rails_template_18f 2.0.0 → 2.2.0

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/terraform.yml

@@ -0,0 +1,33 @@
+# Shared setup helpers for terraform jobs
+.terraform:setup:
+  stage: deploy
+  inherit:
+    default: false
+  image:
+    name: "hashicorp/terraform"
+    entrypoint: ["sh"]
+  variables:
+    CF_API_URL: https://api.fr.cloud.gov
+    TF_STATE_NAME: staging
+    TF_HTTP_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}
+    TF_HTTP_LOCK_ADDRESS: ${TF_HTTP_ADDRESS}/lock
+    TF_HTTP_UNLOCK_ADDRESS: ${TF_HTTP_ADDRESS}/lock
+    TF_HTTP_USERNAME: gitlab-ci-token
+    TF_HTTP_PASSWORD: ${CI_JOB_TOKEN}
+  dependencies: []
+  before_script:
+    - cd terraform
+    - terraform init
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+.terraform:variables:staging:
+  dependencies: null
+  variables:
+    CF_USER: $CF_USERNAME
+
+.terraform:variables:production:
+  dependencies: null
+  variables:
+    CF_USER: $CF_USERNAME
+    TF_STATE_NAME: "production"

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab-ci.yml.tt

@@ -0,0 +1,213 @@
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_BRANCH == "production"
+
+stages:
+  - build
+  - test
+  - scan
+  - deploy
+
+variables:
+  POSTGRES_DB: <%= app_name %>_test
+  POSTGRES_PASSWORD: not-actually-secret
+  POSTGRES_VERSION: <%= postgres_version %>
+  RUBY_VERSION: <%= RUBY_VERSION %>
+
+include:
+  - local: ".gitlab/ruby.yml"
+  - local: ".gitlab/node.yml"
+  - local: ".gitlab/rails.yml"
+  - local: ".gitlab/terraform.yml"
+
+default:
+  image: "ruby:${RUBY_VERSION}"
+  before_script:
+    - !reference [.setup-ruby]
+  cache:
+    - !reference [.cache-dependencies, cache]
+
+build-project:
+  stage: build
+  extends: [.cache-dependencies, .setup-languages]
+  cache:
+    policy: pull-push
+  script:
+    - !reference [.bundle-install]
+    - !reference [.yarn-install]
+    - bin/rake assets:precompile
+  artifacts:
+    expire_in: 1 hour
+    paths:
+      - app/assets/builds
+      - public/assets
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+brakeman-scan:
+  stage: test
+  script:
+    - bin/brakeman --no-pager --ensure-ignore-notes -f sarif -o output.sarif.json
+  artifacts:
+    when: always
+    expose_as: "Brakeman results"
+    paths:
+      - output.sarif.json
+
+dependency_scanning:
+  stage: test
+  extends: .setup-languages
+  script:
+    - bin/rake bundler:audit
+    - bin/rake yarn:audit
+    - gem install cyclonedx-ruby
+    - cyclonedx-ruby -p . -o ruby_bom.xml
+  artifacts:
+    expose_as: "Ruby SBOM"
+    paths:
+      - ruby_bom.xml
+
+rspec:
+  stage: test
+  extends: .setup-project
+  script:
+    - bundle exec rspec
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+pa11y_scan:
+  stage: scan
+  extends: .run-server
+  script:
+    - !reference [.install-puppet-deps]
+    - yarn run pa11y-ci -c pa11yci.js
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+owasp_scan:
+  extends: .owasp:setup
+  script:
+    - /zap/zap-baseline.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+owasp_daily_scan:
+  extends: .owasp:setup
+  script:
+    - /zap/zap-full-scan.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+
+terraform:fmt:
+  stage: test
+  extends: .terraform:setup
+  script:
+    - terraform fmt -check -recursive .
+
+terraform:validate:
+  stage: test
+  extends: .terraform:setup
+  script:
+    - terraform validate
+
+terraform:assets:staging:
+  extends: .assets:builder
+  cache:
+    - !reference [.cache-dependencies, cache]
+    - key: staging-assets
+      unprotect: true
+      paths:
+        - public/assets
+        - app/assets/builds
+      policy: $CACHE_POLICY
+  variables:
+    RAILS_ENV: staging
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      variables:
+        CACHE_POLICY: pull-push
+    - variables:
+        CACHE_POLICY: pull
+<% if terraform_manage_spaces? %>
+terraform:assets:production:
+  extends: .assets:builder
+  cache:
+    - !reference [.cache-dependencies, cache]
+    - key: production-assets
+      paths:
+        - public/assets
+        - app/assets/builds
+      policy: $CACHE_POLICY
+  variables:
+    RAILS_ENV: production
+  rules:
+    - if: $CI_COMMIT_BRANCH == "production"
+      variables:
+        CACHE_POLICY: pull-push
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+      variables:
+        CACHE_POLICY: pull
+<% end %>
+terraform:plan:staging:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:staging
+  needs: ["terraform:assets:staging"]
+  script:
+    - apk add zip
+    - terraform plan -out=staging_plan.out -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
+  artifacts:
+    paths:
+      - terraform/staging_plan.out
+      - terraform/dist
+
+terraform:apply:staging:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:staging
+  needs:
+    - terraform:plan:staging
+    - terraform:assets:staging
+  script:
+    - apk add zip
+    - terraform apply -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME staging_plan.out
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+<% if terraform_manage_spaces? %>
+terraform:plan:production:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:production
+  needs: ["terraform:assets:production"]
+  script:
+    - apk add zip
+    - terraform plan -out=production_plan.out -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
+  artifacts:
+    paths:
+      - terraform/production_plan.out
+      - terraform/dist
+
+terraform:apply:production:
+  extends:
+    - .terraform:setup
+    - .terraform:variables:production
+  needs:
+    - terraform:plan:production
+    - terraform:assets:production
+  script:
+    - apk add zip
+    - terraform apply -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME production_plan.out
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == "production"
+      when: manual<% end %>

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -49,6 +49,16 @@ module RailsTemplate18f
         end
       end
 
+      def copy_gitlab_ci
+        if use_gitlab_ci?
+          directory "gitlab", ".gitlab"
+          if file_exists? ".gitlab-ci.yml"
+            insert_into_file ".gitlab-ci.yml", "  - local: \".gitlab/trestle.yml\"\n", after: /^include:\n/
+            insert_into_file ".gitlab-ci.yml", "  TRESTLE_VERSION: #{docker_trestle_tag}\n", after: /^variables:\n/
+          end
+        end
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -85,13 +95,17 @@ module RailsTemplate18f
         end
 
         def docker_trestle_tag
-          options[:tag].present? ? options[:tag] : "20240912"
+          options[:tag].present? ? options[:tag] : "20250603"
         end
 
         def use_github_actions?
           options[:ci] == "github" || file_exists?(".github/workflows")
         end
 
+        def use_gitlab_ci?
+          options[:ci] == "gitlab" || file_exists?(".gitlab-ci.yml")
+        end
+
         def readme_contents
           content = <<~README
 

data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt

@@ -2,8 +2,17 @@
 
 trestle_tag="<%= docker_trestle_tag %>"
 
+if [ "$1" = "-h" ]; then
+    echo """
+        Usage: $0 [-h] [CMD [CMD ARGS]]
+
+        CMD defaults to 'bash'
+    """
+    exit 0
+fi
+
 command="bash"
-if [ "$1" != "" ]; then
+if [ -n "$1" ]; then
     command=$1
     shift 1
 fi

data/lib/generators/rails_template18f/oscal/templates/gitlab/trestle.yml.tt

@@ -0,0 +1,29 @@
+.trestle:setup:
+  inherit:
+    default: false
+  image: "ghcr.io/gsa-tts/trestle:${TRESTLE_VERSION}"
+  before_script:
+    - cd doc/compliance/oscal
+    - export PATH="/app/bin:$PATH"
+
+validate_ssp:
+  extends: .trestle:setup
+  stage: test
+  script:
+    - validate-ssp-json
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+assemble_ssp:
+  extends: .trestle:setup
+  stage: deploy
+  script:
+    - trestle assemble -n <%= app_name %> system-security-plan
+    - render-ssp
+  artifacts:
+    expose_as: "<%= app_name %> SSPP"
+    paths:
+      - doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+      - doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.md
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb

@@ -41,24 +41,6 @@ EOT
 EOT
       end
 
-      def setup_terraform_provider
-        insert_into_file file_path("terraform/providers.tf"), after: "required_providers {\n" do
-          <<-EOT
-    cloudfoundry-community = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.53.1"
-    }
-          EOT
-        end
-        append_to_file file_path("terraform/providers.tf"), <<~EOT
-          provider "cloudfoundry-community" {
-            api_url  = "https://api.fr.cloud.gov"
-            user     = var.cf_user
-            password = var.cf_password
-          }
-        EOT
-      end
-
       def setup_proxy_vars
         create_file ".profile", <<~EOP unless file_exists?(".profile")
           ##
@@ -117,18 +99,19 @@ EOB
           <<~EOT
 
             module "egress_space" {
-              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.1.0"
+              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
 
               cf_org_name          = local.cf_org_name
               cf_space_name        = "${var.cf_space_name}-egress"
-              allow_ssh            = var.allow_space_ssh
+              allow_ssh            = var.allow_ssh
               deployers            = local.space_deployers
               developers           = var.space_developers
+              auditors             = var.space_auditors
               security_group_names = ["public_networks_egress"]
             }
 
             module "egress_proxy" {
-              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v2.1.0"
+              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v2.3.0"
 
               cf_org_name     = local.cf_org_name
               cf_egress_space = module.egress_space.space
@@ -139,17 +122,18 @@ EOB
             }
 
             resource "cloudfoundry_network_policy" "egress_routing" {
-              provider = cloudfoundry-community
-              policy {
-                source_app      = cloudfoundry_app.app.id
-                destination_app = module.egress_proxy.app_id
-                port            = "61443"
-              }
-              policy {
-                source_app      = cloudfoundry_app.app.id
-                destination_app = module.egress_proxy.app_id
-                port            = "8080"
-              }
+              policies = [
+                {
+                  source_app      = cloudfoundry_app.app.id
+                  destination_app = module.egress_proxy.app_id
+                  port            = module.egress_proxy.https_port
+                },
+                {
+                  source_app      = cloudfoundry_app.app.id
+                  destination_app = module.egress_proxy.app_id
+                  port            = module.egress_proxy.http_port
+                }
+              ]
             }
 
             resource "cloudfoundry_service_instance" "egress_proxy_credentials" {

data/lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 Rails.application.config.to_prepare do
-  redis_url = CloudGovConfig.dig "aws-elasticache-redis", "credentials", "uri"
+  redis_url = CloudGovConfig.new.dig "aws-elasticache-redis", "credentials", "uri"
   if redis_url.present?
     Sidekiq.configure_server do |config|
       config.redis = {url: redis_url, ssl: true}

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/apply.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+if ! command -v terraform &> /dev/null
+then
+  echo "terraform must be installed before running this script"
+  exit 1
+fi
+
+if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_HOSTNAME" ]; then
+  echo "GITLAB_PROJECT_ID or GITLAB_HOSTNAME has not been set. Run ./setup_shadowenv.sh first"
+  exit 1
+fi
+
+set -e
+
+# ensure we're logged in via cli
+cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
+
+tf_state_address="https://$GITLAB_HOSTNAME/api/v4/projects/$GITLAB_PROJECT_ID/terraform/state/bootstrap"
+terraform init \
+  -backend-config="address=$tf_state_address" \
+  -backend-config="lock_address=$tf_state_address/lock" \
+  -backend-config="unlock_address=$tf_state_address/lock"
+
+terraform apply "$@"

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/main.tf.tt

@@ -0,0 +1,98 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "~> 1.7"
+    }
+  }
+  backend "http" {
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = 5
+  }
+}
+# empty config will let terraform borrow cf-cli's auth
+provider "cloudfoundry" {}
+
+locals {
+  org_name   = "<%= cloud_gov_organization %>"
+  space_name = "<%= terraform_manage_spaces? ? "#{ cloud_gov_production_space }-mgmt" : cloud_gov_staging_space %>"
+}
+
+data "cloudfoundry_org" "org" {
+  name = local.org_name
+}
+<% if terraform_manage_spaces? %>
+variable "terraform_users" {
+  type        = set(string)
+  description = "The list of developer emails and service account usernames who should be granted access to retrieve state bucket credentials"
+
+  validation {
+    condition     = length(var.terraform_users) > 0
+    error_message = "terraform_users must include at least the current user calling apply.sh"
+  }
+}
+
+module "mgmt_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
+
+  cf_org_name   = local.org_name
+  cf_space_name = local.space_name
+  developers    = var.terraform_users
+}
+<% else %>
+data "cloudfoundry_space" "space" {
+  name = local.space_name
+  org  = data.cloudfoundry_org.org.id
+}
+<% end %>
+data "cloudfoundry_service_plans" "cg_service_account" {
+  name                  = "<%= terraform_manage_spaces? ? "space-auditor" : "space-deployer" %>"
+  service_offering_name = "cloud-gov-service-account"
+}
+locals {
+  sa_service_name    = "<%= app_name %>-cicd-deployer"
+  sa_key_name        = "cicd-deployer-access-key"
+  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
+  sa_cf_password     = local.sa_bot_credentials.password
+}
+resource "cloudfoundry_service_instance" "runner_service_account" {
+  name         = local.sa_service_name
+  type         = "managed"
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id<% if terraform_manage_spaces? %>
+  space        = module.mgmt_space.space_id
+  depends_on   = [module.mgmt_space]<% else %>
+  space        = data.cloudfoundry_space.space.id<% end %>
+}
+resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
+}<% if terraform_manage_spaces? %>
+data "cloudfoundry_user" "sa_user" {
+  name = local.sa_cf_username
+}
+resource "cloudfoundry_org_role" "sa_org_manager" {
+  user = data.cloudfoundry_user.sa_user.users.0.id
+  type = "organization_manager"
+  org  = data.cloudfoundry_org.org.id
+}<% end %>
+
+resource "local_sensitive_file" "bot_secrets_file" {
+  filename        = "${path.module}/secrets.cicd.tfvars"
+  file_permission = "0600"
+
+  content = templatefile("${path.module}/bot_secrets.tftpl", {
+    service_name = local.sa_service_name,
+    key_name     = local.sa_key_name,
+    username     = local.sa_cf_username,
+    password     = local.sa_cf_password
+  })
+}

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/setup_shadowenv.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+# Setup .shadowenv.d/ files for terraform configuration
+
+set -e
+
+# ensure we're operating with the correct relative paths
+cd `dirname "$0"`
+
+shadowenv trust && eval "$(shadowenv hook)"
+
+ans=""
+prompt_ans() {
+  local prompt="$1"
+  local default="$2"
+  if [ -n "$default" ]; then
+    prompt="$prompt (default: $default)"
+  fi
+  read -r -p "$prompt: " ans
+}
+
+prompt_ans "GitLab hostname" "${GITLAB_HOSTNAME:=gsa.gitlab-dedicated.us}"
+if [ -n "$ans" ]; then
+  GITLAB_HOSTNAME="$ans"
+fi
+
+prompt_ans "GitLab project id" "$GITLAB_PROJECT_ID"
+if [ -n "$ans" ]; then
+  GITLAB_PROJECT_ID="$ans"
+fi
+
+if [ ! -d ../.shadowenv.d ]; then
+  mkdir ../.shadowenv.d
+fi
+
+cat <<EOF > ../.shadowenv.d/100_gitlab_project.lisp
+(provide "gitlab-backend-config")
+(env/set "GITLAB_HOSTNAME" "$GITLAB_HOSTNAME")
+(env/set "GITLAB_PROJECT_ID" "$GITLAB_PROJECT_ID")
+EOF
+
+prompt_ans "GitLab username" "$TF_HTTP_USERNAME"
+if [ -n "$ans" ]; then
+  TF_HTTP_USERNAME=$ans
+fi
+if [ -z "$TF_HTTP_PASSWORD" ]; then
+  prompt_ans "GitLab PAT (with api scope)"
+else
+  prompt_ans "GitLab PAT (with api scope, Leave blank to re-use existing PAT)"
+fi
+if [ -n "$ans" ]; then
+  TF_HTTP_PASSWORD=$ans
+fi
+
+cat <<EOF > ../.shadowenv.d/500_tf_backend_secrets.lisp
+(provide "tf-backend-secrets")
+(env/set "TF_HTTP_USERNAME" "$TF_HTTP_USERNAME")
+(env/set "TF_HTTP_PASSWORD" "$TF_HTTP_PASSWORD")
+EOF

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/templates/backend_config.tftpl

@@ -0,0 +1,6 @@
+(provide "terraform-backend-config")
+(env/set "S3_BUCKET_NAME" "${creds.bucket}")
+(env/set "AWS_ACCESS_KEY_ID" "${creds.access_key_id}")
+(env/set "AWS_SECRET_ACCESS_KEY" "${creds.secret_access_key}")
+; not a secret, but setting it here enables the aws cli to work when in the terraform directory
+(env/set "AWS_REGION" "${creds.region}")

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/templates/bot_secrets.tftpl

@@ -0,0 +1,5 @@
+# Generated via bootstrap module. Remove this file when finished
+# credentials for service "${service_name}"/"${key_name}"
+
+cf_user     = "${username}"
+cf_password = "${password}"

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/users.auto.tfvars

@@ -0,0 +1,5 @@
+terraform_users = [
+  # add your terraform_users list here: example values:
+  # "team.member@gsa.gov",
+  # "cf_user-guid-value-for-space-developer-service-account",
+]

data/lib/generators/rails_template18f/terraform/templates/{full_bootstrap → s3_bootstrap/full}/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.2.0"
+      version = "~> 1.7"
     }
   }
 }
@@ -36,7 +36,7 @@ locals {
   s3_plan_name = "basic"
 }
 module "mgmt_space" {
-  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
 
   cf_org_name   = local.org_name
   cf_space_name = var.mgmt_space_name
@@ -44,7 +44,7 @@ module "mgmt_space" {
 }
 
 module "s3" {
-  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.3.0"
 
   cf_space_id  = module.mgmt_space.space_id
   name         = "<%= app_name %>-terraform-state"
@@ -134,7 +134,7 @@ locals {
 }
 resource "local_sensitive_file" "bucket_creds" {
   content         = local.backend_config
-  filename        = "${path.module}/../secrets.backend.tfvars"
+  filename        = "${path.module}/../.shadowenv.d/500_tf_backend_secrets.lisp"
   file_permission = "0600"
 }
 
@@ -150,10 +150,3 @@ resource "local_sensitive_file" "bot_secrets_file" {
     password     = local.sa_cf_password
   })
 }
-
-output "mgmt_space_id" {
-  value = module.mgmt_space.space_id
-}
-output "mgmt_org_id" {
-  value = data.cloudfoundry_org.org.id
-}