rails_template_18f 2.1.0 → 2.3.0

data/lib/generators/rails_template18f/terraform/templates/terraform/variables.tf.tt

@@ -1,13 +1,14 @@
-# Deploy user settings
+<% if terraform_manage_spaces? %># Deploy user settings
 variable "cf_user" {
   type        = string
   description = "The user email or service account running the terraform"
 }
-
+<% end %>
 # app_space settings
 variable "cf_space_name" {
   type        = string
   description = "The space name to deploy the app into"
+  default     = null
 }<% if terraform_manage_spaces? %>
 variable "space_deployers" {
   type        = set(string)
@@ -23,12 +24,12 @@ variable "space_auditors" {
   type        = set(string)
   default     = []
   description = "A list of users to be granted SpaceAuditor on cf_space_name"
-}
-variable "allow_space_ssh" {
+}<% end %>
+variable "allow_ssh" {
   type        = bool
   default     = false
-  description = "Whether to allow ssh to cf_space_name"
-}<% end %>
+  description = "Whether to allow ssh to the space and/or app"
+}
 
 # supporting services settings
 variable "rds_plan_name" {
@@ -63,10 +64,14 @@ variable "host_name" {
 }
 
 # App environment settings
-variable "env" {
+variable "environment_type" {
   type        = string
   description = "The RAILS_ENV to set for the app (staging or production)"
 }
+variable "environment_slug" {
+  type        = string
+  description = "environment_name after being sluggified"
+}
 
 variable "rails_master_key" {
   type        = string
@@ -83,8 +88,8 @@ variable "web_memory" {
   type        = string
   default     = "256M"
   description = "The amount of memory to assign to the web processes"
-}
-<% if has_active_job? %>
+}<% if has_active_job? %>
+
 variable "worker_instances" {
   type        = number
   default     = 1
@@ -94,5 +99,4 @@ variable "worker_memory" {
   type        = string
   default     = "256M"
   description = "The amount of memory to assign to the worker processes"
-}
-<% end %>
+}<% end %>

data/lib/generators/rails_template18f/terraform/terraform_generator.rb

@@ -8,6 +8,8 @@ module RailsTemplate18f
       include Base
       include CloudGovOptions
 
+      class_option :backend, default: "s3", desc: "Which terraform backend to use. Options: [s3, gitlab, local]"
+
       desc <<~DESC
         Description:
           Install terraform files for cloud.gov database and s3 services
@@ -16,14 +18,40 @@ module RailsTemplate18f
       def install
         directory "terraform", mode: :preserve
         chmod "terraform/terraform.sh", 0o755
-        if terraform_manage_spaces?
-          template "full_bootstrap/main.tf", "terraform/bootstrap/main.tf"
-          copy_file "full_bootstrap/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+      end
+
+      def install_bootstrap
+        if use_gitlab_backend?
+          directory "gitlab_bootstrap", "terraform/bootstrap", mode: :preserve
+        elsif use_s3_backend?
+          directory "s3_bootstrap/common", "terraform/bootstrap", mode: :preserve
+          if terraform_manage_spaces?
+            template "s3_bootstrap/full/main.tf", "terraform/bootstrap/main.tf"
+            copy_file "s3_bootstrap/full/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          else
+            template "s3_bootstrap/sandbox/main.tf", "terraform/bootstrap/main.tf"
+            copy_file "s3_bootstrap/sandbox/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          end
         else
-          template "sandbox_bootstrap/main.tf", "terraform/bootstrap/main.tf"
-          copy_file "sandbox_bootstrap/imports.tf.tftpl", "terraform/bootstrap/templates/imports.tf.tftpl"
+          remove_dir "terraform/.shadowenv.d"
+        end
+        unless terraform_manage_spaces?
           remove_file "terraform/bootstrap/users.auto.tfvars"
-          remove_file "terraform/production.tfvars"
+          remove_file "terraform/production.env.tfvars"
+        end
+      end
+
+      def install_shadowenv
+        unless use_local_backend?
+          append_to_file "Brewfile", <<~EOB
+
+            # shadowenv for loading terraform backend secrets
+            brew "shadowenv"
+          EOB
+          insert_into_file "README.md", indent(<<~EOR), after: /\* Install homebrew dependencies: `brew bundle`\n/
+            * [shadowenv](https://shopify.github.io/shadowenv/)
+              * See the [quick start](https://shopify.github.io/shadowenv/getting-started/#add-to-your-shell-profile) for instructions on loading shadowenv in your shell
+          EOR
         end
       end
 
@@ -35,6 +63,7 @@ module RailsTemplate18f
             .terraform.lock.hcl
             **/.terraform/*
             secrets.*.tfvars
+            env_vars.auto.tfvars
             terraform.tfstate
             terraform.tfstate.backup
             terraform/dist
@@ -86,6 +115,51 @@ module RailsTemplate18f
             done
           EOM
         end
+
+        def use_gitlab_backend?
+          backend == "gitlab"
+        end
+
+        def use_s3_backend?
+          backend == "s3"
+        end
+
+        def use_local_backend?
+          backend == "local"
+        end
+
+        def backend
+          options[:backend]
+        end
+
+        def backend_unless_local
+          if use_local_backend?
+            "<s3 or gitlab>"
+          else
+            backend
+          end
+        end
+
+        def backend_block
+          if use_gitlab_backend?
+            <<EOB
+  backend "http" {
+    lock_method    = "POST"
+    unlock_method  = "DELETE"
+    retry_wait_min = 5
+  }
+EOB
+          elsif use_s3_backend?
+            <<EOB
+  backend "s3" {
+    encrypt           = true
+    use_lockfile      = true
+    use_fips_endpoint = true
+    region            = "us-gov-west-1"
+  }
+EOB
+          end
+        end
       end
     end
   end

data/lib/rails_template18f/generators/cloud_gov_parsing.rb

@@ -19,7 +19,7 @@ module RailsTemplate18f
 
       def cloud_gov_staging_space
         if terraform_dir_exists?
-          staging_vars = file_content("terraform/staging.tfvars")
+          staging_vars = file_content("terraform/staging.env.tfvars")
           if (matches = staging_vars.match(/cf_space_name\s+= "(?<space_name>.*)"/))
             return matches[:space_name]
           end
@@ -29,7 +29,7 @@ module RailsTemplate18f
 
       def cloud_gov_production_space
         if terraform_dir_exists?
-          production_vars = file_content("terraform/production.tfvars")
+          production_vars = file_content("terraform/production.env.tfvars")
           if (matches = production_vars.match(/cf_space_name\s+= "(?<space_name>.*)"/))
             return matches[:space_name]
           end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "2.1.0"
+  VERSION = "2.3.0"
 end

data/template.rb

@@ -102,6 +102,10 @@ cloud_gov_production_space = default_prod_space if cloud_gov_production_space.bl
 @gitlab_ci = yes?("Create GitLab CI config? (y/n)")
 @github_actions = yes?("Create GitHub Actions? (y/n)")
 @circleci_pipeline = yes?("Create CircleCI config? (y/n)")
+local_terraform_backend = false
+unless [@gitlab_ci, @github_actions, @circleci_pipeline].any?
+  local_terraform_backend = yes?("Use a local file to store terraform state? This is only appropriate for short-lived proofs of concept but will make it easier to deploy for a single dev. (y/n)")
+end
 newrelic = yes?("Create FEDRAMP New Relic config files? (y/n)")
 dap = yes?("If this will be a public site, should we include Digital Analytics Program code? (y/n)")
 supported_languages = []
@@ -128,22 +132,27 @@ register_announcement("Documentation", <<~EOM)
 EOM
 
 # do early so later generators register files in the correct location
-if compliance_trestle
-  after_bundle do
-    generator_arguments = []
-    generator_arguments << "--oscal_repo=#{compliance_trestle_repo}" if compliance_trestle_submodule
-    generator_arguments << "--ci=github" if @github_actions
-    generator_arguments << "--ci=gitlab" if @gitlab_ci
-    generator_arguments << "--ci=circleci" if @circleci_pipeline
-    generate "rails_template18f:oscal", *generator_arguments
-  end
-  register_announcement("OSCAL Documentation", <<~EOM)
-    OSCAL files have been generated with some default implementation statements in `doc/compliance/oscal`
+run_oscal_generator = ->(register_announcement = false) {
+  if compliance_trestle
+    after_bundle do
+      generator_arguments = []
+      generator_arguments << "--oscal_repo=#{compliance_trestle_repo}" if compliance_trestle_submodule
+      generator_arguments << "--ci=github" if @github_actions
+      generator_arguments << "--ci=gitlab" if @gitlab_ci
+      generator_arguments << "--ci=circleci" if @circleci_pipeline
+      generate "rails_template18f:oscal", *generator_arguments
+    end
+    if register_announcement
+      register_announcement("OSCAL Documentation", <<~EOM)
+        OSCAL files have been generated with some default implementation statements in `doc/compliance/oscal`
 
-    All generated statements must be reviewed for accuracy with your system's implementation before being
-    submitted for authorization.
-  EOM
-end
+        All generated statements must be reviewed for accuracy with your system's implementation before being
+        submitted for authorization.
+      EOM
+    end
+  end
+}
+run_oscal_generator.call(true)
 
 # ensure dependencies are installed
 copy_file "Brewfile"
@@ -401,6 +410,11 @@ after_bundle do
     "--cg-staging=#{cloud_gov_staging_space}",
     "--cg-prod=#{cloud_gov_production_space}"
   ]
+  if @gitlab_ci
+    generator_arguments << "--backend=gitlab"
+  elsif local_terraform_backend
+    generator_arguments << "--backend=local"
+  end
   generate "rails_template18f:terraform", *generator_arguments
 end
 if cloud_gov_org_tktk?
@@ -408,7 +422,7 @@ if cloud_gov_org_tktk?
     Fill in the cloud.gov organization and space information in:
       * terraform/bootstrap/main.tf
       * terraform/main.tf
-      * terraform/*.tfvars
+      * terraform/*.env.tfvars
   EOM
 end
 register_announcement("Terraform", "Run the bootstrap script and update the appropriate CI/CD environment variables defined in the Deployment section of the README")
@@ -467,6 +481,9 @@ if @gitlab_ci
   EOM
 end
 
+# rerun so we can update the correct CI systems
+run_oscal_generator.call
+
 if auditree
   after_bundle do
     generate "rails_template18f:auditree", "--evidence_locker=#{auditree_evidence_repo}"

data/templates/README.md.tt

@@ -150,7 +150,7 @@ Otherwise:
 
 #### Non-secrets
 
-Configuration that changes by environment, but is public, should be added to the `tfvars` files, such as `terraform/production.tfvars` and `terraform/staging.tfvars`
+Configuration that changes by environment, but is public, should be added to the `tfvars` files, such as `terraform/production.env.tfvars` and `terraform/staging.env.tfvars`
 
 ## Documentation
 

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Ryan Ahearn
 bindir: exe
 cert_chain: []
-date: 2025-04-29 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -138,6 +138,7 @@ files:
 - lib/generators/rails_template18f/auditree/templates/bin/auditree.tt
 - lib/generators/rails_template18f/auditree/templates/github/actions/auditree-cmd/action.yml.tt
 - lib/generators/rails_template18f/auditree/templates/github/workflows/auditree-validation.yml.tt
+- lib/generators/rails_template18f/auditree/templates/gitlab/auditree.yml.tt
 - lib/generators/rails_template18f/circleci/circleci_generator.rb
 - lib/generators/rails_template18f/circleci/templates/Dockerfile.ci.tt
 - lib/generators/rails_template18f/circleci/templates/bin/ci-server-start
@@ -154,7 +155,6 @@ files:
 - lib/generators/rails_template18f/github_actions/templates/github/actions/setup-languages/action.yml.tt
 - lib/generators/rails_template18f/github_actions/templates/github/actions/setup-project/action.yml.tt
 - lib/generators/rails_template18f/github_actions/templates/github/dependabot.yml.tt
-- lib/generators/rails_template18f/github_actions/templates/github/workflows/assemble-ssp.yml.tt
 - lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml
 - lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml
 - lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml
@@ -165,14 +165,12 @@ files:
 - lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt
 - lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml
 - lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml
-- lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml
 - lib/generators/rails_template18f/github_actions/templates/oscal/component-definitions/github_actions/component-definition.json.tt
 - lib/generators/rails_template18f/gitlab_ci/gitlab_ci_generator.rb
 - lib/generators/rails_template18f/gitlab_ci/templates/gitlab-ci.yml.tt
-- lib/generators/rails_template18f/gitlab_ci/templates/gitlab/node.yml.tt
+- lib/generators/rails_template18f/gitlab_ci/templates/gitlab/node.yml
 - lib/generators/rails_template18f/gitlab_ci/templates/gitlab/rails.yml
 - lib/generators/rails_template18f/gitlab_ci/templates/gitlab/ruby.yml
-- lib/generators/rails_template18f/gitlab_ci/templates/gitlab/terraform.yml
 - lib/generators/rails_template18f/i18n/i18n_generator.rb
 - lib/generators/rails_template18f/i18n/templates/config/locales/en.yml.tt
 - lib/generators/rails_template18f/i18n/templates/config/locales/es.yml
@@ -190,25 +188,33 @@ files:
 - lib/generators/rails_template18f/oscal/templates/bin/trestle.tt
 - lib/generators/rails_template18f/oscal/templates/doc/compliance/oscal/trestle-config.yaml.tt
 - lib/generators/rails_template18f/oscal/templates/github/actions/trestle-cmd/action.yml.tt
+- lib/generators/rails_template18f/oscal/templates/github/workflows/assemble-ssp.yml.tt
+- lib/generators/rails_template18f/oscal/templates/github/workflows/validate-ssp.yml
+- lib/generators/rails_template18f/oscal/templates/gitlab/trestle.yml.tt
 - lib/generators/rails_template18f/public_egress/public_egress_generator.rb
 - lib/generators/rails_template18f/rails_erd/rails_erd_generator.rb
 - lib/generators/rails_template18f/rails_erd/templates/erdconfig
 - lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb
 - lib/generators/rails_template18f/sidekiq/templates/config/initializers/redis.rb
-- lib/generators/rails_template18f/terraform/templates/full_bootstrap/imports.tf.tftpl
-- lib/generators/rails_template18f/terraform/templates/full_bootstrap/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/sandbox_bootstrap/imports.tf.tftpl
-- lib/generators/rails_template18f/terraform/templates/sandbox_bootstrap/main.tf.tt
+- lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/apply.sh
+- lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/main.tf.tt
+- lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/setup_shadowenv.sh
+- lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/users.auto.tfvars
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/apply.sh
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/templates/backend_config.tftpl
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/templates/bot_secrets.tftpl
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/common/users.auto.tfvars
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/full/imports.tf.tftpl
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/full/main.tf.tt
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/sandbox/imports.tf.tftpl
+- lib/generators/rails_template18f/terraform/templates/s3_bootstrap/sandbox/main.tf.tt
+- lib/generators/rails_template18f/terraform/templates/terraform/.shadowenv.d/.gitignore
 - lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/app.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/apply.sh
-- lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/templates/backend_config.tftpl
-- lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/templates/bot_secrets.tftpl
-- lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/users.auto.tfvars
 - lib/generators/rails_template18f/terraform/templates/terraform/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/production.tfvars.tt
+- lib/generators/rails_template18f/terraform/templates/terraform/production.env.tfvars.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/providers.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/staging.tfvars.tt
+- lib/generators/rails_template18f/terraform/templates/terraform/staging.env.tfvars.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/terraform.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/variables.tf.tt
 - lib/generators/rails_template18f/terraform/terraform_generator.rb
@@ -280,7 +286,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Generators for creating an 18F-flavored Rails app
 test_files: []

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/terraform.yml

@@ -1,28 +0,0 @@
-# Shared setup helpers for terraform jobs
-.terraform:setup:
-  stage: deploy
-  inherit:
-    default: false
-  image:
-    name: "hashicorp/terraform"
-    entrypoint: ["sh"]
-  variables:
-    CF_API_URL: https://api.fr.cloud.gov
-    TERRAFORM_BACKEND_KEY: terraform.tfstate.staging
-  dependencies: []
-  before_script:
-    - cd terraform
-    - terraform init -backend-config=$TERRAFORM_PUBLIC_BACKEND_CONFIG -backend-config=$TERRAFORM_SECRET_BACKEND_CONFIG -backend-config="key=$TERRAFORM_BACKEND_KEY"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != "schedule"
-
-.terraform:variables:staging:
-  dependencies: null
-  variables:
-    CF_USER: $CF_USERNAME
-
-.terraform:variables:production:
-  dependencies: null
-  variables:
-    CF_USER: $CF_USERNAME
-    TERRAFORM_BACKEND_KEY: terraform.tfstate.production

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/templates/backend_config.tftpl

@@ -1,8 +0,0 @@
-# remove this file after initializing your terraform
-# you can always regenerate it by running ./apply.sh
-# within the bootstrap module
-
-bucket     = "${creds.bucket}"
-region     = "${creds.region}"
-access_key = "${creds.access_key_id}"
-secret_key = "${creds.secret_access_key}"

data/lib/generators/rails_template18f/terraform/templates/terraform/staging.tfvars.tt

@@ -1,8 +0,0 @@
-cf_space_name   = "<%= cloud_gov_staging_space %>"
-env             = "staging"
-allow_space_ssh = true
-# host_name must be unique across cloud.gov, default is "<%= app_name %>-${var.env}"
-host_name = null
-space_developers = [
-  # enter developer emails that should have ssh access to staging
-]