rails_template_18f 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 957ad56e218689b3d05f7c31ae6354a4e2c42877567ea87478845b30129cef43
-  data.tar.gz: f5d6045a2632863b50209c557f7460f61f9bacb90a99883b6b090f6580c528d0
+  metadata.gz: 24d43ee8d10fdaa457658cfab2ce12e28e9d65364147ad46e96ef8d8d2f6f15c
+  data.tar.gz: 686546614e2d8205fce7ccd575842645effeb30add6d08fe3057b6623f1800f6
 SHA512:
-  metadata.gz: ea0332afd7b819bcd2b03acca406467f9404de6f8e065e980bdabf81ef7083377f8dfc4d6754baaf1a4e6525eaa5190402f7a5307d35fb472960089a62ddba9e
-  data.tar.gz: 5720c1340a3065354de210dd4deccb5577656876501514ac09faf91a133511e92796e0cb18aee299e8894b16394fbacde12419e6c97795a3be086242e9afa815
+  metadata.gz: ebc79caba4f53280dbf1dffa76ba9268ecbd6ae9634fd463f1920770a02531f0d5cd350a26ecbc439accf57fbe96d824e76349ce29492075fb2d4151b40cd46a
+  data.tar.gz: 79fa51828475fac62b1a5e4ec4562eb9b563da24760f85c41c42f123bdb3e882124a38686050a52c0c6b3ffa29577eaa547405e78ef14ad1b6b99f7fff5df0e8

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 ## [Unreleased]
 
+## [1.3.0] - 2024-12-18
+
+- Set up app space via terraform, with proper restricted egress security group
+- Create rails_template18f:public_egress generator for integrating with cg-egress-proxy
+- [Use exec when starting rails server](https://docs.cloudfoundry.org/devguide/deploy-apps/manifest-attributes.html#start-commands:~:text=To%20resolve%20this,process.%20For%20example%3A)
+- Upgrade the i18n-js integration to 4.x
+
 ## [1.2.0] - 2024-09-20
 
 - new applications are now on Rails 7.2.x

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (1.2.0)
+    rails_template_18f (1.3.0)
       activesupport (~> 7.2.0)
       colorize (~> 1.1)
       railties (~> 7.2.0)
@@ -10,9 +10,9 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (7.2.0)
-      actionview (= 7.2.0)
-      activesupport (= 7.2.0)
+    actionpack (7.2.1)
+      actionview (= 7.2.1)
+      activesupport (= 7.2.1)
       nokogiri (>= 1.8.5)
       racc
       rack (>= 2.2.4, < 3.2)
@@ -21,13 +21,13 @@ GEM
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actionview (7.2.0)
-      activesupport (= 7.2.0)
+    actionview (7.2.1)
+      activesupport (= 7.2.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activesupport (7.2.0)
+    activesupport (7.2.1)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
@@ -54,16 +54,16 @@ GEM
     diff-lcs (1.5.1)
     drb (2.2.1)
     erubi (1.13.0)
-    i18n (1.14.5)
+    i18n (1.14.6)
       concurrent-ruby (~> 1.0)
     io-console (0.7.2)
-    irb (1.14.0)
+    irb (1.14.1)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     json (2.7.2)
     language_server-protocol (3.17.0.3)
     lint_roller (1.1.0)
-    logger (1.6.0)
+    logger (1.6.1)
     loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
@@ -75,7 +75,7 @@ GEM
     nokogiri (1.16.7-x86_64-linux)
       racc (~> 1.4)
     parallel (1.26.3)
-    parser (3.3.4.2)
+    parser (3.3.5.0)
       ast (~> 2.4.1)
       racc
     psych (5.1.2)
@@ -96,9 +96,9 @@ GEM
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    railties (7.2.0)
-      actionpack (= 7.2.0)
-      activesupport (= 7.2.0)
+    railties (7.2.1)
+      actionpack (= 7.2.1)
+      activesupport (= 7.2.1)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -109,26 +109,25 @@ GEM
     rdoc (6.7.0)
       psych (>= 4.0.0)
     regexp_parser (2.9.2)
-    reline (0.5.9)
+    reline (0.5.10)
       io-console (~> 0.5)
-    rexml (3.3.6)
-      strscan
+    rexml (3.3.8)
     rspec (3.13.0)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.0)
+    rspec-core (3.13.1)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.2)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.1)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (6.1.4)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
+    rspec-rails (7.0.1)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
+      railties (>= 7.0)
       rspec-core (~> 3.13)
       rspec-expectations (~> 3.13)
       rspec-mocks (~> 3.13)
@@ -145,14 +144,14 @@ GEM
       rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.32.1)
+    rubocop-ast (1.32.3)
       parser (>= 3.3.1.0)
     rubocop-performance (1.21.1)
       rubocop (>= 1.48.1, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
     ruby-progressbar (1.13.0)
     securerandom (0.3.1)
-    standard (1.40.0)
+    standard (1.40.1)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.0)
       rubocop (~> 1.65.0)
@@ -165,14 +164,13 @@ GEM
       lint_roller (~> 1.1)
       rubocop-performance (~> 1.21.0)
     stringio (3.1.1)
-    strscan (3.1.0)
-    thor (1.3.1)
+    thor (1.3.2)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (2.6.0)
     useragent (0.16.10)
-    webrick (1.8.1)
-    zeitwerk (2.6.17)
+    webrick (1.8.2)
+    zeitwerk (2.6.18)
 
 PLATFORMS
   arm64-darwin-23

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -71,6 +71,11 @@ commands:
               -p ${<< parameters.cloudgov_password >>} \
               -o << parameters.cloudgov_org >> \
               -s << parameters.cloudgov_space >>
+      - run:
+          name: Set restricted egress
+          command: |
+            cf bind-security-group trusted_local_networks_egress << parameters.cloudgov_org >> \
+              --space << parameters.cloudgov_space >>
       - run:
           name: Push application with deployment vars
           command: |

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt

@@ -32,6 +32,14 @@ jobs:
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
       <% end %>
+      - name: Set restricted egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: <%= cloud_gov_organization %>
+          cf_space: <%= cloud_gov_production_space %>
+          cf_command: bind-security-group trusted_local_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
       - name: Deploy app
         uses: cloud-gov/cg-cli-tools@main
         with:

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt

@@ -32,6 +32,14 @@ jobs:
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
       <% end %>
+      - name: Set restricted egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: <%= cloud_gov_organization %>
+          cf_space: <%= cloud_gov_staging_space %>
+          cf_command: bind-security-group trusted_local_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
       - name: Deploy app
         uses: cloud-gov/cg-cli-tools@main
         with:

data/lib/generators/rails_template18f/i18n_js/i18n_js_generator.rb

@@ -12,37 +12,29 @@ module RailsTemplate18f
           Install and configure i18n-js gem to provide translations to JS code.
 
           By default, will only export translations with keys that match `*.js.*`
+
+          To use, add the following to your js code:
+
+          1. `import { i18n } from './i18n';`
+          2. `i18n.t('path.to.translation.key')`
       DESC
 
-      def install_gem_and_tasks
-        return if gem_installed?("i18n-js")
-        gem "i18n-js", "~> 3.9"
+      def install_gems
+        gem "i18n-js", "~> 4.2" unless gem_installed?("i18n-js")
+        gem "listen", "~> 3.9", group: :development unless gem_installed?("listen")
         bundle_install do
           run "yarn add i18n-js"
-          generate "i18n:js:config"
         end
       end
 
       def configure_translation_yaml
-        append_to_file "config/i18n-js.yml", <<~EOYAML
-          # remove `only` to include all translations
-          translations:
-            - file: "app/assets/builds/translations.js"
-              only: "*.js.*"
-        EOYAML
+        copy_file "config/i18n-js.yml"
       end
 
       def configure_asset_pipeline
         copy_file "lib/tasks/i18n.rake"
-        environment "config.middleware.use I18n::JS::Middleware", env: :development
-        insert_into_file "app/views/layouts/application.html.erb", indent(<<~EOHTML, 4), after: /<%= stylesheet_link_tag "application".*$\n/
-          <%= javascript_include_tag "i18n", "data-turbo-track": "reload" %>
-          <%= javascript_include_tag "translations", "data-turbo-track": "reload" %>
-        EOHTML
-        append_to_file "app/assets/config/manifest.js", <<~EOJS
-          //= link i18n.js
-          //= link translations.js
-        EOJS
+        copy_file "config/initializers/i18n_js.rb"
+        copy_file "app/javascript/i18n.js"
       end
 
       def ignore_generated_file
@@ -50,7 +42,7 @@ module RailsTemplate18f
           append_to_file ".gitignore", <<~EOM
 
             # Generated by i18n-js
-            /public/javascripts/i18n.js
+            /app/javascript/generated
           EOM
         end
       end

data/lib/generators/rails_template18f/i18n_js/templates/app/javascript/i18n.js

@@ -0,0 +1,11 @@
+import { I18n } from 'i18n-js';
+import translations from './generated/translations.json';
+
+const userLocale = document.documentElement.lang;
+
+export const i18n = new I18n();
+
+i18n.store(translations);
+i18n.defaultLocale = "en";
+i18n.enableFallback = true;
+i18n.locale = userLocale;

data/lib/generators/rails_template18f/i18n_js/templates/config/i18n-js.yml

@@ -0,0 +1,4 @@
+translations:
+  - file: "app/javascript/generated/translations.json"
+    patterns:
+      - "*.js.*"

data/lib/generators/rails_template18f/i18n_js/templates/config/initializers/i18n_js.rb

@@ -0,0 +1,5 @@
+Rails.application.config.after_initialize do
+  require "i18n-js/listen"
+  # This will only run in development
+  I18nJS.listen config_file: Rails.root.join("config/i18n-js.yml")
+end

data/lib/generators/rails_template18f/i18n_js/templates/lib/tasks/i18n.rake

@@ -1,9 +1,10 @@
 # export translations as part of asset precompile
-
-Rake::Task["assets:precompile"].enhance(["i18n:js:export"])
-
-if Rake::Task.task_defined?("test:prepare")
-  Rake::Task["test:prepare"].enhance(["i18n:js:export"])
-elsif Rake::Task.task_defined?("db:test:prepare")
-  Rake::Task["db:test:prepare"].enhance(["i18n:js:export"])
+namespace "i18n:js" do
+  desc "Call the i18n-js export method"
+  task :export do
+    require "i18n-js"
+    I18nJS.call(config_file: "config/i18n-js.yml")
+  end
 end
+
+Rake::Task["javascript:build"].enhance(["i18n:js:export"])

data/lib/generators/rails_template18f/public_egress/public_egress_generator.rb

@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "colorize"
+
+module RailsTemplate18f
+  module Generators
+    class PublicEgressGenerator < ::Rails::Generators::Base
+      include Base
+      include CloudGovParsing
+
+      desc <<~DESC
+        Description:
+          Install files for running cg-egress-proxy in <env>-egress cloud.gov spaces
+          Prerequisite: the terraform generator has been run already
+      DESC
+
+      def check_terraform_exists
+        unless terraform_dir_exists?
+          fail "Run `rails g rails_template18f:terraform` before running this generator"
+        end
+      end
+
+      def use_terraform_module
+        append_to_file file_path("terraform/staging/main.tf"), terraform_module
+        append_to_file file_path("terraform/production/main.tf"), terraform_module
+      end
+
+      def add_to_deploy_steps
+        if file_exists?(".github/workflows/deploy-staging.yml")
+          insert_into_file ".github/workflows/deploy-staging.yml", <<EOD, before: "      - name: Deploy app"
+      - name: Set public egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: #{cloud_gov_organization}
+          cf_space: #{cloud_gov_staging_space}-egress
+          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
+EOD
+        end
+        if file_exists?(".github/workflows/deploy-production.yml")
+          insert_into_file ".github/workflows/deploy-production.yml", <<EOD, before: "      - name: Deploy app"
+      - name: Set public egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: #{cloud_gov_organization}
+          cf_space: #{cloud_gov_production_space}-egress
+          cf_command: bind-security-group public_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
+EOD
+        end
+        if file_exists?(".circleci/config.yml")
+          insert_into_file ".circleci/config.yml", <<EOD, before: "          name: Push application with deployment vars"
+          name: Set public egress
+          command: |
+            cf bind-security-group public_networks_egress << parameters.cloudgov_org >> \
+              --space << parameters.cloudgov_space >>-egress
+        - run:
+EOD
+        end
+      end
+
+      def update_readme
+        insert_into_file "README.md", readme_content, before: "## Documentation"
+      end
+
+      def update_boundary_diagram
+        boundary_filename = "doc/compliance/apps/application.boundary.md"
+        insert_into_file boundary_filename, <<EOB, after: "System_Boundary(inventory, \"Application\") {\n"
+                Boundary(restricted_space, "Restricted egress space") {
+                }
+                Boundary(egress_space, "Public egress space") {
+                    Container(proxy, "<&layers> Egress Proxy", "Caddy, cg-egress-proxy", "Proxy with allow-list of external connections")
+                }
+EOB
+        insert_into_file boundary_filename, <<~EOB, before: "@enduml"
+          Rel(app, proxy, "Proxy outbound connections", "https (443)")
+        EOB
+        puts "\n ================ TODO ================ \n".yellow
+        puts "Update your application boundary to:"
+        puts "1. Place application and services within the Restricted egress space"
+        puts "2. Connect outbound connections through the egress proxy"
+      end
+
+      def update_oscal_doc
+        copy_remote_oscal_component "cg-egress-proxy", "https://raw.githubusercontent.com/GSA-TTS/cg-egress-proxy/refs/heads/main/docs/compliance/component-definitions/cg-egress-proxy/component-definition.json"
+      end
+
+      no_tasks do
+        def readme_content
+          <<~README
+            ### Public Egress Proxy
+
+            Traffic to be delivered to the public internet must be proxied through the [cg-egress-proxy](https://github.com/GSA-TTS/cg-egress-proxy) app. Hostnames that the app should be able to
+            reach should be added to the `allowlist` terraform configuration in `terraform/staging/main.tf` and `terraform/production/main.tf`
+
+            See the [ruby troubleshooting doc](https://github.com/GSA-TTS/cg-egress-proxy/blob/main/docs/ruby.md) first if you have any problems making outbound connections through the proxy.
+          README
+        end
+
+        def terraform_module
+          <<~EOT
+
+            module "egress_space" {
+              source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
+
+              cf_org_name   = local.cf_org_name
+              cf_space_name = "${local.cf_space_name}-egress"
+              # deployers should include any user or service account ID that will deploy the egress proxy
+              deployers = [
+                var.cf_user
+              ]
+            }
+
+            module "egress_proxy" {
+              source = "github.com/gsa-tts/terraform-cloudgov//egress_proxy?ref=v1.1.0"
+
+              cf_org_name   = local.cf_org_name
+              cf_space_name = module.egress_space.space_name
+              client_space  = local.cf_space_name
+              name          = "egress-proxy-${local.env}"
+              # comment out allowlist if this module is being deployed before the app has ever been deployed
+              allowlist = {
+                "${local.app_name}-${local.env}" = []
+              }
+              # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+              depends_on = [module.app_space, module.egress_space]
+            }
+          EOT
+        end
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -64,7 +64,7 @@ These steps are run once per project.
 A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or
 deploy the application from the CI/CD pipeline. Create a new account by running:
 
-`../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME>`
+`../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m`
 
 ## Set up a new environment manually
 
@@ -80,7 +80,7 @@ The below steps rely on you first configuring access to the Terraform state in s
     # something that communicates the purpose of the deployer
     # for example: circleci-deployer for the credentials CircleCI uses to
     # deploy the application or <your_name>-terraform for credentials to run terraform manually
-    ../../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> > secrets.auto.tfvars
+    ../../bin/ops/create_service_account.sh -s <SPACE_NAME> -u <ACCOUNT_NAME> -m > secrets.auto.tfvars
     ```
 
     The script will output the `username` (as `cf_user`) and `password` (as `cf_password`) for your `<ACCOUNT_NAME>`. Read more in the [cloud.gov service account documentation](https://cloud.gov/docs/services/cloud-gov-service-account/).

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/main.tf.tt

@@ -6,7 +6,7 @@ module "s3" {
   source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
 
   cf_org_name   = "<%= cloud_gov_organization %>"
-  cf_space_name = "<%= cloud_gov_production_space %>"
+  cf_space_name = "<%= cloud_gov_production_space %>-mgmt"
   name          = local.s3_service_name<% if cloud_gov_organization == "sandbox-gsa" %>
   s3_plan_name  = "basic-sandbox"<% end %>
 }

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/run.sh.tt

@@ -16,7 +16,8 @@ dig_output () {
 }
 
 if [[ ! -f "secrets.auto.tfvars" ]]; then
-  ../../bin/ops/create_service_account.sh -s <%= cloud_gov_production_space %> -u config-bootstrap-deployer > secrets.auto.tfvars
+  cf target -s <%= cloud_gov_production_space %>-mgmt || cf create-space <%= cloud_gov_production_space %>-mgmt && cf disallow-space-ssh <%= cloud_gov_production_space %>-mgmt
+  ../../bin/ops/create_service_account.sh -s <%= cloud_gov_production_space %>-mgmt -u config-bootstrap-deployer > secrets.auto.tfvars
 fi
 
 if [[ $# -gt 0 ]]; then

data/lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-../../bin/ops/destroy_service_account.sh -s <%= cloud_gov_production_space %> -u config-bootstrap-deployer
+../../bin/ops/destroy_service_account.sh -s <%= cloud_gov_production_space %>-mgmt -u config-bootstrap-deployer
 
 rm secrets.auto.tfvars

data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt

@@ -5,32 +5,48 @@ locals {
   app_name      = "<%= app_name %>"
 }
 
+module "app_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  deployers     = [var.cf_user]
+  # developers should include any users that will potentially need to run `cf ssh` on the app
+  developers = []
+}
+
 module "database" {
-  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-rds-${local.env}"
   rds_plan_name = "TKTK-production-rds-plan"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% if has_active_job? %>
 module "redis" {
-  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.1.0"
 
   cf_org_name     = local.cf_org_name
   cf_space_name   = local.cf_space_name
   name            = "${local.app_name}-redis-${local.env}"
   redis_plan_name = "TKTK-production-redis-plan"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% end %>
 <% if has_active_storage? %>
 module "s3" {
-  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
   s3_plan_name  = "basic-sandbox"<% end %>
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 
 ###########################################################################
@@ -40,7 +56,7 @@ module "s3" {
 # 2) Your organization has sufficient memory. Each clamav app requires 3GB
 ###########################################################################
 # module "clamav" {
-#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.0.0"
+#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.1.0"
 #
 #   cf_org_name    = local.cf_org_name
 #   cf_space_name  = local.cf_space_name
@@ -48,6 +64,8 @@ module "s3" {
 #   name           = "${local.app_name}-clamapi-${local.env}"
 #   clamav_image   = "ghcr.io/gsa-tts/clamav-rest/clamav:20240602"
 #   max_file_size  = "30M"
+#   # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+#   depends_on = [module.app_space]
 # }
 <% end %>
 
@@ -59,7 +77,7 @@ module "s3" {
 #     `cf create-domain <%= cloud_gov_organization %> TKTK-production-domain-name`
 ###########################################################################
 # module "domain" {
-#   source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v1.0.0"
+#   source = "github.com/gsa-tts/terraform-cloudgov//domain?ref=v1.1.0"
 #
 #   cf_org_name    = local.cf_org_name
 #   cf_space_name  = local.cf_space_name
@@ -67,4 +85,6 @@ module "s3" {
 #   cdn_plan_name  = "domain"
 #   domain_name    = "TKTK-production-domain-name"
 #   host_name      = "TKTK-production-hostname (optional)"
+#   # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+#   depends_on = [module.app_space]
 # }

data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt

@@ -5,32 +5,48 @@ locals {
   app_name      = "<%= app_name %>"
 }
 
+module "app_space" {
+  source = "github.com/gsa-tts/terraform-cloudgov//cg_space?ref=v1.1.0"
+
+  cf_org_name   = local.cf_org_name
+  cf_space_name = local.cf_space_name
+  deployers     = [var.cf_user]
+  # developers should include any users that will potentially need to run `cf ssh` on the app
+  developers = []
+}
+
 module "database" {
-  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//database?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-rds-${local.env}"
   rds_plan_name = "micro-psql"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% if has_active_job? %>
 module "redis" {
-  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//redis?ref=v1.1.0"
 
   cf_org_name     = local.cf_org_name
   cf_space_name   = local.cf_space_name
   name            = "${local.app_name}-redis-${local.env}"
   redis_plan_name = "redis-dev"
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 <% end %>
 <% if has_active_storage? %>
 module "s3" {
-  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
+  source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.1.0"
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-s3-${local.env}"<% if cloud_gov_organization == "sandbox-gsa" %>
   s3_plan_name  = "basic-sandbox"<% end %>
+  # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+  depends_on = [module.app_space]
 }
 
 ###########################################################################
@@ -40,7 +56,7 @@ module "s3" {
 # 2) Your organization has sufficient memory. Each clamav app requires 3GB
 ###########################################################################
 # module "clamav" {
-#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.0.0"
+#   source = "github.com/gsa-tts/terraform-cloudgov//clamav?ref=v1.1.0"
 #
 #   cf_org_name    = local.cf_org_name
 #   cf_space_name  = local.cf_space_name
@@ -48,5 +64,7 @@ module "s3" {
 #   name           = "${local.app_name}-clamapi-${local.env}"
 #   clamav_image   = "ghcr.io/gsa-tts/clamav-rest/clamav:20240602"
 #   max_file_size  = "30M"
+#   # depends_on line is needed only for initial creation and destruction. It should be commented out for updates to prevent unwanted cascading effects
+#   depends_on = [module.app_space]
 # }
 <% end %>

data/lib/rails_template18f/generators/base.rb

@@ -59,6 +59,13 @@ module RailsTemplate18f
         Dir.exist? file_path("doc/compliance/oscal")
       end
 
+      def copy_remote_oscal_component(component_name, cd_url)
+        get cd_url, File.join(oscal_component_path, component_name, "component-definition.json")
+        if oscal_dir_exists?
+          insert_into_file "doc/compliance/oscal/trestle-config.yaml", "  - #{component_name}\n"
+        end
+      end
+
       def copy_oscal_component(component_name)
         template "oscal/component-definitions/#{component_name}/component-definition.json",
           File.join(oscal_component_path, component_name, "component-definition.json")

data/lib/rails_template18f/generators/cloud_gov_options.rb

@@ -4,6 +4,7 @@ module RailsTemplate18f
   module Generators
     module CloudGovOptions
       extend ActiveSupport::Concern
+      include CloudGovParsing
 
       included do
         class_option :cg_org, desc: "cloud.gov organization name"
@@ -14,39 +15,18 @@ module RailsTemplate18f
       private
 
       def cloud_gov_organization
-        if options[:cg_org].present?
-          return options[:cg_org]
-        elsif terraform_dir_exists?
-          staging_main = file_content("terraform/staging/main.tf")
-          if (matches = staging_main.match(/cf_org_name\s+= "(?<org_name>.*)"/))
-            return matches[:org_name]
-          end
-        end
-        "TKTK-cloud.gov-org-name"
+        return options[:cg_org] if options[:cg_org].present?
+        super
       end
 
       def cloud_gov_staging_space
-        if options[:cg_staging].present?
-          return options[:cg_staging]
-        elsif terraform_dir_exists?
-          staging_main = file_content("terraform/staging/main.tf")
-          if (matches = staging_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
-            return matches[:space_name]
-          end
-        end
-        "staging"
+        return options[:cg_staging] if options[:cg_staging].present?
+        super
       end
 
       def cloud_gov_production_space
-        if options[:cg_prod].present?
-          return options[:cg_prod]
-        elsif terraform_dir_exists?
-          prod_main = file_content("terraform/production/main.tf")
-          if (matches = prod_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
-            return matches[:space_name]
-          end
-        end
-        "prod"
+        return options[:cg_prod] if options[:cg_prod].present?
+        super
       end
     end
   end

data/lib/rails_template18f/generators/cloud_gov_parsing.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module RailsTemplate18f
+  module Generators
+    module CloudGovParsing
+      extend ActiveSupport::Concern
+
+      private
+
+      def cloud_gov_organization
+        if terraform_dir_exists?
+          staging_main = file_content("terraform/staging/main.tf")
+          if (matches = staging_main.match(/cf_org_name\s+= "(?<org_name>.*)"/))
+            return matches[:org_name]
+          end
+        end
+        "TKTK-cloud.gov-org-name"
+      end
+
+      def cloud_gov_staging_space
+        if terraform_dir_exists?
+          staging_main = file_content("terraform/staging/main.tf")
+          if (matches = staging_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
+            return matches[:space_name]
+          end
+        end
+        "staging"
+      end
+
+      def cloud_gov_production_space
+        if terraform_dir_exists?
+          prod_main = file_content("terraform/production/main.tf")
+          if (matches = prod_main.match(/cf_space_name\s+= "(?<space_name>.*)"/))
+            return matches[:space_name]
+          end
+        end
+        "prod"
+      end
+    end
+  end
+end

data/lib/rails_template18f/generators.rb

@@ -6,6 +6,7 @@ module RailsTemplate18f
 
     autoload :Base
     autoload :CloudGovOptions
+    autoload :CloudGovParsing
     autoload :PipelineOptions
   end
 end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "1.2.0"
+  VERSION = "1.3.0"
 end

data/templates/bin/ops/create_service_account.sh.tt

@@ -7,14 +7,18 @@ $0: Create a Service User Account for a given space
 
 Usage:
   $0 -h
-  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>]
+  $0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] [-m]
 
 Options:
 -h: show help and exit
 -s <SPACE NAME>: configure the space to act on. Required
 -u <USER NAME>: set the service user name. Required
 -r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer
+-m: If provided, make the service user an OrgManager
 -o <ORG NAME>: configure the organization to act on. Default: $org
+
+Notes:
+* OrgManager is required for terraform to create <env>-egress spaces
 "
 
 set -e
@@ -23,8 +27,9 @@ set -o pipefail
 space=""
 service=""
 role="space-deployer"
+org_manager="false"
 
-while getopts ":hs:u:r:o:" opt; do
+while getopts ":hms:u:r:o:" opt; do
   case "$opt" in
     s)
       space=${OPTARG}
@@ -38,6 +43,9 @@ while getopts ":hs:u:r:o:" opt; do
     o)
       org=${OPTARG}
       ;;
+    m)
+      org_manager="true"
+      ;;
     h)
       echo "$usage"
       exit 0
@@ -69,6 +77,10 @@ creds=`cf service-key $service service-account-key | tail -n +2 | jq '.credentia
 username=`echo $creds | jq -r '.username'`
 password=`echo $creds | jq -r '.password'`
 
+if [[ "$org_manager" = "true" ]]; then
+  cf set-org-role $username $org OrgManager 1>&2
+fi
+
 cat << EOF
 # generated with $0 -s $space -u $service -r $role -o $org
 # revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org

data/templates/bin/ops/destroy_service_account.sh.tt

@@ -46,8 +46,5 @@ fi
 
 cf target -o $org -s $space
 
-# destroy service key
-cf delete-service-key $service service-account-key -f
-
 # destroy service
 cf delete-service $service -f

data/templates/manifest.yml.tt

@@ -12,6 +12,6 @@ applications:
   - type: web
     instances: ((web_instances))
     memory: ((web_memory))
-    command: bundle exec rake cf:on_first_instance db:migrate && bundle exec rails s -b 0.0.0.0 -p $PORT -e $RAILS_ENV
+    command: bundle exec rake cf:on_first_instance db:migrate && exec bundle exec rails s -b 0.0.0.0 -p $PORT -e $RAILS_ENV
   services:
   - <%= app_name %>-rds-((env))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-09-20 00:00:00.000000000 Z
+date: 2024-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -174,6 +174,9 @@ files:
 - lib/generators/rails_template18f/i18n/templates/config/locales/fr.yml
 - lib/generators/rails_template18f/i18n/templates/config/locales/zh.yml
 - lib/generators/rails_template18f/i18n_js/i18n_js_generator.rb
+- lib/generators/rails_template18f/i18n_js/templates/app/javascript/i18n.js
+- lib/generators/rails_template18f/i18n_js/templates/config/i18n-js.yml
+- lib/generators/rails_template18f/i18n_js/templates/config/initializers/i18n_js.rb
 - lib/generators/rails_template18f/i18n_js/templates/lib/tasks/i18n.rake
 - lib/generators/rails_template18f/newrelic/newrelic_generator.rb
 - lib/generators/rails_template18f/newrelic/templates/config/newrelic.yml.tt
@@ -182,6 +185,7 @@ files:
 - lib/generators/rails_template18f/oscal/templates/bin/trestle.tt
 - lib/generators/rails_template18f/oscal/templates/doc/compliance/oscal/trestle-config.yaml.tt
 - lib/generators/rails_template18f/oscal/templates/github/actions/trestle-cmd/action.yml.tt
+- lib/generators/rails_template18f/public_egress/public_egress_generator.rb
 - lib/generators/rails_template18f/rails_erd/rails_erd_generator.rb
 - lib/generators/rails_template18f/rails_erd/templates/erdconfig
 - lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb
@@ -194,15 +198,16 @@ files:
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/teardown_creds.sh.tt
 - lib/generators/rails_template18f/terraform/templates/terraform/bootstrap/variables.tf
 - lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt
+- lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf
 - lib/generators/rails_template18f/terraform/templates/terraform/production/variables.tf
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt
-- lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt
+- lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf
 - lib/generators/rails_template18f/terraform/templates/terraform/staging/variables.tf
 - lib/generators/rails_template18f/terraform/terraform_generator.rb
 - lib/rails_template18f/generators.rb
 - lib/rails_template18f/generators/base.rb
 - lib/rails_template18f/generators/cloud_gov_options.rb
+- lib/rails_template18f/generators/cloud_gov_parsing.rb
 - lib/rails_template18f/generators/pipeline_options.rb
 - lib/rails_template18f/version.rb
 - lib/rails_template_18f.rb