diff --git a/DEPLOY.md b/DEPLOY.md index a816ae3b7..3108226e5 100644 --- a/DEPLOY.md +++ b/DEPLOY.md @@ -26,7 +26,7 @@ Make sure that: 4. Press `ADD KEY` and then `Create new key`. 5. Choose `JSON` and press `CREATE`. 6. Save the keys somewhere to your filesystem, we will refer to its location as `GCP_SERVICE_ACCOUNT_KEY_PATH`. - + ## Requirements ⚠️ **Warning: You must use an x86 machine, M1 will not work** @@ -99,7 +99,7 @@ $ gcloud run deploy \ --memory=2Gi \ --min-instances=1 \ --max-instances=1 \ - --set-env-vars=MPC_RECOVERY_NODE_ID=,MPC_RECOVERY_GCP_PROJECT_ID=,MPC_RECOVERY_WEB_PORT=3000,RUST_LOG=mpc_recovery=debug,PAGODA_FIREBASE_AUDIENCE_ID=near-fastauth-prod \ + --set-env-vars=MPC_RECOVERY_NODE_ID=,MPC_RECOVERY_GCP_PROJECT_ID=,MPC_RECOVERY_WEB_PORT=3000,RUST_LOG=mpc_recovery=debug,PAGODA_ALLOWLIST='{"entries":[{"issuer":"https://securetoken.google.com/near-fastauth-prod","audience":"near-fastauth-prod"}]}' \ --set-secrets=MPC_RECOVERY_SK_SHARE=:latest,MPC_RECOVERY_CIPHER_KEY=:latest \ --no-cpu-throttling \ --region= \ diff --git a/infra/main.tf b/infra/main.tf index ce3f18b22..dc49aa26f 100644 --- a/infra/main.tf +++ b/infra/main.tf @@ -110,7 +110,7 @@ module "signer" { docker_image = docker_image.mpc_recovery.name node_id = count.index - firebase_audience_id = var.firebase_audience_id + allowlist = var.allowlist cipher_key = var.cipher_keys[count.index] sk_share = var.sk_shares[count.index] @@ -134,7 +134,7 @@ module "leader" { relayer_url = local.workspace.relayer_url near_root_account = local.workspace.near_root_account account_creator_id = var.account_creator_id - firebase_audience_id = var.firebase_audience_id + allowlist = var.allowlist account_creator_sk = var.account_creator_sk diff --git a/infra/modules/leader/main.tf b/infra/modules/leader/main.tf index 623c3c1b4..2345fa921 100644 --- a/infra/modules/leader/main.tf +++ b/infra/modules/leader/main.tf 
@@ -16,6 +16,24 @@ resource "google_secret_manager_secret_iam_member" "account_creator_secret_acces member = "serviceAccount:${var.service_account_email}" } +resource "google_secret_manager_secret" "allowlist" { + secret_id = "mpc-recovery-allowlist-leader-${var.env}" + replication { + automatic = true + } +} + +resource "google_secret_manager_secret_version" "allowlist_data" { + secret = google_secret_manager_secret.allowlist.name + secret_data = var.allowlist +} + +resource "google_secret_manager_secret_iam_member" "allowlist_secret_access" { + secret_id = google_secret_manager_secret.allowlist.id + role = "roles/secretmanager.secretAccessor" + member = "serviceAccount:${var.service_account_email}" +} + resource "google_cloud_run_v2_service" "leader" { name = "mpc-recovery-leader-${var.env}" location = var.region @@ -65,8 +83,8 @@ resource "google_cloud_run_v2_service" "leader" { value = var.account_creator_id } env { - name = "PAGODA_FIREBASE_AUDIENCE_ID" - value = var.firebase_audience_id + name = "PAGODA_ALLOWLIST" + value = var.allowlist } env { name = "MPC_RECOVERY_GCP_PROJECT_ID" @@ -97,7 +115,9 @@ resource "google_cloud_run_v2_service" "leader" { } depends_on = [ google_secret_manager_secret_version.account_creator_sk_data, + google_secret_manager_secret_version.allowlist_data, google_secret_manager_secret_iam_member.account_creator_secret_access + google_secret_manager_secret_iam_member.allowlist_secret_access ] } diff --git a/infra/modules/leader/variables.tf b/infra/modules/leader/variables.tf index 43b550fef..39b9a93f7 100644 --- a/infra/modules/leader/variables.tf +++ b/infra/modules/leader/variables.tf @@ -36,7 +36,7 @@ variable "near_root_account" { variable "account_creator_id" { } -variable "firebase_audience_id" { +variable "allowlist" { } # Secrets diff --git a/infra/modules/signer/main.tf b/infra/modules/signer/main.tf index 37c4eb071..95c7cbb41 100644 --- a/infra/modules/signer/main.tf +++ b/infra/modules/signer/main.tf 
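Review bot: The `depends_on` list in the third hunk of infra/modules/leader/main.tf is missing an item separator: the context line `google_secret_manager_secret_iam_member.account_creator_secret_access` has no trailing comma and the added `google_secret_manager_secret_iam_member.allowlist_secret_access` is appended directly after it, which `terraform validate` rejects; the two lines should read `google_secret_manager_secret_iam_member.account_creator_secret_access,` followed by `google_secret_manager_secret_iam_member.allowlist_secret_access`. The enclosing `google_cloud_run_v2_service` resource starts outside that hunk. Separately, the same `var.allowlist` is both written into the new `mpc-recovery-allowlist-leader-${var.env}` secret (first hunk) and set in plaintext as the `PAGODA_ALLOWLIST` env var (second hunk); judging from `load_allowlist` in mpc-recovery/src/main.rs, which only fetches the Secret Manager secret when no inline value or file path is supplied, the secret, its version and the IAM binding would never be read as deployed. Since this allowlist is the set of OIDC issuers and audiences the service will trust, I would keep a single source of truth — either drop the env block and let the service read the versioned secret, or drop the secret resources — rather than leave two copies that can drift.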
@@ -34,6 +34,24 @@ resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" member = "serviceAccount:${var.service_account_email}" } +resource "google_secret_manager_secret" "allowlist" { + secret_id = "mpc-recovery-allowlist-${var.node_id}-${var.env}" + replication { + automatic = true + } +} + +resource "google_secret_manager_secret_version" "allowlist_data" { + secret = google_secret_manager_secret.allowlist.name + secret_data = var.allowlist +} + +resource "google_secret_manager_secret_iam_member" "allowlist_secret_access" { + secret_id = google_secret_manager_secret.allowlist.id + role = "roles/secretmanager.secretAccessor" + member = "serviceAccount:${var.service_account_email}" +} + resource "google_cloud_run_v2_service" "signer" { name = "mpc-recovery-signer-${var.node_id}-${var.env}" location = var.region @@ -60,8 +78,8 @@ resource "google_cloud_run_v2_service" "signer" { value = var.node_id } env { - name = "PAGODA_FIREBASE_AUDIENCE_ID" - value = var.firebase_audience_id + name = "PAGODA_ALLOWLIST" + value = var.allowlist } env { name = "MPC_RECOVERY_GCP_PROJECT_ID" @@ -93,8 +111,10 @@ resource "google_cloud_run_v2_service" "signer" { depends_on = [ google_secret_manager_secret_version.cipher_key_data, google_secret_manager_secret_version.secret_share_data, + google_secret_manager_secret_version.allowlist_data, google_secret_manager_secret_iam_member.cipher_key_secret_access, google_secret_manager_secret_iam_member.secret_share_secret_access + google_secret_manager_secret_iam_member.allowlist_secret_access, ] } diff --git a/infra/modules/signer/variables.tf b/infra/modules/signer/variables.tf index 6496a6876..b75c1984c 100644 --- a/infra/modules/signer/variables.tf +++ b/infra/modules/signer/variables.tf @@ -20,7 +20,7 @@ variable "docker_image" { variable "node_id" { } -variable "firebase_audience_id" { +variable "allowlist" { } # Secrets diff --git a/infra/variables.tf b/infra/variables.tf index 4fc9ebb2f..0a3d5095a 100644 
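Review bot: The `depends_on` list in the third hunk of infra/modules/signer/main.tf has the same separator problem as the leader module: the context line `google_secret_manager_secret_iam_member.secret_share_secret_access` lacks a trailing comma before the added `google_secret_manager_secret_iam_member.allowlist_secret_access,`, so the file does not parse; change the context line to `google_secret_manager_secret_iam_member.secret_share_secret_access,` (the trailing comma on the new last item is fine in HCL). The enclosing `google_cloud_run_v2_service` resource starts outside that hunk. As in the leader module, `var.allowlist` is both stored in the `mpc-recovery-allowlist-${var.node_id}-${var.env}` secret and exported in plaintext as `PAGODA_ALLOWLIST`; the Rust loader appears to prefer the inline value, so the secret and its IAM binding look unused unless the env block is removed. Note the secret name does match the `mpc-recovery-allowlist-{node_id}-{env}` format built in mpc-recovery/src/main.rs, so removing the env var should work without further changes.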
--- a/infra/variables.tf +++ b/infra/variables.tf @@ -25,8 +25,9 @@ variable "account_creator_id" { default = "tmp_acount_creator.serhii.testnet" } -variable "firebase_audience_id" { - default = "pagoda-oboarding-dev" +variable "allowlist" { + type = list(string) + default = [] } variable "external_signer_node_urls" { diff --git a/mpc-recovery/src/main.rs b/mpc-recovery/src/main.rs index e9ac2912f..9b8368fe7 100644 --- a/mpc-recovery/src/main.rs +++ b/mpc-recovery/src/main.rs @@ -177,6 +177,7 @@ async fn load_account_creator_sk( async fn load_allowlist( gcp_service: &GcpService, env: &str, + node_id: &str, allowlist: Option, allowlist_path: Option, ) -> anyhow::Result { @@ -191,7 +192,7 @@ async fn load_allowlist( Ok(serde_json::from_reader(reader)?) } None => { - let name = format!("mpc-recovery-allowlist-{env}/versions/latest"); + let name = format!("mpc-recovery-allowlist-{node_id}-{env}/versions/latest"); Ok(serde_json::from_slice( &gcp_service.load_secret(name).await?, )?) @@ -249,6 +250,7 @@ async fn main() -> anyhow::Result<()> { let allowlist = load_allowlist( &gcp_service, &env, + "leader", pagoda_allowlist, pagoda_allowlist_filepath, ) @@ -293,6 +295,7 @@ async fn main() -> anyhow::Result<()> { let allowlist = load_allowlist( &gcp_service, &env, + node_id.to_string().as_str(), pagoda_allowlist, pagoda_allowlist_filepath, )
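Review bot: `variable "allowlist"` in infra/variables.tf is declared as `type = list(string)` with `default = []`, but infra/main.tf passes it to the module inputs that end up in `secret_data = var.allowlist` and the `PAGODA_ALLOWLIST` env `value`, both of which need a string, and DEPLOY.md shows the expected value is a JSON document of the form `{"entries":[...]}`; Terraform will refuse to convert a list to a string, so the apply fails as soon as the value is used. I would change it to `type = string` and either drop the default so each environment must set the trusted issuers explicitly, or use a default that the Rust loader can parse, e.g. `default = "{\"entries\":[]}"`, which denies every token until configured. A `validation` block checking `can(jsondecode(var.allowlist))` would catch malformed JSON at plan time rather than at service start.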
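Review bot: `load_allowlist` in mpc-recovery/src/main.rs now derives the Secret Manager name `mpc-recovery-allowlist-{node_id}-{env}` from a caller-supplied `node_id`, but nothing documents that this string must agree with the `secret_id` Terraform creates (`mpc-recovery-allowlist-leader-${var.env}` for the leader, `mpc-recovery-allowlist-${var.node_id}-${var.env}` for signers) or the lookup order the `match` implements; I would add a doc comment on the signature such as `/// Loads the OIDC allowlist: an inline value is used first, then a file path, then the Secret Manager secret mpc-recovery-allowlist-{node_id}-{env}, whose name must match the secret_id in infra/modules/*/main.tf.` The first arm of the `match` and the rest of the function body lie outside the hunks, so the inline-value precedence is inferred from the visible `None` arm. Because this allowlist is the trust anchor for token verification, a failed fetch should name what was looked up, e.g. `.await.with_context(|| format!("loading allowlist secret {name}"))?` on the `load_secret` call, so a mismatched `node_id`/`env` is diagnosable rather than a bare not-found. Minor style point in the last hunk: `node_id.to_string().as_str()` can be written `&node_id.to_string()`.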