rails_template_18f 2.1.0 → 2.3.0

data/lib/generators/rails_template18f/gitlab_ci/gitlab_ci_generator.rb

@@ -49,7 +49,7 @@ module RailsTemplate18f
       def update_boundary_diagram
         boundary_filename = "doc/compliance/apps/application.boundary.md"
         insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
-    System_Ext(gitlabci, "GitLab w/ DevTools Runner", "GSA-controlled code repository and Continuous Integration Service")
+    System_Ext(gitlabci, "Cloud.gov Workshop", "GSA-run code repository and Continuous Integration Service")
 EOB
         insert_into_file boundary_filename, <<~EOB, before: "@enduml"
           Rel(developer, gitlabci, "Publish code", "git ssh (22)")
@@ -76,10 +76,9 @@ EOB
 
             | Secret Name | Description |
             | ----------- | ----------- |
-            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
-            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+            | `CF_USER` | cloud.gov OrgManager username |
+            | `CF_PASSWORD` | cloud.gov OrgManager password |
             | `RAILS_MASTER_KEY` | `config/master.key` |
-            #{terraform_secret_values}
           EOM
         end
 
@@ -87,16 +86,15 @@ EOB
           if terraform_manage_spaces?
             <<~EOM
 
-              Deploys to production happen via terraform on every push to the `production` branch in GitLab.
+              Deploys to production happen via terraform on every tag that is added to the `main` branch.
 
-              The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+              The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/) and assigned to the `production` environment.
 
               | Secret Name | Description |
               | ----------- | ----------- |
-              | `CF_USERNAME` | cloud.gov SpaceDeployer username |
-              | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
-              | `PRODUCTION_RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
-              #{terraform_secret_values}
+              | `CF_USER` | cloud.gov OrgManager username |
+              | `CF_PASSWORD` | cloud.gov OrgManager password |
+              | `RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
             EOM
           else
             "Production deploys are not supported in the sandbox organization."
@@ -107,20 +105,13 @@ EOB
           <<~EOM
 
             1. Store variables that must be secret using masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/) in GitLab
-            1. Add the appropriate `-var` arguments to the `terraform:plan:<env>` and `terraform:apply:<env>` jobs like the existing `-var rails_master_key=`
+            1. Add the appropriate `TF_VAR_` prefixed variables for the `terraform:plan:<env>` and `terraform:apply:<env>` jobs like the existing `TF_VAR_rails_master_key`
           EOM
         end
       end
 
       private
 
-      def terraform_secret_values
-        <<~EOM
-          | `TERRAFORM_PUBLIC_BACKEND_CONFIG` | File-type variable containing all entries from secrets.backend.tfvars _except_ `secret_key`. Marked as `Visible` |
-          | `TERRAFORM_SECRET_BACKEND_CONFIG` | File-type variable containing the `secret_key` line from secrets.backend.tfvars. Masked and hidden. |
-        EOM
-      end
-
       def postgres_version
         options[:postgres_version]
       end

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/{node.yml.tt → node.yml}

@@ -1,5 +1,5 @@
 .setup-node:
-  - curl -fsSL https://deb.nodesource.com/setup_<%= node_major %>.x -o nodesource_setup.sh
+  - curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR_VERSION}.x" -o nodesource_setup.sh
   - bash nodesource_setup.sh
   - apt-get install -y nodejs
   - npm install --global yarn

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/rails.yml

@@ -2,6 +2,13 @@ include:
   - local: ".gitlab/ruby.yml"
   - local: ".gitlab/node.yml"
 
+.base:
+  image: "ruby:${RUBY_VERSION}"
+  before_script:
+    - !reference [.setup-ruby]
+  cache:
+    - !reference [.cache-dependencies, cache]
+
 # Cache Helpers
 .cache-dependencies:
   variables:
@@ -15,27 +22,28 @@ include:
     paths:
       - vendor/ruby
       - node_modules/
-    policy: pull
 
 # Language Helpers
 .setup-languages:
+  extends: .base
   before_script:
     - !reference [.setup-ruby]
     - !reference [.setup-node]
 
 # Project Helpers
 .setup-project:
+  extends: .base
   services:
     - name: "postgres:${POSTGRES_VERSION}"
       alias: pg
+  variables:
+    DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD}@${WSR_SERVICE_HOST_pg}:5432/${POSTGRES_DB}"
   before_script:
     - !reference [.setup-ruby]
-    - export DATABASE_URL="postgres://postgres:${POSTGRES_PASSWORD}@${CI_SERVICE_pg}:5432/${POSTGRES_DB}"
     - bin/rails db:prepare
 
 .run-server:
   extends: .setup-project
-  dependencies: []
   variables:
     RAILS_ENV: ci
     SECRET_KEY_BASE_DUMMY: 1
@@ -46,21 +54,6 @@ include:
     - PORT=3000 bin/rails server > /dev/null 2>&1 &
     - sleep 5
 
-.owasp:setup:
-  stage: test
-  extends: .run-server
-  image: "rcahearngsa/owasp-ruby:${RUBY_VERSION}"
-  variables:
-    WORKER_MEMORY: 3G
-    WORKER_DISK: 6G
-  before_script:
-    - !reference [.run-server, before_script]
-    - ln -s $PWD /zap/wrk
-  artifacts:
-    expose_as: "OWASP Report"
-    paths:
-      - zap_report.html
-
 .assets:builder:
   stage: deploy
   extends: .setup-languages

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab-ci.yml.tt

@@ -1,41 +1,94 @@
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+spec:
+  inputs:
+    enable-staging-deploy:
+      type: boolean
+      default: true
+      description: "Set to false for scheduled pipelines"
+    disable-tflint:
+      type: boolean
+      default: false
+      description: "Set to true for scheduled pipelines"
+    enable-tf-fmt:
+      type: boolean
+      default: true
+      description: "Set to false for scheduled pipelines"
+---
 
 workflow:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_PIPELINE_SOURCE == 'web'
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-    - if: $CI_COMMIT_BRANCH == "production"
+    - if: $CI_COMMIT_TAG =~ /^v?\d+\.\d+\.\d+$/
 
 stages:
   - build
   - test
-  - deploy
+  - publish
+  - infra
+  - dast
+  - infra-prod
 
 variables:
   POSTGRES_DB: <%= app_name %>_test
   POSTGRES_PASSWORD: not-actually-secret
   POSTGRES_VERSION: <%= postgres_version %>
   RUBY_VERSION: <%= RUBY_VERSION %>
+  NODE_MAJOR_VERSION: <%= node_major %>
+  CF_API_URL: https://api.fr.cloud.gov
+  TF_VAR_cf_user: $CF_USER
+  TF_VAR_rails_master_key: $RAILS_MASTER_KEY
 
 include:
   - local: ".gitlab/ruby.yml"
   - local: ".gitlab/node.yml"
   - local: ".gitlab/rails.yml"
-  - local: ".gitlab/terraform.yml"
+  - template: Jobs/SAST.gitlab-ci.yml
+  - template: Jobs/SAST-IaC.gitlab-ci.yml
+  - template: Security/DAST.gitlab-ci.yml
+  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
+  - template: Jobs/Secret-Detection.gitlab-ci.yml
+  - component: $CI_SERVER_FQDN/components/terraform/gitlab-ci-terraform@8
+    inputs:
+      project-dir: terraform
+      fmt-enabled: $[[ inputs.enable-tf-fmt ]]
+      tflint-disabled: $[[ inputs.disable-tflint ]]
+      validate-enabled: true
+      review-enabled: true
+      review-autostop-duration: "1 week"
+      staging-enabled: $[[ inputs.enable-staging-deploy ]]
+      prod-enabled: false # Switch to true when your project is ready for prod deploys
+      prod-plan-enabled: true
+
+check-tag-on-main:
+  stage: .pre
+  variables:
+    GIT_STRATEGY: clone
+    GIT_DEPTH: 0
+  script:
+    - git branch -r --contains "$CI_COMMIT_TAG" | grep "^\s*origin/${CI_DEFAULT_BRANCH}\$"
+  rules:
+    - if: $CI_COMMIT_TAG
 
-default:
-  image: "ruby:${RUBY_VERSION}"
-  before_script:
-    - !reference [.setup-ruby]
-  cache:
-    - !reference [.cache-dependencies, cache]
+tf-review:
+  environment:
+    url: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
+    on_stop: tf-destroy-review
+
+tf-staging:
+  environment:
+    url: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
+    on_stop: tf-destroy-staging
+
+tf-production:
+  environment:
+    url: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
 
 build-project:
   stage: build
   extends: [.cache-dependencies, .setup-languages]
-  cache:
-    policy: pull-push
   script:
     - !reference [.bundle-install]
     - !reference [.yarn-install]
@@ -48,31 +101,9 @@ build-project:
   rules:
     - if: $CI_PIPELINE_SOURCE != "schedule"
 
-brakeman-scan:
-  stage: test
-  script:
-    - bin/brakeman --no-pager --ensure-ignore-notes -f sarif -o output.sarif.json
-  artifacts:
-    when: always
-    expose_as: "Brakeman results"
-    paths:
-      - output.sarif.json
-
-dependency_scanning:
-  stage: test
-  extends: .setup-languages
-  script:
-    - bin/rake bundler:audit
-    - bin/rake yarn:audit
-    - gem install cyclonedx-ruby
-    - cyclonedx-ruby -p . -o ruby_bom.xml
-  artifacts:
-    expose_as: "Ruby SBOM"
-    paths:
-      - ruby_bom.xml
-
 rspec:
   stage: test
+  needs: ["build-project"]
   extends: .setup-project
   script:
     - bundle exec rspec
@@ -81,6 +112,7 @@ rspec:
 
 pa11y_scan:
   stage: test
+  needs: ["build-project"]
   extends: .run-server
   script:
     - !reference [.install-puppet-deps]
@@ -88,125 +120,21 @@ pa11y_scan:
   rules:
     - if: $CI_PIPELINE_SOURCE != "schedule"
 
-owasp_scan:
-  extends: .owasp:setup
-  script:
-    - /zap/zap-baseline.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
-  rules:
-    - if: $CI_PIPELINE_SOURCE != "schedule"
-
-owasp_daily_scan:
-  extends: .owasp:setup
-  script:
-    - /zap/zap-full-scan.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-
-terraform:fmt:
-  stage: test
-  extends: .terraform:setup
-  script:
-    - terraform fmt -check -recursive .
-
-terraform:validate:
-  stage: test
-  extends: .terraform:setup
-  script:
-    - terraform validate
-
-terraform:assets:staging:
-  extends: .assets:builder
-  cache:
-    - !reference [.cache-dependencies, cache]
-    - key: staging-assets
-      unprotect: true
-      paths:
-        - public/assets
-        - app/assets/builds
-      policy: $CACHE_POLICY
-  variables:
-    RAILS_ENV: staging
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      variables:
-        CACHE_POLICY: pull-push
-    - variables:
-        CACHE_POLICY: pull
-<% if terraform_manage_spaces? %>
-terraform:assets:production:
-  extends: .assets:builder
-  cache:
-    - !reference [.cache-dependencies, cache]
-    - key: production-assets
-      paths:
-        - public/assets
-        - app/assets/builds
-      policy: $CACHE_POLICY
+dast:
+  environment:
+    name: $DAST_ENVIRONMENT_NAME
+    action: access
   variables:
-    RAILS_ENV: production
-  rules:
-    - if: $CI_COMMIT_BRANCH == "production"
-      variables:
-        CACHE_POLICY: pull-push
-    - if: $CI_PIPELINE_SOURCE != "schedule"
-      variables:
-        CACHE_POLICY: pull
-<% end %>
-terraform:plan:staging:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:staging
-  needs: ["terraform:assets:staging"]
+    DAST_TARGET_URL: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
+    DAST_IMAGE_SUFFIX: "-fips"
+  tags:
+    - unsafe_egress
   script:
-    - apk add zip
-    - terraform plan -out=staging_plan.out -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
-  artifacts:
-    paths:
-      - terraform/staging_plan.out
-      - terraform/dist
-
-terraform:apply:staging:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:staging
-  needs:
-    - terraform:plan:staging
-    - terraform:assets:staging
-  script:
-    - apk add zip
-    - terraform apply -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME staging_plan.out
+    - /browserker/entrypoint.sh /analyze
   rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      variables:
+        DAST_ENVIRONMENT_NAME: "review/$CI_COMMIT_REF_NAME"
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-<% if terraform_manage_spaces? %>
-terraform:plan:production:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:production
-  needs: ["terraform:assets:production"]
-  script:
-    - apk add zip
-    - terraform plan -out=production_plan.out -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
-  artifacts:
-    paths:
-      - terraform/production_plan.out
-      - terraform/dist
-
-terraform:apply:production:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:production
-  needs:
-    - terraform:plan:production
-    - terraform:assets:production
-  script:
-    - apk add zip
-    - terraform apply -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME production_plan.out
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-      when: never
-    - if: $CI_COMMIT_BRANCH == "production"
-      when: manual<% end %>
+      variables:
+        DAST_ENVIRONMENT_NAME: "staging"

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -49,6 +49,16 @@ module RailsTemplate18f
         end
       end
 
+      def copy_gitlab_ci
+        if use_gitlab_ci?
+          directory "gitlab", ".gitlab"
+          if file_exists? ".gitlab-ci.yml"
+            insert_into_file ".gitlab-ci.yml", "  - local: \".gitlab/trestle.yml\"\n", after: /^include:\n/
+            insert_into_file ".gitlab-ci.yml", "  TRESTLE_VERSION: #{docker_trestle_tag}\n", after: /^variables:\n/
+          end
+        end
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -85,13 +95,17 @@ module RailsTemplate18f
         end
 
         def docker_trestle_tag
-          options[:tag].present? ? options[:tag] : "20240912"
+          options[:tag].present? ? options[:tag] : "20250603"
         end
 
         def use_github_actions?
           options[:ci] == "github" || file_exists?(".github/workflows")
         end
 
+        def use_gitlab_ci?
+          options[:ci] == "gitlab" || file_exists?(".gitlab-ci.yml")
+        end
+
         def readme_contents
           content = <<~README
 

data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt

@@ -2,8 +2,17 @@
 
 trestle_tag="<%= docker_trestle_tag %>"
 
+if [ "$1" = "-h" ]; then
+    echo """
+        Usage: $0 [-h] [CMD [CMD ARGS]]
+
+        CMD defaults to 'bash'
+    """
+    exit 0
+fi
+
 command="bash"
-if [ "$1" != "" ]; then
+if [ -n "$1" ]; then
     command=$1
     shift 1
 fi

data/lib/generators/rails_template18f/oscal/templates/gitlab/trestle.yml.tt

@@ -0,0 +1,29 @@
+.trestle:setup:
+  inherit:
+    default: false
+  image: "ghcr.io/gsa-tts/trestle:${TRESTLE_VERSION}"
+  before_script:
+    - cd doc/compliance/oscal
+    - export PATH="/app/bin:$PATH"
+
+validate_ssp:
+  extends: .trestle:setup
+  stage: test
+  script:
+    - validate-ssp-json
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"
+
+assemble_ssp:
+  extends: .trestle:setup
+  stage: deploy
+  script:
+    - trestle assemble -n <%= app_name %> system-security-plan
+    - render-ssp
+  artifacts:
+    expose_as: "<%= app_name %> SSPP"
+    paths:
+      - doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+      - doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.md
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb

@@ -88,7 +88,7 @@ EOB
             ### Public Egress Proxy
 
             Traffic to be delivered to the public internet must be proxied through the [cg-egress-proxy](https://github.com/GSA-TTS/cg-egress-proxy) app. Hostnames that the app should be able to
-            reach should be added to the `egress_allowlist` terraform variable in `terraform/production.tfvars` and `terraform/staging.tfvars`
+            reach should be added to the `egress_allowlist` terraform variable in `terraform/production.env.tfvars` and `terraform/staging.env.tfvars`
 
             See the [ruby troubleshooting doc](https://github.com/GSA-TTS/cg-egress-proxy/blob/main/docs/ruby.md) first if you have any problems making outbound connections through the proxy.
 
@@ -103,7 +103,7 @@ EOB
 
               cf_org_name          = local.cf_org_name
               cf_space_name        = "${var.cf_space_name}-egress"
-              allow_ssh            = var.allow_space_ssh
+              allow_ssh            = var.allow_ssh
               deployers            = local.space_deployers
               developers           = var.space_developers
               auditors             = var.space_auditors

data/lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 Rails.application.config.to_prepare do
-  redis_url = CloudGovConfig.dig "aws-elasticache-redis", "credentials", "uri"
+  redis_url = CloudGovConfig.new.dig "aws-elasticache-redis", "credentials", "uri"
   if redis_url.present?
     Sidekiq.configure_server do |config|
       config.redis = {url: redis_url, ssl: true}

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/apply.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+if ! command -v terraform &> /dev/null
+then
+  echo "terraform must be installed before running this script"
+  exit 1
+fi
+
+if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_BASE_URL" ]; then
+  echo "GITLAB_PROJECT_ID or GITLAB_BASE_URL has not been set. Run ./setup_shadowenv.sh first"
+  exit 1
+fi
+
+set -e
+
+# ensure we're logged in via cli
+cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
+
+tf_state_address="$GITLAB_BASE_URL/projects/$GITLAB_PROJECT_ID/terraform/state/bootstrap"
+terraform init \
+  -backend-config="address=$tf_state_address" \
+  -backend-config="lock_address=$tf_state_address/lock" \
+  -backend-config="unlock_address=$tf_state_address/lock"
+
+terraform apply -var project_id="$GITLAB_PROJECT_ID" "$@"

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/main.tf.tt

@@ -0,0 +1,114 @@
+terraform {
+  required_version = "~> 1.10"
+  required_providers {
+    cloudfoundry = {
+      source  = "cloudfoundry/cloudfoundry"
+      version = "~> 1.10"
+    }
+    gitlab = {
+      source  = "gitlabhq/gitlab"
+      version = "~> 18.5"
+    }
+  }
+  backend "http" {
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = 5
+  }
+}
+# empty config will let terraform borrow cf-cli's auth
+provider "cloudfoundry" {}
+provider "gitlab" {}
+
+locals {
+  org_name   = "<%= cloud_gov_organization %>"
+  space_name = "<%= terraform_manage_spaces? ? "#{ cloud_gov_production_space }-mgmt" : cloud_gov_staging_space %>"
+}
+
+data "cloudfoundry_org" "org" {
+  name = local.org_name
+}
+
+variable "project_id" {
+  type        = number
+  description = "The GitLab project ID for this project"
+}
+
+<% if terraform_manage_spaces? %>
+variable "terraform_users" {
+  type        = set(string)
+  description = "The list of developer emails and service account usernames who should be able to update the service bot user"
+
+  validation {
+    condition     = length(var.terraform_users) > 0
+    error_message = "terraform_users must include at least the current user calling apply.sh"
+  }
+}
+
+module "mgmt_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
+
+  cf_org_name   = local.org_name
+  cf_space_name = local.space_name
+  developers    = var.terraform_users
+}
+<% else %>
+data "cloudfoundry_space" "space" {
+  name = local.space_name
+  org  = data.cloudfoundry_org.org.id
+}
+<% end %>
+data "cloudfoundry_service_plans" "cg_service_account" {
+  name                  = "<%= terraform_manage_spaces? ? "space-auditor" : "space-deployer" %>"
+  service_offering_name = "cloud-gov-service-account"
+}
+resource "cloudfoundry_service_instance" "runner_service_account" {
+  name         = "<%= app_name %>-cicd-deployer"
+  type         = "managed"
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans[0].id<% if terraform_manage_spaces? %>
+  space        = module.mgmt_space.space_id
+  depends_on   = [module.mgmt_space]<% else %>
+  space        = data.cloudfoundry_space.space.id<% end %>
+}
+resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
+  name             = "cicd-deployer-access-key"
+  service_instance = cloudfoundry_service_instance.runner_service_account.id
+  type             = "key"
+}
+locals {
+  sa_bot_credentials = jsondecode(cloudfoundry_service_credential_binding.runner_sa_key.credential_binding).credentials
+  sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
+  sa_cf_password     = local.sa_bot_credentials.password
+}<% if terraform_manage_spaces? %>
+data "cloudfoundry_user" "sa_user" {
+  name = local.sa_cf_username
+}
+resource "cloudfoundry_org_role" "sa_org_manager" {
+  user = data.cloudfoundry_user.sa_user.users[0].id
+  type = "organization_manager"
+  org  = data.cloudfoundry_org.org.id
+}<% end %>
+
+resource "gitlab_project_variable" "cf_user" {
+  project       = var.project_id
+  key           = "CF_USER"
+  value         = local.sa_cf_username
+  protected     = false
+  masked        = false
+  hidden        = false
+  raw           = true
+  variable_type = "env_var"
+  description   = "Set by terraform bootstrap module"
+}
+
+resource "gitlab_project_variable" "cf_password" {
+  project       = var.project_id
+  key           = "CF_PASSWORD"
+  value         = local.sa_cf_password
+  protected     = false
+  masked        = true
+  hidden        = true
+  raw           = true
+  variable_type = "env_var"
+  description   = "Set by terraform bootstrap module"
+}