rails_template_18f 2.1.0 → 2.3.0

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/setup_shadowenv.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+#
+# Setup .shadowenv.d/ files for terraform configuration
+
+set -e
+
+# ensure we're operating with the correct relative paths
+cd `dirname "$0"`
+
+shadowenv trust && eval "$(shadowenv hook)"
+
+ans=""
+prompt_ans() {
+  local prompt="$1"
+  local default="$2"
+  if [ -n "$default" ]; then
+    prompt="$prompt (default: $default)"
+  fi
+  read -r -p "$prompt: " ans
+}
+
+prompt_ans "GitLab hostname" "${GITLAB_HOSTNAME:=workshop.cloud.gov}"
+if [ -n "$ans" ]; then
+  GITLAB_HOSTNAME="$ans"
+fi
+
+prompt_ans "GitLab project id" "$GITLAB_PROJECT_ID"
+if [ -n "$ans" ]; then
+  GITLAB_PROJECT_ID="$ans"
+fi
+
+if [ ! -d ../.shadowenv.d ]; then
+  mkdir ../.shadowenv.d
+fi
+
+cat <<EOF > ../.shadowenv.d/100_gitlab_project.lisp
+(provide "gitlab-backend-config")
+(env/set "GITLAB_PROJECT_ID" "$GITLAB_PROJECT_ID")
+(env/set "GITLAB_HOSTNAME" "$GITLAB_HOSTNAME")
+(env/set "GITLAB_BASE_URL" "https://${GITLAB_HOSTNAME}/api/v4")
+EOF
+
+prompt_ans "GitLab username" "$TF_HTTP_USERNAME"
+if [ -n "$ans" ]; then
+  TF_HTTP_USERNAME=$ans
+fi
+if [ -z "$TF_HTTP_PASSWORD" ]; then
+  prompt_ans "GitLab PAT (with api scope)"
+else
+  prompt_ans "GitLab PAT (with api scope, Leave blank to re-use existing PAT)"
+fi
+if [ -n "$ans" ]; then
+  TF_HTTP_PASSWORD=$ans
+fi
+
+cat <<EOF > ../.shadowenv.d/500_tf_backend_secrets.lisp
+(provide "tf-backend-secrets")
+(env/set "TF_HTTP_USERNAME" "$TF_HTTP_USERNAME")
+(env/set "TF_HTTP_PASSWORD" "$TF_HTTP_PASSWORD")
+(env/set "GITLAB_TOKEN" "$TF_HTTP_PASSWORD")
+EOF

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/templates/backend_config.tftpl

@@ -0,0 +1,6 @@
+(provide "terraform-backend-config")
+(env/set "S3_BUCKET_NAME" "${creds.bucket}")
+(env/set "AWS_ACCESS_KEY_ID" "${creds.access_key_id}")
+(env/set "AWS_SECRET_ACCESS_KEY" "${creds.secret_access_key}")
+; not a secret, but setting it here enables the aws cli to work when in the terraform directory
+(env/set "AWS_REGION" "${creds.region}")

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/users.auto.tfvars

@@ -0,0 +1,5 @@
+terraform_users = [
+  # add your terraform_users list here: example values:
+  # "team.member@gsa.gov",
+  # "cf_user-guid-value-for-space-developer-service-account",
+]

data/lib/generators/rails_template18f/terraform/templates/{full_bootstrap → s3_bootstrap/full}/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.2.0"
+      version = "~> 1.10"
     }
   }
 }
@@ -59,7 +59,7 @@ data "cloudfoundry_service_plans" "cg_service_account" {
 locals {
   sa_service_name    = "<%= app_name %>-cicd-deployer"
   sa_key_name        = "cicd-deployer-access-key"
-  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_bot_credentials = jsondecode(cloudfoundry_service_credential_binding.runner_sa_key.credential_binding).credentials
   sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
   sa_cf_password     = local.sa_bot_credentials.password
 }
@@ -67,7 +67,7 @@ resource "cloudfoundry_service_instance" "runner_service_account" {
   name         = local.sa_service_name
   type         = "managed"
   space        = module.mgmt_space.space_id
-  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans[0].id
   depends_on   = [module.mgmt_space]
 }
 resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
@@ -75,11 +75,6 @@ resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
   service_instance = cloudfoundry_service_instance.runner_service_account.id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "runner_sa_key" {
-  name             = local.sa_key_name
-  service_instance = cloudfoundry_service_instance.runner_service_account.id
-  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
-}
 data "cloudfoundry_org" "org" {
   name = local.org_name
 }
@@ -87,24 +82,16 @@ data "cloudfoundry_user" "sa_user" {
   name = local.sa_cf_username
 }
 resource "cloudfoundry_org_role" "sa_org_manager" {
-  user = data.cloudfoundry_user.sa_user.users.0.id
+  user = data.cloudfoundry_user.sa_user.users[0].id
   type = "organization_manager"
   org  = data.cloudfoundry_org.org.id
 }
 
-locals {
-  bucket_creds_key_name = "backend-state-bucket-creds"
-}
 resource "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
+  name             = "backend-state-bucket-creds"
   service_instance = module.s3.bucket_id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
-  service_instance = module.s3.bucket_id
-  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
-}
 
 locals {
   import_map = {
@@ -129,12 +116,12 @@ resource "local_file" "recreate_script" {
 }
 
 locals {
-  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  bucket_creds   = jsondecode(cloudfoundry_service_credential_binding.bucket_creds.credential_binding).credentials
   backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
 }
 resource "local_sensitive_file" "bucket_creds" {
   content         = local.backend_config
-  filename        = "${path.module}/../secrets.backend.tfvars"
+  filename        = "${path.module}/../.shadowenv.d/500_tf_backend_secrets.lisp"
   file_permission = "0600"
 }
 
@@ -150,10 +137,3 @@ resource "local_sensitive_file" "bot_secrets_file" {
     password     = local.sa_cf_password
   })
 }
-
-output "mgmt_space_id" {
-  value = module.mgmt_space.space_id
-}
-output "mgmt_org_id" {
-  value = data.cloudfoundry_org.org.id
-}

data/lib/generators/rails_template18f/terraform/templates/{sandbox_bootstrap → s3_bootstrap/sandbox}/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.2.0"
+      version = "~> 1.10"
     }
   }
 }
@@ -44,38 +44,25 @@ data "cloudfoundry_service_plans" "cg_service_account" {
 locals {
   sa_service_name    = "<%= app_name %>-cicd-deployer"
   sa_key_name        = "cicd-deployer-access-key"
-  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_bot_credentials = jsondecode(cloudfoundry_service_credential_binding.runner_sa_key.credential_binding).credentials
 }
 resource "cloudfoundry_service_instance" "runner_service_account" {
   name         = local.sa_service_name
   type         = "managed"
   space        = data.cloudfoundry_space.space.id
-  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans[0].id
 }
 resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
   name             = local.sa_key_name
   service_instance = cloudfoundry_service_instance.runner_service_account.id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "runner_sa_key" {
-  name             = local.sa_key_name
-  service_instance = cloudfoundry_service_instance.runner_service_account.id
-  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
-}
 
-locals {
-  bucket_creds_key_name = "backend-state-bucket-creds"
-}
 resource "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
+  name             = "backend-state-bucket-creds"
   service_instance = module.s3.bucket_id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
-  service_instance = module.s3.bucket_id
-  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
-}
 
 locals {
   import_map = {
@@ -94,12 +81,12 @@ resource "local_file" "recreate_script" {
 }
 
 locals {
-  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  bucket_creds   = jsondecode(cloudfoundry_service_credential_binding.bucket_creds.credential_binding).credentials
   backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
 }
 resource "local_sensitive_file" "bucket_creds" {
   content         = local.backend_config
-  filename        = "${path.module}/../secrets.backend.tfvars"
+  filename        = "${path.module}/../.shadowenv.d/500_tf_backend_secrets.lisp"
   file_permission = "0600"
 }
 

data/lib/generators/rails_template18f/terraform/templates/terraform/.shadowenv.d/.gitignore

@@ -0,0 +1,3 @@
+/*secrets.lisp
+/.*
+!/.gitignore

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -10,48 +10,57 @@ is very limited.
 When you are ready to move the application to a non-sandbox cloud.gov organization, please re-run the terraform generator with…
 
 ```bash
-bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME>
+bin/rails generate rails_template18f:terraform --cg-org=<ORG_NAME> --cg-staging=<STAGING_SPACE_NAME> --cg-prod=<PRODUCTION_SPACE_NAME> --backend=<%= backend_unless_local %>
 ```
 
 …to take full advantage of the generator, and then re-run your CI generator of choice to add production terraform plan and apply steps to your workflow.
 <% end %>
-## Terraform State Credentials
+<% unless use_local_backend? %>## Terraform State Credentials
 
-The `bootstrap` module is used to create an s3 bucket for later terraform runs to store their state in as well as
-create credentials files so developers can use that s3 bucket to create their own sandbox environments.
+The `bootstrap` module is used to create resources that must be created by an individual developers credentials before automation can be run:
 
-### Initial project setup
+* service account and credentials to provide to the CI/CD pipeline to perform future updates<% unless use_gitlab_backend? %>
+* an s3 bucket for later terraform runs to store their state in<% end %>
+
+### Initial <%= use_gitlab_backend? ? "CI/CD pipeline" : "project" %> setup
 
 These steps only need to be run once per project.
 
-1. `cd bootstrap`<% if terraform_manage_spaces? %>
-1. Add any users who should have access to the terraform state bucket to `users.auto.tfvars`<% end %>
+1. `cd bootstrap`<% if use_gitlab_backend? %>
+1. Run `./setup_shadowenv.sh`<% end %><% if terraform_manage_spaces? %>
+1. Add any users who should have access to the management space to `users.auto.tfvars`<% end %><% if use_gitlab_backend? %>
+1. Run `./apply.sh`<% else %>
 1. Run `./apply.sh -var create_bot_secrets_file=true`
-1. Add `imports.tf` to git and commit the changes
-1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments
-    1. Copy backend credentials from `/terraform/secrets.backend.tfvars` to your CI/CD secrets using the instructions in the base README
-    1. Copy the cf_user and cf_password credentials from `/terraform/secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
-1. Delete the two secrets files
+1. Add `imports.tf` to git and commit the changes<% end %>
+1. Setup your CI/CD Pipeline to run terraform and deploy your staging and production environments<% unless use_gitlab_backend? %>
+    1. Copy backend credentials from `/terraform/.shadowenv.d/500_tf_backend_secrets.lisp` to your CI/CD secrets using the instructions in the base README<% end %>
+    1. Copy the `cf_user` and `cf_password` credentials from `secrets.cicd.tfvars` to your CI/CD secrets using the instructions in the base README
+1. Delete `secrets.cicd.tfvars`
+1. Delete `.shadowenv.d/500_tf_backend_secrets.lisp` if you won't be running terraform locally
 
 ### To make changes to the bootstrap module
 
-*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the state bucket in `bootstrap/users.auto.tfvars`<% end %>*
+*This should not be necessary in most cases<% if terraform_manage_spaces? %>, other than adding or removing users who should have access to the mgmt space in `bootstrap/users.auto.tfvars`<% end %>*
 
 1. Make your changes
-1. Run `./apply.sh` and verify the plan before entering `yes`
-1. Commit any changes to `imports.tf`
+1. Run `./apply.sh` and verify the plan before entering `yes`<% unless use_gitlab_backend? %>
+1. Commit any changes to `imports.tf`<% end %><% end %>
 
-## Set up a sandbox environment or review app
+<% if use_local_backend? %>
+## Deploy the App
+<% else %>
+## Set up a sandbox environment or review app<% unless use_gitlab_backend? %>
 
 ### Pre-requisites:
 
 1. Someone on the team has run the [Initial project setup](#initial-project-setup) steps and `imports.tf` is up-to-date on your branch.
-<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %>
+<% if terraform_manage_spaces? %>1. You are included in the list of users in `bootstrap/users.auto.tfvars` and `bootstrap/imports.tf`<% end %><% end %><% end %>
 
 ### Steps:
-
-<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.tfvars` and editing it with your values
-1. Add a `cf_user = "your.email@agency.gov"` line to the `sandbox-<NAME>.tfvars` file<% end %>
+<% if use_gitlab_backend? %>
+1. Run `./bootstrap/setup_shadowenv.sh`<% end %>
+<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.env.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.env.tfvars` and editing it with your values
+1. Add a `cf_user = "your.email@gsa.gov"` line to the `sandbox-<NAME>.env.tfvars` file<% end %>
 
 1. Run terraform plan with:
     ```bash
@@ -70,17 +79,19 @@ These steps only need to be run once per project.
 
 ## Structure
 
-```
+```<% unless use_local_backend? %>
 |- bootstrap/
 |  |- main.tf
 |  |- apply.sh
+|  |- users.auto.tfvars<% if use_gitlab_backend? %>
+|  |- setup_shadowenv.sh
+|  |- bot_secrets.tftpl<% else %>
 |  |- imports.tf (automatically generated)
-|  |- users.auto.tfvars
 |  |- terraform.tfstate(.backup) (automatically generated)
 |  |- templates/
 |     |- backend_config.tftpl
 |     |- bot_secrets.tftpl
-|     |- imports.tf.tftpl
+|     |- imports.tf.tftpl<% end %><% end %>
 |- dist/
 |  |- src.zip (automatically generated)
 |- README.md
@@ -89,19 +100,20 @@ These steps only need to be run once per project.
 |- providers.tf
 |- terraform.sh
 |- variables.tf
-|- <env>.tfvars
+|- <env>.env.tfvars
 ```
 
 In the root module:
-- `<env>.tfvars` is where to set variable values for the given environment name
+- `<env>.env.tfvars` is where to set variable values for the given environment name
 - `terraform.sh` Helper script to setup terraform to point to the correct state file, create a service account to run the root module, and apply the root module.
 - `app.tf` defines the application resource and configuration
 - `main.tf` defines the persistent infrastructure
 - `providers.tf` lists the required providers and shell backend config
 - `variables.tf` lists the variables that will be needed
 
-In the bootstrap module:
+<% unless use_local_backend? %>In the bootstrap module:
 - `main.tf` sets up a management space, an s3 bucket to store terraform state files, and an initial SpaceDeployer for the system
-- `apply.sh` Helper script to either recreate the state locally or call `terraform apply` Any arguments are passed through to the `apply` call
-- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes
-- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the terraform state bucket
+- `apply.sh` Helper script to setup terraform and call `terraform apply`. Any arguments are passed through to the `apply` call
+- `users.auto.tfvars` this file defines the list of cloud.gov accounts that should have access to the management space<% if use_gitlab_backend? %>
+- `setup_shadowenv.sh` helper script to set terraform backend values using the gitlab http backend in shadowenv<% else %>
+- `imports.tf` import blocks to create a new local state file when new developers need to access the state file. This file is automatically generated by calling `./apply.sh` and should be checked into git on any changes<% end %><% end %>

data/lib/generators/rails_template18f/terraform/templates/terraform/app.tf.tt

@@ -15,17 +15,18 @@ data "archive_file" "src" {
 }
 
 resource "cloudfoundry_app" "app" {
-  name       = "${local.app_name}-${var.env}"
-  space_name = var.cf_space_name
+  name       = "${local.app_name}-${var.environment_slug}"
+  space_name = <% if terraform_manage_spaces? %>module.app_space.space_name<% else %>var.cf_space_name<% end %>
   org_name   = local.cf_org_name
 
   path             = data.archive_file.src.output_path
   source_code_hash = data.archive_file.src.output_base64sha256
   buildpacks       = ["ruby_buildpack"]
   strategy         = "rolling"
+  enable_ssh       = var.allow_ssh
 
   environment = {
-    RAILS_ENV                = var.env
+    RAILS_ENV                = var.environment_type
     RAILS_MASTER_KEY         = var.rails_master_key
     RAILS_LOG_TO_STDOUT      = "true"
     RAILS_SERVE_STATIC_FILES = "true"
@@ -43,9 +44,9 @@ resource "cloudfoundry_app" "app" {
   ]
 
   service_bindings = [
-<% if has_active_job? %>    { service_instance = "${local.app_name}-redis-${var.env}" },<% end %>
-<% if has_active_storage? %>    { service_instance = "${local.app_name}-s3-${var.env}" },<% end %>
-    { service_instance = "${local.app_name}-rds-${var.env}" }
+<% if has_active_job? %>    { service_instance = "${local.app_name}-redis-${var.environment_slug}" },<% end %>
+<% if has_active_storage? %>    { service_instance = "${local.app_name}-s3-${var.environment_slug}" },<% end %>
+    { service_instance = "${local.app_name}-rds-${var.environment_slug}" }
   ]
 
   depends_on = [

data/lib/generators/rails_template18f/terraform/templates/terraform/main.tf.tt

@@ -1,17 +1,16 @@
 locals {
-  cf_org_name     = "<%= cloud_gov_organization %>"
-  app_name        = "<%= app_name %>"
-  space_deployers = setunion([var.cf_user], var.space_deployers)
+  cf_org_name = "<%= cloud_gov_organization %>"
+  app_name    = "<%= app_name.tr("_", "-") %>"
 }
 <% if terraform_manage_spaces? %>
 module "app_space" {
   source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v2.3.0"
 
   cf_org_name          = local.cf_org_name
-  cf_space_name        = var.cf_space_name
-  allow_ssh            = var.allow_space_ssh
-  deployers            = local.space_deployers
-  developers           = var.space_developers
+  cf_space_name        = coalesce(var.cf_space_name, "${local.app_name}-${var.environment_slug}")
+  allow_ssh            = var.allow_ssh
+  deployers            = var.space_deployers
+  developers           = setunion([var.cf_user], var.space_developers)
   auditors             = var.space_auditors
   security_group_names = ["trusted_local_networks_egress"]
 }
@@ -35,7 +34,7 @@ module "database" {
   source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v2.3.0"
 
   cf_space_id   = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
-  name          = "${local.app_name}-rds-${var.env}"
+  name          = "${local.app_name}-rds-${var.environment_slug}"
   rds_plan_name = var.rds_plan_name<% if terraform_manage_spaces? %>
   # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
   depends_on = [module.app_space]<% end %>
@@ -45,8 +44,11 @@ module "redis" {
   source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v2.3.0"
 
   cf_space_id     = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
-  name            = "${local.app_name}-redis-${var.env}"
-  redis_plan_name = var.redis_plan_name<% if terraform_manage_spaces? %>
+  name            = "${local.app_name}-redis-${var.environment_slug}"
+  redis_plan_name = var.redis_plan_name
+  json_params = jsonencode({
+    engineVersion = "7.0"
+  })<% if terraform_manage_spaces? %>
   # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
   depends_on = [module.app_space]<% end %>
 }
@@ -55,7 +57,7 @@ module "s3" {
   source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v2.3.0"
 
   cf_space_id  = <% if terraform_manage_spaces? %>module.app_space.space_id<% else %>data.cloudfoundry_space.app_space.id<% end %>
-  name         = "${local.app_name}-s3-${var.env}"
+  name         = "${local.app_name}-s3-${var.environment_slug}"
   s3_plan_name = var.s3_plan_name<% if terraform_manage_spaces? %>
   # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
   depends_on = [module.app_space]<% end %>
@@ -66,7 +68,7 @@ module "clamav" {
 
   cf_org_name   = local.cf_org_name
   cf_space_name = var.cf_space_name
-  name          = "${local.app_name}-clamapi-${var.env}"
+  name          = "${local.app_name}-clamapi-${var.environment_slug}"
   clamav_image  = "ghcr.io/gsa-tts/clamav-rest/clamav:latest"
   max_file_size = "30M"<% if terraform_manage_spaces? %>
   # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
@@ -109,9 +111,9 @@ module "app_route" {
   source = "github.com/gsa-tts/terraform-cloudgov//app_route?ref=v2.3.0"
 
   cf_org_name   = local.cf_org_name
-  cf_space_name = var.cf_space_name
+  cf_space_name = <% if terraform_manage_spaces? %>module.app_space.space_name<% else %>var.cf_space_name<% end %>
   app_ids       = [cloudfoundry_app.app.id]
-  hostname      = coalesce(var.host_name, "${local.app_name}-${var.env}")<% if terraform_manage_spaces? %>
+  hostname      = coalesce(var.host_name, "${local.app_name}-${var.environment_slug}")<% if terraform_manage_spaces? %>
   # depends_on line is required only for initial creation and destruction. It can be commented out for updates if you see unwanted cascading effects
   depends_on = [module.app_space]<% end %>
 }

data/lib/generators/rails_template18f/terraform/templates/terraform/{production.tfvars.tt → production.env.tfvars.tt}

@@ -1,5 +1,4 @@
 cf_space_name      = "<%= cloud_gov_production_space %>"
-env                = "production"
 rds_plan_name      = "TKTK-production-rds-plan"
 custom_domain_name = null
 host_name          = null

data/lib/generators/rails_template18f/terraform/templates/terraform/providers.tf.tt

@@ -3,16 +3,14 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "1.5.0"
+      version = "~> 1.10"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2"
     }
   }
 
-  backend "s3" {
-    encrypt           = true
-    use_lockfile      = true
-    use_fips_endpoint = true
-    region            = "us-gov-west-1"
-  }
-}
+<%= backend_block %>}
 
 provider "cloudfoundry" {}

data/lib/generators/rails_template18f/terraform/templates/terraform/staging.env.tfvars.tt

@@ -0,0 +1,7 @@
+cf_space_name = "<%= cloud_gov_staging_space %>"
+allow_ssh     = true
+# host_name must be unique across cloud.gov, default is "<%= app_name.tr("_", "-") %>-${var.environment_slug}"
+host_name = null<% if terraform_manage_spaces? %>
+space_developers = [
+  # enter developer emails that should have ssh access to staging
+]<% end %>

data/lib/generators/rails_template18f/terraform/templates/terraform/terraform.sh.tt

@@ -20,8 +20,8 @@ Options:
 "
 
 
-rmk=`cat $rmk_file || echo -n ""`
-env=""
+rmk=$(cat $rmk_file || echo -n "")
+env="<% unless terraform_manage_spaces? %>staging<% end %>"
 force=""
 args_to_shift=0
 
@@ -54,7 +54,21 @@ done
 shift $args_to_shift
 if [[ "$1" = "--" ]]; then
   shift 1
-fi
+fi<% if use_gitlab_backend? %>
+
+if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_BASE_URL" ]; then
+  echo "GITLAB_PROJECT_ID or GITLAB_BASE_URL have not been set. Running bootstrap/setup_shadowenv.sh now..."
+  (cd bootstrap && ./setup_shadowenv.sh)
+  eval "$(shadowenv hook)"
+fi<% elsif use_s3_backend? %>
+
+if [[ ! -f .shadowenv.d/500_tf_backend_secrets.lisp ]]; then
+  echo "=============================================================================================================="
+  echo "= Recreating backend config file. It is fine if this step wants to delete any local_sensitive_file resources"
+  echo "=============================================================================================================="
+  (cd bootstrap && ./apply.sh $force)
+  shadowenv trust && eval "$(shadowenv hook)"
+fi<% end %>
 
 if [[ -z "$env" ]]; then
   echo "-e <ENV_NAME> is required"
@@ -62,34 +76,54 @@ if [[ -z "$env" ]]; then
   exit 1
 fi
 
-if [[ ! -f "$env.tfvars" ]]; then
-  echo "$env.tfvars file is missing. Create it first"
+if [[ ! -f "$env.env.tfvars" ]]; then
+  echo "$env.env.tfvars file is missing. Create it first"
   exit 1
 fi
 
+if [[ "$env" = "staging" ]] || [[ "$env" = "production" ]]; then
+  echo "environment_type = \"$env\"" > env_vars.auto.tfvars
+  echo "environment_slug = \"$env\"" >> env_vars.auto.tfvars
+elif [[ "$env" = "sandbox" ]]; then
+  echo "environment_type = \"review\"" > env_vars.auto.tfvars
+else
+  rm env_vars.auto.tfvars
+fi
+
 # ensure we're logged in via cli
 cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
 
-tfm_needs_init=true
+tfm_needs_init=true<% if use_gitlab_backend? %>
+tf_state_address="$GITLAB_BASE_URL/projects/$GITLAB_PROJECT_ID/terraform/state/$env"
 if [[ -f .terraform/terraform.tfstate ]]; then
-  backend_state_env=`cat .terraform/terraform.tfstate | jq -r ".backend.config.key" | cut -d '.' -f3`
+  backend_state_address=$(cat .terraform/terraform.tfstate | jq -r ".backend.config.address")
+  if [[ "$backend_state_address" = "$tf_state_address" ]]; then
+    tfm_needs_init=false
+  fi
+fi<% elsif use_s3_backend? %>
+if [[ -f .terraform/terraform.tfstate ]]; then
+  backend_state_env=$(cat .terraform/terraform.tfstate | jq -r ".backend.config.key" | cut -d '.' -f3)
   if [[ "$backend_state_env" = "$env" ]]; then
     tfm_needs_init=false
   fi
-fi
+else
+  echo "Sleeping for 10 seconds to avoid a bucket creation race condition"
+  sleep 10
+fi<% else %>
+if [[ -f .terraform.lock.hcl ]]; then
+  tfm_needs_init=false
+fi<% end %>
 
-if [[ $tfm_needs_init = true ]]; then
-  if [[ ! -f secrets.backend.tfvars ]]; then
-    echo "=============================================================================================================="
-    echo "= Recreating backend config file. It is fine if this step wants to delete any local_sensitive_file resources"
-    echo "=============================================================================================================="
-    (cd bootstrap && ./apply.sh -auto-approve)
-  fi
-  terraform init -backend-config=secrets.backend.tfvars -backend-config="key=terraform.tfstate.$env" -reconfigure
-  rm secrets.backend.tfvars
+if [[ $tfm_needs_init = true ]]; then<% if use_gitlab_backend? %>
+  terraform init -reconfigure \
+    -backend-config="address=$tf_state_address" \
+    -backend-config="lock_address=$tf_state_address/lock" \
+    -backend-config="unlock_address=$tf_state_address/lock"<% elsif use_s3_backend? %>
+  terraform init -backend-config="bucket=$S3_BUCKET_NAME" -backend-config="key=terraform.tfstate.$env" -reconfigure<% else %>
+  terraform init<% end %>
 fi
 
 echo "=============================================================================================================="
 echo "= Calling $cmd $force on the application infrastructure"
 echo "=============================================================================================================="
-terraform "$cmd" -var-file="$env.tfvars" -var rails_master_key="$rmk" $force "$@"
+terraform "$cmd" -var-file="$env.env.tfvars" -var rails_master_key="$rmk" $force "$@"