From c694a7e8cda97a71511cd411886f03f3e5e3f678 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn <ryan.ahearn@gsa.gov>
Date: Thu, 10 Oct 2024 16:47:31 -0400
Subject: [PATCH 1/2] Set up rahearn-mgmt management space

---
 terraform/bootstrap/import.sh         | 4 ++--
 terraform/bootstrap/main.tf           | 2 +-
 terraform/bootstrap/run.sh            | 3 ++-
 terraform/bootstrap/teardown_creds.sh | 2 +-
 terraform/staging/main.tf             | 6 +++---
 terraform/staging/providers.tf        | 2 +-
 6 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/terraform/bootstrap/import.sh b/terraform/bootstrap/import.sh
index ba88135..5bfde26 100755
--- a/terraform/bootstrap/import.sh
+++ b/terraform/bootstrap/import.sh
@@ -5,8 +5,8 @@ read -p "Are you sure you want to import terraform state (y/n)? " verify
 if [[ $verify == "y" ]]; then
   echo "Importing bootstrap state"
   ./run.sh init
-  ./run.sh import module.s3.cloudfoundry_service_instance.bucket a26c2475-be53-4b1d-a61c-240530426fde
-  ./run.sh import cloudfoundry_service_key.bucket_creds b2e6d07e-d72a-4880-b364-c9d39e87d5db
+  ./run.sh import module.s3.cloudfoundry_service_instance.bucket 7ecc7fa5-6da9-4df7-bfbc-59d957a2d61e
+  ./run.sh import cloudfoundry_service_key.bucket_creds da42df77-ee50-43ba-87a7-ecedd872620d
   ./run.sh plan
 else
   echo "Not importing bootstrap state"
diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf
index 70904a7..021c04f 100644
--- a/terraform/bootstrap/main.tf
+++ b/terraform/bootstrap/main.tf
@@ -6,7 +6,7 @@ module "s3" {
   source = "github.com/gsa-tts/terraform-cloudgov//s3?ref=v1.0.0"
 
   cf_org_name   = "gsa-tts-devtools-prototyping"
-  cf_space_name = "rahearn"
+  cf_space_name = "rahearn-mgmt"
   name          = local.s3_service_name
 }
 
diff --git a/terraform/bootstrap/run.sh b/terraform/bootstrap/run.sh
index 5f73e6d..503b875 100755
--- a/terraform/bootstrap/run.sh
+++ b/terraform/bootstrap/run.sh
@@ -16,7 +16,8 @@ dig_output () {
 }
 
 if [[ ! -f "secrets.auto.tfvars" ]]; then
-  ../../bin/ops/create_service_account.sh -s rahearn -u config-bootstrap-deployer > secrets.auto.tfvars
+  cf target -s rahearn-mgmt || cf create-space rahearn-mgmt
+  ../../bin/ops/create_service_account.sh -s rahearn-mgmt -u config-bootstrap-deployer > secrets.auto.tfvars
 fi
 
 if [[ $# -gt 0 ]]; then
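Review bot: On the added line 53 the redirect creates `secrets.auto.tfvars` before `create_service_account.sh` has produced anything, so if that script fails (for instance because the `cf create-space` on the line above failed) an empty or partial file is left behind and the `! -f` guard at line 50 will skip re-creation on every later run, silently, unless `set -e` is in force outside this hunk. Since the file presumably holds the new service account's credentials, it is also created with the operator's default umask. I would fail loudly, clean up, and restrict the mode: `(umask 077 && ../../bin/ops/create_service_account.sh -s rahearn-mgmt -u config-bootstrap-deployer > secrets.auto.tfvars) || { rm -f secrets.auto.tfvars; echo "failed to create service account" >&2; exit 1; }`. Whether the script sets `-e` is not visible in this hunk.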
diff --git a/terraform/bootstrap/teardown_creds.sh b/terraform/bootstrap/teardown_creds.sh
index dde9393..5d910e4 100755
--- a/terraform/bootstrap/teardown_creds.sh
+++ b/terraform/bootstrap/teardown_creds.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-../../bin/ops/destroy_service_account.sh -s rahearn -u config-bootstrap-deployer
+../../bin/ops/destroy_service_account.sh -s rahearn-mgmt -u config-bootstrap-deployer
 
 rm secrets.auto.tfvars
diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf
index 56d74f6..2722e75 100644
--- a/terraform/staging/main.tf
+++ b/terraform/staging/main.tf
@@ -56,7 +56,7 @@ module "egress_proxy" {
   cf_space_name = module.egress_space.space_name
   client_space  = local.cf_space_name
   name          = "tfm-egress-proxy-${local.env}"
-  allowlist = {
-    "${local.app_name}-${local.env}" = ["raw.githubusercontent.com"]
-  }
+  # allowlist = {
+    # "${local.app_name}-${local.env}" = ["raw.githubusercontent.com"]
+  # }
 }
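Review bot: The egress proxy `allowlist` is commented out at lines 79-81 with no explanation, so the proxy's effective destination policy now falls back to whatever the `egress_proxy` module defaults to, which is not visible in this diff; if that default is deny-all the app silently loses `raw.githubusercontent.com`, and if it is permissive this widens staging egress. Commented-out configuration should carry a reason and an intended end state; I would add above it `# TODO: allowlist disabled on 2024-10-10 because <reason>; without it the egress_proxy module default applies — re-enable before relying on github egress`. If the intent is to leave it off permanently, delete the lines rather than keeping them as archaeology. The `egress_proxy` module block starts before this hunk.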
diff --git a/terraform/staging/providers.tf b/terraform/staging/providers.tf
index cc2f52f..25b1075 100644
--- a/terraform/staging/providers.tf
+++ b/terraform/staging/providers.tf
@@ -8,7 +8,7 @@ terraform {
   }
 
   backend "s3" {
-    bucket  = "cg-a26c2475-be53-4b1d-a61c-240530426fde"
+    bucket  = "cg-7ecc7fa5-6da9-4df7-bfbc-59d957a2d61e"
     key     = "terraform.tfstate.stage"
     encrypt = "true"
     region  = "us-gov-west-1"

From 7a521f8d9b24d15e8b2baecaed9c347136291961 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn <ryan.ahearn@gsa.gov>
Date: Fri, 11 Oct 2024 08:52:54 -0400
Subject: [PATCH 2/2] Completely configure spaces in terraform

---
 terraform/bootstrap/run.sh |  2 +-
 terraform/staging/main.tf  | 23 ++++++++++++-----------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/terraform/bootstrap/run.sh b/terraform/bootstrap/run.sh
index 503b875..2fd2266 100755
--- a/terraform/bootstrap/run.sh
+++ b/terraform/bootstrap/run.sh
@@ -16,7 +16,7 @@ dig_output () {
 }
 
 if [[ ! -f "secrets.auto.tfvars" ]]; then
-  cf target -s rahearn-mgmt || cf create-space rahearn-mgmt
+  cf target -s rahearn-mgmt || cf create-space rahearn-mgmt && cf disallow-space-ssh rahearn-mgmt
   ../../bin/ops/create_service_account.sh -s rahearn-mgmt -u config-bootstrap-deployer > secrets.auto.tfvars
 fi
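Review bot: On the changed line 116, `||` and `&&` have equal precedence and associate left-to-right in bash, so the line parses as `(cf target -s rahearn-mgmt || cf create-space rahearn-mgmt) && cf disallow-space-ssh rahearn-mgmt`: `disallow-space-ssh` runs for an existing space as well as a new one, which is a good outcome but reads as if it were tied to creation, and if `create-space` fails the script falls through to `create_service_account.sh` against a missing space unless `set -e` is active outside this hunk. `cf create-space` also inherits whatever org the operator last targeted, whereas `bootstrap/main.tf` pins the org to `gsa-tts-devtools-prototyping`. I would make both explicit: `cf target -s rahearn-mgmt || cf create-space rahearn-mgmt -o gsa-tts-devtools-prototyping || exit 1` followed by `cf disallow-space-ssh rahearn-mgmt` on its own line.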
 
diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf
index 2722e75..c257368 100644
--- a/terraform/staging/main.tf
+++ b/terraform/staging/main.tf
@@ -10,12 +10,11 @@ module "app_space" {
 
   cf_org_name   = local.cf_org_name
   cf_space_name = local.cf_space_name
+  allow_ssh     = false
   # deployers should include any user or service account ID that will deploy the app
-  deployers = [
-    "ryan.ahearn@gsa.gov",
-    var.cf_user
-  ]
-  asg_names = ["trusted_local_networks_egress"]
+  deployers  = ["ryan.ahearn@gsa.gov"]
+  developers = [var.cf_user]
+  asg_names  = ["trusted_local_networks_egress"]
 }
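Review bot: The comment kept at line 129, `deployers should include any user or service account ID that will deploy the app`, is now contradicted by the code beneath it: the service account `var.cf_user` — presumably the identity that actually pushes the app — has moved from `deployers` to the new `developers` list at line 136, leaving only a human account under `deployers`. What the `cf_space` module grants to each list is not visible here (it looks like a split between space-administration and push-only rights, which would be the right least-privilege direction for a CI credential), so the comment should describe the intended split rather than the old rule, e.g. `# deployers: humans who administer the space; developers: service accounts that only push the app (var.cf_user)`. A hard-coded personal email in the space definition is also worth a variable or a `# TODO` so space ownership does not hinge on one account. The `app_space` module block starts before this hunk.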
 
 module "database" {
@@ -25,6 +24,7 @@ module "database" {
   cf_space_name = local.cf_space_name
   name          = "${local.app_name}-rds-${local.env}"
   rds_plan_name = "micro-psql"
+  depends_on    = [module.app_space]
 }
 
 module "redis" {
@@ -34,6 +34,7 @@ module "redis" {
   cf_space_name   = local.cf_space_name
   name            = "${local.app_name}-redis-${local.env}"
   redis_plan_name = "redis-dev"
+  depends_on      = [module.app_space]
 }
 
 module "egress_space" {
@@ -41,12 +42,11 @@ module "egress_space" {
 
   cf_org_name   = local.cf_org_name
   cf_space_name = "${local.cf_space_name}-egress"
+  allow_ssh     = false
   # deployers should include any user or service account ID that will deploy the egress proxy
-  deployers = [
-    "ryan.ahearn@gsa.gov",
-    var.cf_user
-  ]
-  asg_names = ["public_networks_egress"]
+  deployers  = ["ryan.ahearn@gsa.gov"]
+  developers = [var.cf_user]
+  asg_names  = ["public_networks_egress"]
 }
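Review bot: Same stale comment as in `app_space`: line 162 still says `deployers should include any user or service account ID that will deploy the egress proxy`, but `var.cf_user` now sits under `developers` at line 169 while `deployers` holds only a human account. Update it to describe the actual split, e.g. `# deployers: humans who administer the egress space; developers: service accounts that push the proxy (var.cf_user)`; if the module's role mapping is not what that implies, this is the place to record it, since a misread here decides who can change a space carrying the `public_networks_egress` ASG. The `egress_space` module block starts before this hunk.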
 
 module "egress_proxy" {
@@ -57,6 +57,7 @@ module "egress_proxy" {
   client_space  = local.cf_space_name
   name          = "tfm-egress-proxy-${local.env}"
   # allowlist = {
-    # "${local.app_name}-${local.env}" = ["raw.githubusercontent.com"]
+  # "${local.app_name}-${local.env}" = ["raw.githubusercontent.com"]
   # }
+  depends_on = [module.app_space, module.egress_space]
 }