rails_template_18f 2.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c98e855c8844d55ba478f2fe9a0bac27cea41e417e7f76b2be22f97c5363963c
-  data.tar.gz: 5eeb6079ee3d68350ee473aec5156fd54f2f47d837a1230ac62080b223960220
+  metadata.gz: bab13c0d757c29b86c139635bed3f016cc486d38299b7aa90533d888b6995d69
+  data.tar.gz: 447e73554b32dd86782cf52c4cda2699f55c4e0706c05f813e82515a2e61912f
 SHA512:
-  metadata.gz: 24df2ba12417ab9754e851406fc9c77b21c23b21206f7760dd0ba23d0793f25b3fad5c8a57fbf2c5f9743cb8e0edd2bbe6a89b4f8603342f9ec893f3a28bdb34
-  data.tar.gz: 681823d0918b7ddacde8372051d85f8636954b92aa97467655b89e7d5ac3580768b31d1b7e12d27cd8d2a296c92769ae065b578dbb1b143aa8dbb15e9927fcde
+  metadata.gz: cad79214c9110e3fb33968b8c6d1fc98477c6c979bc58724e9b88f57985456ca7d404515dd004891dade32d4e95183f1a90c12d4d05ee87753f52867f9efde94
+  data.tar.gz: ecb278387c12d47fc9bc611f26c0787fa7c4c2dda43fa14ce8f176bfb4cf9d0d2c6b04718ab0faa3569b4f5897e9d65cdc0b0944972c64648e8e401d9b341881

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## [Unreleased]
 
+## [2.2.0] - 2025-06-27
+
+- Prevent non-compliant hostnames by replacing underscores with dashes
+- use shadowenv for configuring terraform backend secrets
+- use GitLab http backend for terraform state storage whenever configuring both terraform and GitLab CI
+- Create GitLabCI jobs for oscal and auditree generators
+- fixes for deploying to the sandbox-gsa cloug.gov org
+
 ## [2.1.0] - 2025-04-29
 
 - Terraform generator updates to remove the old cloudfoundy-community provider and reduce the need for cloud.gov service accounts

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (2.1.0)
+    rails_template_18f (2.2.0)
       activesupport (~> 8.0.1)
       colorize (~> 1.1)
       railties (~> 8.0.1)
@@ -85,8 +85,9 @@ GEM
       date
       stringio
     racc (1.8.1)
-    rack (3.1.12)
-    rack-session (2.0.0)
+    rack (3.1.16)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
       rack (>= 3.0.0)
     rack-test (2.2.0)
       rack (>= 1.3)
@@ -177,6 +178,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-23
+  arm64-darwin-24
   x86_64-darwin-20
   x86_64-darwin-21
   x86_64-linux

data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb

@@ -20,12 +20,13 @@ module RailsTemplate18f
         environment "config.active_storage.service = :local", env: "ci"
         append_to_file "config/storage.yml", <<~EOYAML
 
+          <% cgc = CloudGovConfig.new %>
           amazon:
             service: S3
-            access_key_id: <%= CloudGovConfig.dig(:s3, :credentials, :access_key_id) %>
-            secret_access_key: <%= CloudGovConfig.dig(:s3, :credentials, :secret_access_key) %>
+            access_key_id: <%= cgc.dig(:s3, :credentials, :access_key_id) %>
+            secret_access_key: <%= cgc.dig(:s3, :credentials, :secret_access_key) %>
             region: us-gov-west-1
-            bucket: <%= CloudGovConfig.dig(:s3, :credentials, :bucket) %>
+            bucket: <%= cgc.dig(:s3, :credentials, :bucket) %>
         EOYAML
       end
 

data/lib/generators/rails_template18f/auditree/auditree_generator.rb

@@ -41,7 +41,7 @@ module RailsTemplate18f
             plant-helper -f /tmp/rspec.json -c assessment-plans -d "RSpec run assessment plan"
               -t 31536000 -l #{auditree_evidence_locker}
 
-      - name: Plan assessment results in evidence locker
+      - name: Plant assessment results in evidence locker
         uses: ./.github/actions/auditree-cmd
         env:
           GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
@@ -54,6 +54,19 @@ PLANT_HELPER_STEPS
         end
       end
 
+      def copy_gitlab_actions
+        if file_exists? ".gitlab-ci.yml"
+          directory "gitlab", ".gitlab"
+          insert_into_file ".gitlab-ci.yml", "  - local: \".gitlab/auditree.yml\"\n", after: /^include:\n/
+          insert_into_file ".gitlab-ci.yml", "  AUDITREE_VERSION: #{docker_auditree_tag}\n", after: /^variables:\n/
+          insert_into_file ".gitlab-ci.yml", <<EOY, after: /^\s+- bundle exec rspec\n/
+  artifacts:
+    paths:
+      - tmp/oscal/**/*
+EOY
+        end
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -74,7 +87,7 @@ PLANT_HELPER_STEPS
         end
 
         def auditree_evidence_locker
-          options[:evidence_locker].present? ? options[:evidence_locker] : "https://github.com/GSA-TTS/TKTK_#{app_name}_evidence"
+          options[:evidence_locker].present? ? options[:evidence_locker] : "REPLACE_THIS_WITH_YOUR_EVIDENCE_LOCKER_REPO"
         end
 
         def git_email
@@ -98,10 +111,9 @@ PLANT_HELPER_STEPS
             1. Docker desktop must be running
             1. Initialize the config file with `bin/auditree init`
             1. Create an evidence locker repository with a default or blank README
-            1. Create a github personal access token to interact with the code repo and evidence locker and set as `AUDITREE_GITHUB_TOKEN` secret within your Github Actions secrets.
-            1. Update `config/auditree.template.json` with the repo addresses for your locker and code repos
-            #{(options[:evidence_locker].blank? && file_exists?(".github/workflows/rspec.yml")) ? "1. Update `.github/workflows/rspec.yml` with the locker repository URL" : ""}
-            1. Copy the `devtools_cloud_gov` component definition into the project with the latest docker-trestle
+            1. Update `config/auditree.template.json` with the repo address for your locker
+            #{ci_readme_contents.chomp}
+            1. Copy the `devtools_cloud_gov` component definition into the project with the latest docker-trestle after [setting up docker-trestle](#initial-trestle-setup)
 
             #### Ongoing use
 
@@ -109,6 +121,24 @@ PLANT_HELPER_STEPS
             auditree and using new checks.
           README
         end
+
+        def ci_readme_contents
+          if file_exists? ".gitlab-ci.yml"
+            <<~README
+              1. Remove the `repo_integrity` section of `config/auditree.template.json`
+              1. Create a gitlab personal access token with `write_repository` scope to interact with the code repo and evidence locker and set as `AUDITREE_GITLAB_TOKEN` secret within your CI/CD variables.
+              #{options[:evidence_locker].blank? ? "1. Update `.gitlab/auditree.yml` with the locker repository URL" : ""}
+            README
+          elsif file_exists? ".github/workflows"
+            <<~README
+              1. Update `config/auditree.template.json` with the repo address for your code repos
+              1. Create a github personal access token to interact with the code repo and evidence locker and set as `AUDITREE_GITHUB_TOKEN` secret within your Github Actions secrets.
+              #{options[:evidence_locker].blank? ? "1. Update `.github/workflows/rspec.yml` with the locker repository URL" : ""}
+            README
+          else
+            ""
+          end
+        end
       end
     end
   end

data/lib/generators/rails_template18f/auditree/templates/gitlab/auditree.yml.tt

@@ -0,0 +1,48 @@
+.auditree:setup:
+  inherit:
+    default: false
+  image: "ghcr.io/gsa-tts/auditree:${AUDITREE_VERSION}"
+  variables:
+    CDEF: "${CI_PROJECT_DIR}/doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json"
+    AUDITREE_CONFIG: "${CI_PROJECT_DIR}/config/auditree.template.json"
+  before_script:
+    - git config --global user.name "$GITLAB_USER_NAME"
+    - git config --global user.email "$GITLAB_USER_EMAIL"
+    - cf api api.fr.cloud.gov
+    - cd $HOME
+    - export GITLAB_TOKEN="auditree-gitlab-token:${AUDITREE_GITLAB_TOKEN}"
+
+auditree:
+  extends: .auditree:setup
+  stage: scan
+  script:
+    - fetch -c "$CDEF" -t "$AUDITREE_CONFIG"
+    - check -c "$CDEF" -t "$AUDITREE_CONFIG" -o "$CI_PROJECT_DIR"
+  artifacts:
+    paths:
+      - auditree.json
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+
+rspec:plant:
+  extends: .auditree:setup
+  stage: test
+  needs: ["rspec"]
+  variables:
+    PLAN_FILE: "${CI_PROJECT_DIR}/tmp/oscal/assessment-plans/rspec/assessment-plan.json"
+    RESULT_FILE: "${CI_PROJECT_DIR}/tmp/oscal/assessment-results/rspec/assessment-results.json"
+  script:
+    - |
+      if [ -f "$PLAN_FILE" ]; then
+        plant-helper -f "$PLAN_FILE" -c assessment-plans -d "RSpec run assessment plan" -t 31536000 -l "<%= auditree_evidence_locker %>"
+      else
+        echo "No plan file, skipping plant"
+      fi
+    - |
+      if [ -f "$RESULT_FILE" ]; then
+        plant-helper -f "$RESULT_FILE" -c assessment-results -d "RSpec run assessment results" -t 31536000 -l "<%= auditree_evidence_locker %>"
+      else
+        echo "No result file, skipping plant"
+      fi
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"

data/lib/generators/rails_template18f/cloud_gov_config/cloud_gov_config_generator.rb

@@ -12,14 +12,6 @@ module RailsTemplate18f
           Install a helper class to retrieve configuration from ENV["VCAP_SERVICES"]
       DESC
 
-      def install_climate_control
-        return if gem_installed?("climate_control")
-        gem_group :test do
-          gem "climate_control", "~> 1.2"
-        end
-        bundle_install
-      end
-
       def install_model_and_test
         copy_file "app/models/cloud_gov_config.rb"
         copy_file "spec/models/cloud_gov_config_spec.rb"

data/lib/generators/rails_template18f/cloud_gov_config/templates/app/models/cloud_gov_config.rb

@@ -1,23 +1,14 @@
 # frozen_string_literal: true
 
 class CloudGovConfig
-  ENV_VARIABLE = "VCAP_SERVICES"
+  attr_reader :vcap_services
 
-  def self.dig(*path)
-    return nil if ENV[ENV_VARIABLE].blank?
-    first, *rest = path
-    vcap_services[first]&.first&.dig(*rest)
-  end
-
-  def self.vcap_services
-    if Rails.env.test?
-      parse_env
-    else
-      @vcap_services ||= parse_env
-    end
+  def initialize(env = ENV["VCAP_SERVICES"])
+    @vcap_services = env.blank? ? {} : JSON.parse(env).with_indifferent_access
   end
 
-  private_class_method def self.parse_env
-    JSON.parse(ENV[ENV_VARIABLE]).with_indifferent_access
+  def dig(*path)
+    first, *rest = path
+    vcap_services[first]&.first&.dig(*rest)
   end
 end

data/lib/generators/rails_template18f/cloud_gov_config/templates/spec/models/cloud_gov_config_spec.rb

@@ -3,35 +3,29 @@
 require "rails_helper"
 
 RSpec.describe CloudGovConfig, type: :model do
-  subject { described_class }
-
-  describe ".dig" do
-    context "VCAP_SERVICES is blank" do
-      it "returns nil" do
-        expect(subject.dig(:s3, :credentials, :bucket)).to be_nil
+  describe "#dig" do
+    [nil, "", "{}"].each do |blank|
+      context "VCAP_SERVICES is #{blank.inspect}" do
+        subject { described_class.new blank }
+        it "returns nil" do
+          expect(subject.dig(:s3, :credentials, :bucket)).to be_nil
+        end
       end
     end
 
     context "VCAP_SERVICES is set" do
+      subject { described_class.new vcap }
       let(:bucket_name) { "bucket-name" }
       let(:vcap) {
         {
-          s3: [
-            {
-              credentials: {
-                bucket: bucket_name
-              }
+          s3: [{
+            credentials: {
+              bucket: bucket_name
             }
-          ]
-        }
+          }]
+        }.to_json
       }
 
-      around do |example|
-        ClimateControl.modify VCAP_SERVICES: vcap.to_json do
-          example.run
-        end
-      end
-
       it "can find a path" do
         expect(subject.dig(:s3, :credentials, :bucket)).to eq bucket_name
       end

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -17,10 +17,6 @@ module RailsTemplate18f
 
       def install_actions
         directory "github", ".github"
-        if !oscal_dir_exists?
-          remove_file ".github/workflows/validate-ssp.yml"
-          remove_file ".github/workflows/assemble-ssp.yml"
-        end
         if !terraform_manage_spaces?
           remove_file ".github/workflows/terraform-production.yml"
           remove_file ".github/workflows/deploy-production.yml"

data/lib/generators/rails_template18f/gitlab_ci/gitlab_ci_generator.rb

@@ -79,7 +79,6 @@ EOB
             | `CF_USERNAME` | cloud.gov SpaceDeployer username |
             | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
             | `RAILS_MASTER_KEY` | `config/master.key` |
-            #{terraform_secret_values}
           EOM
         end
 
@@ -96,7 +95,6 @@ EOB
               | `CF_USERNAME` | cloud.gov SpaceDeployer username |
               | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
               | `PRODUCTION_RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
-              #{terraform_secret_values}
             EOM
           else
             "Production deploys are not supported in the sandbox organization."
@@ -114,13 +112,6 @@ EOB
 
       private
 
-      def terraform_secret_values
-        <<~EOM
-          | `TERRAFORM_PUBLIC_BACKEND_CONFIG` | File-type variable containing all entries from secrets.backend.tfvars _except_ `secret_key`. Marked as `Visible` |
-          | `TERRAFORM_SECRET_BACKEND_CONFIG` | File-type variable containing the `secret_key` line from secrets.backend.tfvars. Masked and hidden. |
-        EOM
-      end
-
       def postgres_version
         options[:postgres_version]
       end

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/rails.yml

@@ -30,7 +30,7 @@ include:
       alias: pg
   before_script:
     - !reference [.setup-ruby]
-    - export DATABASE_URL="postgres://postgres:${POSTGRES_PASSWORD}@${CI_SERVICE_pg}:5432/${POSTGRES_DB}"
+    - export DATABASE_URL="postgres://postgres:${POSTGRES_PASSWORD}@${WSR_SERVICE_HOST_pg}:5432/${POSTGRES_DB}"
     - bin/rails db:prepare
 
 .run-server:
@@ -47,7 +47,7 @@ include:
     - sleep 5
 
 .owasp:setup:
-  stage: test
+  stage: scan
   extends: .run-server
   image: "rcahearngsa/owasp-ruby:${RUBY_VERSION}"
   variables:

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/terraform.yml

@@ -8,11 +8,16 @@
     entrypoint: ["sh"]
   variables:
     CF_API_URL: https://api.fr.cloud.gov
-    TERRAFORM_BACKEND_KEY: terraform.tfstate.staging
+    TF_STATE_NAME: staging
+    TF_HTTP_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/${TF_STATE_NAME}
+    TF_HTTP_LOCK_ADDRESS: ${TF_HTTP_ADDRESS}/lock
+    TF_HTTP_UNLOCK_ADDRESS: ${TF_HTTP_ADDRESS}/lock
+    TF_HTTP_USERNAME: gitlab-ci-token
+    TF_HTTP_PASSWORD: ${CI_JOB_TOKEN}
   dependencies: []
   before_script:
     - cd terraform
-    - terraform init -backend-config=$TERRAFORM_PUBLIC_BACKEND_CONFIG -backend-config=$TERRAFORM_SECRET_BACKEND_CONFIG -backend-config="key=$TERRAFORM_BACKEND_KEY"
+    - terraform init
   rules:
     - if: $CI_PIPELINE_SOURCE != "schedule"
 
@@ -25,4 +30,4 @@
   dependencies: null
   variables:
     CF_USER: $CF_USERNAME
-    TERRAFORM_BACKEND_KEY: terraform.tfstate.production
+    TF_STATE_NAME: "production"

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab-ci.yml.tt

@@ -10,6 +10,7 @@ workflow:
 stages:
   - build
   - test
+  - scan
   - deploy
 
 variables:
@@ -80,7 +81,7 @@ rspec:
     - if: $CI_PIPELINE_SOURCE != "schedule"
 
 pa11y_scan:
-  stage: test
+  stage: scan
   extends: .run-server
   script:
     - !reference [.install-puppet-deps]

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -49,6 +49,16 @@ module RailsTemplate18f
         end
       end
 
+      def copy_gitlab_ci
+        if use_gitlab_ci?
+          directory "gitlab", ".gitlab"
+          if file_exists? ".gitlab-ci.yml"
+            insert_into_file ".gitlab-ci.yml", "  - local: \".gitlab/trestle.yml\"\n", after: /^include:\n/
+            insert_into_file ".gitlab-ci.yml", "  TRESTLE_VERSION: #{docker_trestle_tag}\n", after: /^variables:\n/
+          end
+        end
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -85,13 +95,17 @@ module RailsTemplate18f
         end
 
         def docker_trestle_tag
-          options[:tag].present? ? options[:tag] : "20240912"
+          options[:tag].present? ? options[:tag] : "20250603"
         end
 
         def use_github_actions?
           options[:ci] == "github" || file_exists?(".github/workflows")
         end
 
+        def use_gitlab_ci?
+          options[:ci] == "gitlab" || file_exists?(".gitlab-ci.yml")
+        end
+
         def readme_contents
           content = <<~README
 

data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt

@@ -2,8 +2,17 @@
 
 trestle_tag="<%= docker_trestle_tag %>"
 
+if [ "$1" = "-h" ]; then
+    echo """
+        Usage: $0 [-h] [CMD [CMD ARGS]]
+
+        CMD defaults to 'bash'
+    """
+    exit 0
+fi
+
 command="bash"
-if [ "$1" != "" ]; then
+if [ -n "$1" ]; then
     command=$1
     shift 1
 fi

data/lib/generators/rails_template18f/oscal/templates/gitlab/trestle.yml.tt

@@ -0,0 +1,29 @@
+.trestle:setup:
+  inherit:
+    default: false
+  image: "ghcr.io/gsa-tts/trestle:${TRESTLE_VERSION}"
+  before_script:
+    - cd doc/compliance/oscal
+    - export PATH="/app/bin:$PATH"
+
+validate_ssp:
+  extends: .trestle:setup
+  stage: test
+  script:
+    - validate-ssp-json
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+assemble_ssp:
+  extends: .trestle:setup
+  stage: deploy
+  script:
+    - trestle assemble -n <%= app_name %> system-security-plan
+    - render-ssp
+  artifacts:
+    expose_as: "<%= app_name %> SSPP"
+    paths:
+      - doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+      - doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.md
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb

@@ -103,7 +103,7 @@ EOB
 
               cf_org_name          = local.cf_org_name
               cf_space_name        = "${var.cf_space_name}-egress"
-              allow_ssh            = var.allow_space_ssh
+              allow_ssh            = var.allow_ssh
               deployers            = local.space_deployers
               developers           = var.space_developers
               auditors             = var.space_auditors

data/lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 Rails.application.config.to_prepare do
-  redis_url = CloudGovConfig.dig "aws-elasticache-redis", "credentials", "uri"
+  redis_url = CloudGovConfig.new.dig "aws-elasticache-redis", "credentials", "uri"
   if redis_url.present?
     Sidekiq.configure_server do |config|
       config.redis = {url: redis_url, ssl: true}

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/apply.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+if ! command -v terraform &> /dev/null
+then
+  echo "terraform must be installed before running this script"
+  exit 1
+fi
+
+if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_HOSTNAME" ]; then
+  echo "GITLAB_PROJECT_ID or GITLAB_HOSTNAME has not been set. Run ./setup_shadowenv.sh first"
+  exit 1
+fi
+
+set -e
+
+# ensure we're logged in via cli
+cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
+
+tf_state_address="https://$GITLAB_HOSTNAME/api/v4/projects/$GITLAB_PROJECT_ID/terraform/state/bootstrap"
+terraform init \
+  -backend-config="address=$tf_state_address" \
+  -backend-config="lock_address=$tf_state_address/lock" \
+  -backend-config="unlock_address=$tf_state_address/lock"
+
+terraform apply "$@"

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/main.tf.tt

@@ -0,0 +1,98 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "~> 1.7"
+    }
+  }
+  backend "http" {
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = 5
+  }
+}
+# empty config will let terraform borrow cf-cli's auth
+provider "cloudfoundry" {}
+
+locals {
+  org_name   = "<%= cloud_gov_organization %>"
+  space_name = "<%= terraform_manage_spaces? ? "#{ cloud_gov_production_space }-mgmt" : cloud_gov_staging_space %>"
+}
+
+data "cloudfoundry_org" "org" {
+  name = local.org_name
+}
+<% if terraform_manage_spaces? %>
+variable "terraform_users" {
+  type        = set(string)
+  description = "The list of developer emails and service account usernames who should be granted access to retrieve state bucket credentials"
+
+  validation {
+    condition     = length(var.terraform_users) > 0
+    error_message = "terraform_users must include at least the current user calling apply.sh"
+  }
+}
+
+module "mgmt_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
+
+  cf_org_name   = local.org_name
+  cf_space_name = local.space_name
+  developers    = var.terraform_users
+}
+<% else %>
+data "cloudfoundry_space" "space" {
+  name = local.space_name
+  org  = data.cloudfoundry_org.org.id
+}
+<% end %>
+data "cloudfoundry_service_plans" "cg_service_account" {
+  name                  = "<%= terraform_manage_spaces? ? "space-auditor" : "space-deployer" %>"
+  service_offering_name = "cloud-gov-service-account"
+}
+locals {
+  sa_service_name    = "<%= app_name %>-cicd-deployer"
+  sa_key_name        = "cicd-deployer-access-key"
+  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
+  sa_cf_password     = local.sa_bot_credentials.password
+}
+resource "cloudfoundry_service_instance" "runner_service_account" {
+  name         = local.sa_service_name
+  type         = "managed"
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id<% if terraform_manage_spaces? %>
+  space        = module.mgmt_space.space_id
+  depends_on   = [module.mgmt_space]<% else %>
+  space        = data.cloudfoundry_space.space.id<% end %>
+}
+resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  type             = "key"
+}
+data "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = local.sa_key_name
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
+}<% if terraform_manage_spaces? %>
+data "cloudfoundry_user" "sa_user" {
+  name = local.sa_cf_username
+}
+resource "cloudfoundry_org_role" "sa_org_manager" {
+  user = data.cloudfoundry_user.sa_user.users.0.id
+  type = "organization_manager"
+  org  = data.cloudfoundry_org.org.id
+}<% end %>
+
+resource "local_sensitive_file" "bot_secrets_file" {
+  filename        = "${path.module}/secrets.cicd.tfvars"
+  file_permission = "0600"
+
+  content = templatefile("${path.module}/bot_secrets.tftpl", {
+    service_name = local.sa_service_name,
+    key_name     = local.sa_key_name,
+    username     = local.sa_cf_username,
+    password     = local.sa_cf_password
+  })
+}