rails_template_18f 2.0.0 → 2.2.0

data/lib/generators/rails_template18f/terraform/templates/{sandbox_bootstrap → s3_bootstrap/sandbox}/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.2.0"
+      version = "~> 1.7"
     }
   }
 }
@@ -30,7 +30,7 @@ data "cloudfoundry_space" "space" {
 }
 
 module "s3" {
-  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.3.0"
 
   cf_space_id  = data.cloudfoundry_space.space.id
   name         = "<%= app_name %>-terraform-state"
@@ -99,7 +99,7 @@ locals {
 }
 resource "local_sensitive_file" "bucket_creds" {
   content         = local.backend_config
-  filename        = "${path.module}/../secrets.backend.tfvars"
+  filename        = "${path.module}/../.shadowenv.d/500_tf_backend_secrets.lisp"
   file_permission = "0600"
 }
 

data/lib/generators/rails_template18f/terraform/templates/terraform/.shadowenv.d/.gitignore

@@ -0,0 +1,3 @@
+/*secrets.lisp
+/.*
+!/.gitignore

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -1,7 +1,6 @@
 # Terraform
 
 This directory holds the terraform module for maintaining the system infrastructure and deploying the application.
-
 <% unless terraform_manage_spaces? %>
 ## READ ME FIRST
 
@@ -11,48 +10,57 @@ is very limited.
 When you are ready to move the application to a non-sandbox cloud.gov organization, please re-run the terraform generator with…
 
 ```bash
-bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME>
+bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME> --backend=<%= backend_unless_local %>
 ```
 
 …to take full advantage of the generator, and then re-run your CI generator of choice to add production terraform plan and apply steps to your workflow.
 <% end %>
+<% unless use_local_backend? %>## Terraform State Credentials
 
-## Terraform State Credentials
+The `bootstrap` module is used to create resources that must be created by an individual developers credentials before automation can be run:
 
-The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in as well as
-create credentials files so developers can use that s3 bucket to create their own sandbox environments.
+* service account and credentials to provide to the CI/CD pipeline to perform future updates<% unless use_gitlab_backend? %>
+* an s3 bucket for later terraform runs to store their state in<% end %>
 
-### Initial project setup
+### Initial <%= use_gitlab_backend? ? "CI/CD pipeline" : "project" %> setup
 
 These steps only need to be run once per project.
 
-1. `cd bootstrap`<% if terraform_manage_spaces? %>
-1. Add any users who should have access to the terraform state bucket to `users.auto.tfvars`<% end %>
+1. `cd bootstrap`<% if use_gitlab_backend? %>
+1. Run `./setup_shadowenv.sh`<% end %><% if terraform_manage_spaces? %>
+1. Add any users who should have access to the management space to `users.auto.tfvars`<% end %><% if use_gitlab_backend? %>
+1. Run `./apply.sh`<% else %>
 1. Run `./apply.sh -var create_bot_secrets_file=true`
-1. Add `imports.tf` to git and commit the changes
-1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments
-    1. Copy backend credentials from `/terraform/secrets.backend.tfvars` to your CI/CD secrets using the instructions in the base README
-    1. Copy the cf_user and cf_password credentials from `/terraform/secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
-1. Delete the two secrets files
+1. Add `imports.tf` to git and commit the changes<% end %>
+1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments<% unless use_gitlab_backend? %>
+    1. Copy backend credentials from `/terraform/.shadowenv.d/500_tf_backend_secrets.lisp` to your CI/CD secrets using the instructions in the base README<% end %>
+    1. Copy the `cf_user` and `cf_password` credentials from `secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
+1. Delete `secrets.cicd.tfvars`
+1. Delete `.shadowenv.d/500_tf_backend_secrets.lisp` if you won't be running terraform locally
 
 ### To make changes to the bootstrap module
 
-*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the state bucket in `bootstrap/users.auto.tfvars`<% end %>*
+*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the mgmt space in `bootstrap/users.auto.tfvars`<% end %>*
 
 1. Make your changes
-1. Run `./apply.sh` and verify the plan before entering `yes`
-1. Commit any changes to `imports.tf`
+1. Run `./apply.sh` and verify the plan before entering `yes`<% unless use_gitlab_backend? %>
+1. Commit any changes to `imports.tf`<% end %><% end %>
 
-## Set up a sandbox environment or review app
+<% if use_local_backend? %>
+## Deploy the App
+<% else %>
+## Set up a sandbox environment or review app<% unless use_gitlab_backend? %>
 
 ### Pre-requisites:
 
 1. Someone on the team has run the [Initial project setup](#initial-project-setup) steps and `imports.tf` is up-to-date on your branch.
-<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %>
+<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %><% end %><% end %>
 
 ### Steps:
-
-<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.tfvars` and editing it with your values.<% end %>
+<% if use_gitlab_backend? %>
+1. Run `./bootstrap/setup_shadowenv.sh`<% end %>
+<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.tfvars` and editing it with your values
+1. Add a `cf_user = "your.email@gsa.gov"` line to the `sandbox-<NAME>.tfvars` file<% end %>
 
 1. Run terraform plan with:
     ```bash
@@ -71,22 +79,19 @@ These steps only need to be run once per project.
 
 ## Structure
 
-```
+```<% unless use_local_backend? %>
 |- bootstrap/
 |  |- main.tf
 |  |- apply.sh
+|  |- users.auto.tfvars<% if use_gitlab_backend? %>
+|  |- setup_shadowenv.sh
+|  |- bot_secrets.tftpl<% else %>
 |  |- imports.tf (automatically generated)
-|  |- users.auto.tfvars
 |  |- terraform.tfstate(.backup) (automatically generated)
 |  |- templates/
 |     |- backend_config.tftpl
 |     |- bot_secrets.tftpl
-|     |- imports.tf.tftpl<% if terraform_manage_spaces? %>
-|- sandbox_bot/
-|  |- main.tf
-|  |- run.sh
-|  |- <sandbox_name>/ (automatically generated)
-|     |- terraform.tfstate(.backup) (automatically generated)<% end %>
+|     |- imports.tf.tftpl<% end %><% end %>
 |- dist/
 |  |- src.zip (automatically generated)
 |- README.md
@@ -106,12 +111,9 @@ In the root module:
 - `providers.tf` lists the required providers and shell backend config
 - `variables.tf` lists the variables that will be needed
 
-In the bootstrap module:
+<% unless use_local_backend? %>In the bootstrap module:
 - `main.tf` sets up a management space, an s3 bucket to store terraform state files, and an initial SpaceDeployer for the system
-- `apply.sh` Helper script to either recreate the state locally or call `terraform apply` Any arguments are passed through to the `apply` call
-- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes
-- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the terraform state bucket
-
-In the sandbox_bot module:
-- `main.tf` sets up a cloud.gov SpaceDeployer to manage the sandbox environment and outputs its credentials into the main module `secrets.auto.tfvars`
-- `run.sh` Helper script to set up a separate local state file for each sandbox name. In normal use this will only ever be called by `./terraform.sh`
+- `apply.sh` Helper script to setup terraform and call `terraform apply`. Any arguments are passed through to the `apply` call
+- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the management space<% if use_gitlab_backend? %>
+- `setup_shadowenv.sh` helper script to set terraform backend values using the gitlab http backend in shadowenv<% else %>
+- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes<% end %><% end %>

data/lib/generators/rails_template18f/terraform/templates/terraform/app.tf.tt

@@ -14,11 +14,6 @@ data "archive_file" "src" {
   ]
 }
 
-locals {
-  host_name = coalesce(var.host_name, "${local.app_name}-${var.env}")
-  domain    = coalesce(var.custom_domain_name, "app.cloud.gov")
-}
-
 resource "cloudfoundry_app" "app" {
   name       = "${local.app_name}-${var.env}"
   space_name = var.cf_space_name
@@ -28,7 +23,7 @@ resource "cloudfoundry_app" "app" {
   source_code_hash = data.archive_file.src.output_base64sha256
   buildpacks       = ["ruby_buildpack"]
   strategy         = "rolling"
-  routes           = [{ route = "${local.host_name}.${local.domain}" }]
+  enable_ssh       = var.allow_ssh
 
   environment = {
     RAILS_ENV                = var.env

data/lib/generators/rails_template18f/terraform/templates/terraform/main.tf.tt

@@ -1,18 +1,18 @@
 locals {
   cf_org_name     = "<%= cloud_gov_organization %>"
-  app_name        = "<%= app_name %>"
-  space_deployers = setunion([var.cf_user], var.space_deployers)
+  app_name        = "<%= app_name.tr("_", "-") %>"<% if terraform_manage_spaces? %>
+  space_deployers = setunion([var.cf_user], var.space_deployers)<% end %>
 }
-
 <% if terraform_manage_spaces? %>
 module "app_space" {
-  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
 
   cf_org_name          = local.cf_org_name
   cf_space_name        = var.cf_space_name
-  allow_ssh            = var.allow_space_ssh
+  allow_ssh            = var.allow_ssh
   deployers            = local.space_deployers
   developers           = var.space_developers
+  auditors             = var.space_auditors
   security_group_names = ["trusted_local_networks_egress"]
 }
 <% else %>
@@ -31,9 +31,8 @@ resource "cloudfoundry_security_group_space_bindings" "trusted_egress_binding" {
   running_spaces = [data.cloudfoundry_space.app_space.id]
 }
 <% end %>
-
 module "database" {
-  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v2.3.0"
 
   cf_space_id   = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
   name          = "${local.app_name}-rds-${var.env}"
@@ -43,7 +42,7 @@ module "database" {
 }
 <% if has_active_job? %>
 module "redis" {
-  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v2.3.0"
 
   cf_space_id     = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
   name            = "${local.app_name}-redis-${var.env}"
@@ -51,10 +50,9 @@ module "redis" {
   # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
   depends_on = [module.app_space]<% end %>
 }
-<% end %>
-<% if has_active_storage? %>
+<% end %><% if has_active_storage? %>
 module "s3" {
-  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.3.0"
 
   cf_space_id  = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
   name         = "${local.app_name}-s3-${var.env}"
@@ -64,7 +62,7 @@ module "s3" {
 }
 
 module "clamav" {
-  source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v2.3.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = var.cf_space_name
@@ -76,31 +74,44 @@ module "clamav" {
 }
 
 resource "cloudfoundry_network_policy" "clamav_routing" {
-  provider = cloudfoundry-community
-  policy {
+  policies = [{
     source_app      = cloudfoundry_app.app.id
     destination_app = module.clamav.app_id
     port            = "61443"
-  }
+  }]
 }
 <% end %>
-
-###########################################################################
+###########################################################################<% if terraform_manage_spaces? %>
+# Before setting var.custom_domain_name, ensure the ACME challenge record has been created:
+# See https://cloud.gov/docs/services/external-domain-service/#how-to-create-an-instance-of-this-service<% else %>
 # Before setting var.custom_domain_name, perform the following steps:
 # 1) Domain must be manually created by an OrgManager:
 #     cf create-domain var.cf_org_name var.domain_name
 # 2) ACME challenge record must be created.
-#     See https://cloud.gov/docs/services/external-domain-service/#how-to-create-an-instance-of-this-service
+#     See https://cloud.gov/docs/services/external-domain-service/#how-to-create-an-instance-of-this-service<% end %>
 ###########################################################################
 module "domain" {
   count  = (var.custom_domain_name == null ? 0 : 1)
-  source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v2.1.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v2.3.0"
 
   cf_org_name   = local.cf_org_name
   cf_space      = <% if terraform_manage_spaces? %>module.app_space.space<% else %>data.cloudfoundry_space.app_space<% end %>
   cdn_plan_name = "domain"
   domain_name   = var.custom_domain_name
+  create_domain = <%= terraform_manage_spaces? ? "true" : "false" %>
+  app_ids       = [cloudfoundry_app.app.id]
   host_name     = var.host_name<% if terraform_manage_spaces? %>
   # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
   depends_on = [module.app_space]<% end %>
 }
+module "app_route" {
+  count  = (var.custom_domain_name == null ? 1 : 0)
+  source = "github.com/gsa-tts/terraform-cloudgov//app_route?ref=v2.3.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space_name = var.cf_space_name
+  app_ids       = [cloudfoundry_app.app.id]
+  hostname      = coalesce(var.host_name, "${local.app_name}-${var.env}")<% if terraform_manage_spaces? %>
+  # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
+  depends_on = [module.app_space]<% end %>
+}

data/lib/generators/rails_template18f/terraform/templates/terraform/production.tfvars.tt

@@ -8,3 +8,6 @@ web_memory         = "512M"
 <% if has_active_storage? %>s3_plan_name       = "basic"<% end %>
 <% if has_active_job? %>redis_plan_name    = "TKTK-production-redis-plan"<% end %>
 <% if has_active_job? %>worker_memory      = "512M"<% end %>
+space_auditors = [
+  # enter cloud.gov usernames that should have access to audit logs
+]

data/lib/generators/rails_template18f/terraform/templates/terraform/providers.tf.tt

@@ -1,32 +1,12 @@
 terraform {
   required_version = "~> 1.10"
-  required_providers {<% if has_active_storage? %>
-    cloudfoundry-community = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = "0.53.1"
-    }<% end %>
+  required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.2.0"
+      version = "~> 1.7"
     }
   }
 
-  backend "s3" {
-    encrypt      = true
-    use_lockfile = true
-    region       = "us-gov-west-1"
-  }
-}
+<%= backend_block %>}
 
-provider "cloudfoundry" {
-  api_url  = "https://api.fr.cloud.gov"
-  user     = var.cf_user
-  password = var.cf_password
-}
-<% if has_active_storage? %>
-provider "cloudfoundry-community" {
-  api_url  = "https://api.fr.cloud.gov"
-  user     = var.cf_user
-  password = var.cf_password
-}
-<% end %>
+provider "cloudfoundry" {}

data/lib/generators/rails_template18f/terraform/templates/terraform/staging.tfvars.tt

@@ -1,8 +1,8 @@
-cf_space_name   = "<%= cloud_gov_staging_space %>"
-env             = "staging"
-allow_space_ssh = true
+cf_space_name = "<%= cloud_gov_staging_space %>"
+env           = "staging"
+allow_ssh     = true
 # host_name must be unique across cloud.gov, default is "<%= app_name %>-${var.env}"
-host_name = null
+host_name = null<% if terraform_manage_spaces? %>
 space_developers = [
   # enter developer emails that should have ssh access to staging
-]
+]<% end %>

data/lib/generators/rails_template18f/terraform/templates/terraform/terraform.sh.tt

@@ -20,8 +20,8 @@ Options:
 "
 
 
-rmk=`cat $rmk_file || echo -n ""`
-env=""
+rmk=$(cat $rmk_file || echo -n "")
+env="<% unless terraform_manage_spaces? %>staging<% end %>"
 force=""
 args_to_shift=0
 
@@ -54,7 +54,21 @@ done
 shift $args_to_shift
 if [[ "$1" = "--" ]]; then
   shift 1
-fi
+fi<% if use_gitlab_backend? %>
+
+if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_HOSTNAME" ]; then
+  echo "GITLAB_PROJECT_ID or GITLAB_HOSTNAME have not been set. Running bootstrap/setup_shadowenv.sh first"
+  (cd bootstrap && ./setup_shadowenv.sh)
+  eval "$(shadowenv hook)"
+fi<% elsif use_s3_backend? %>
+
+if [[ ! -f .shadowenv.d/500_tf_backend_secrets.lisp ]]; then
+  echo "=============================================================================================================="
+  echo "= Recreating backend config file. It is fine if this step wants to delete any local_sensitive_file resources"
+  echo "=============================================================================================================="
+  (cd bootstrap && ./apply.sh $force)
+  shadowenv trust && eval "$(shadowenv hook)"
+fi<% end %>
 
 if [[ -z "$env" ]]; then
   echo "-e <ENV_NAME> is required"
@@ -70,66 +84,37 @@ fi
 # ensure we're logged in via cli
 cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
 
-tfm_needs_init=true
+tfm_needs_init=true<% if use_gitlab_backend? %>
+tf_state_address="https://$GITLAB_HOSTNAME/api/v4/projects/$GITLAB_PROJECT_ID/terraform/state/$env"
 if [[ -f .terraform/terraform.tfstate ]]; then
-  backend_state_env=`cat .terraform/terraform.tfstate | jq -r ".backend.config.key" | cut -d '.' -f3`
-  if [[ "$backend_state_env" = "$env" ]]; then
+  backend_state_address=$(cat .terraform/terraform.tfstate | jq -r ".backend.config.address")
+  if [[ "$backend_state_address" = "$tf_state_address" ]]; then
     tfm_needs_init=false
   fi
-fi
-
-if [[ $tfm_needs_init = true ]]; then
-  if [[ ! -f secrets.backend.tfvars ]]; then
-    echo "=============================================================================================================="
-    echo "= Recreating backend config file. It is fine if this step wants to delete any local_sensitive_file resources"
-    echo "=============================================================================================================="
-    (cd bootstrap && ./apply.sh $force)
+fi<% elsif use_s3_backend? %>
+if [[ -f .terraform/terraform.tfstate ]]; then
+  backend_state_env=$(cat .terraform/terraform.tfstate | jq -r ".backend.config.key" | cut -d '.' -f3)
+  if [[ "$backend_state_env" = "$env" ]]; then
+    tfm_needs_init=false
   fi
-  terraform init -backend-config=secrets.backend.tfvars -backend-config="key=terraform.tfstate.$env" -reconfigure
-fi
-
-echo "=============================================================================================================="
-echo "= Creating a bot deployer for $env"
-echo "=============================================================================================================="
-<% if terraform_manage_spaces? %>
-if [[ "$env" = "staging" ]] || [[ "$env" = "production" ]]; then
-  (cd bootstrap && ./apply.sh -var create_bot_secrets_file=true $force)
 else
-  (cd sandbox_bot && ./run.sh "$env" apply $force)
-fi
-<% else %>
-if [[ ! -f secrets.auto.tfvars ]]; then
-  ../bin/ops/create_service_account.sh -s <%= cloud_gov_staging_space %> -u terraform-deployer -n > secrets.auto.tfvars
-fi
-<% end %>
-
-if [[ -f secrets.backend.tfvars ]]; then
-  rm secrets.backend.tfvars
+  echo "Sleeping for 10 seconds to avoid a bucket creation race condition"
+  sleep 10
+fi<% else %>
+if [[ -f .terraform.lock.hcl ]]; then
+  tfm_needs_init=false
+fi<% end %>
+
+if [[ $tfm_needs_init = true ]]; then<% if use_gitlab_backend? %>
+  terraform init -reconfigure \
+    -backend-config="address=$tf_state_address" \
+    -backend-config="lock_address=$tf_state_address/lock" \
+    -backend-config="unlock_address=$tf_state_address/lock"<% elsif use_s3_backend? %>
+  terraform init -backend-config="bucket=$S3_BUCKET_NAME" -backend-config="key=terraform.tfstate.$env" -reconfigure<% else %>
+  terraform init<% end %>
 fi
 
 echo "=============================================================================================================="
 echo "= Calling $cmd $force on the application infrastructure"
 echo "=============================================================================================================="
 terraform "$cmd" -var-file="$env.tfvars" -var rails_master_key="$rmk" $force "$@"
-
-<% if terraform_manage_spaces? %>
-if [[ "$cmd" = "destroy" ]] && [[ "$env" != "staging" ]] && [[ "$env" != "production" ]]; then
-<% else %>
-if [[ "$cmd" = "destroy" ]]; then
-<% end %>
-  if [[ -z "$force" ]]; then
-    read -p "Destroy the sandbox_bot user? (y/n) " confirm
-    if [[ "$confirm" != "y" ]]; then
-      exit 0
-    fi
-  fi
-  echo "=============================================================================================================="
-  echo "= Destroying the sandbox_bot user"
-  echo "=============================================================================================================="
-<% if terraform_manage_spaces? %>
-  (cd sandbox_bot && ./run.sh "$env" destroy -auto-approve)
-<% else %>
-  ../bin/ops/destroy_service_account.sh -s <%= cloud_gov_staging_space %> -u terraform-deployer
-  rm secrets.auto.tfvars
-<% end %>
-fi

data/lib/generators/rails_template18f/terraform/templates/terraform/variables.tf.tt

@@ -1,19 +1,14 @@
-# Deploy user settings
+<% if terraform_manage_spaces? %># Deploy user settings
 variable "cf_user" {
   type        = string
-  description = "The service account running the terraform"
+  description = "The user email or service account running the terraform"
 }
-variable "cf_password" {
-  type        = string
-  sensitive   = true
-  description = "The service account password"
-}
-
+<% end %>
 # app_space settings
 variable "cf_space_name" {
   type        = string
   description = "The space name to deploy the app into"
-}
+}<% if terraform_manage_spaces? %>
 variable "space_deployers" {
   type        = set(string)
   default     = []
@@ -24,10 +19,15 @@ variable "space_developers" {
   default     = []
   description = "A list of users to be granted SpaceDeveloper on cf_space_name"
 }
-variable "allow_space_ssh" {
+variable "space_auditors" {
+  type        = set(string)
+  default     = []
+  description = "A list of users to be granted SpaceAuditor on cf_space_name"
+}<% end %>
+variable "allow_ssh" {
   type        = bool
   default     = false
-  description = "Whether to allow ssh to cf_space_name"
+  description = "Whether to allow ssh to the space and/or app"
 }
 
 # supporting services settings
@@ -50,7 +50,6 @@ variable "s3_plan_name" {
   description = "The name of the s3 plan to use"
 }
 <% end %>
-
 # routing settings
 variable "custom_domain_name" {
   type        = string

data/lib/generators/rails_template18f/terraform/terraform_generator.rb

@@ -8,6 +8,8 @@ module RailsTemplate18f
       include Base
       include CloudGovOptions
 
+      class_option :backend, default: "s3", desc: "Which terraform backend to use. Options: [s3, gitlab, local]"
+
       desc <<~DESC
         Description:
           Install terraform files for cloud.gov database and s3 services
@@ -16,18 +18,43 @@ module RailsTemplate18f
       def install
         directory "terraform", mode: :preserve
         chmod "terraform/terraform.sh", 0o755
-        if terraform_manage_spaces?
-          template "full_bootstrap/main.tf", "terraform/bootstrap/main.tf"
-          copy_file "full_bootstrap/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+      end
+
+      def install_bootstrap
+        if use_gitlab_backend?
+          directory "gitlab_bootstrap", "terraform/bootstrap", mode: :preserve
+        elsif use_s3_backend?
+          directory "s3_bootstrap/common", "terraform/bootstrap", mode: :preserve
+          if terraform_manage_spaces?
+            template "s3_bootstrap/full/main.tf", "terraform/bootstrap/main.tf"
+            copy_file "s3_bootstrap/full/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          else
+            template "s3_bootstrap/sandbox/main.tf", "terraform/bootstrap/main.tf"
+            copy_file "s3_bootstrap/sandbox/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          end
         else
-          template "sandbox_bootstrap/main.tf", "terraform/bootstrap/main.tf"
-          copy_file "sandbox_bootstrap/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          remove_dir "terraform/.shadowenv.d"
+        end
+        unless terraform_manage_spaces?
           remove_file "terraform/bootstrap/users.auto.tfvars"
-          remove_dir "terraform/sandbox_bot"
           remove_file "terraform/production.tfvars"
         end
       end
 
+      def install_shadowenv
+        unless use_local_backend?
+          append_to_file "Brewfile", <<~EOB
+
+            # shadowenv for loading terraform backend secrets
+            brew "shadowenv"
+          EOB
+          insert_into_file "README.md", indent(<<~EOR), after: /\* Install homebrew dependencies: `brew bundle`\n/
+            * [shadowenv](https://shopify.github.io/shadowenv/)
+              * See the [quick start](https://shopify.github.io/shadowenv/getting-started/#add-to-your-shell-profile) for instructions on loading shadowenv in your shell
+          EOR
+        end
+      end
+
       def ignore_files
         unless skip_git?
           append_to_file ".gitignore", <<~EOM
@@ -87,6 +114,51 @@ module RailsTemplate18f
             done
           EOM
         end
+
+        def use_gitlab_backend?
+          backend == "gitlab"
+        end
+
+        def use_s3_backend?
+          backend == "s3"
+        end
+
+        def use_local_backend?
+          backend == "local"
+        end
+
+        def backend
+          options[:backend]
+        end
+
+        def backend_unless_local
+          if use_local_backend?
+            "<s3 or gitlab>"
+          else
+            backend
+          end
+        end
+
+        def backend_block
+          if use_gitlab_backend?
+            <<EOB
+  backend "http" {
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = 5
+  }
+EOB
+          elsif use_s3_backend?
+            <<EOB
+  backend "s3" {
+    encrypt           = true
+    use_lockfile      = true
+    use_fips_endpoint = true
+    region            = "us-gov-west-1"
+  }
+EOB
+          end
+        end
       end
     end
   end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "2.0.0"
+  VERSION = "2.2.0"
 end