Try fix infra/terraform

near · Aug 17, 2023 · 8a2ab84 · 8a2ab84
1 parent c96a978
commit 8a2ab84
Show file tree

Hide file tree

Showing 8 changed files with 57 additions and 13 deletions.
diff --git a/DEPLOY.md b/DEPLOY.md
@@ -26,7 +26,7 @@ Make sure that:
     4. Press `ADD KEY` and then `Create new key`.
     5. Choose `JSON` and press `CREATE`.
     6. Save the keys somewhere to your filesystem, we will refer to its location as `GCP_SERVICE_ACCOUNT_KEY_PATH`.
-    
+
 ## Requirements
 
 ⚠️ **Warning: You must use an x86 machine, M1 will not work**
@@ -99,7 +99,7 @@ $ gcloud run deploy <GCP_CLOUD_RUN_SERVICE> \
     --memory=2Gi \
     --min-instances=1 \
     --max-instances=1 \
-    --set-env-vars=MPC_RECOVERY_NODE_ID=<MPC_NODE_ID>,MPC_RECOVERY_GCP_PROJECT_ID=<GCP_PROJECT_ID>,MPC_RECOVERY_WEB_PORT=3000,RUST_LOG=mpc_recovery=debug,PAGODA_FIREBASE_AUDIENCE_ID=near-fastauth-prod \
+    --set-env-vars=MPC_RECOVERY_NODE_ID=<MPC_NODE_ID>,MPC_RECOVERY_GCP_PROJECT_ID=<GCP_PROJECT_ID>,MPC_RECOVERY_WEB_PORT=3000,RUST_LOG=mpc_recovery=debug,PAGODA_ALLOWLIST='{"entries":[{"issuer":"https://securetoken.google.com/near-fastauth-prod","audience":"near-fastauth-prod"}]}' \
     --set-secrets=MPC_RECOVERY_SK_SHARE=<GCP_SM_KEY_NAME>:latest,MPC_RECOVERY_CIPHER_KEY=<GCP_SM_CIPHER_NAME>:latest \
     --no-cpu-throttling \
     --region=<GCP_REGION> \

diff --git a/infra/main.tf b/infra/main.tf
@@ -110,7 +110,7 @@ module "signer" {
   docker_image          = docker_image.mpc_recovery.name
 
   node_id              = count.index
-  firebase_audience_id = var.firebase_audience_id
+  allowlist            = var.allowlist
 
   cipher_key = var.cipher_keys[count.index]
   sk_share   = var.sk_shares[count.index]
@@ -134,7 +134,7 @@ module "leader" {
   relayer_url          = local.workspace.relayer_url
   near_root_account    = local.workspace.near_root_account
   account_creator_id   = var.account_creator_id
-  firebase_audience_id = var.firebase_audience_id
+  allowlist            = var.allowlist
 
   account_creator_sk = var.account_creator_sk
 

diff --git a/infra/modules/leader/main.tf b/infra/modules/leader/main.tf
@@ -16,6 +16,24 @@ resource "google_secret_manager_secret_iam_member" "account_creator_secret_acces
   member    = "serviceAccount:${var.service_account_email}"
 }
 
+resource "google_secret_manager_secret" "allowlist" {
+  secret_id = "mpc-recovery-allowlist-leader-${var.env}"
+  replication {
+    automatic = true
+  }
+}
+
+resource "google_secret_manager_secret_version" "allowlist_data" {
+  secret      = google_secret_manager_secret.allowlist.name
+  secret_data = var.allowlist
+}
+
+resource "google_secret_manager_secret_iam_member" "allowlist_secret_access" {
+  secret_id = google_secret_manager_secret.allowlist.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${var.service_account_email}"
+}
+
 resource "google_cloud_run_v2_service" "leader" {
   name     = "mpc-recovery-leader-${var.env}"
   location = var.region
@@ -65,8 +83,8 @@ resource "google_cloud_run_v2_service" "leader" {
         value = var.account_creator_id
       }
       env {
-        name  = "PAGODA_FIREBASE_AUDIENCE_ID"
-        value = var.firebase_audience_id
+        name  = "PAGODA_ALLOWLIST"
+        value = var.allowlist
       }
       env {
         name  = "MPC_RECOVERY_GCP_PROJECT_ID"
@@ -97,7 +115,9 @@ resource "google_cloud_run_v2_service" "leader" {
   }
   depends_on = [
     google_secret_manager_secret_version.account_creator_sk_data,
+    google_secret_manager_secret_version.allowlist_data,
     google_secret_manager_secret_iam_member.account_creator_secret_access
+    google_secret_manager_secret_iam_member.allowlist_secret_access
   ]
 }
 

diff --git a/infra/modules/leader/variables.tf b/infra/modules/leader/variables.tf
@@ -36,7 +36,7 @@ variable "near_root_account" {
 variable "account_creator_id" {
 }
 
-variable "firebase_audience_id" {
+variable "allowlist" {
 }
 
 # Secrets

diff --git a/infra/modules/signer/main.tf b/infra/modules/signer/main.tf
@@ -34,6 +34,24 @@ resource "google_secret_manager_secret_iam_member" "secret_share_secret_access"
   member    = "serviceAccount:${var.service_account_email}"
 }
 
+resource "google_secret_manager_secret" "allowlist" {
+  secret_id = "mpc-recovery-allowlist-${var.node_id}-${var.env}"
+  replication {
+    automatic = true
+  }
+}
+
+resource "google_secret_manager_secret_version" "allowlist_data" {
+  secret      = google_secret_manager_secret.allowlist.name
+  secret_data = var.allowlist
+}
+
+resource "google_secret_manager_secret_iam_member" "allowlist_secret_access" {
+  secret_id = google_secret_manager_secret.allowlist.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${var.service_account_email}"
+}
+
 resource "google_cloud_run_v2_service" "signer" {
   name     = "mpc-recovery-signer-${var.node_id}-${var.env}"
   location = var.region
@@ -60,8 +78,8 @@ resource "google_cloud_run_v2_service" "signer" {
         value = var.node_id
       }
       env {
-        name  = "PAGODA_FIREBASE_AUDIENCE_ID"
-        value = var.firebase_audience_id
+        name  = "PAGODA_ALLOWLIST"
+        value = var.allowlist
       }
       env {
         name  = "MPC_RECOVERY_GCP_PROJECT_ID"
@@ -93,8 +111,10 @@ resource "google_cloud_run_v2_service" "signer" {
   depends_on = [
     google_secret_manager_secret_version.cipher_key_data,
     google_secret_manager_secret_version.secret_share_data,
+    google_secret_manager_secret_version.allowlist_data,
     google_secret_manager_secret_iam_member.cipher_key_secret_access,
     google_secret_manager_secret_iam_member.secret_share_secret_access
+    google_secret_manager_secret_iam_member.allowlist_secret_access,
   ]
 }
 

diff --git a/infra/modules/signer/variables.tf b/infra/modules/signer/variables.tf
@@ -20,7 +20,7 @@ variable "docker_image" {
 variable "node_id" {
 }
 
-variable "firebase_audience_id" {
+variable "allowlist" {
 }
 
 # Secrets

diff --git a/infra/variables.tf b/infra/variables.tf
@@ -25,8 +25,9 @@ variable "account_creator_id" {
   default = "tmp_acount_creator.serhii.testnet"
 }
 
-variable "firebase_audience_id" {
-  default = "pagoda-oboarding-dev"
+variable "allowlist" {
+  type    = list(string)
+  default = []
 }
 
 variable "external_signer_node_urls" {

diff --git a/mpc-recovery/src/main.rs b/mpc-recovery/src/main.rs
@@ -177,6 +177,7 @@ async fn load_account_creator_sk(
 async fn load_allowlist(
     gcp_service: &GcpService,
     env: &str,
+    node_id: &str,
     allowlist: Option<String>,
     allowlist_path: Option<PathBuf>,
 ) -> anyhow::Result<AllowList> {
@@ -191,7 +192,7 @@ async fn load_allowlist(
             Ok(serde_json::from_reader(reader)?)
         }
         None => {
-            let name = format!("mpc-recovery-allowlist-{env}/versions/latest");
+            let name = format!("mpc-recovery-allowlist-{node_id}-{env}/versions/latest");
             Ok(serde_json::from_slice(
                 &gcp_service.load_secret(name).await?,
             )?)
@@ -249,6 +250,7 @@ async fn main() -> anyhow::Result<()> {
             let allowlist = load_allowlist(
                 &gcp_service,
                 &env,
+                "leader",
                 pagoda_allowlist,
                 pagoda_allowlist_filepath,
             )
@@ -293,6 +295,7 @@ async fn main() -> anyhow::Result<()> {
             let allowlist = load_allowlist(
                 &gcp_service,
                 &env,
+                node_id.to_string().as_str(),
                 pagoda_allowlist,
                 pagoda_allowlist_filepath,
             )