fix: split mainnet and testnet infra #365

Merged
merged 1 commit into from
Nov 16, 2023
Merged
89 changes: 2 additions & 87 deletions infra/mpc-recovery-prod/main.tf
Expand Up @@ -89,12 +89,6 @@ resource "google_secret_manager_secret_iam_member" "secret_share_secret_access"
member = "serviceAccount:${google_service_account.service_account.email}"
}

resource "google_secret_manager_secret_iam_member" "oidc_providers_secret_access" {
secret_id = var.oidc_providers_secret_id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_service_account.service_account.email}"
}

resource "google_secret_manager_secret_iam_member" "account_creator_secret_access" {
secret_id = var.account_creator_sk_secret_id
role = "roles/secretmanager.secretAccessor"
Expand All @@ -119,18 +113,6 @@ module "mpc-signer-lb-mainnet" {
service_name = "mpc-recovery-signer-${count.index}-mainnet"
}

module "mpc-signer-lb-testnet" {

count = length(var.signer_configs)
source = "../modules/internal_cloudrun_lb"
name = "mpc-prod-signer-${count.index}-testnet"
network_id = data.google_compute_network.prod_network.id
subnetwork_id = data.google_compute_subnetwork.prod_subnetwork.id
project_id = var.project
region = "us-central1"
service_name = "mpc-recovery-signer-${count.index}-testnet"
}

module "mpc-leader-lb-mainnet" {
source = "../modules/internal_cloudrun_lb"
name = "mpc-prod-leader-mainnet"
Expand All @@ -141,15 +123,6 @@ module "mpc-leader-lb-mainnet" {
service_name = "mpc-recovery-leader-mainnet"
}

module "mpc-leader-lb-testnet" {
source = "../modules/internal_cloudrun_lb"
name = "mpc-prod-leader-testnet"
network_id = data.google_compute_network.prod_network.id
subnetwork_id = data.google_compute_subnetwork.prod_subnetwork.id
project_id = var.project
region = "us-central1"
service_name = "mpc-recovery-leader-testnet"
}
/*
* Create multiple signer nodes
*/
Expand All @@ -175,33 +148,6 @@ module "signer-mainnet" {
depends_on = [
google_secret_manager_secret_iam_member.cipher_key_secret_access,
google_secret_manager_secret_iam_member.secret_share_secret_access,
google_secret_manager_secret_iam_member.oidc_providers_secret_access
]
}

module "signer-testnet" {
count = length(var.signer_configs)
source = "../modules/signer"

env = "prod"
service_name = "mpc-recovery-signer-${count.index}-testnet"
project = var.project
region = var.region
zone = var.zone
service_account_email = google_service_account.service_account.email
docker_image = var.docker_image
connector_id = var.prod-connector
jwt_signature_pk_url = var.jwt_signature_pk_url

node_id = count.index

cipher_key_secret_id = var.signer_configs[count.index].cipher_key_secret_id
sk_share_secret_id = var.signer_configs[count.index].sk_share_secret_id

depends_on = [
google_secret_manager_secret_iam_member.cipher_key_secret_access,
google_secret_manager_secret_iam_member.secret_share_secret_access,
google_secret_manager_secret_iam_member.oidc_providers_secret_access
]
}

Expand All @@ -223,48 +169,17 @@ module "leader-mainnet" {
opentelemetry_level = var.opentelemetry_level
otlp_endpoint = var.otlp_endpoint

signer_node_urls = concat(module.signer.*.node.uri, var.external_signer_node_urls)
near_rpc = local.workspace.near_rpc
near_root_account = local.workspace.near_root_account
account_creator_id = var.account_creator_id

account_creator_sk_secret_id = var.account_creator_sk_secret_id
fast_auth_partners_secret_id = var.fast_auth_partners_secret_id

depends_on = [
google_secret_manager_secret_iam_member.account_creator_secret_access,
google_secret_manager_secret_iam_member.fast_auth_partners_secret_access,
module.signer
]
}

module "leader-testnet" {
source = "../modules/leader"

env = "prod"
service_name = "mpc-recovery-leader-testnet"
project = var.project
region = var.region
zone = var.zone
service_account_email = google_service_account.service_account.email
docker_image = var.docker_image
connector_id = var.prod-connector
jwt_signature_pk_url = var.jwt_signature_pk_url
opentelemetry_level = var.opentelemetry_level
otlp_endpoint = var.otlp_endpoint

signer_node_urls = concat(module.signer.*.node.uri, var.external_signer_node_urls)
signer_node_urls = concat(module.signer-mainnet.*.node.uri, var.external_signer_node_urls)
near_rpc = local.workspace.near_rpc
near_root_account = local.workspace.near_root_account
account_creator_id = var.account_creator_id


account_creator_sk_secret_id = var.account_creator_sk_secret_id
fast_auth_partners_secret_id = var.fast_auth_partners_secret_id

depends_on = [
google_secret_manager_secret_iam_member.account_creator_secret_access,
google_secret_manager_secret_iam_member.fast_auth_partners_secret_access,
module.signer
module.signer-mainnet
]
}
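Review bot: `leader-mainnet` still resolves `near_rpc` and `near_root_account` from `local.workspace` (the two lines directly under the new `signer_node_urls`), so this root module is only correct when applied in the workspace that maps to mainnet; now that the roots are split per network, a `default` or mistyped workspace would silently hand the mainnet leader whatever fallback the locals define. The `locals` block of this file is outside the hunk, so I can't confirm the fallback here, but with a mainnet-only root the values can simply be pinned, e.g. `near_rpc = "https://rpc.mainnet.near.org"` and `near_root_account = "near"`, removing the dependence on workspace naming. The `leader-mainnet` module block starts outside the hunk.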
22 changes: 0 additions & 22 deletions infra/mpc-recovery-prod/migration.py

This file was deleted.

2 changes: 1 addition & 1 deletion infra/mpc-recovery-prod/output.tf
@@ -1,3 +1,3 @@
output "leader_node" {
value = module.leader.node.uri
value = module.leader-mainnet.node.uri
}
6 changes: 1 addition & 5 deletions infra/mpc-recovery-prod/variables.tf
Expand Up @@ -39,10 +39,6 @@ variable "account_creator_sk_secret_id" {
type = string
}

variable "oidc_providers_secret_id" {
type = string
}

variable "fast_auth_partners_secret_id" {
type = string
}
Expand Down Expand Up @@ -94,4 +90,4 @@ variable "otlp_endpoint" {

variable "opentelemetry_level" {
type = string
}
}
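--- a/infra/mpc-recovery-testnet/backend-config-prod.tfvars
+++ b/infra/mpc-recovery-testnet/backend-config-prod.tfvars
@@ -0,0 +1 @@
+bucket = "mpc-recovery-terraform-prod"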
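--- a/infra/mpc-recovery-testnet/main.tf
+++ b/infra/mpc-recovery-testnet/main.tf
@@ -0,0 +1,180 @@
+terraform {
+backend "gcs" {
+bucket = "mpc-recovery-terraform-prod"
+prefix = "state/mpc-recovery"
+}
+
+required_providers {
+google = {
+source = "hashicorp/google"
+version = "4.73.0"
+}
+}
+}
+
+locals {
+credentials = var.credentials != null ? var.credentials : file(var.credentials_file)
+client_email = jsondecode(local.credentials).client_email
+client_id = jsondecode(local.credentials).client_id
+
+env = {
+defaults = {
+near_rpc = "https://rpc.testnet.near.org"
+near_root_account = "testnet"
+}
+testnet = {
+}
+mainnet = {
+near_rpc = "https://rpc.mainnet.near.org"
+near_root_account = "near"
+}
+}
+
+workspace = merge(local.env["defaults"], contains(keys(local.env), terraform.workspace) ? local.env[terraform.workspace] : local.env["defaults"])
+}
+
+data "external" "git_checkout" {
+program = ["${path.module}/../scripts/get_sha.sh"]
+}
+
+provider "google" {
+credentials = local.credentials
+# credentials = file("~/.config/gcloud/application_default_credentials.json")
+
+project = var.project
+region = var.region
+zone = var.zone
+}
+
+/*
+* Create brand new service account with basic IAM
+*/
+resource "google_service_account" "service_account" {
+account_id = "mpc-recovery-prod"
+display_name = "MPC Recovery prod Account"
+}
+
+resource "google_service_account_iam_binding" "serivce-account-iam" {
+service_account_id = google_service_account.service_account.name
+role = "roles/iam.serviceAccountUser"
+
+members = [
+"serviceAccount:${local.client_email}",
+# "serviceAccount:mpc-recovery@pagoda-discovery-platform-prod.iam.gserviceaccount.com"
+]
+}
+
+resource "google_project_iam_member" "service-account-datastore-user" {
+project = var.project
+role = "roles/datastore.user"
+member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+/*
+* Ensure service account has access to Secret Manager variables
+*/
+resource "google_secret_manager_secret_iam_member" "cipher_key_secret_access" {
+count = length(var.signer_configs)
+
+secret_id = var.signer_configs[count.index].cipher_key_secret_id
+role = "roles/secretmanager.secretAccessor"
+member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" {
+count = length(var.signer_configs)
+
+secret_id = var.signer_configs[count.index].sk_share_secret_id
+role = "roles/secretmanager.secretAccessor"
+member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "google_secret_manager_secret_iam_member" "account_creator_secret_access" {
+secret_id = var.account_creator_sk_secret_id
+role = "roles/secretmanager.secretAccessor"
+member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "google_secret_manager_secret_iam_member" "fast_auth_partners_secret_access" {
+secret_id = var.fast_auth_partners_secret_id
+role = "roles/secretmanager.secretAccessor"
+member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+module "mpc-signer-lb-testnet" {
+
+count = length(var.signer_configs)
+source = "../modules/internal_cloudrun_lb"
+name = "mpc-prod-signer-${count.index}-testnet"
+network_id = data.google_compute_network.prod_network.id
+subnetwork_id = data.google_compute_subnetwork.prod_subnetwork.id
+project_id = var.project
+region = "us-central1"
+service_name = "mpc-recovery-signer-${count.index}-testnet"
+}
+
+module "mpc-leader-lb-testnet" {
+source = "../modules/internal_cloudrun_lb"
+name = "mpc-prod-leader-testnet"
+network_id = data.google_compute_network.prod_network.id
+subnetwork_id = data.google_compute_subnetwork.prod_subnetwork.id
+project_id = var.project
+region = "us-central1"
+service_name = "mpc-recovery-leader-testnet"
+}
+
+module "signer-testnet" {
+count = length(var.signer_configs)
+source = "../modules/signer"
+
+env = "testnet"
+service_name = "mpc-recovery-signer-${count.index}-testnet"
+project = var.project
+region = var.region
+zone = var.zone
+service_account_email = google_service_account.service_account.email
+docker_image = var.docker_image
+connector_id = var.prod-connector
+jwt_signature_pk_url = var.jwt_signature_pk_url
+
+node_id = count.index
+
+cipher_key_secret_id = var.signer_configs[count.index].cipher_key_secret_id
+sk_share_secret_id = var.signer_configs[count.index].sk_share_secret_id
+
+depends_on = [
+google_secret_manager_secret_iam_member.cipher_key_secret_access,
+google_secret_manager_secret_iam_member.secret_share_secret_access,
+]
+}
+
+module "leader-testnet" {
+source = "../modules/leader"
+
+env = "testnet"
+service_name = "mpc-recovery-leader-testnet"
+project = var.project
+region = var.region
+zone = var.zone
+service_account_email = google_service_account.service_account.email
+docker_image = var.docker_image
+connector_id = var.prod-connector
+jwt_signature_pk_url = var.jwt_signature_pk_url
+opentelemetry_level = var.opentelemetry_level
+otlp_endpoint = var.otlp_endpoint
+
+signer_node_urls = concat(module.signer-testnet.*.node.uri, var.external_signer_node_urls)
+near_rpc = local.workspace.near_rpc
+near_root_account = local.workspace.near_root_account
+account_creator_id = var.account_creator_id
+
+
+account_creator_sk_secret_id = var.account_creator_sk_secret_id
+fast_auth_partners_secret_id = var.fast_auth_partners_secret_id
+
+depends_on = [
+google_secret_manager_secret_iam_member.account_creator_secret_access,
+google_secret_manager_secret_iam_member.fast_auth_partners_secret_access,
+module.signer-testnet
+]
+}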
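Review bot: The new testnet root's backend is `bucket = "mpc-recovery-terraform-prod"` with `prefix = "state/mpc-recovery"` (top of this file, and the bucket again in the new backend-config-prod.tfvars); if the prod root keeps the same backend block, which I can't see here, the two roots share one state file unless they are always applied in different Terraform workspaces, and an apply of one would plan to destroy the other's resources. The copy also carries over the `mainnet` entry in `local.env` and the `mpc-recovery-prod` service-account id, so a testnet apply in a `mainnet` workspace would point the testnet leader at `https://rpc.mainnet.near.org` with root account `near`, and both roots would claim the same `google_service_account` if they target the same `var.project`. I'd give the testnet root its own state path, e.g. `prefix = "state/mpc-recovery-testnet"`, drop the `mainnet` map from `local.env` so the testnet values are the only ones reachable, and rename the account to `account_id = "mpc-recovery-testnet"` so the two environments cannot alias each other's identity.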
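--- a/infra/mpc-recovery-testnet/output.tf
+++ b/infra/mpc-recovery-testnet/output.tf
@@ -0,0 +1,3 @@
+output "leader_node" {
+value = module.leader-testnet.node.uri
+}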