OpsLevel · rocktavious · Nov 22, 2024 · Nov 5, 2024 · Nov 6, 2024 · Nov 12, 2024
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -18,38 +18,60 @@ tasks:
       - task: terraform-format-check
 
   plan:
-    desc: Run "terraform plan" in "{{.USER_WORKING_DIR}}"
+    desc: Run "terraform plan" in "{{.WORKSPACE_DIR}}"
     requires:
       vars: [OPSLEVEL_API_TOKEN]
     cmds:
-      - task: init
-      - task: terraform-command
-        vars: { TF_COMMAND: 'plan', TF_CMD_DIR: "{{.USER_WORKING_DIR}}" }
+      - task: init-and-plan
 
   apply:
-    desc: Run "terraform apply" in "{{.USER_WORKING_DIR}}"
+    desc: Run "terraform apply" in "{{.WORKSPACE_DIR}}"
     requires:
       vars: [OPSLEVEL_API_TOKEN]
     cmds:
-      - task: init
-      - task: terraform-command
-        vars: { TF_COMMAND: 'apply', TF_CMD_DIR: "{{.USER_WORKING_DIR}}" }
+      - task: init-and-apply
+
+  apply-demo:
+    desc: Run "terraform apply" to generate a demo account
+    requires:
+      vars: [PAYLOAD]
+    env:
+      OPSLEVEL_API_TOKEN:
+        sh: echo "$PAYLOAD" | jq -r '.api_token'
+      TF_VAR_account_token:
+        sh: echo "$PAYLOAD" | jq -r '.api_token'
+      TF_VAR_user_email:
+        sh: echo "$PAYLOAD" | jq -r '.user_email'
+    cmds:
+      - task: init-and-apply
 
   destroy:
-    desc: Run "terraform destroy" in "{{.USER_WORKING_DIR}}"
+    desc: Run "terraform destroy" in "{{.WORKSPACE_DIR}}"
     requires:
       vars: [OPSLEVEL_API_TOKEN]
     cmds:
-      - task: init
-      - task: terraform-command
-        vars: { TF_COMMAND: 'destroy', TF_CMD_DIR: "{{.USER_WORKING_DIR}}" }
+      - task: init-and-destroy
 
-  init:
+  factory-reset:
+    desc: Run script to destroy all resources in account
+    requires:
+      vars: [OPSLEVEL_API_TOKEN]
+    vars:
+      ACCOUNT_NAME:
+        sh: opslevel graphql -q='query { account { name }}' | jq -r '.[0].account.name'
+    cmds:
+      - echo "Destroying all resources in account '{{.ACCOUNT_NAME}}'..."
+      - ./clear_account.sh
+    prompt: "Are you sure you want to destroy all resources in account '{{.ACCOUNT_NAME}}'?"
+
+  init-and-*:
     internal: true
-    desc: Run "terraform init -upgrade" in "{{.USER_WORKING_DIR}}"
+    desc: Run "terraform init -upgrade" in "{{.WORKSPACE_DIR}}" then '{{index .MATCH 0}}'
     cmds:
       - task: terraform-command
-        vars: { TF_COMMAND: 'init --upgrade', TF_CMD_DIR: "{{.USER_WORKING_DIR}}" }
+        vars: { TF_COMMAND: 'init -upgrade', TF_CMD_DIR: "{{.WORKSPACE_DIR}}" }
+      - task: terraform-command
+        vars: { TF_COMMAND: '{{index .MATCH 0}}', TF_CMD_DIR: "{{.WORKSPACE_DIR}}" }
 
   terraform-validate:
     internal: true

diff --git a/clear_account.sh b/clear_account.sh
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+echo "[opslevel] Deleting Services..."
+services=$(opslevel list services -o json)
+echo "$services" | jq -r '.[] | .id' | while read -r id; do
+  opslevel delete service "$id"
+done
+
+echo "[opslevel] Deleting Systems..."
+systems=$(opslevel list systems -o json)
+echo "$systems" | jq -r '.[] | .Id' | while read -r id; do
+  opslevel delete system "$id"
+done
+
+echo "[opslevel] Deleting Domains..."
+domains=$(opslevel list domains -o json)
+echo "$domains" | jq -r '.[] | .Id' | while read -r id; do
+  opslevel delete domain "$id"
+done
+
+echo "[opslevel] Deleting Infra..."
+infra=$(opslevel list infra -o json)
+echo "$infra" | jq -r '.[] | .id' | while read -r id; do
+  opslevel delete infra "$id"
+done
+
+echo "[opslevel] Deleting Teams (errors may occur that is ok)..."
+while true; do
+  teams=$(opslevel list teams -o json)
+  count=$(echo "$teams" | jq '. | length')
+  if [ "$count" -eq 0 ]; then
+    echo "[opslevel] All teams deleted."
+    break
+  fi
+  echo "$teams" | jq -r '.[] | .Id' | while read -r id; do
+    opslevel delete team "$id"
+  done
+
+  sleep 2
+done
+
+echo "[opslevel] Deleting Users..."
+users=$(opslevel list users -o json)
+echo "$users" | jq -r '.[] | select(.Email | test("@example.com$")) | .Email' | while read -r id; do
+  opslevel delete user "$id"
+done
+
+echo "[opslevel] Deleting Checks..."
+checks=$(opslevel list checks -o json)
+echo "$checks" | jq -r '.[] | .Id' | while read -r id; do
+  opslevel delete check "$id"
+done
+
+echo "[opslevel] Deleting Rubric..."
+categories=$(opslevel list category -o json)
+echo "$categories" | jq -r '.[] | .id' | while read -r id; do
+  opslevel delete category "$id"
+done
+levels=$(opslevel list level -o json)
+echo "$levels" | jq -r '.[] | select(.Index != 0) | .id' | while read -r id; do
+  opslevel delete level "$id"
+done
+
+echo "[opslevel] Deleting Integrations..."
+integrations=$(opslevel list integrations -o json)
+echo "$integrations" | jq -r '.[] | .id' | while read -r id; do
+  opslevel delete integration "$id"
+done
+
+echo "[opslevel] Clear Account Complete."
diff --git a/modules/demo_account/actions.tf b/modules/demo_account/actions.tf
@@ -0,0 +1,29 @@
+resource "opslevel_webhook_action" "security_scan" {
+  name        = "Security Scan"
+  description = "Runs a security scan for the service"
+  url         = "https://app.opslevel.com/upload/documents/sbom/{{service.id}}"
+  method      = "POST"
+  headers = {
+    content-type  = "application/json"
+    authorization = "Bearer ${var.account_token}"
+  }
+  payload = local.sbom_minimal
+}
+
+resource "opslevel_trigger_definition" "example" {
+  name              = "Security Scan"
+  description       = "Runs a security scan for the service"
+  owner             = module.internal-tools-team.this.id
+  action            = opslevel_webhook_action.security_scan.id
+  access_control    = "everyone"
+  response_template = <<EOT
+{% if response.status >= 200 and response.status < 300 %}
+## Congratulations!
+Your request for {{ service.name }} has succeeded. See the incident here: {{response.body.incident.html_url}}
+{% else %}
+## Oops something went wrong!
+Please contact [{{ action_owner.name }}]({{ action_owner.href }}) for more help.
+{% endif %}
+  EOT
+  published         = true
+}
diff --git a/modules/demo_account/rubric_gold.tf b/modules/demo_account/rubric_gold.tf
@@ -72,4 +72,21 @@ module "has_deployed_this_sprint" {
   days = 14
 }
 
-# No Medium Vulns - security
+module "github_check_package_version" {
+  source = "../check/package_version"
+
+  name     = "Uses Latest Github Actions Checkout"
+  category = opslevel_rubric_category.all["security"].id
+  level    = opslevel_rubric_level.all["gold"].id
+  owner    = module.internal-tools-team.this.id
+  enabled  = true
+
+  package_constraint     = "matches_version"
+  package_manager        = "github"
+  package_name           = "action/checkout"
+  missing_package_result = "passed"
+  version_constraint_predicate = {
+    type  = "matches_regex"
+    value = "^v5.*"
+  }
+}
diff --git a/modules/demo_account/services_order_management.tf b/modules/demo_account/services_order_management.tf
@@ -27,6 +27,13 @@ module "shopping-cart" {
   properties   = local.properties
 }
 
+resource "opslevel_alias" "shopping-cart" {
+  resource_type       = "service"
+  resource_identifier = module.shopping-cart.this.id
+
+  aliases = ["suez", "panana", "gibraltar"]
+}
+
 resource "terraform_data" "shopping-cart-deploys" {
   depends_on = [module.deploys]
 

diff --git a/modules/demo_account/teams.tf b/modules/demo_account/teams.tf
@@ -88,7 +88,7 @@ module "warehouse-team" {
 
 module "dev-experience-group" {
   source           = "../team"
-  name             = "Dev Experiance Group"
+  name             = "Dev Experience Group"
   responsibilities = "This groups is responsible for the developer experience."
   parent           = module.product-engineering-team.this.id
   members = [

diff --git a/modules/demo_account/users.tf b/modules/demo_account/users.tf
@@ -22,3 +22,11 @@ module "people" {
   name   = each.value.name
   email  = each.value.email
 }
+
+resource "opslevel_user" "user" {
+  for_each = var.account_users
+
+  name  = each.value
+  email = each.value
+  role  = "admin"
+}
diff --git a/modules/demo_account/variables.tf b/modules/demo_account/variables.tf
@@ -1,8 +1,20 @@
+variable "account_token" {
+  description = "The token for the account."
+  type        = string
+  sensitive   = true
+}
+
 variable "account_name" {
   description = "The name of the account, used to create unique identifiers where needed."
   type        = string
 }
 
+variable "account_users" {
+  description = "The email addresses of the users to invite to this demo account."
+  type        = set(string)
+  default     = []
+}
+
 resource "random_id" "account" {
   keepers = {
     # Generate a new id each time we switch

diff --git a/modules/versions.tf b/modules/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.7"
+  required_version = ">= 1.9"
 
   required_providers {
     opslevel = {

diff --git a/workspace/main.tf b/workspace/main.tf
@@ -4,7 +4,7 @@ provider "opslevel" {
 module "account" {
   source = "../modules/demo_account"
 
-  # Uncomment the following line to set the account name
-  # account_name = "Demo Account"
+  # account_token = ""
+  # account_name  = "Demo Account"
   #generate_services = 500  # Due note that due to API rate limits generating 500 services will take upwards of 10 mins and will significantly increase the time of future apply operations
 }
diff --git a/workspace/versions.tf b/workspace/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.7"
+  required_version = ">= 1.9"
 
   required_providers {
     opslevel = {
       source  = "OpsLevel/opslevel"
-      version = "1.3.1"
+      version = "1.3.3"
     }
   }
 }