rails_template_18f 2.2.0 → 2.3.0

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab-ci.yml.tt

@@ -1,42 +1,94 @@
 # Note that environment variables can be set in several places
 # See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+spec:
+  inputs:
+    enable-staging-deploy:
+      type: boolean
+      default: true
+      description: "Set to false for scheduled pipelines"
+    disable-tflint:
+      type: boolean
+      default: false
+      description: "Set to true for scheduled pipelines"
+    enable-tf-fmt:
+      type: boolean
+      default: true
+      description: "Set to false for scheduled pipelines"
+---
 
 workflow:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+    - if: $CI_PIPELINE_SOURCE == 'web'
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-    - if: $CI_COMMIT_BRANCH == "production"
+    - if: $CI_COMMIT_TAG =~ /^v?\d+\.\d+\.\d+$/
 
 stages:
   - build
   - test
-  - scan
-  - deploy
+  - publish
+  - infra
+  - dast
+  - infra-prod
 
 variables:
   POSTGRES_DB: <%= app_name %>_test
   POSTGRES_PASSWORD: not-actually-secret
   POSTGRES_VERSION: <%= postgres_version %>
   RUBY_VERSION: <%= RUBY_VERSION %>
+  NODE_MAJOR_VERSION: <%= node_major %>
+  CF_API_URL: https://api.fr.cloud.gov
+  TF_VAR_cf_user: $CF_USER
+  TF_VAR_rails_master_key: $RAILS_MASTER_KEY
 
 include:
   - local: ".gitlab/ruby.yml"
   - local: ".gitlab/node.yml"
   - local: ".gitlab/rails.yml"
-  - local: ".gitlab/terraform.yml"
+  - template: Jobs/SAST.gitlab-ci.yml
+  - template: Jobs/SAST-IaC.gitlab-ci.yml
+  - template: Security/DAST.gitlab-ci.yml
+  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
+  - template: Jobs/Secret-Detection.gitlab-ci.yml
+  - component: $CI_SERVER_FQDN/components/terraform/gitlab-ci-terraform@8
+    inputs:
+      project-dir: terraform
+      fmt-enabled: $[[ inputs.enable-tf-fmt ]]
+      tflint-disabled: $[[ inputs.disable-tflint ]]
+      validate-enabled: true
+      review-enabled: true
+      review-autostop-duration: "1 week"
+      staging-enabled: $[[ inputs.enable-staging-deploy ]]
+      prod-enabled: false # Switch to true when your project is ready for prod deploys
+      prod-plan-enabled: true
+
+check-tag-on-main:
+  stage: .pre
+  variables:
+    GIT_STRATEGY: clone
+    GIT_DEPTH: 0
+  script:
+    - git branch -r --contains "$CI_COMMIT_TAG" | grep "^\s*origin/${CI_DEFAULT_BRANCH}\$"
+  rules:
+    - if: $CI_COMMIT_TAG
+
+tf-review:
+  environment:
+    url: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
+    on_stop: tf-destroy-review
 
-default:
-  image: "ruby:${RUBY_VERSION}"
-  before_script:
-    - !reference [.setup-ruby]
-  cache:
-    - !reference [.cache-dependencies, cache]
+tf-staging:
+  environment:
+    url: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
+    on_stop: tf-destroy-staging
+
+tf-production:
+  environment:
+    url: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
 
 build-project:
   stage: build
   extends: [.cache-dependencies, .setup-languages]
-  cache:
-    policy: pull-push
   script:
     - !reference [.bundle-install]
     - !reference [.yarn-install]
@@ -49,31 +101,9 @@ build-project:
   rules:
     - if: $CI_PIPELINE_SOURCE != "schedule"
 
-brakeman-scan:
-  stage: test
-  script:
-    - bin/brakeman --no-pager --ensure-ignore-notes -f sarif -o output.sarif.json
-  artifacts:
-    when: always
-    expose_as: "Brakeman results"
-    paths:
-      - output.sarif.json
-
-dependency_scanning:
-  stage: test
-  extends: .setup-languages
-  script:
-    - bin/rake bundler:audit
-    - bin/rake yarn:audit
-    - gem install cyclonedx-ruby
-    - cyclonedx-ruby -p . -o ruby_bom.xml
-  artifacts:
-    expose_as: "Ruby SBOM"
-    paths:
-      - ruby_bom.xml
-
 rspec:
   stage: test
+  needs: ["build-project"]
   extends: .setup-project
   script:
     - bundle exec rspec
@@ -81,7 +111,8 @@ rspec:
     - if: $CI_PIPELINE_SOURCE != "schedule"
 
 pa11y_scan:
-  stage: scan
+  stage: test
+  needs: ["build-project"]
   extends: .run-server
   script:
     - !reference [.install-puppet-deps]
@@ -89,125 +120,21 @@ pa11y_scan:
   rules:
     - if: $CI_PIPELINE_SOURCE != "schedule"
 
-owasp_scan:
-  extends: .owasp:setup
-  script:
-    - /zap/zap-baseline.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
-  rules:
-    - if: $CI_PIPELINE_SOURCE != "schedule"
-
-owasp_daily_scan:
-  extends: .owasp:setup
-  script:
-    - /zap/zap-full-scan.py -t http://localhost:3000 -c zap.conf -I -r zap_report.html
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-
-terraform:fmt:
-  stage: test
-  extends: .terraform:setup
-  script:
-    - terraform fmt -check -recursive .
-
-terraform:validate:
-  stage: test
-  extends: .terraform:setup
-  script:
-    - terraform validate
-
-terraform:assets:staging:
-  extends: .assets:builder
-  cache:
-    - !reference [.cache-dependencies, cache]
-    - key: staging-assets
-      unprotect: true
-      paths:
-        - public/assets
-        - app/assets/builds
-      policy: $CACHE_POLICY
-  variables:
-    RAILS_ENV: staging
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-      when: never
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      variables:
-        CACHE_POLICY: pull-push
-    - variables:
-        CACHE_POLICY: pull
-<% if terraform_manage_spaces? %>
-terraform:assets:production:
-  extends: .assets:builder
-  cache:
-    - !reference [.cache-dependencies, cache]
-    - key: production-assets
-      paths:
-        - public/assets
-        - app/assets/builds
-      policy: $CACHE_POLICY
+dast:
+  environment:
+    name: $DAST_ENVIRONMENT_NAME
+    action: access
   variables:
-    RAILS_ENV: production
-  rules:
-    - if: $CI_COMMIT_BRANCH == "production"
-      variables:
-        CACHE_POLICY: pull-push
-    - if: $CI_PIPELINE_SOURCE != "schedule"
-      variables:
-        CACHE_POLICY: pull
-<% end %>
-terraform:plan:staging:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:staging
-  needs: ["terraform:assets:staging"]
+    DAST_TARGET_URL: "https://<%= app_name.tr("_", "-") %>-${CI_ENVIRONMENT_SLUG}.app.cloud.gov"
+    DAST_IMAGE_SUFFIX: "-fips"
+  tags:
+    - unsafe_egress
   script:
-    - apk add zip
-    - terraform plan -out=staging_plan.out -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
-  artifacts:
-    paths:
-      - terraform/staging_plan.out
-      - terraform/dist
-
-terraform:apply:staging:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:staging
-  needs:
-    - terraform:plan:staging
-    - terraform:assets:staging
-  script:
-    - apk add zip
-    - terraform apply -var-file=staging.tfvars -var rails_master_key=$RAILS_MASTER_KEY -var cf_user=$CF_USERNAME staging_plan.out
+    - /browserker/entrypoint.sh /analyze
   rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      variables:
+        DAST_ENVIRONMENT_NAME: "review/$CI_COMMIT_REF_NAME"
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-<% if terraform_manage_spaces? %>
-terraform:plan:production:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:production
-  needs: ["terraform:assets:production"]
-  script:
-    - apk add zip
-    - terraform plan -out=production_plan.out -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME
-  artifacts:
-    paths:
-      - terraform/production_plan.out
-      - terraform/dist
-
-terraform:apply:production:
-  extends:
-    - .terraform:setup
-    - .terraform:variables:production
-  needs:
-    - terraform:plan:production
-    - terraform:assets:production
-  script:
-    - apk add zip
-    - terraform apply -var-file=production.tfvars -var rails_master_key=$PRODUCTION_RAILS_MASTER_KEY -var cf_user=$CF_USERNAME production_plan.out
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-      when: never
-    - if: $CI_COMMIT_BRANCH == "production"
-      when: manual<% end %>
+      variables:
+        DAST_ENVIRONMENT_NAME: "staging"

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb

@@ -88,7 +88,7 @@ EOB
             ### Public Egress Proxy
 
             Traffic to be delivered to the public internet must be proxied through the [cg-egress-proxy](https://github.com/GSA-TTS/cg-egress-proxy) app. Hostnames that the app should be able to
-            reach should be added to the `egress_allowlist` terraform variable in `terraform/production.tfvars` and `terraform/staging.tfvars`
+            reach should be added to the `egress_allowlist` terraform variable in `terraform/production.env.tfvars` and `terraform/staging.env.tfvars`
 
             See the [ruby troubleshooting doc](https://github.com/GSA-TTS/cg-egress-proxy/blob/main/docs/ruby.md) first if you have any problems making outbound connections through the proxy.
 

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/apply.sh

@@ -6,8 +6,8 @@ then
   exit 1
 fi
 
-if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_HOSTNAME" ]; then
-  echo "GITLAB_PROJECT_ID or GITLAB_HOSTNAME has not been set. Run ./setup_shadowenv.sh first"
+if [ -z "$GITLAB_PROJECT_ID" ] || [ -z "$GITLAB_BASE_URL" ]; then
+  echo "GITLAB_PROJECT_ID or GITLAB_BASE_URL has not been set. Run ./setup_shadowenv.sh first"
   exit 1
 fi
 
@@ -16,10 +16,10 @@ set -e
 # ensure we're logged in via cli
 cf spaces &> /dev/null || cf login -a api.fr.cloud.gov --sso
 
-tf_state_address="https://$GITLAB_HOSTNAME/api/v4/projects/$GITLAB_PROJECT_ID/terraform/state/bootstrap"
+tf_state_address="$GITLAB_BASE_URL/projects/$GITLAB_PROJECT_ID/terraform/state/bootstrap"
 terraform init \
   -backend-config="address=$tf_state_address" \
   -backend-config="lock_address=$tf_state_address/lock" \
   -backend-config="unlock_address=$tf_state_address/lock"
 
-terraform apply "$@"
+terraform apply -var project_id="$GITLAB_PROJECT_ID" "$@"

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/main.tf.tt

@@ -3,7 +3,11 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "~> 1.7"
+      version = "~> 1.10"
+    }
+    gitlab = {
+      source  = "gitlabhq/gitlab"
+      version = "~> 18.5"
     }
   }
   backend "http" {
@@ -14,6 +18,7 @@ terraform {
 }
 # empty config will let terraform borrow cf-cli's auth
 provider "cloudfoundry" {}
+provider "gitlab" {}
 
 locals {
   org_name   = "<%= cloud_gov_organization %>"
@@ -23,10 +28,16 @@ locals {
 data "cloudfoundry_org" "org" {
   name = local.org_name
 }
+
+variable "project_id" {
+  type        = number
+  description = "The GitLab project ID for this project"
+}
+
 <% if terraform_manage_spaces? %>
 variable "terraform_users" {
   type        = set(string)
-  description = "The list of developer emails and service account usernames who should be granted access to retrieve state bucket credentials"
+  description = "The list of developer emails and service account usernames who should be able to update the service bot user"
 
   validation {
     condition     = length(var.terraform_users) > 0
@@ -51,48 +62,53 @@ data "cloudfoundry_service_plans" "cg_service_account" {
   name                  = "<%= terraform_manage_spaces? ? "space-auditor" : "space-deployer" %>"
   service_offering_name = "cloud-gov-service-account"
 }
-locals {
-  sa_service_name    = "<%= app_name %>-cicd-deployer"
-  sa_key_name        = "cicd-deployer-access-key"
-  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
-  sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
-  sa_cf_password     = local.sa_bot_credentials.password
-}
 resource "cloudfoundry_service_instance" "runner_service_account" {
-  name         = local.sa_service_name
+  name         = "<%= app_name %>-cicd-deployer"
   type         = "managed"
-  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id<% if terraform_manage_spaces? %>
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans[0].id<% if terraform_manage_spaces? %>
   space        = module.mgmt_space.space_id
   depends_on   = [module.mgmt_space]<% else %>
   space        = data.cloudfoundry_space.space.id<% end %>
 }
 resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
-  name             = local.sa_key_name
+  name             = "cicd-deployer-access-key"
   service_instance = cloudfoundry_service_instance.runner_service_account.id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "runner_sa_key" {
-  name             = local.sa_key_name
-  service_instance = cloudfoundry_service_instance.runner_service_account.id
-  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
+locals {
+  sa_bot_credentials = jsondecode(cloudfoundry_service_credential_binding.runner_sa_key.credential_binding).credentials
+  sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
+  sa_cf_password     = local.sa_bot_credentials.password
 }<% if terraform_manage_spaces? %>
 data "cloudfoundry_user" "sa_user" {
   name = local.sa_cf_username
 }
 resource "cloudfoundry_org_role" "sa_org_manager" {
-  user = data.cloudfoundry_user.sa_user.users.0.id
+  user = data.cloudfoundry_user.sa_user.users[0].id
   type = "organization_manager"
   org  = data.cloudfoundry_org.org.id
 }<% end %>
 
-resource "local_sensitive_file" "bot_secrets_file" {
-  filename        = "${path.module}/secrets.cicd.tfvars"
-  file_permission = "0600"
+resource "gitlab_project_variable" "cf_user" {
+  project       = var.project_id
+  key           = "CF_USER"
+  value         = local.sa_cf_username
+  protected     = false
+  masked        = false
+  hidden        = false
+  raw           = true
+  variable_type = "env_var"
+  description   = "Set by terraform bootstrap module"
+}
 
-  content = templatefile("${path.module}/bot_secrets.tftpl", {
-    service_name = local.sa_service_name,
-    key_name     = local.sa_key_name,
-    username     = local.sa_cf_username,
-    password     = local.sa_cf_password
-  })
+resource "gitlab_project_variable" "cf_password" {
+  project       = var.project_id
+  key           = "CF_PASSWORD"
+  value         = local.sa_cf_password
+  protected     = false
+  masked        = true
+  hidden        = true
+  raw           = true
+  variable_type = "env_var"
+  description   = "Set by terraform bootstrap module"
 }

data/lib/generators/rails_template18f/terraform/templates/gitlab_bootstrap/setup_shadowenv.sh

@@ -19,7 +19,7 @@ prompt_ans() {
   read -r -p "$prompt: " ans
 }
 
-prompt_ans "GitLab hostname" "${GITLAB_HOSTNAME:=gsa.gitlab-dedicated.us}"
+prompt_ans "GitLab hostname" "${GITLAB_HOSTNAME:=workshop.cloud.gov}"
 if [ -n "$ans" ]; then
   GITLAB_HOSTNAME="$ans"
 fi
@@ -35,8 +35,9 @@ fi
 
 cat <<EOF > ../.shadowenv.d/100_gitlab_project.lisp
 (provide "gitlab-backend-config")
-(env/set "GITLAB_HOSTNAME" "$GITLAB_HOSTNAME")
 (env/set "GITLAB_PROJECT_ID" "$GITLAB_PROJECT_ID")
+(env/set "GITLAB_HOSTNAME" "$GITLAB_HOSTNAME")
+(env/set "GITLAB_BASE_URL" "https://${GITLAB_HOSTNAME}/api/v4")
 EOF
 
 prompt_ans "GitLab username" "$TF_HTTP_USERNAME"
@@ -56,4 +57,5 @@ cat <<EOF > ../.shadowenv.d/500_tf_backend_secrets.lisp
 (provide "tf-backend-secrets")
 (env/set "TF_HTTP_USERNAME" "$TF_HTTP_USERNAME")
 (env/set "TF_HTTP_PASSWORD" "$TF_HTTP_PASSWORD")
+(env/set "GITLAB_TOKEN" "$TF_HTTP_PASSWORD")
 EOF

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/full/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "~> 1.7"
+      version = "~> 1.10"
     }
   }
 }
@@ -59,7 +59,7 @@ data "cloudfoundry_service_plans" "cg_service_account" {
 locals {
   sa_service_name    = "<%= app_name %>-cicd-deployer"
   sa_key_name        = "cicd-deployer-access-key"
-  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_bot_credentials = jsondecode(cloudfoundry_service_credential_binding.runner_sa_key.credential_binding).credentials
   sa_cf_username     = nonsensitive(local.sa_bot_credentials.username)
   sa_cf_password     = local.sa_bot_credentials.password
 }
@@ -67,7 +67,7 @@ resource "cloudfoundry_service_instance" "runner_service_account" {
   name         = local.sa_service_name
   type         = "managed"
   space        = module.mgmt_space.space_id
-  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans[0].id
   depends_on   = [module.mgmt_space]
 }
 resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
@@ -75,11 +75,6 @@ resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
   service_instance = cloudfoundry_service_instance.runner_service_account.id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "runner_sa_key" {
-  name             = local.sa_key_name
-  service_instance = cloudfoundry_service_instance.runner_service_account.id
-  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
-}
 data "cloudfoundry_org" "org" {
   name = local.org_name
 }
@@ -87,24 +82,16 @@ data "cloudfoundry_user" "sa_user" {
   name = local.sa_cf_username
 }
 resource "cloudfoundry_org_role" "sa_org_manager" {
-  user = data.cloudfoundry_user.sa_user.users.0.id
+  user = data.cloudfoundry_user.sa_user.users[0].id
   type = "organization_manager"
   org  = data.cloudfoundry_org.org.id
 }
 
-locals {
-  bucket_creds_key_name = "backend-state-bucket-creds"
-}
 resource "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
+  name             = "backend-state-bucket-creds"
   service_instance = module.s3.bucket_id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
-  service_instance = module.s3.bucket_id
-  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
-}
 
 locals {
   import_map = {
@@ -129,7 +116,7 @@ resource "local_file" "recreate_script" {
 }
 
 locals {
-  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  bucket_creds   = jsondecode(cloudfoundry_service_credential_binding.bucket_creds.credential_binding).credentials
   backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
 }
 resource "local_sensitive_file" "bucket_creds" {

data/lib/generators/rails_template18f/terraform/templates/s3_bootstrap/sandbox/main.tf.tt

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     cloudfoundry = {
       source  = "cloudfoundry/cloudfoundry"
-      version = "~> 1.7"
+      version = "~> 1.10"
     }
   }
 }
@@ -44,38 +44,25 @@ data "cloudfoundry_service_plans" "cg_service_account" {
 locals {
   sa_service_name    = "<%= app_name %>-cicd-deployer"
   sa_key_name        = "cicd-deployer-access-key"
-  sa_bot_credentials = jsondecode(data.cloudfoundry_service_credential_binding.runner_sa_key.credential_bindings.0.credential_binding).credentials
+  sa_bot_credentials = jsondecode(cloudfoundry_service_credential_binding.runner_sa_key.credential_binding).credentials
 }
 resource "cloudfoundry_service_instance" "runner_service_account" {
   name         = local.sa_service_name
   type         = "managed"
   space        = data.cloudfoundry_space.space.id
-  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans.0.id
+  service_plan = data.cloudfoundry_service_plans.cg_service_account.service_plans[0].id
 }
 resource "cloudfoundry_service_credential_binding" "runner_sa_key" {
   name             = local.sa_key_name
   service_instance = cloudfoundry_service_instance.runner_service_account.id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "runner_sa_key" {
-  name             = local.sa_key_name
-  service_instance = cloudfoundry_service_instance.runner_service_account.id
-  depends_on       = [cloudfoundry_service_credential_binding.runner_sa_key]
-}
 
-locals {
-  bucket_creds_key_name = "backend-state-bucket-creds"
-}
 resource "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
+  name             = "backend-state-bucket-creds"
   service_instance = module.s3.bucket_id
   type             = "key"
 }
-data "cloudfoundry_service_credential_binding" "bucket_creds" {
-  name             = local.bucket_creds_key_name
-  service_instance = module.s3.bucket_id
-  depends_on       = [cloudfoundry_service_credential_binding.bucket_creds]
-}
 
 locals {
   import_map = {
@@ -94,7 +81,7 @@ resource "local_file" "recreate_script" {
 }
 
 locals {
-  bucket_creds   = jsondecode(data.cloudfoundry_service_credential_binding.bucket_creds.credential_bindings.0.credential_binding).credentials
+  bucket_creds   = jsondecode(cloudfoundry_service_credential_binding.bucket_creds.credential_binding).credentials
   backend_config = templatefile("${path.module}/templates/backend_config.tftpl", { creds = local.bucket_creds })
 }
 resource "local_sensitive_file" "bucket_creds" {

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -59,8 +59,8 @@ These steps only need to be run once per project.
 ### Steps:
 <% if use_gitlab_backend? %>
 1. Run `./bootstrap/setup_shadowenv.sh`<% end %>
-<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.tfvars` and editing it with your values
-1. Add a `cf_user = "your.email@gsa.gov"` line to the `sandbox-<NAME>.tfvars` file<% end %>
+<% if terraform_manage_spaces? %>1. Create a new `sandbox-<NAME>.env.tfvars` file to hold variable values for your environment. A good starting point is copying `staging.env.tfvars` and editing it with your values
+1. Add a `cf_user = "your.email@gsa.gov"` line to the `sandbox-<NAME>.env.tfvars` file<% end %>
 
 1. Run terraform plan with:
     ```bash
@@ -100,11 +100,11 @@ These steps only need to be run once per project.
 |- providers.tf
 |- terraform.sh
 |- variables.tf
-|- <env>.tfvars
+|- <env>.env.tfvars
 ```
 
 In the root module:
-- `<env>.tfvars` is where to set variable values for the given environment name
+- `<env>.env.tfvars` is where to set variable values for the given environment name
 - `terraform.sh` Helper script to setup terraform to point to the correct state file, create a service account to run the root module, and apply the root module.
 - `app.tf` defines the application resource and configuration
 - `main.tf` defines the persistent infrastructure

data/lib/generators/rails_template18f/terraform/templates/terraform/app.tf.tt

@@ -15,8 +15,8 @@ data "archive_file" "src" {
 }
 
 resource "cloudfoundry_app" "app" {
-  name       = "${local.app_name}-${var.env}"
-  space_name = var.cf_space_name
+  name       = "${local.app_name}-${var.environment_slug}"
+  space_name = <% if terraform_manage_spaces? %>module.app_space.space_name<% else %>var.cf_space_name<% end %>
   org_name   = local.cf_org_name
 
   path             = data.archive_file.src.output_path
@@ -26,7 +26,7 @@ resource "cloudfoundry_app" "app" {
   enable_ssh       = var.allow_ssh
 
   environment = {
-    RAILS_ENV                = var.env
+    RAILS_ENV                = var.environment_type
     RAILS_MASTER_KEY         = var.rails_master_key
     RAILS_LOG_TO_STDOUT      = "true"
     RAILS_SERVE_STATIC_FILES = "true"
@@ -44,9 +44,9 @@ resource "cloudfoundry_app" "app" {
   ]
 
   service_bindings = [
-<% if has_active_job? %>    { service_instance = "${local.app_name}-redis-${var.env}" },<% end %>
-<% if has_active_storage? %>    { service_instance = "${local.app_name}-s3-${var.env}" },<% end %>
-    { service_instance = "${local.app_name}-rds-${var.env}" }
+<% if has_active_job? %>    { service_instance = "${local.app_name}-redis-${var.environment_slug}" },<% end %>
+<% if has_active_storage? %>    { service_instance = "${local.app_name}-s3-${var.environment_slug}" },<% end %>
+    { service_instance = "${local.app_name}-rds-${var.environment_slug}" }
   ]
 
   depends_on = [