Feat: added partner code for infrastructure, and updated dev code (#493)

* added partner code for infrastructure, and updated dev code * added VPC network creation * changes to PR requests * added conditional to VPC creation and removed old partner code
near · Mar 18, 2024 · dbe9c05 · dbe9c05
1 parent 2dc7b0a
commit dbe9c05
Show file tree

Hide file tree

Showing 12 changed files with 464 additions and 149 deletions.
diff --git a/infra/.gitignore b/infra/.gitignore
@@ -17,6 +17,7 @@ crash.*.log
 *.tfvars.json
 !terraform-dev.tfvars
 !backend-config-*.tfvars
+!terraform-testnet-example.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

diff --git a/infra/multichain-vm-dev/main.tf b/infra/multichain-vm-dev/main.tf
@@ -10,7 +10,7 @@ module "gce-container" {
   version = "~> 3.0"
 
   container = {
-    image = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/multichain/multichain-dev:latest"
+    image = "us-east1-docker.pkg.dev/pagoda-discovery-platform-prod/multichain-public/multichain-dev:latest"
     args  = ["start"]
     port  = "3000"
 
@@ -82,6 +82,8 @@ module "mig_template" {
   source_image_project = "cos-cloud"
   machine_type         = "n2-standard-2"
 
+  startup_script = "docker rm watchtower ; docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --debug --interval 30"
+
   source_image = reverse(split("/", module.gce-container[count.index].source_image))[0]
   metadata     = merge(var.additional_metadata, { "gce-container-declaration" = module.gce-container["${count.index}"].metadata_value })
   tags = [

diff --git a/infra/multichain-vm-dev/terraform-dev.tfvars b/infra/multichain-vm-dev/terraform-dev.tfvars
@@ -20,5 +20,40 @@ node_configs = [
     account_sk_secret_id = "multichain-account-sk-dev-2"
     cipher_sk_secret_id  = "multichain-cipher-sk-dev-2"
     sk_share_secret_id   = "multichain-sk-share-dev-2"
-  }
-]
+  },
+  {
+    account              = "multichain-node-dev-3.testnet"
+    cipher_pk            = "f0bc3ec25105301e0dfaafffb043fafd98b520692610bf09d688b77a3de4f16e"
+    account_sk_secret_id = "multichain-account-sk-dev-3"
+    cipher_sk_secret_id  = "multichain-cipher-sk-dev-3"
+    sk_share_secret_id   = "multichain-sk-share-dev-3"
+  },
+  {
+    account              = "multichain-node-dev-4.testnet"
+    cipher_pk            = "4d4df6855b2b3825ed2b7f4becfbe2ea7c940817bb54eaa5c4baef7c73df426b"
+    account_sk_secret_id = "multichain-account-sk-dev-4"
+    cipher_sk_secret_id  = "multichain-cipher-sk-dev-4"
+    sk_share_secret_id   = "multichain-sk-share-dev-4"
+  },
+  {
+    account              = "multichain-node-dev-5.testnet"
+    cipher_pk            = "9c228aedc6bd9c49f7cbbfebe68a61e2ecb5ba015fde8ec178b798d022fec528"
+    account_sk_secret_id = "multichain-account-sk-dev-5"
+    cipher_sk_secret_id  = "multichain-cipher-sk-dev-5"
+    sk_share_secret_id   = "multichain-sk-share-dev-5"
+  },
+  {
+    account              = "multichain-node-dev-6.testnet"
+    cipher_pk            = "490cdcec451c9d34d186af4b0747f82c3dbc45df0d9a6d4b8cd68a783592073b"
+    account_sk_secret_id = "multichain-account-sk-dev-6"
+    cipher_sk_secret_id  = "multichain-cipher-sk-dev-6"
+    sk_share_secret_id   = "multichain-sk-share-dev-6"
+  },
+  {
+    account              = "multichain-node-dev-7.testnet"
+    cipher_pk            = "5f49047f95ab9705f325d573ea6fcd2bbe681ab1f90b6b0d736669c34b483a07"
+    account_sk_secret_id = "multichain-account-sk-dev-7"
+    cipher_sk_secret_id  = "multichain-cipher-sk-dev-7"
+    sk_share_secret_id   = "multichain-sk-share-dev-7"
+  },
+]
diff --git a/infra/multichain-vm-dev/variables.tf b/infra/multichain-vm-dev/variables.tf
@@ -97,7 +97,7 @@ variable "static_env" {
     },
     {
       name  = "MPC_RECOVERY_INDEXER_START_BLOCK_HEIGHT"
-      value = 158767549
+      value = 159307004
     },
     {
       name  = "AWS_DEFAULT_REGION"

diff --git a/infra/partner-vm-testnet/main.tf b/infra/partner-vm-testnet/main.tf
@@ -0,0 +1,198 @@
+provider "google" {
+  project = var.project_id
+}
+provider "google-beta" {
+  project = var.project_id
+}
+module "gce-container" {
+  count   = length(var.node_configs)
+  source  = "terraform-google-modules/container-vm/google"
+  version = "~> 3.0"
+
+  container = {
+    image = "us-east1-docker.pkg.dev/pagoda-discovery-platform-prod/multichain-public/multichain-dev:latest"
+    args  = ["start"]
+    port  = "3000"
+
+    env = concat(var.static_env, [
+      {
+        name  = "MPC_RECOVERY_NODE_ID"
+        value = "${count.index}"
+      },
+      {
+        name  = "MPC_RECOVERY_ACCOUNT_ID"
+        value = var.node_configs["${count.index}"].account
+      },
+      {
+        name  = "MPC_RECOVERY_CIPHER_PK"
+        value = var.node_configs["${count.index}"].cipher_pk
+      },
+      {
+        name  = "MPC_RECOVERY_ACCOUNT_SK"
+        value = data.google_secret_manager_secret_version.account_sk_secret_id[count.index].secret_data
+      },
+      {
+        name  = "MPC_RECOVERY_CIPHER_SK"
+        value = data.google_secret_manager_secret_version.cipher_sk_secret_id[count.index].secret_data
+      },
+      {
+        name  = "AWS_ACCESS_KEY_ID"
+        value = data.google_secret_manager_secret_version.aws_access_key_secret_id.secret_data
+      },
+      {
+        name  = "AWS_SECRET_ACCESS_KEY"
+        value = data.google_secret_manager_secret_version.aws_secret_key_secret_id.secret_data
+      },
+      {
+        name  = "MPC_RECOVERY_LOCAL_ADDRESS"
+        value = "http://${google_compute_global_address.external_ips[count.index].address}"
+      },
+      {
+        name = "MPC_RECOVERY_SK_SHARE_SECRET_ID"
+        value = var.node_configs["${count.index}"].sk_share_secret_id
+      },
+      {
+        name = "MPC_RECOVERY_ENV",
+        value = var.env
+      }
+    ])
+  }
+}
+
+resource "google_service_account" "service_account" {
+  account_id   = "multichain-${var.env}"
+  display_name = "Multichain ${var.env} Account"
+}
+
+resource "google_project_iam_binding" "sa-roles" {
+  for_each = toset([
+      "roles/datastore.user",
+      "roles/secretmanager.admin",
+      "roles/storage.objectAdmin",
+      "roles/iam.serviceAccountAdmin",
+  ])
+
+  role = each.key
+  members = [ 
+    "serviceAccount:${google_service_account.service_account.email}"
+   ]
+   project = var.project_id
+}
+
+resource "google_compute_global_address" "external_ips" {
+  count        = length(var.node_configs)
+  name         = "multichain-dev-parnter-${count.index}"
+  address_type = "EXTERNAL"
+}
+
+module "ig_template" {
+  count      = length(var.node_configs)
+  source     = "../modules/mig_template"
+  network    = var.network
+  subnetwork = var.subnetwork
+  region     = var.region
+  service_account = {
+    email  = google_service_account.service_account.email,
+    scopes = ["cloud-platform"]
+  }
+  name_prefix          = "multichain-partner-${count.index}"
+  source_image_family  = "cos-stable"
+  source_image_project = "cos-cloud"
+  machine_type         = "n2d-standard-2"
+
+  startup_script = "docker rm watchtower ; docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --debug --interval 3600"
+
+  source_image = reverse(split("/", module.gce-container[count.index].source_image))[0]
+  metadata     = merge(var.additional_metadata, { "gce-container-declaration" = module.gce-container["${count.index}"].metadata_value })
+  tags = [
+    "multichain",
+    "allow-ssh"
+  ]
+  labels = {
+    "container-vm" = module.gce-container[count.index].vm_container_label
+  }
+
+  depends_on = [google_compute_global_address.external_ips]
+}
+
+
+module "instances" {
+  count      = length(var.node_configs)
+  source     = "../modules/instance-from-tpl"
+  region     = var.region
+  project_id = var.project_id
+  hostname   = "multichain-dev-partner-${count.index}"
+  network    = var.network
+  subnetwork = var.subnetwork
+
+  instance_template = module.ig_template[count.index].self_link_unique
+
+}
+
+resource "google_compute_health_check" "multichain_healthcheck" {
+  name = "multichain-dev-partner-healthcheck"
+
+  http_health_check {
+    port         = 3000
+    request_path = "/"
+  }
+
+}
+
+resource "google_compute_global_forwarding_rule" "default" {
+  count      = length(var.node_configs)
+  name       = "multichain-partner-rule-${count.index}"
+  target     = google_compute_target_http_proxy.default[count.index].id
+  port_range = "80"
+  load_balancing_scheme = "EXTERNAL"
+  ip_address = google_compute_global_address.external_ips[count.index].address
+}
+
+resource "google_compute_target_http_proxy" "default" {
+  count      = length(var.node_configs)
+  name        = "multichain-partner-target-proxy-${count.index}"
+  description = "a description"
+  url_map     = google_compute_url_map.default[count.index].id
+}
+
+resource "google_compute_url_map" "default" {
+  count           = length(var.node_configs)
+  name            = "multichain-partner-url-map-${count.index}"
+  default_service = google_compute_backend_service.multichain_backend.id
+}
+
+resource "google_compute_backend_service" "multichain_backend" {
+  name                  = "multichain-partner-backend-service"
+  load_balancing_scheme = "EXTERNAL"
+
+  backend {
+    group = google_compute_instance_group.multichain_group.id
+  }
+
+  health_checks = [google_compute_health_check.multichain_healthcheck.id]
+}
+
+resource "google_compute_instance_group" "multichain_group" {
+  name      = "multichain-partner-instance-group"
+  instances = module.instances[*].self_links[0]
+
+  zone = "us-central1-a"
+  named_port {
+    name = "http"
+    port = 3000
+  }
+}
+
+resource "google_compute_firewall" "app_port" {
+  name = "allow-multichain-healthcheck-access"
+  network = var.network
+
+  source_ranges = [ "130.211.0.0/22", "35.191.0.0/16" ]
+  source_tags = [ "multichain" ]
+
+  allow {
+    protocol = "tcp"
+    ports = [ "80" ]
+  }
+
+}
diff --git a/infra/partner-vm-testnet/network.tf b/infra/partner-vm-testnet/network.tf
@@ -0,0 +1,42 @@
+module "vpc" {
+    count = var.create_network ? 1 : 0
+    source  = "terraform-google-modules/network/google"
+    version = "~> 9.0"
+
+    project_id   = var.project_id
+    network_name = var.network
+    routing_mode = "GLOBAL"
+
+    subnets = [
+        {
+            subnet_name           = var.subnetwork
+            subnet_ip             = "10.10.10.0/24"
+            subnet_region         = var.region
+        }
+    ]
+
+    routes = [
+        {
+            name                   = "egress-internet"
+            description            = "route through IGW to access internet"
+            destination_range      = "0.0.0.0/0"
+            tags                   = "egress-inet"
+            next_hop_internet      = "true"
+        }
+    ]
+
+    ingress_rules = [ 
+      {
+        name = "allow-iap-ssh"
+        description = "this rule allows you to connect to your VM via SSH without port 22 being public"
+        source_ranges = [ "35.235.240.0/20" ]
+        target_tags = [ "allow-ssh" ]
+        allow = [ 
+            {
+            protocol = "tcp",
+            ports = ["22"]
+          } 
+        ]
+      },
+     ]
+}
diff --git a/infra/partner-vm-testnet/resources.tf b/infra/partner-vm-testnet/resources.tf
@@ -0,0 +1,41 @@
+terraform {
+  backend "gcs" {
+    bucket = "multichain-terraform-dev" # Example: terraform-multichain-state-bucket
+    prefix = "state/multichain-vm-partner-test" # Example: state/multichain-vm
+  }
+
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "4.73.0"
+    }
+  }
+}
+
+# These data blocks grab the values from your GCP secret manager, please adjust secret names as desired
+data "google_secret_manager_secret_version" "account_sk_secret_id" {
+  count   = length(var.node_configs)
+  secret  = var.node_configs[0].account_sk_secret_id
+  project = var.project_id
+}
+
+data "google_secret_manager_secret_version" "cipher_sk_secret_id" {
+  count   = length(var.node_configs)
+  secret  = var.node_configs[0].cipher_sk_secret_id
+  project = var.project_id
+}
+
+data "google_secret_manager_secret_version" "sk_share_secret_id" {
+  count   = length(var.node_configs)
+  secret  = var.node_configs[0].sk_share_secret_id
+  project = var.project_id
+}
+
+# This is the AWS access key and secret key for our public S3 bucket with Lake data
+data "google_secret_manager_secret_version" "aws_access_key_secret_id" {
+  secret = "multichain-indexer-aws-access-key"
+}
+
+data "google_secret_manager_secret_version" "aws_secret_key_secret_id" {
+  secret = "multichain-indexer-aws-secret-key"
+}
diff --git a/infra/partner-vm-testnet/terraform-testnet-example.tfvars b/infra/partner-vm-testnet/terraform-testnet-example.tfvars
@@ -0,0 +1,13 @@
+env          = "testnet"
+# These will be specific to your node
+node_configs = [
+  {
+    # Each node has a unique account ID
+    account              = "multichain-node-testnet-7.testnet"
+    cipher_pk            = "<your_cipher_pk>"
+    # These 3 values below should match your secret names in google secrets manager
+    account_sk_secret_id = "multichain-account-sk-testnet-0"
+    cipher_sk_secret_id  = "multichain-cipher-sk-testnet-0"
+    sk_share_secret_id   = "multichain-sk-share-testnet-0"
+  },
+]