicd, after: "## CI/CD\n"
+          insert_into_file "README.md", readme_staging_deploy, after: "#### Staging\n"
+          insert_into_file "README.md", readme_prod_deploy, after: "#### Production\n"
+          insert_into_file "README.md", readme_credentials, after: "#### Credentials and other Secrets\n"
+        else
+          append_to_file "README.md", <<~EOM
+            ## CI/CD
+            #{readme_cicd}
+
+            ### Deployment
+
+            #### Staging
+            #{readme_staging_deploy}
+
+            #### Production
+            #{readme_prod_deploy}
+
+            #### Credentials and other Secrets
+            #{readme_credentials}
+          EOM
+        end
+      end
+
+      def update_boundary_diagram
+        boundary_filename = "doc/compliance/apps/application.boundary.md"
+        insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
+    System_Ext(gitlabci, "GitLab w/ DevTools Runner", "GSA-controlled code repository and Continuous Integration Service")
+EOB
+        insert_into_file boundary_filename, <<~EOB, before: "@enduml"
+          Rel(developer, gitlabci, "Publish code", "git ssh (22)")
+          Rel(gitlabci, cg_api, "Deploy App", "Auth: SpaceDeployer Service Account, https (443)")
+        EOB
+      end
+
+      no_tasks do
+        def readme_cicd
+          <<~EOM
+
+            GitLab CI is used to run all tests and scans as part of pull requests.
+
+            Security scans are also run on a scheduled basis. DEVELOPER TODO: create a pipeline schedule in the GitLab UI and update this sentence with the cadence.
+          EOM
+        end
+
+        def readme_staging_deploy
+          <<~EOM
+
+            Deploys to staging happen via terraform on every push to the `main` branch in GitLab.
+
+            The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+
+            | Secret Name | Description |
+            | ----------- | ----------- |
+            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+            | `RAILS_MASTER_KEY` | `config/master.key` |
+            #{terraform_secret_values}
+          EOM
+        end
+
+        def readme_prod_deploy
+          if terraform_manage_spaces?
+            <<~EOM
+
+              Deploys to production happen via terraform on every push to the `production` branch in GitLab.
+
+              The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+
+              | Secret Name | Description |
+              | ----------- | ----------- |
+              | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+              | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+              | `PRODUCTION_RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
+              #{terraform_secret_values}
+            EOM
+          else
+            "Production deploys are not supported in the sandbox organization."
+          end
+        end
+
+        def readme_credentials
+          <<~EOM
+
+            1. Store variables that must be secret using masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/) in GitLab
+            1. Add the appropriate `-var` arguments to the `terraform:plan:<env>` and `terraform:apply:<env>` jobs like the existing `-var rails_master_key=`
+          EOM
+        end
+      end
+
+      private
+
+      def terraform_secret_values
+        <<~EOM
+          | `TERRAFORM_PUBLIC_BACKEND_CONFIG` | File-type variable containing all entries from secrets.backend.tfvars _except_ `secret_key`. Marked as `Visible` |
+          | `TERRAFORM_SECRET_BACKEND_CONFIG` | File-type variable containing the `secret_key` line from secrets.backend.tfvars. Masked and hidden. |
+        EOM
+      end
+
+      def postgres_version
+        options[:postgres_version]
+      end
+
+      def node_version
+        if options[:node_version].present?
+          options[:node_version]
+        elsif File.exist?(nvmrc_path)
+          File.read(nvmrc_path).strip
+        else
+          "20.16"
+        end
+      end
+
+      def node_major
+        node_version.split(".").first
+      end
+
+      def nvmrc_path
+        @nvmrc_path ||= File.expand_path(".nvmrc", destination_root)
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/node.yml.tt

@@ -0,0 +1,11 @@
+.setup-node:
+  - curl -fsSL https://deb.nodesource.com/setup_<%= node_major %>.x -o nodesource_setup.sh
+  - bash nodesource_setup.sh
+  - apt-get install -y nodejs
+  - npm install --global yarn
+
+.yarn-install:
+  - PUPPETEER_SKIP_DOWNLOAD=true yarn install --frozen-lockfile --no-progress
+
+.install-puppet-deps:
+  - apt-get update && apt-get install -y chromium

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/rails.yml

@@ -0,0 +1,75 @@
+include:
+  - local: ".gitlab/ruby.yml"
+  - local: ".gitlab/node.yml"
+
+# Cache Helpers
+.cache-dependencies:
+  variables:
+    WORKER_MEMORY: 2G
+  cache:
+    key:
+      files:
+        - Gemfile.lock
+        - yarn.lock
+      prefix: dependencies
+    paths:
+      - vendor/ruby
+      - node_modules/
+    policy: pull
+
+# Language Helpers
+.setup-languages:
+  before_script:
+    - !reference [.setup-ruby]
+    - !reference [.setup-node]
+
+# Project Helpers
+.setup-project:
+  services:
+    - name: "postgres:${POSTGRES_VERSION}"
+      alias: pg
+  before_script:
+    - !reference [.setup-ruby]
+    - export DATABASE_URL="postgres://postgres:${POSTGRES_PASSWORD}@${CI_SERVICE_pg}:5432/${POSTGRES_DB}"
+    - bin/rails db:prepare
+
+.run-server:
+  extends: .setup-project
+  dependencies: []
+  variables:
+    RAILS_ENV: ci
+    SECRET_KEY_BASE_DUMMY: 1
+  before_script:
+    - !reference [.setup-node]
+    - !reference [.setup-project, before_script]
+    - bin/rake assets:precompile
+    - PORT=3000 bin/rails server > /dev/null 2>&1 &
+    - sleep 5
+
+.owasp:setup:
+  stage: test
+  extends: .run-server
+  image: "rcahearngsa/owasp-ruby:${RUBY_VERSION}"
+  variables:
+    WORKER_MEMORY: 3G
+    WORKER_DISK: 6G
+  before_script:
+    - !reference [.run-server, before_script]
+    - ln -s $PWD /zap/wrk
+  artifacts:
+    expose_as: "OWASP Report"
+    paths:
+      - zap_report.html
+
+.assets:builder:
+  stage: deploy
+  extends: .setup-languages
+  dependencies: []
+  variables:
+    SECRET_KEY_BASE_DUMMY: 1
+  script:
+    - bin/rake assets:precompile
+    - bin/rake assets:clean
+  artifacts:
+    paths:
+      - public/assets

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/ruby.yml

@@ -0,0 +1,7 @@
+.setup-ruby:
+  - export PATH=$PATH:/usr/local/bundle/bin
+  - bundle config set --local path 'vendor/ruby'
+  - bundle config set --local deployment true
+
+.bundle-install:
+  - bundle install

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/terraform.yml

@@ -0,0 +1,28 @@
+# Shared setup helpers for terraform jobs
+.terraform:setup:
+  stage: deploy
+  inherit:
+    default: false
+  image:
+    name: "hashicorp/terraform"
+    entrypoint: ["sh"]
+  variables:
+    CF_API_URL: https://api.fr.cloud.gov
+    TERRAFORM_BACKEND_KEY: terraform.tfstate.staging
+  dependencies: []
+  before_script:
+    - cd terraform
+    - terraform init -backend-config=$TERRAFORM_PUBLIC_BACKEND_CONFIG -backend-config=$TERRAFORM_SECRET_BACKEND_CONFIG -backend-config="key=$TERRAFORM_BACKEND_KEY"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+.terraform:variables:staging:
+  dependencies: null
+  variables:
+    CF_USER: $CF_USERNAME
+
+.terraform:variables:production:
+  dependencies: null
+  variables:
+    CF_USER: $CF_USERNAME
+    TERRAFORM_BACKEND_KEY: terraform.tfstate.production

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab-ci.yml.tt

@@ -0,0 +1,212 @@
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH == "production"
+
+stages:
+  - build
+  - test
+  - deploy
+
+variables:
+  POSTGRES_DB: <%= app_name %>_test
+  POSTGRES_PASSWORD: not-actually-secret
+  POSTGRES_VERSION: <%= postgres_version %>
+  RUBY_VERSION: <%= RUBY_VERSION %>
+
+include:
+  - local: ".gitlab/ruby.yml"
+  - local: ".gitlab/node.yml"
+  - local: ".gitlab/rails.yml"
+  - local: ".gitlab/terraform.yml"
+
+default:
+  image: "ruby:${RUBY_VERSION}"
+  before_script:
+    - !reference [.setup-ruby]
+  cache:
+    - !reference [.cache-dependencies, cache]
+
+build-project:
+  stage: build
+  extends: [.cache-dependencies, .setup-languages]
+  cache:
+    policy: pull-push
+  script:
+    - !reference [.bundle-install]
+    - !reference [.yarn-install]
+    - bin/rake assets:precompile
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - app/assets/builds
+      - public/assets
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+brakeman-scan:
+  stage: test
+  script:
+    - bin/brakeman --no-pager --ensure-ignore-notes -f sarif -o output.sarif.json
+  artifacts:
+    when: always
+    expose_as: "Brakeman results"
+    paths:
+      - output.sarif.json
+
+dependency_scanning:
+  stage: test
+  extends: .setup-languages
+  script:
+    - bin/rake bundler:audit
+    - bin/rake yarn:audit
+    - gem install cyclonedx-ruby
+    - cyclonedx-ruby -p . -o ruby_bom.xml
+  artifacts:
+    expose_as: "Ruby SBOM"
+    paths:
+      - ruby_bom.xml
+
+rspec:
+  stage: test
+  extends: .setup-project
+  script:
+    - bundle exec rspec
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+pa11y_scan:
+  stage: test
+  extends: .run-server
+  script:
+    - !reference [.install-puppet-deps]
+    - yarn run pa11y-ci -c pa11yci.js
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+owasp_scan:
+  extends: .owasp:setup
+  script:
+    - /zap/zap-baseline.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+owasp_daily_scan:
+  extends: .owasp:setup
+  script:
+    - /zap/zap-full-scan.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+
+terraform:fmt:
+  stage: test
+  extends: .terraform:setup
+  script:
+    - terraform fmt -check -recursive .
+
+terraform:validate:
+  stage: test
+  extends: .terraform:setup
+  script:
+    - terraform validate
+
+terraform:assets:staging:
+  extends: .assets:builder
+  cache:
+    - !reference [.cache-dependencies, cache]
+    - key: staging-assets
+      unprotect: true
+      paths:
+        - public/assets
+        - app/assets/builds
+      policy: $CACHE_POLICY
+  variables:
+    RAILS_ENV: staging
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      variables:
+        CACHE_POLICY: pull-push
+    - variables:
+        CACHE_POLICY: pull
+<% if terraform_manage_spaces? %>
+terraform:assets:production:
+  extends: .assets:builder
+  cache:
+    - !reference [.cache-dependencies, cache]
+    - key: production-assets
+      paths:
+        - public/assets
+        - app/assets/builds
+      policy: $CACHE_POLICY
+  variables:
+    RAILS_ENV: production
+  rules:
+    - if: $CI_COMMIT_BRANCH == "production"
+      variables:
+        CACHE_POLICY: pull-push
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+      variables:
+        CACHE_POLICY: pull
+<% end %>
+terraform:plan:staging:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:staging
+  needs: ["terraform:assets:staging"]
+  script:
+    - apk add zip
+    - terraform plan -out=staging_plan.out -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
+  artifacts:
+    paths:
+      - terraform/staging_plan.out
+      - terraform/dist
+
+terraform:apply:staging:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:staging
+  needs:
+    - terraform:plan:staging
+    - terraform:assets:staging
+  script:
+    - apk add zip
+    - terraform apply -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME staging_plan.out
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+<% if terraform_manage_spaces? %>
+terraform:plan:production:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:production
+  needs: ["terraform:assets:production"]
+  script:
+    - apk add zip
+    - terraform plan -out=production_plan.out -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
+  artifacts:
+    paths:
+      - terraform/production_plan.out
+      - terraform/dist
+
+terraform:apply:production:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:production
+  needs:
+    - terraform:plan:production
+    - terraform:assets:production
+  script:
+    - apk add zip
+    - terraform apply -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME production_plan.out
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == "production"
+      when: manual<% end %>