fix: Do not reuse anvil admin key

.github/workflows/devnet-deploys.yml

@@ -33,7 +33,7 @@ env:
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   API_KEY: ${{ secrets.DEVNET_API_KEY }}
-  PUBLIC_API_KEY: ${{ secrets.DEVNET_API_KEY }}
+  FORK_ADMIN_API_KEY: ${{ secrets.DEVNET_API_KEY }}
   FORK_MNEMONIC: ${{ secrets.FORK_MNEMONIC }}
   CONTRACT_PUBLISHER_PRIVATE_KEY: ${{ secrets.CONTRACT_PUBLISHER_PRIVATE_KEY }}
   CONTRACT_S3_BUCKET: s3://static.aztec.network
@@ -65,7 +65,7 @@ env:
   # Anvil
   TF_VAR_FORK_MNEMONIC: ${{ secrets.FORK_MNEMONIC }}
   TF_VAR_INFURA_API_KEY: ${{ secrets.INFURA_API_KEY }}
-  TF_VAR_PUBLIC_API_KEY: ${{ secrets.DEVNET_API_KEY }}
+  TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets.DEVNET_API_KEY }}
 
   # Faucet
   TF_VAR_FAUCET_ACCOUNT_INDEX: 9
@@ -107,7 +107,7 @@ jobs:
       deploy_tag: ${{ steps.set_network_vars.outputs.deploy_tag }}
       branch_name: ${{ steps.set_network_vars.outputs.branch_name }}
       network_api_key: ${{ steps.set_network_vars.outputs.network_api_key }}
-      network_public_api_key: ${{ steps.set_network_vars.outputs.network_public_api_key }}
+      network_fork_admin_api_key: ${{ steps.set_network_vars.outputs.network_fork_admin_api_key }}
       agents_per_prover: ${{ steps.set_network_vars.outputs.agents_per_prover }}
       bot_interval: ${{ steps.set_network_vars.outputs.bot_interval }}
       node_tcp_range_start: ${{ steps.set_network_vars.outputs.node_tcp_range_start }}
@@ -134,7 +134,7 @@ jobs:
               echo "deploy_tag=devnet" >> $GITHUB_OUTPUT
               echo "branch_name=devnet" >> $GITHUB_OUTPUT
               echo "network_api_key=DEVNET_API_KEY" >> $GITHUB_OUTPUT
-              echo "network_public_api_key=DEVNET_API_KEY" >> $GITHUB_OUTPUT
+              echo "network_fork_admin_api_key=DEVNET_API_KEY" >> $GITHUB_OUTPUT
               echo "agents_per_prover=4" >> $GITHUB_OUTPUT
               echo "bot_interval=180" >> $GITHUB_OUTPUT
               echo "node_tcp_range_start=40100" >> $GITHUB_OUTPUT
@@ -155,7 +155,7 @@ jobs:
               echo "deploy_tag=provernet" >> $GITHUB_OUTPUT
               echo "branch_name=provernet" >> $GITHUB_OUTPUT
               echo "network_api_key=PROVERNET_API_KEY" >> $GITHUB_OUTPUT
-              echo "network_public_api_key=PROVERNET_PUBLIC_API_KEY" >> $GITHUB_OUTPUT
+              echo "network_fork_admin_api_key=PROVERNET_FORK_ADMIN_API_KEY" >> $GITHUB_OUTPUT
               echo "agents_per_prover=8" >> $GITHUB_OUTPUT
               echo "bot_interval=10" >> $GITHUB_OUTPUT
               echo "node_tcp_range_start=40200" >> $GITHUB_OUTPUT
@@ -176,7 +176,7 @@ jobs:
               echo "deploy_tag=alphanet" >> $GITHUB_OUTPUT
               echo "branch_name=alphanet" >> $GITHUB_OUTPUT
               echo "network_api_key=ALPHANET_API_KEY" >> $GITHUB_OUTPUT
-              echo "network_public_api_key=ALPHANET_API_KEY" >> $GITHUB_OUTPUT
+              echo "network_fork_admin_api_key=ALPHANET_API_KEY" >> $GITHUB_OUTPUT
               echo "agents_per_prover=1" >> $GITHUB_OUTPUT
               echo "bot_interval=30" >> $GITHUB_OUTPUT
               echo "node_tcp_range_start=40000" >> $GITHUB_OUTPUT
@@ -206,8 +206,8 @@ jobs:
       TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
       API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
       TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
-      PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
-      TF_VAR_PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
+      FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
+      TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
       API_KEY_NAME: ${{ needs.set-network.outputs.network_api_key }}
     runs-on: ${{ github.actor }}-x86
     steps:
@@ -334,6 +334,8 @@ jobs:
       TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
       API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
       TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
+      FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
+      TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
       API_KEY_NAME: ${{ needs.set-network.outputs.network_api_key }}
     runs-on: ${{ github.actor }}-x86
     steps:
@@ -451,8 +453,8 @@ jobs:
       TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
       API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
       TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
-      PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
-      TF_VAR_PUBLIC_API_KEY: ${{ secrets[needs.set-network.outputs.network_public_api_key] }}
+      FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
+      TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
       TF_VAR_AGENTS_PER_PROVER: ${{ needs.set-network.outputs.agents_per_prover }}
       TF_VAR_BOT_TX_INTERVAL_SECONDS: ${{ needs.set-network.outputs.bot_interval }}
       TF_VAR_NODE_LB_RULE_PRIORITY: ${{ needs.set-network.outputs.node_lb_priority_range_start }}
@@ -495,7 +497,7 @@ jobs:
           docker pull aztecprotocol/aztec:${{ env.DEPLOY_TAG }}
           docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} deploy-l1-contracts \
             --private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }} \
-            --rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
+            --rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
             --l1-chain-id ${{ env.L1_CHAIN_ID }} \
             --salt ${{ github.run_id }} \
             --json | tee ./l1_contracts.json
@@ -563,6 +565,8 @@ jobs:
       TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
       API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
       TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
+      FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
+      TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -600,7 +604,7 @@ jobs:
           set -o pipefail
           docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} bootstrap-network \
             --rpc-url https://api.aztec.network/${{ env.DEPLOY_TAG }}/aztec-pxe/${{ env.API_KEY }} \
-            --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
+            --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
             --l1-chain-id ${{ env.L1_CHAIN_ID }} \
             --l1-private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }} \
             --json | tee ./basic_contracts.json
@@ -617,6 +621,8 @@ jobs:
       TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
       API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
       TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
+      FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
+      TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
       TF_VAR_FAUCET_LB_RULE_PRIORITY: ${{ needs.set-network.outputs.faucet_lb_priority }}
     steps:
       - uses: actions/checkout@v4
@@ -659,6 +665,8 @@ jobs:
       TF_VAR_DEPLOY_TAG: ${{ needs.set-network.outputs.deploy_tag }}
       API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
       TF_VAR_API_KEY: ${{ secrets[needs.set-network.outputs.network_api_key] }}
+      FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
+      TF_VAR_FORK_ADMIN_API_KEY: ${{ secrets[needs.set-network.outputs.network_fork_admin_api_key] }}
       TF_VAR_AGENTS_PER_PROVER: ${{ needs.set-network.outputs.agents_per_prover }}
       TF_VAR_BOT_TX_INTERVAL_SECONDS: ${{ needs.set-network.outputs.bot_interval }}
       TF_VAR_NODE_LB_RULE_PRIORITY: ${{ needs.set-network.outputs.node_lb_priority_range_start }}
@@ -694,7 +702,7 @@ jobs:
       #     set -eo pipefail
       #     docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} set-proven-until \
       #       --rpc-url https://api.aztec.network/${{ env.DEPLOY_TAG }}/aztec-pxe/${{ env.API_KEY }} \
-      #       --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
+      #       --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
       #       --l1-chain-id ${{ env.L1_CHAIN_ID }} \
       #       --l1-private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }}
 
@@ -734,7 +742,7 @@ jobs:
           set -eo pipefail
           docker run aztecprotocol/aztec:${{ env.DEPLOY_TAG }} deploy-l1-verifier \
             --rpc-url https://api.aztec.network/${{ env.DEPLOY_TAG }}/aztec-pxe/${{ env.API_KEY }} \
-            --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/${{ env.API_KEY }} \
+            --l1-rpc-url https://${{ env.DEPLOY_TAG }}-mainnet-fork.aztec.network:8545/admin-${{ env.FORK_ADMIN_API_KEY }} \
             --l1-chain-id ${{ env.L1_CHAIN_ID }} \
             --l1-private-key ${{ env.CONTRACT_PUBLISHER_PRIVATE_KEY }}
 

.github/workflows/devnet-smoke.yml

@@ -19,7 +19,7 @@ env:
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   AZTEC_NODE_URL: https://api.aztec.network/devnet/aztec-node-1/{{ secrets.DEVNET_API_KEY }}
   FAUCET_URL: https://api.aztec.network/devnet/aztec-faucet/{{ secrets.DEVNET_API_KEY }}
-  ETHEREUM_HOST: https://devnet-mainnet-fork.aztec.network:8545/${{ secrets.DEVNET_API_KEY }}
+  ETHEREUM_HOST: https://devnet-mainnet-fork.aztec.network:8545/admin-${{ secrets.DEVNET_API_KEY }}
 
 jobs:
   setup:

build-system/scripts/deploy_terraform

@@ -29,7 +29,7 @@ export TF_VAR_DOCKERHUB_ACCOUNT=$DOCKERHUB_ACCOUNT
 export TF_VAR_FORK_MNEMONIC=$FORK_MNEMONIC
 export TF_VAR_INFURA_API_KEY=$INFURA_API_KEY
 export TF_VAR_API_KEY=$FORK_API_KEY
-export TF_VAR_PUBLIC_API_KEY=${PUBLIC_FORK_API_KEY:-$FORK_API_KEY}
+export TF_VAR_FORK_ADMIN_API_KEY=${FORK_ADMIN_API_KEY:-$FORK_API_KEY}
 export TF_VAR_L1_CHAIN_ID=$CHAIN_ID
 
 # If given a repository name, use it to construct and set/override the backend key.

iac/mainnet-fork/nginx/gateway.conf

@@ -2,12 +2,12 @@ server {
     listen 80 default_server;
     listen 8545;
 
-    location /{{ADMIN_API_KEY}} {
+    location /admin-{{ADMIN_API_KEY}} {
         proxy_pass http://0.0.0.0:8544;
-        rewrite ^/{{ADMIN_API_KEY}}(.*) /$1 break;
+        rewrite ^/admin-{{ADMIN_API_KEY}}(.*) /$1 break;
     }
 
-    location /public-{{PUBLIC_API_KEY}} {
+    location /{{PUBLIC_API_KEY}} {
         client_body_buffer_size 20M;
         client_body_in_single_buffer on;
         js_import main from njs/anvil_validation.js;
@@ -16,7 +16,7 @@ server {
 
     location @anvil {
         proxy_pass http://0.0.0.0:8544;
-        rewrite ^/({{ADMIN_API_KEY}}|public-{{PUBLIC_API_KEY}})(.*) /$2 break;
+        rewrite ^/(admin-{{ADMIN_API_KEY}}|{{PUBLIC_API_KEY}})(.*) /$2 break;
     }
 
     # Error responses

iac/mainnet-fork/scripts/run_nginx_anvil.sh

@@ -4,8 +4,12 @@ set -eum pipefail
 
 # Replace API_KEYs in nginx config
 echo "Replacing api keys in nginx config..."
-sed -i 's/{{PUBLIC_API_KEY}}/'$PUBLIC_API_KEY'/g' /etc/nginx/gateway.conf
-sed -i 's/{{ADMIN_API_KEY}}/'$API_KEY'/g' /etc/nginx/gateway.conf
+sed -i 's/{{PUBLIC_API_KEY}}/'$API_KEY'/g' /etc/nginx/gateway.conf
+sed -i 's/{{ADMIN_API_KEY}}/'$FORK_ADMIN_API_KEY'/g' /etc/nginx/gateway.conf
+
+# Resulting config
+cat /etc/nginx/gateway.conf
+echo
 
 # Run nginx and anvil alongside each other
 trap 'kill $(jobs -p)' SIGTERM

iac/mainnet-fork/scripts/wait_for_fork

@@ -6,7 +6,7 @@ set -e
 # This script waits on a healthy status from the fork - a valid response to the chainid request
 # We retry every 20 seconds, and wait for a total of 5 minutes (15 times)
 
-export ETHEREUM_HOST="https://$DEPLOY_TAG-mainnet-fork.aztec.network:8545/$FORK_API_KEY"
+export ETHEREUM_HOST="https://$DEPLOY_TAG-mainnet-fork.aztec.network:8545/$API_KEY"
 
 curl -H "Content-Type: application/json" -X POST --data '{"method":"eth_chainId","params":[],"id":33,"jsonrpc":"2.0"}' \
   --connect-timeout 30 \

iac/mainnet-fork/terraform/main.tf

@@ -120,7 +120,7 @@ resource "aws_ecs_task_definition" "aztec_mainnet_fork" {
       essential = true
       environment = [
         { name = "API_KEY", value = "${var.API_KEY}" },
-        { name = "PUBLIC_API_KEY", value = "${var.PUBLIC_API_KEY}" },
+        { name = "FORK_ADMIN_API_KEY", value = "${var.FORK_ADMIN_API_KEY}" },
         { name = "MNEMONIC", value = "${var.FORK_MNEMONIC}" },
         { name = "INFURA_API_KEY", value = "${var.INFURA_API_KEY}" },
         { name = "L1_CHAIN_ID", value = "${var.L1_CHAIN_ID}" },

iac/mainnet-fork/terraform/variables.tf

@@ -10,7 +10,7 @@ variable "API_KEY" {
   type = string
 }
 
-variable "PUBLIC_API_KEY" {
+variable "FORK_ADMIN_API_KEY" {
   type = string
 }
 

yarn-project/aztec/terraform/node/main.tf

@@ -190,7 +190,7 @@ resource "aws_ecs_task_definition" "aztec-node" {
         },
         {
           name  = "ETHEREUM_HOST"
-          value = "https://${var.DEPLOY_TAG}-mainnet-fork.aztec.network:8545/${var.API_KEY}"
+          value = "https://${var.DEPLOY_TAG}-mainnet-fork.aztec.network:8545/admin-${var.FORK_ADMIN_API_KEY}"
         },
         {
           name  = "DATA_DIRECTORY"

yarn-project/aztec/terraform/node/variables.tf

@@ -11,6 +11,10 @@ variable "API_KEY" {
   type = string
 }
 
+variable "FORK_ADMIN_API_KEY" {
+  type = string
+}
+
 variable "SEQUENCER_PRIVATE_KEYS" {
   type = list(string)
 }