merged changes from develop branch

.github/workflows/terraform-dev.yml

@@ -54,13 +54,17 @@ jobs:
         env:
           GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
 
+      # Build Docker image.
+      - name: Docker Image
+        id: build
+        run: docker build .. -t near/mpc-recovery
+
       # Generates an execution plan for Terraform
       - name: Terraform Plan
         id: plan
         run: |
           terraform plan -input=false -no-color -lock-timeout=1h -var-file terraform-dev.tfvars \
-            -var "credentials=$GOOGLE_CREDENTIALS" \
-            -var docker_image=us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:${{ github.sha }}
+            -var "credentials=$GOOGLE_CREDENTIALS"
         env:
           GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
 
@@ -136,7 +140,6 @@ jobs:
         if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
         run: |
           terraform apply -auto-approve -input=false -lock-timeout=1h -var-file terraform-dev.tfvars \
-            -var "credentials=$GOOGLE_CREDENTIALS" \
-            -var docker_image=us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:${{ github.sha }}
+            -var "credentials=$GOOGLE_CREDENTIALS"
         env:
           GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}

.github/workflows/terraform-feature-env.yml

@@ -42,22 +42,18 @@ jobs:
           GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
           PR_NUMBER: ${{ env.PR_NUMBER }}
 
-      - name: Wait for Docker Image to be Ready
-        uses: lewagon/wait-on-check-action@v1.3.1
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          check-name: 'Build and Push'
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          wait-interval: 10
+      # Build Docker image.
+      - name: Docker Image
+        id: build
+        run: docker build .. -t near/mpc-recovery
 
       # Applies Terraform configuration to the temporary environment
       - name: Terraform Apply
         id: apply
         run: |
           terraform apply -auto-approve -input=false -no-color -lock-timeout=1h -var-file terraform-dev.tfvars \
             -var "credentials=$GOOGLE_CREDENTIALS" \
-            -var "env=dev-$PR_NUMBER" \
-            -var docker_image=us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:${{ github.sha }}
+            -var "env=dev-$PR_NUMBER"
         env:
           GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
           PR_NUMBER: ${{ env.PR_NUMBER }}

infra/modules/leader/main.tf

@@ -55,7 +55,7 @@ resource "google_cloud_run_v2_service" "leader" {
         value_source {
           secret_key_ref {
             secret  = var.account_creator_sk_secret_id
-            version = "1"
+            version = "latest"
           }
         }
       }

infra/modules/signer/main.tf

@@ -56,10 +56,6 @@ resource "google_cloud_run_v2_service" "signer" {
           }
         }
       }
-      env {
-        name  = "MPC_RECOVERY_JWT_SIGNATURE_PK_URL"
-        value = var.jwt_signature_pk_url
-      }
       env {
         name  = "RUST_LOG"
         value = "mpc_recovery=debug"

infra/modules/signer/variables.tf

@@ -44,5 +44,4 @@ variable "service_name" {
 }
 
 variable "jwt_signature_pk_url" {
-  type = string
 }

infra/partner/main.tf

@@ -21,6 +21,14 @@ provider "google" {
   zone    = var.zone
 }
 
+provider "docker" {
+  registry_auth {
+    address  = "${var.region}-docker.pkg.dev"
+    username = "_json_key"
+    password = local.credentials
+  }
+}
+
 /*
  * Create brand new service account with basic IAM
  */
@@ -62,6 +70,31 @@ resource "google_secret_manager_secret_iam_member" "secret_share_secret_access"
   member    = "serviceAccount:${google_service_account.service_account.email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "oidc_providers_secret_access" {
+  secret_id = var.oidc_providers_secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+/*
+ * Create Artifact Registry repo, tag existing Docker image and push to the repo
+ */
+resource "google_artifact_registry_repository" "mpc_recovery" {
+  repository_id = "mpc-recovery-partner-${var.env}"
+  format        = "DOCKER"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" {
+  secret_id = var.sk_share_secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "docker_tag" "mpc_recovery" {
+  source_image = var.docker_image
+  target_image = "${var.region}-docker.pkg.dev/${var.project}/${google_artifact_registry_repository.mpc_recovery.name}/mpc-recovery-${var.env}"
+}
+
 /*
  * Create a partner signer node
  */
@@ -80,14 +113,13 @@ module "signer" {
 
   cipher_key_secret_id = var.cipher_key_secret_id
   sk_share_secret_id   = var.sk_share_secret_id
-
-  # optional
-  connector_id = "partner-vpc-connector-id"
-
   jwt_signature_pk_url = var.jwt_signature_pk_url
+  connector_id         = var.connector_id
 
   depends_on = [
+    docker_registry_image.mpc_recovery,
     google_secret_manager_secret_iam_member.cipher_key_secret_access,
     google_secret_manager_secret_iam_member.secret_share_secret_access,
+    google_secret_manager_secret_iam_member.oidc_providers_secret_access
   ]
 }

infra/partner/template.tfvars

@@ -3,7 +3,7 @@ project = "pagoda-discovery-platform-dev"
 region  = "us-east1"
 zone    = "us-east1-c"
 
-docker_image = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev"
+docker_image = "near/mpc-recovery"
 node_id      = "0"
 
 oidc_providers_secret_id = "mpc-recovery-allowed-oidc-providers-0-dev"

infra/partner/variables.tf

@@ -20,6 +20,10 @@ variable "docker_image" {
 variable "node_id" {
 }
 
+variable "connector_id" {
+  default = null
+}
+
 # Secrets
 variable "cipher_key_secret_id" {
   type = string
@@ -29,6 +33,10 @@ variable "sk_share_secret_id" {
   type = string
 }
 
-variable "jwt_signature_pk_url" {
+variable "oidc_providers_secret_id" {
   type = string
 }
+
+variable "jwt_signature_pk_url" {
+
+}