diff --git a/.github/workflows/terraform-dev.yml b/.github/workflows/terraform-dev.yml
index 1aea0ba54..c7e1a4cef 100644
--- a/.github/workflows/terraform-dev.yml
+++ b/.github/workflows/terraform-dev.yml
@@ -54,13 +54,17 @@ jobs:
 env:
 GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
 
+ # Build Docker image.
+ - name: Docker Image
+ id: build
+ run: docker build .. -t near/mpc-recovery
+
 # Generates an execution plan for Terraform
 - name: Terraform Plan
 id: plan
 run: |
 terraform plan -input=false -no-color -lock-timeout=1h -var-file terraform-dev.tfvars \
- -var "credentials=$GOOGLE_CREDENTIALS" \
- -var docker_image=us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:${{ github.sha }}
+ -var "credentials=$GOOGLE_CREDENTIALS"
 env:
 GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
 
@@ -136,7 +140,6 @@ jobs:
 if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
 run: |
 terraform apply -auto-approve -input=false -lock-timeout=1h -var-file terraform-dev.tfvars \
- -var "credentials=$GOOGLE_CREDENTIALS" \
- -var docker_image=us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:${{ github.sha }}
+ -var "credentials=$GOOGLE_CREDENTIALS"
 env:
 GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
diff --git a/.github/workflows/terraform-feature-env.yml b/.github/workflows/terraform-feature-env.yml
index 35c8c7efa..2e3d4a4dc 100644
--- a/.github/workflows/terraform-feature-env.yml
+++ b/.github/workflows/terraform-feature-env.yml
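Review bot: The new `Docker Image` step builds only the mutable tag `near/mpc-recovery`, while the removed `-var docker_image=...:${{ github.sha }}` on the Terraform Plan step was the one place that tied the deployed image to the commit, so the plan no longer records which image revision will actually be deployed. Presumably the Terraform docker provider now pushes whatever that tag resolves to on the runner, which makes the deploy non-reproducible and hard to trace from a running Cloud Run revision back to a commit; the same applies to the apply hunk below and to both hunks of terraform-feature-env.yml. Consider keeping a commit tag alongside the plain one, `run: docker build .. -t near/mpc-recovery -t near/mpc-recovery:${{ github.sha }}`, and passing it through to Terraform, or at least add a comment on the step such as `# Image identity is resolved by the docker provider at apply time; not pinned to the commit SHA`. Note also that plan and apply each run after a separate build of the same checkout, so whether they see identical image bytes depends on the build being reproducible.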
@@ -42,13 +42,10 @@ jobs:
 GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
 PR_NUMBER: ${{ env.PR_NUMBER }}
 
- - name: Wait for Docker Image to be Ready
- uses: lewagon/wait-on-check-action@v1.3.1
- with:
- ref: ${{ github.event.pull_request.head.sha }}
- check-name: 'Build and Push'
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- wait-interval: 10
+ # Build Docker image.
+ - name: Docker Image
+ id: build
+ run: docker build .. -t near/mpc-recovery
 
 # Applies Terraform configuration to the temporary environment
 - name: Terraform Apply
@@ -56,8 +53,7 @@ jobs:
 run: |
 terraform apply -auto-approve -input=false -no-color -lock-timeout=1h -var-file terraform-dev.tfvars \
 -var "credentials=$GOOGLE_CREDENTIALS" \
- -var "env=dev-$PR_NUMBER" \
- -var docker_image=us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev:${{ github.sha }}
+ -var "env=dev-$PR_NUMBER"
 env:
 GOOGLE_CREDENTIALS: ${{ secrets.GCP_CREDENTIALS_DEV }}
 PR_NUMBER: ${{ env.PR_NUMBER }}
diff --git a/infra/modules/leader/main.tf b/infra/modules/leader/main.tf
index 26093915c..06928252d 100644
--- a/infra/modules/leader/main.tf
+++ b/infra/modules/leader/main.tf
@@ -55,7 +55,7 @@ resource "google_cloud_run_v2_service" "leader" {
 value_source {
 secret_key_ref {
 secret = var.account_creator_sk_secret_id
- version = "1"
+ version = "latest"
 }
 }
 }
diff --git a/infra/modules/signer/main.tf b/infra/modules/signer/main.tf
index 7800b806d..b4f704d1c 100644
--- a/infra/modules/signer/main.tf
+++ b/infra/modules/signer/main.tf
@@ -56,10 +56,6 @@ resource "google_cloud_run_v2_service" "signer" {
 }
 }
 }
- env {
- name = "MPC_RECOVERY_JWT_SIGNATURE_PK_URL"
- value = var.jwt_signature_pk_url
- }
 env {
 name = "RUST_LOG"
 value = "mpc_recovery=debug"
diff --git a/infra/modules/signer/variables.tf b/infra/modules/signer/variables.tf
index e78de7762..4f68e07b0 100644
--- a/infra/modules/signer/variables.tf
+++ b/infra/modules/signer/variables.tf
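Review bot: `version = "latest"` on the `secret_key_ref` for `var.account_creator_sk_secret_id` means any newly added version of that secret is picked up by the next Cloud Run revision with no configuration change and no Terraform diff, so a rotated or mistakenly uploaded key is deployed silently and a rollback to a known version cannot be expressed in code. If following rotation automatically is the intent, say so next to the line, e.g. `# "latest": new secret versions are picked up on the next revision without a Terraform change`; otherwise expose the version as a module input (a string variable defaulting to `"latest"`) so environments that need reproducible deploys can pin it. The enclosing `google_cloud_run_v2_service` resource starts and ends outside the hunk.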
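Review bot: Removing the `MPC_RECOVERY_JWT_SIGNATURE_PK_URL` env block leaves `var.jwt_signature_pk_url` declared but unused in the signer module — the `infra/modules/signer/variables.tf` hunk that follows only drops its `type = string` rather than the variable itself — so callers can keep passing a value that is now silently ignored. If the signer binary no longer reads this setting, delete the declaration in the same change; if it still does, the env entry needs to stay, since I cannot tell from the diff which is the case. The enclosing `google_cloud_run_v2_service` resource starts and ends outside the hunk.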
@@ -44,5 +44,4 @@ variable "service_name" {
 }
 
 variable "jwt_signature_pk_url" {
- type = string
 }
diff --git a/infra/partner/main.tf b/infra/partner/main.tf
index 0cafcc930..ec25be594 100644
--- a/infra/partner/main.tf
+++ b/infra/partner/main.tf
@@ -21,6 +21,14 @@ provider "google" {
 zone = var.zone
 }
 
+provider "docker" {
+ registry_auth {
+ address = "${var.region}-docker.pkg.dev"
+ username = "_json_key"
+ password = local.credentials
+ }
+}
+
 /*
 * Create brand new service account with basic IAM
 */
@@ -62,6 +70,31 @@ resource "google_secret_manager_secret_iam_member" "secret_share_secret_access"
 member = "serviceAccount:${google_service_account.service_account.email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "oidc_providers_secret_access" {
+ secret_id = var.oidc_providers_secret_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+/*
+ * Create Artifact Registry repo, tag existing Docker image and push to the repo
+ */
+resource "google_artifact_registry_repository" "mpc_recovery" {
+ repository_id = "mpc-recovery-partner-${var.env}"
+ format = "DOCKER"
+}
+
+resource "google_secret_manager_secret_iam_member" "secret_share_secret_access" {
+ secret_id = var.sk_share_secret_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${google_service_account.service_account.email}"
+}
+
+resource "docker_tag" "mpc_recovery" {
+ source_image = var.docker_image
+ target_image = "${var.region}-docker.pkg.dev/${var.project}/${google_artifact_registry_repository.mpc_recovery.name}/mpc-recovery-${var.env}"
+}
+
 /*
 * Create a partner signer node
 */
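Review bot: The docker provider's `registry_auth` authenticates with `username = "_json_key"` and `password = local.credentials`, which means the long-lived service-account key itself is used as the registry password on every push; a short-lived token would limit the damage if that value ever surfaces in provider debug logs or a crash dump. Artifact Registry also accepts `username = "oauth2accesstoken"` with an access token from a `google_client_config` data source as the password, reusing whatever credentials the google provider is already configured with. The definition of `local.credentials` is not in this diff, so its holding the raw key JSON is inferred from the `_json_key` username; worth confirming and stating in a comment above the block.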
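Review bot: The hunk adds a second `resource "google_secret_manager_secret_iam_member" "secret_share_secret_access"`, while the hunk header shows a resource with that same address already exists directly above the context lines, so `terraform validate` will reject the file with a duplicate resource error. The added block (the one with `secret_id = var.sk_share_secret_id`, between the Artifact Registry repository and `docker_tag`) is a copy of the existing one and should be dropped. The new comment says the image is tagged and pushed, but only `docker_tag` is added here; if a `docker_registry_image` resource lives elsewhere in the file a pointer to it in the comment would help, otherwise the push step is missing.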
@@ -80,14 +113,13 @@ module "signer" {
 cipher_key_secret_id = var.cipher_key_secret_id
 sk_share_secret_id = var.sk_share_secret_id
 
-
- # optional
- connector_id = "partner-vpc-connector-id"
- jwt_signature_pk_url = var.jwt_signature_pk_url
+ connector_id = var.connector_id
 
 depends_on = [
+ docker_registry_image.mpc_recovery,
 google_secret_manager_secret_iam_member.cipher_key_secret_access,
 google_secret_manager_secret_iam_member.secret_share_secret_access,
+ google_secret_manager_secret_iam_member.oidc_providers_secret_access
 ]
 }
 
diff --git a/infra/partner/template.tfvars b/infra/partner/template.tfvars
index 008e28150..a9a77bf3b 100644
--- a/infra/partner/template.tfvars
+++ b/infra/partner/template.tfvars
@@ -3,7 +3,7 @@ project = "pagoda-discovery-platform-dev"
 region = "us-east1"
 zone = "us-east1-c"
-docker_image = "us-east1-docker.pkg.dev/pagoda-discovery-platform-dev/mpc-recovery/mpc-recovery-dev"
+docker_image = "near/mpc-recovery"
 node_id = "0"
 oidc_providers_secret_id = "mpc-recovery-allowed-oidc-providers-0-dev"
diff --git a/infra/partner/variables.tf b/infra/partner/variables.tf
index 8eaee70c4..668b91ce8 100644
--- a/infra/partner/variables.tf
+++ b/infra/partner/variables.tf
@@ -20,6 +20,10 @@ variable "docker_image" {
 variable "node_id" {
 }
 
+variable "connector_id" {
+ default = null
+}
+
 # Secrets
 variable "cipher_key_secret_id" {
 type = string
@@ -29,6 +33,10 @@ variable "sk_share_secret_id" {
 type = string
 }
 
-variable "jwt_signature_pk_url" {
+variable "oidc_providers_secret_id" {
 type = string
 }
+
+variable "jwt_signature_pk_url" {
+
+}
\ No newline at end of file
diff --git a/infra/variables.tf b/infra/variables.tf
deleted file mode 100644
index 5917e1d50..000000000
--- a/infra/variables.tf
+++ /dev/null
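Review bot: `depends_on` now lists `docker_registry_image.mpc_recovery`, but the resource this diff introduces in the same file is `docker_tag.mpc_recovery`; unless a `docker_registry_image` of that name is defined outside the diff, the plan fails with an undeclared resource reference, and if it is, the `docker_tag` alone does not guarantee the image has been pushed before the signer module reads it. Together with `template.tfvars` switching `docker_image` to the local mutable tag `"near/mpc-recovery"`, the deployed image becomes whatever is present on the operator's machine at apply time, with no digest to audit later. A comment on the module call such as `# Requires the image to be built locally first; the docker provider tags and pushes it on apply` would make the new workflow explicit, and pinning by digest would make it attestable. The `module "signer"` block starts outside the hunk.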
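Review bot: `variable "jwt_signature_pk_url"` is re-added at the end of infra/partner/variables.tf with an empty body, dropping the `type = string` it had and adding no `default`, so it remains a required input even though the `module "signer"` call in this diff stops passing it. Either remove the declaration or give it `default = null` with a comment explaining why it is kept; as written, every partner must still supply a value that nothing consumes. The `\ No newline at end of file` marker also shows the file now lacks a trailing newline.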
@@ -1,65 +0,0 @@
-variable "env" {
-}
-
-variable "project" {
-}
-
-variable "credentials_file" {
- default = null
-}
-
-variable "credentials" {
- default = null
-}
-
-variable "region" {
- default = "us-east1"
-}
-
-variable "zone" {
- default = "us-east1-c"
-}
-
-variable "docker_image" {
- type = string
-}
-
-# Application variables
-variable "account_creator_id" {
- default = "tmp_acount_creator.serhii.testnet"
-}
-
-variable "external_signer_node_urls" {
- type = list(string)
- default = []
-}
-
-# Secrets
-variable "account_creator_sk_secret_id" {
- type = string
-}
-
-variable "fast_auth_partners_secret_id" {
- type = string
-}
-
-variable "signer_configs" {
- type = list(object({
- cipher_key_secret_id = string
- sk_share_secret_id = string
- }))
-}
-
-variable "jwt_signature_pk_url" {
- type = string
-}
-
-variable "otlp_endpoint" {
- type = string
- default = "http://localhost:4317"
-}
-
-variable "opentelemetry_level" {
- type = string
- default = "off"
-}