rails_template_18f 2.1.0 → 2.2.0

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/setup_shadowenv.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+# Setup .shadowenv.d/ files for terraform configuration
+
+set -e
+
+# ensure we're operating with the correct relative paths
+cd `dirname "$0"`
+
+shadowenv trust && eval "$(shadowenv hook)"
+
+ans=""
+prompt_ans() {
+  local prompt="$1"
+  local default="$2"
+  if [ -n "$default" ]; then
+    prompt="$prompt (default: $default)"
+  fi
+  read -r -p "$prompt: " ans
+}
+
+prompt_ans "GitLab hostname" "${GITLAB_HOSTNAME:=gsa.gitlab-dedicated.us}"
+if [ -n "$ans" ]; then
+  GITLAB_HOSTNAME="$ans"
+fi
+
+prompt_ans "GitLab project id" "$GITLAB_PROJECT_ID"
+if [ -n "$ans" ]; then
+  GITLAB_PROJECT_ID="$ans"
+fi
+
+if [ ! -d ../.shadowenv.d ]; then
+  mkdir ../.shadowenv.d
+fi
+
+cat <<EOF > ../.shadowenv.d/100_gitlab_project.lisp
+(provide "gitlab-backend-config")
+(env/set "GITLAB_HOSTNAME" "$GITLAB_HOSTNAME")
+(env/set "GITLAB_PROJECT_ID" "$GITLAB_PROJECT_ID")
+EOF
+
+prompt_ans "GitLab username" "$TF_HTTP_USERNAME"
+if [ -n "$ans" ]; then
+  TF_HTTP_USERNAME=$ans
+fi
+if [ -z "$TF_HTTP_PASSWORD" ]; then
+  prompt_ans "GitLab PAT (with api scope)"
+else
+  prompt_ans "GitLab PAT (with api scope, Leave blank to re-use existing PAT)"
+fi
+if [ -n "$ans" ]; then
+  TF_HTTP_PASSWORD=$ans
+fi
+
+cat <<EOF > ../.shadowenv.d/500_tf_backend_secrets.lisp
+(provide "tf-backend-secrets")
+(env/set "TF_HTTP_USERNAME" "$TF_HTTP_USERNAME")
+(env/set "TF_HTTP_PASSWORD" "$TF_HTTP_PASSWORD")
+EOF

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/templates/backend_config.tftpl

@@ -0,0 +1,6 @@
+(provide "terraform-backend-config")
+(env/set "S3_BUCKET_NAME" "${creds.bucket}")
+(env/set "AWS_ACCESS_KEY_ID" "${creds.access_key_id}")
+(env/set "AWS_SECRET_ACCESS_KEY" "${creds.secret_access_key}")
+; not a secret, but setting it here enables the aws cli to work when in the terraform directory
+(env/set "AWS_REGION" "${creds.region}")

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/templates/bot_secrets.tftpl

@@ -0,0 +1,5 @@
+# Generated via bootstrap module. Remove this file when finished
+# credentials for service "${service_name}"/"${key_name}"
+
+cf_user     = "${username}"
+cf_password = "${password}"

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/users.auto.tfvars

@@ -0,0 +1,5 @@
+terraform_users = [
+  # add your terraform_users list here: example values:
+  # "team.member@gsa.gov",
+  # "cf_user-guid-value-for-space-developer-service-account",
+]

data/lib/generators/rails_template18f/terraform/templates/{full_bootstrap → s3_bootstrap/full}/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.2.0"
+      version = "~> 1.7"
     }
   }
 }
@@ -134,7 +134,7 @@ locals {
 }
 resource "local_sensitive_file" "bucket_creds" {
   content         = local.backend_config
-  filename        = "${path.module}/../secrets.backend.tfvars"
+  filename        = "${path.module}/../.shadowenv.d/500_tf_backend_secrets.lisp"
   file_permission = "0600"
 }
 
@@ -150,10 +150,3 @@ resource "local_sensitive_file" "bot_secrets_file" {
     password     = local.sa_cf_password
   })
 }
-
-output "mgmt_space_id" {
-  value = module.mgmt_space.space_id
-}
-output "mgmt_org_id" {
-  value = data.cloudfoundry_org.org.id
-}

data/lib/generators/rails_template18f/terraform/templates/{sandbox_bootstrap → s3_bootstrap/sandbox}/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.2.0"
+      version = "~> 1.7"
     }
   }
 }
@@ -99,7 +99,7 @@ locals {
 }
 resource "local_sensitive_file" "bucket_creds" {
   content         = local.backend_config
-  filename        = "${path.module}/../secrets.backend.tfvars"
+  filename        = "${path.module}/../.shadowenv.d/500_tf_backend_secrets.lisp"
   file_permission = "0600"
 }
 

data/lib/generators/rails_template18f/terraform/templates/terraform/.shadowenv.d/.gitignore

@@ -0,0 +1,3 @@
+/*secrets.lisp
+/.*
+!/.gitignore

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -10,48 +10,57 @@ is very limited.
 When you are ready to move the application to a non-sandbox cloud.gov organization, please re-run the terraform generator with…
 
 ```bash
-bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME>
+bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME> --backend=<%= backend_unless_local %>
 ```
 
 …to take full advantage of the generator, and then re-run your CI generator of choice to add production terraform plan and apply steps to your workflow.
 <% end %>
-## Terraform State Credentials
+<% unless use_local_backend? %>## Terraform State Credentials
 
-The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in as well as
-create credentials files so developers can use that s3 bucket to create their own sandbox environments.
+The `bootstrap` module is used to create resources that must be created by an individual developers credentials before automation can be run:
 
-### Initial project setup
+* service account and credentials to provide to the CI/CD pipeline to perform future updates<% unless use_gitlab_backend? %>
+* an s3 bucket for later terraform runs to store their state in<% end %>
+
+### Initial <%= use_gitlab_backend? ? "CI/CD pipeline" : "project" %> setup
 
 These steps only need to be run once per project.
 
-1. `cd bootstrap`<% if terraform_manage_spaces? %>
-1. Add any users who should have access to the terraform state bucket to `users.auto.tfvars`<% end %>
+1. `cd bootstrap`<% if use_gitlab_backend? %>
+1. Run `./setup_shadowenv.sh`<% end %><% if terraform_manage_spaces? %>
+1. Add any users who should have access to the management space to `users.auto.tfvars`<% end %><% if use_gitlab_backend? %>
+1. Run `./apply.sh`<% else %>
 1. Run `./apply.sh -var create_bot_secrets_file=true`
-1. Add `imports.tf` to git and commit the changes
-1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments
-    1. Copy backend credentials from `/terraform/secrets.backend.tfvars` to your CI/CD secrets using the instructions in the base README
-    1. Copy the cf_user and cf_password credentials from `/terraform/secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
-1. Delete the two secrets files
+1. Add `imports.tf` to git and commit the changes<% end %>
+1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments<% unless use_gitlab_backend? %>
+    1. Copy backend credentials from `/terraform/.shadowenv.d/500_tf_backend_secrets.lisp` to your CI/CD secrets using the instructions in the base README<% end %>
+    1. Copy the `cf_user` and `cf_password` credentials from `secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
+1. Delete `secrets.cicd.tfvars`
+1. Delete `.shadowenv.d/500_tf_backend_secrets.lisp` if you won't be running terraform locally
 
 ### To make changes to the bootstrap module
 
-*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the state bucket in `bootstrap/users.auto.tfvars`<% end %>*
+*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the mgmt space in `bootstrap/users.auto.tfvars`<% end %>*
 
 1. Make your changes
-1. Run `./apply.sh` and verify the plan before entering `yes`
-1. Commit any changes to `imports.tf`
+1. Run `./apply.sh` and verify the plan before entering `yes`<% unless use_gitlab_backend? %>
+1. Commit any changes to `imports.tf`<% end %><% end %>
 
-## Set up a sandbox environment or review app
+<% if use_local_backend? %>
+## Deploy the App
+<% else %>
+## Set up a sandbox environment or review app<% unless use_gitlab_backend? %>
 
 ### Pre-requisites:
 
 1. Someone on the team has run the [Initial project setup](#initial-project-setup) steps and `imports.tf` is up-to-date on your branch.
-<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %>
+<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %><% end %><% end %>
 
 ### Steps:
-
+<% if use_gitlab_backend? %>
+1. Run `./bootstrap/setup_shadowenv.sh`<% end %>
 <% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.tfvars` and editing it with your values
-1. Add a `cf_user = "your.email@agency.gov"` line to the `sandbox-<NAME>.tfvars` file<% end %>
+1. Add a `cf_user = "your.email@gsa.gov"` line to the `sandbox-<NAME>.tfvars` file<% end %>
 
 1. Run terraform plan with:
     ```bash
@@ -70,17 +79,19 @@ These steps only need to be run once per project.
 
 ## Structure
 
-```
+```<% unless use_local_backend? %>
 |- bootstrap/
 |  |- main.tf
 |  |- apply.sh
+|  |- users.auto.tfvars<% if use_gitlab_backend? %>
+|  |- setup_shadowenv.sh
+|  |- bot_secrets.tftpl<% else %>
 |  |- imports.tf (automatically generated)
-|  |- users.auto.tfvars
 |  |- terraform.tfstate(.backup) (automatically generated)
 |  |- templates/
 |     |- backend_config.tftpl
 |     |- bot_secrets.tftpl
-|     |- imports.tf.tftpl
+|     |- imports.tf.tftpl<% end %><% end %>
 |- dist/
 |  |- src.zip (automatically generated)
 |- README.md
@@ -100,8 +111,9 @@ In the root module:
 - `providers.tf` lists the required providers and shell backend config
 - `variables.tf` lists the variables that will be needed
 
-In the bootstrap module:
+<% unless use_local_backend? %>In the bootstrap module:
 - `main.tf` sets up a management space, an s3 bucket to store terraform state files, and an initial SpaceDeployer for the system
-- `apply.sh` Helper script to either recreate the state locally or call `terraform apply` Any arguments are passed through to the `apply` call
-- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes
-- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the terraform state bucket
+- `apply.sh` Helper script to setup terraform and call `terraform apply`. Any arguments are passed through to the `apply` call
+- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the management space<% if use_gitlab_backend? %>
+- `setup_shadowenv.sh` helper script to set terraform backend values using the gitlab http backend in shadowenv<% else %>
+- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes<% end %><% end %>

data/lib/generators/rails_template18f/terraform/templates/terraform/app.tf.tt

@@ -23,6 +23,7 @@ resource "cloudfoundry_app" "app" {
   source_code_hash = data.archive_file.src.output_base64sha256
   buildpacks       = ["ruby_buildpack"]
   strategy         = "rolling"
+  enable_ssh       = var.allow_ssh
 
   environment = {
     RAILS_ENV                = var.env

data/lib/generators/rails_template18f/terraform/templates/terraform/main.tf.tt

@@ -1,7 +1,7 @@
 locals {
   cf_org_name     = "<%= cloud_gov_organization %>"
-  app_name        = "<%= app_name %>"
-  space_deployers = setunion([var.cf_user], var.space_deployers)
+  app_name        = "<%= app_name.tr("_", "-") %>"<% if terraform_manage_spaces? %>
+  space_deployers = setunion([var.cf_user], var.space_deployers)<% end %>
 }
 <% if terraform_manage_spaces? %>
 module "app_space" {
@@ -9,7 +9,7 @@ module "app_space" {
 
   cf_org_name          = local.cf_org_name
   cf_space_name        = var.cf_space_name
-  allow_ssh            = var.allow_space_ssh
+  allow_ssh            = var.allow_ssh
   deployers            = local.space_deployers
   developers           = var.space_developers
   auditors             = var.space_auditors

data/lib/generators/rails_template18f/terraform/templates/terraform/providers.tf.tt

@@ -3,16 +3,10 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.5.0"
+      version = "~> 1.7"
     }
   }
 
-  backend "s3" {
-    encrypt           = true
-    use_lockfile      = true
-    use_fips_endpoint = true
-    region            = "us-gov-west-1"
-  }
-}
+<%= backend_block %>}
 
 provider "cloudfoundry" {}

data/lib/generators/rails_template18f/terraform/templates/terraform/staging.tfvars.tt

@@ -1,8 +1,8 @@
-cf_space_name   = "<%= cloud_gov_staging_space %>"
-env             = "staging"
-allow_space_ssh = true
+cf_space_name = "<%= cloud_gov_staging_space %>"
+env           = "staging"
+allow_ssh     = true
 # host_name must be unique across cloud.gov, default is "<%= app_name %>-${var.env}"
-host_name = null
+host_name = null<% if terraform_manage_spaces? %>
 space_developers = [
   # enter developer emails that should have ssh access to staging
-]
+]<% end %>

data/lib/generators/rails_template18f/terraform/templates/terraform/terraform.sh.tt

@@ -20,8 +20,8 @@ Options:
 "
 
 
-rmk=`cat $rmk_file || echo -n ""`
-env=""
+rmk=$(cat $rmk_file || echo -n "")
+env="<% unless terraform_manage_spaces? %>staging<% end %>"
 force=""
 args_to_shift=0
 
@@ -54,7 +54,21 @@ done
 shift $args_to_shift
 if [[ "$1" = "--" ]]; then
   shift 1
-fi
+fi<% if use_gitlab_backend? %>
+
+if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_HOSTNAME" ]; then
+  echo "GITLAB_PROJECT_ID or GITLAB_HOSTNAME have not been set. Running bootstrap/setup_shadowenv.sh first"
+  (cd bootstrap && ./setup_shadowenv.sh)
+  eval "$(shadowenv hook)"
+fi<% elsif use_s3_backend? %>
+
+if [[ ! -f .shadowenv.d/500_tf_backend_secrets.lisp ]]; then
+  echo "=============================================================================================================="
+  echo "= Recreating backend config file. It is fine if this step wants to delete any local_sensitive_file resources"
+  echo "=============================================================================================================="
+  (cd bootstrap && ./apply.sh $force)
+  shadowenv trust && eval "$(shadowenv hook)"
+fi<% end %>
 
 if [[ -z "$env" ]]; then
   echo "-e <ENV_NAME> is required"
@@ -70,23 +84,34 @@ fi
 # ensure we're logged in via cli
 cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
 
-tfm_needs_init=true
+tfm_needs_init=true<% if use_gitlab_backend? %>
+tf_state_address="https://$GITLAB_HOSTNAME/api/v4/projects/$GITLAB_PROJECT_ID/terraform/state/$env"
+if [[ -f .terraform/terraform.tfstate ]]; then
+  backend_state_address=$(cat .terraform/terraform.tfstate | jq -r ".backend.config.address")
+  if [[ "$backend_state_address" = "$tf_state_address" ]]; then
+    tfm_needs_init=false
+  fi
+fi<% elsif use_s3_backend? %>
 if [[ -f .terraform/terraform.tfstate ]]; then
-  backend_state_env=`cat .terraform/terraform.tfstate | jq -r ".backend.config.key" | cut -d '.' -f3`
+  backend_state_env=$(cat .terraform/terraform.tfstate | jq -r ".backend.config.key" | cut -d '.' -f3)
   if [[ "$backend_state_env" = "$env" ]]; then
     tfm_needs_init=false
   fi
-fi
+else
+  echo "Sleeping for 10 seconds to avoid a bucket creation race condition"
+  sleep 10
+fi<% else %>
+if [[ -f .terraform.lock.hcl ]]; then
+  tfm_needs_init=false
+fi<% end %>
 
-if [[ $tfm_needs_init = true ]]; then
-  if [[ ! -f secrets.backend.tfvars ]]; then
-    echo "=============================================================================================================="
-    echo "= Recreating backend config file. It is fine if this step wants to delete any local_sensitive_file resources"
-    echo "=============================================================================================================="
-    (cd bootstrap && ./apply.sh -auto-approve)
-  fi
-  terraform init -backend-config=secrets.backend.tfvars -backend-config="key=terraform.tfstate.$env" -reconfigure
-  rm secrets.backend.tfvars
+if [[ $tfm_needs_init = true ]]; then<% if use_gitlab_backend? %>
+  terraform init -reconfigure \
+    -backend-config="address=$tf_state_address" \
+    -backend-config="lock_address=$tf_state_address/lock" \
+    -backend-config="unlock_address=$tf_state_address/lock"<% elsif use_s3_backend? %>
+  terraform init -backend-config="bucket=$S3_BUCKET_NAME" -backend-config="key=terraform.tfstate.$env" -reconfigure<% else %>
+  terraform init<% end %>
 fi
 
 echo "=============================================================================================================="

data/lib/generators/rails_template18f/terraform/templates/terraform/variables.tf.tt

@@ -1,9 +1,9 @@
-# Deploy user settings
+<% if terraform_manage_spaces? %># Deploy user settings
 variable "cf_user" {
   type        = string
   description = "The user email or service account running the terraform"
 }
-
+<% end %>
 # app_space settings
 variable "cf_space_name" {
   type        = string
@@ -23,12 +23,12 @@ variable "space_auditors" {
   type        = set(string)
   default     = []
   description = "A list of users to be granted SpaceAuditor on cf_space_name"
-}
-variable "allow_space_ssh" {
+}<% end %>
+variable "allow_ssh" {
   type        = bool
   default     = false
-  description = "Whether to allow ssh to cf_space_name"
-}<% end %>
+  description = "Whether to allow ssh to the space and/or app"
+}
 
 # supporting services settings
 variable "rds_plan_name" {

data/lib/generators/rails_template18f/terraform/terraform_generator.rb

@@ -8,6 +8,8 @@ module RailsTemplate18f
       include Base
       include CloudGovOptions
 
+      class_option :backend, default: "s3", desc: "Which terraform backend to use. Options: [s3, gitlab, local]"
+
       desc <<~DESC
         Description:
           Install terraform files for cloud.gov database and s3 services
@@ -16,17 +18,43 @@ module RailsTemplate18f
       def install
         directory "terraform", mode: :preserve
         chmod "terraform/terraform.sh", 0o755
-        if terraform_manage_spaces?
-          template "full_bootstrap/main.tf", "terraform/bootstrap/main.tf"
-          copy_file "full_bootstrap/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+      end
+
+      def install_bootstrap
+        if use_gitlab_backend?
+          directory "gitlab_bootstrap", "terraform/bootstrap", mode: :preserve
+        elsif use_s3_backend?
+          directory "s3_bootstrap/common", "terraform/bootstrap", mode: :preserve
+          if terraform_manage_spaces?
+            template "s3_bootstrap/full/main.tf", "terraform/bootstrap/main.tf"
+            copy_file "s3_bootstrap/full/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          else
+            template "s3_bootstrap/sandbox/main.tf", "terraform/bootstrap/main.tf"
+            copy_file "s3_bootstrap/sandbox/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          end
         else
-          template "sandbox_bootstrap/main.tf", "terraform/bootstrap/main.tf"
-          copy_file "sandbox_bootstrap/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          remove_dir "terraform/.shadowenv.d"
+        end
+        unless terraform_manage_spaces?
           remove_file "terraform/bootstrap/users.auto.tfvars"
           remove_file "terraform/production.tfvars"
         end
       end
 
+      def install_shadowenv
+        unless use_local_backend?
+          append_to_file "Brewfile", <<~EOB
+
+            # shadowenv for loading terraform backend secrets
+            brew "shadowenv"
+          EOB
+          insert_into_file "README.md", indent(<<~EOR), after: /\* Install homebrew dependencies: `brew bundle`\n/
+            * [shadowenv](https://shopify.github.io/shadowenv/)
+              * See the [quick start](https://shopify.github.io/shadowenv/getting-started/#add-to-your-shell-profile) for instructions on loading shadowenv in your shell
+          EOR
+        end
+      end
+
       def ignore_files
         unless skip_git?
           append_to_file ".gitignore", <<~EOM
@@ -86,6 +114,51 @@ module RailsTemplate18f
             done
           EOM
         end
+
+        def use_gitlab_backend?
+          backend == "gitlab"
+        end
+
+        def use_s3_backend?
+          backend == "s3"
+        end
+
+        def use_local_backend?
+          backend == "local"
+        end
+
+        def backend
+          options[:backend]
+        end
+
+        def backend_unless_local
+          if use_local_backend?
+            "<s3 or gitlab>"
+          else
+            backend
+          end
+        end
+
+        def backend_block
+          if use_gitlab_backend?
+            <<EOB
+  backend "http" {
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = 5
+  }
+EOB
+          elsif use_s3_backend?
+            <<EOB
+  backend "s3" {
+    encrypt           = true
+    use_lockfile      = true
+    use_fips_endpoint = true
+    region            = "us-gov-west-1"
+  }
+EOB
+          end
+        end
       end
     end
   end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "2.1.0"
+  VERSION = "2.2.0"
 end

data/template.rb

@@ -102,6 +102,10 @@ cloud_gov_production_space = default_prod_space if cloud_gov_production_space.bl
 @gitlab_ci = yes?("Create GitLab CI config? (y/n)")
 @github_actions = yes?("Create GitHub Actions? (y/n)")
 @circleci_pipeline = yes?("Create CircleCI config? (y/n)")
+local_terraform_backend = false
+unless [@gitlab_ci, @github_actions, @circleci_pipeline].any?
+  local_terraform_backend = yes?("Use a local file to store terraform state? This is only appropriate for short-lived proofs of concept but will make it easier to deploy for a single dev. (y/n)")
+end
 newrelic = yes?("Create FEDRAMP New Relic config files? (y/n)")
 dap = yes?("If this will be a public site, should we include Digital Analytics Program code? (y/n)")
 supported_languages = []
@@ -128,22 +132,27 @@ register_announcement("Documentation", <<~EOM)
 EOM
 
 # do early so later generators register files in the correct location
-if compliance_trestle
-  after_bundle do
-    generator_arguments = []
-    generator_arguments << "--oscal_repo=#{compliance_trestle_repo}" if compliance_trestle_submodule
-    generator_arguments << "--ci=github" if @github_actions
-    generator_arguments << "--ci=gitlab" if @gitlab_ci
-    generator_arguments << "--ci=circleci" if @circleci_pipeline
-    generate "rails_template18f:oscal", *generator_arguments
-  end
-  register_announcement("OSCAL Documentation", <<~EOM)
-    OSCAL files have been generated with some default implementation statements in `doc/compliance/oscal`
+run_oscal_generator = ->(register_announcement = false) {
+  if compliance_trestle
+    after_bundle do
+      generator_arguments = []
+      generator_arguments << "--oscal_repo=#{compliance_trestle_repo}" if compliance_trestle_submodule
+      generator_arguments << "--ci=github" if @github_actions
+      generator_arguments << "--ci=gitlab" if @gitlab_ci
+      generator_arguments << "--ci=circleci" if @circleci_pipeline
+      generate "rails_template18f:oscal", *generator_arguments
+    end
+    if register_announcement
+      register_announcement("OSCAL Documentation", <<~EOM)
+        OSCAL files have been generated with some default implementation statements in `doc/compliance/oscal`
 
-    All generated statements must be reviewed for accuracy with your system's implementation before being
-    submitted for authorization.
-  EOM
-end
+        All generated statements must be reviewed for accuracy with your system's implementation before being
+        submitted for authorization.
+      EOM
+    end
+  end
+}
+run_oscal_generator.call(true)
 
 # ensure dependencies are installed
 copy_file "Brewfile"
@@ -401,6 +410,11 @@ after_bundle do
     "--cg-staging=#{cloud_gov_staging_space}",
     "--cg-prod=#{cloud_gov_production_space}"
   ]
+  if @gitlab_ci
+    generator_arguments << "--backend=gitlab"
+  elsif local_terraform_backend
+    generator_arguments << "--backend=local"
+  end
   generate "rails_template18f:terraform", *generator_arguments
 end
 if cloud_gov_org_tktk?
@@ -467,6 +481,9 @@ if @gitlab_ci
   EOM
 end
 
+# rerun so we can update the correct CI systems
+run_oscal_generator.call
+
 if auditree
   after_bundle do
     generate "rails_template18f:auditree", "--evidence_locker=#{auditree_evidence_repo}"