diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ca43eb0..e3bb888 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -68,7 +68,7 @@ plan_satapi: -var "rpcpass=$RPCPASS" -input=false) -# This plan gets triggered only for miscellaneous branches/tags (i.e. tor and others), so make sure the branch/tag name starts with misc_ +# This plan gets triggered only for miscellaneous branches/tags (i.e. tor, prometheus, etc), so make sure the branch/tag name starts with misc_ plan_misc: stage: plan only: 
@@ -94,55 +94,7 @@ plan_misc: -var "satellite_api_lb_staging=$SATELLITE_API_LB_STAGING" -input=false) -# Tag with staging_v.* to deploy staging (e.g. staging_v0.1.1) -deploy_staging: - stage: deploy - only: - - /^staging_v.*/ - script: - - (cd terraform - && terraform init -input=false - && terraform workspace select staging - && terraform apply - -var "ionosphere_docker=blockstream/satellite-api:$CI_COMMIT_SHA" - -var "ionosphere_sse_docker=blockstream/satellite-api-sse:$CI_COMMIT_SHA" - -var "region=$REGION" - -var "zone=$ZONE" - -var "instance_type=$INSTANCE_TYPE" - -var "host=$HOST_STAGING" - -var "ssl_cert=$SSL_CERT_STAGING" - -var "timeout=$TIMEOUT" - -var "prom_service_acct=$PROM_SA" - -var "opsgenie_key=$OPSGENIE_KEY" - -var "rpcuser=$RPCUSER" - -var "rpcpass=$RPCPASS" - -input=false -auto-approve) - -# Tag with production_v.* to deploy production (e.g. production_v0.1.1) -deploy_production: - stage: deploy - only: - - /^prod_v.*/ - script: - - (cd terraform - && terraform init -input=false - && terraform workspace select prod - && terraform apply - -var "ionosphere_docker=blockstream/satellite-api:$CI_COMMIT_SHA" - -var "ionosphere_sse_docker=blockstream/satellite-api-sse:$CI_COMMIT_SHA" - -var "region=$REGION" - -var "zone=$ZONE" - -var "instance_type=$INSTANCE_TYPE" - -var "host=$HOST" - -var "ssl_cert=$SSL_CERT" - -var "timeout=$TIMEOUT" - -var "prom_service_acct=$PROM_SA" - -var "opsgenie_key=$OPSGENIE_KEY" - -var "rpcuser=$RPCUSER" - -var "rpcpass=$RPCPASS" - -input=false -auto-approve) - -# This deploys only tags/branches starting with misc_v.* (i.e. tor and others) +# This deploys only tags/branches starting with misc_v.* (i.e. tor, prometheus, etc) deploy_misc: stage: deploy only: 
@@ -166,6 +118,103 @@ deploy_misc: -var "satellite_api_lb_staging=$SATELLITE_API_LB_STAGING" -input=false -auto-approve) + +# Tag with staging_v.* to deploy mainnet staging (e.g. staging_v0.1.1) +deploy_staging: + stage: deploy + only: + - /^staging_v.*/ + script: + - (cd terraform + && terraform init -input=false + && terraform workspace select staging + && terraform apply + -var "ionosphere_docker=blockstream/satellite-api:$CI_COMMIT_SHA" + -var "ionosphere_sse_docker=blockstream/satellite-api-sse:$CI_COMMIT_SHA" + -var "region=$REGION" + -var "zone=$ZONE" + -var "instance_type=$INSTANCE_TYPE" + -var "host=$HOST_STAGING" + -var "ssl_cert=$SSL_CERT_STAGING" + -var "timeout=$TIMEOUT" + -var "prom_service_acct=$PROM_SA" + -var "opsgenie_key=$OPSGENIE_KEY" + -var "rpcuser=$RPCUSER" + -var "rpcpass=$RPCPASS" + -input=false -auto-approve) + +# Tag with production_v.* to deploy mainnet production (e.g. prod_v0.1.1) +deploy_production: + stage: deploy + only: + - /^prod_v.*/ + script: + - (cd terraform + && terraform init -input=false + && terraform workspace select prod + && terraform apply + -var "ionosphere_docker=blockstream/satellite-api:$CI_COMMIT_SHA" + -var "ionosphere_sse_docker=blockstream/satellite-api-sse:$CI_COMMIT_SHA" + -var "region=$REGION" + -var "zone=$ZONE" + -var "instance_type=$INSTANCE_TYPE" + -var "host=$HOST" + -var "ssl_cert=$SSL_CERT" + -var "timeout=$TIMEOUT" + -var "prom_service_acct=$PROM_SA" + -var "opsgenie_key=$OPSGENIE_KEY" + -var "rpcuser=$RPCUSER" + -var "rpcpass=$RPCPASS" + -input=false -auto-approve) + +# Tag with staging_v.* to deploy testnet staging (e.g. 
testnet_staging_v0.1.1) +deploy_staging_testnet: + stage: deploy + only: + - /^testnet_staging_v.*/ + script: + - (cd terraform + && terraform init -input=false + && terraform workspace select testnet-staging + && terraform apply + -var "ionosphere_docker=blockstream/satellite-api:$CI_COMMIT_SHA" + -var "ionosphere_sse_docker=blockstream/satellite-api-sse:$CI_COMMIT_SHA" + -var "region=$REGION" + -var "zone=$ZONE" + -var "instance_type=$INSTANCE_TYPE" + -var "host=$HOST_STAGING" + -var "ssl_cert=$SSL_CERT_STAGING" + -var "timeout=$TIMEOUT" + -var "prom_service_acct=$PROM_SA" + -var "opsgenie_key=$OPSGENIE_KEY" + -var "rpcuser=$RPCUSER" + -var "rpcpass=$RPCPASS" + -input=false -auto-approve) + +# Tag with production_v.* to deploy testnet production (e.g. testnet_prod_v0.1.1) +deploy_production_testnet: + stage: deploy + only: + - /^testnet_prod_v.*/ + script: + - (cd terraform + && terraform init -input=false + && terraform workspace select testnet-prod + && terraform apply + -var "ionosphere_docker=blockstream/satellite-api:$CI_COMMIT_SHA" + -var "ionosphere_sse_docker=blockstream/satellite-api-sse:$CI_COMMIT_SHA" + -var "region=$REGION" + -var "zone=$ZONE" + -var "instance_type=$INSTANCE_TYPE" + -var "host=$HOST" + -var "ssl_cert=$SSL_CERT" + -var "timeout=$TIMEOUT" + -var "prom_service_acct=$PROM_SA" + -var "opsgenie_key=$OPSGENIE_KEY" + -var "rpcuser=$RPCUSER" + -var "rpcpass=$RPCPASS" + -input=false -auto-approve) + # Pushing to this branch destroys the staging infrastructure cleanup_staging: stage: deploy @@ -180,4 +229,8 @@ cleanup_staging: terraform destroy -target module.blc.google_compute_instance_group_manager.blc -auto-approve) - + - (cd terraform && terraform init -input=false && + terraform workspace select testnet-staging && + terraform destroy + -target module.blc.google_compute_instance_group_manager.blc + -auto-approve) diff --git a/terraform/data.tf b/terraform/data.tf index 6fc183a..89eba47 100644 --- a/terraform/data.tf +++ b/terraform/data.tf 
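Review bot: The comments above the two new testnet jobs are copied from the mainnet jobs and contradict their `only:` patterns: `# Tag with staging_v.* to deploy testnet staging` sits over `- /^testnet_staging_v.*/` and `# Tag with production_v.* to deploy testnet production` over `- /^testnet_prod_v.*/`, so they should read `# Tag with testnet_staging_v.* to deploy testnet staging (e.g. testnet_staging_v0.1.1)` and `# Tag with testnet_prod_v.* to deploy testnet production (e.g. testnet_prod_v0.1.1)` (the mainnet production comment has the same `production_v.*` vs `/^prod_v.*/` mismatch). These tag-name regexes are the only gate in front of a `terraform apply ... -auto-approve` against prod that carries `$RPCUSER`/`$RPCPASS`, so `prod_v*` and `testnet_prod_v*` need to be protected tag patterns in the project settings, which this file cannot express and which is worth confirming. The four jobs differ only in the `only:` pattern, the workspace and the `host`/`ssl_cert` pair, so a hidden `.deploy` template used via `extends:` would keep the long `-var` lists from drifting apart.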
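Review bot: The added `terraform destroy -target module.blc.google_compute_instance_group_manager.blc` for the `testnet-staging` workspace points at a module address that no longer exists after this commit, because terraform/main.tf renames `module "blc"` to `module "blc-testnet"` and adds `module "blc-mainnet"`; the retained first command has the same problem for the `staging` workspace. The new line should be `-target module.blc-testnet.google_compute_instance_group_manager.blc` and the existing one `-target module.blc-mainnet.google_compute_instance_group_manager.blc`. Whether Terraform errors out or silently plans nothing for a `-target` that matches no resource depends on the version in use, which is not pinned here, so a no-op cleanup could go unnoticed.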
@@ -1,4 +1,4 @@ -data "terraform_remote_state" "blc-prod" { +data "terraform_remote_state" "blc-mainnet" { backend = "gcs" config { @@ -9,3 +9,15 @@ data "terraform_remote_state" "blc-prod" { workspace = "prod" } + +data "terraform_remote_state" "blc-testnet" { + backend = "gcs" + + config { + bucket = "tf-state-satellite-api" + prefix = "terraform/state" + project = "satellite-api" + } + + workspace = "testnet-prod" +} diff --git a/terraform/main.tf b/terraform/main.tf index 3176b81..1ccaf66 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -16,7 +16,38 @@ provider "google-beta" { project = "${var.project}" } -module "blc" { +module "blc-mainnet" { + source = "modules/blc" + + project = "${var.project}" + name = "satellite-api" + network = "default" + bitcoin_docker = "${var.bitcoin_docker}" + lightning_docker = "${var.lightning_docker}" + charge_docker = "${var.charge_docker}" + ionosphere_docker = "${var.ionosphere_docker}" + ionosphere_sse_docker = "${var.ionosphere_sse_docker}" + node_exporter_docker = "${var.node_exporter_docker}" + net = "mainnet" + env = "${local.env}" + + create_resources = "${local.create_mainnet}" + + # CI vars + region = "${var.region}" + zone = "${var.zone}" + instance_type = "${var.instance_type[0]}" + host = ["${var.host}"] + space_host = "${var.space_host}" + ssl_cert = ["${var.ssl_cert}"] + timeout = "${var.timeout}" + prom_service_acct = "${var.prom_service_acct}" + opsgenie_key = "${var.opsgenie_key}" + rpcuser = "${var.rpcuser}" + rpcpass = "${var.rpcpass}" +} + +module "blc-testnet" { source = "modules/blc" project = "${var.project}" @@ -31,7 +62,7 @@ module "blc" { net = "testnet" env = "${local.env}" - create_resources = "${local.create_satapi}" + create_resources = "${local.create_testnet}" # CI vars region = "${var.region}" diff --git a/terraform/modules/blc/cloud-init/blc.yaml b/terraform/modules/blc/cloud-init/blc.yaml index 667c812..7048b72 100644 --- a/terraform/modules/blc/cloud-init/blc.yaml 
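Review bot: Renaming `module "blc"` (which keeps `net = "testnet"`) to `module "blc-testnet"` and switching its `create_resources` to `local.create_testnet` means that on the existing `prod` and `staging` workspaces, where variables.tf in this commit sets `create_testnet = 0`, the next apply destroys the currently running testnet instance group, data disk and service account and builds a mainnet stack in their place, while the testnet stack has to be re-created from scratch in the new `testnet-prod`/`testnet-staging` workspaces. That cut-over order is not mentioned anywhere in the diff; a comment above the module blocks, or in the deploy jobs, stating that `testnet_prod_v*` must be applied before `prod_v*` to avoid a testnet outage would help. The tor URL map in network-tor.tf reads both `blc_backend_service_mainnet` and `blc_backend_service_testnet` through the remote-state data sources added here, so it cannot be applied until both workspaces exist.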
+++ b/terraform/modules/blc/cloud-init/blc.yaml @@ -15,7 +15,6 @@ write_files: content: | rpcuser=${rpcuser} rpcpassword=${rpcpass} - rpcport=${rpcport} txindex=1 dbcache=4000 @@ -23,44 +22,43 @@ write_files: permissions: 0644 owner: root content: | - alias=ionosphere + alias=ionosphere-${net} bitcoin-rpcuser=${rpcuser} bitcoin-rpcpassword=${rpcpass} - bitcoin-rpcport=${rpcport} announce-addr=${announce_addr} bind-addr=0.0.0.0 - - path: /home/bs/default.conf + - path: /home/bs/bscom.conf permissions: 0644 owner: root content: | - log_format withtime '$http_x_forwarded_for - $remote_addr - $remote_user [$time_local] ' + log_format withtimebs '$http_x_forwarded_for - $remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" ' 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; server { + access_log /var/log/nginx/access-bs.log withtimebs; + error_log /var/log/nginx/error-bs.log; + root /usr/share/nginx/html/; - access_log /var/log/nginx/access.log withtime; - error_log /var/log/nginx/error.log; - - server_name ${host} ${space_host}; - listen 80 default_server; + server_name ${host}; + listen 80; server_tokens off; set_real_ip_from 130.211.0.0/22; set_real_ip_from 35.191.0.0/16; + set_real_ip_from 10.0.0.0/8; real_ip_recursive on; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { - root /usr/share/nginx/html/; - index index.html; + rewrite ^ /index.html break; } - # Proxy to main ionosphere API - location /api { + # Proxy to Satellite API + location ${url_path}/api { add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE' always; add_header 'Access-Control-Allow-Headers' 'X-Auth-Token,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always; 
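Review bot: `set_real_ip_from 10.0.0.0/8;` is added next to the two Google load-balancer ranges, and with `real_ip_recursive on` that lets any host in the whole private /8 rewrite the client address nginx logs and forwards upstream by setting the forwarded header; if a specific internal proxy needs this, list its subnet rather than the full range, with a comment naming it. No `real_ip_header` directive is visible in this hunk, so unless it is set elsewhere nginx reads the default `X-Real-IP` rather than the `X-Forwarded-For` that `proxy_set_header` builds here; confirm which header the upstream proxy sets and add `real_ip_header X-Forwarded-For;` if that is the intended one. Dropping `rpcport`/`bitcoin-rpcport` presumably falls back to the per-network defaults now that `-testnet`/`--testnet` select the network, which is fine as long as nothing else relied on the explicit value.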
@@ -71,7 +69,7 @@ write_files: return 200; } - if ($request_uri ~* "^/api/?$") + if ($request_uri ~* "^${url_path}(/api)?/?$") { return 301 https://$host; } @@ -79,8 +77,8 @@ write_files: proxy_pass http://0.0.0.0:9292/; } - # Proxy SSE container - location /api/subscribe/ { + # Proxy to SSE container + location ${url_path}/api/subscribe/ { chunked_transfer_encoding off; proxy_buffering off; proxy_request_buffering off; 
@@ -91,6 +89,68 @@ write_files: } } + - path: /home/bs/space.conf + permissions: 0644 + owner: root + content: | + log_format withtime '$http_x_forwarded_for - $remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + 'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'; + + server { + access_log /var/log/nginx/access.log withtime; + error_log /var/log/nginx/error.log; + root /usr/share/nginx/html/; + + server_name ${space_host}; + listen 80 default_server; + server_tokens off; + + set_real_ip_from 130.211.0.0/22; + set_real_ip_from 35.191.0.0/16; + set_real_ip_from 10.0.0.0/8; + real_ip_recursive on; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # Proxy to Satellite API + location / { + rewrite ^ /index.html break; + } + + location ${url_path}/ { + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE' always; + add_header 'Access-Control-Allow-Headers' 'X-Auth-Token,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always; + add_header 'X-XSS-Protection' '1; mode=block' always; + + if ($request_uri ~* "^${url_path}/?$") + { + return 301 https://$host; + } + + if ($request_method = 'OPTIONS') + { + return 200; + } + + proxy_pass http://0.0.0.0:9292/; + } + + # Proxy to SSE container + location ${url_path}/subscribe/ { + chunked_transfer_encoding off; + proxy_buffering off; + proxy_request_buffering off; + proxy_cache off; + proxy_http_version 1.1; + + proxy_pass http://0.0.0.0:4500/stream?channels=; + } + } + + - path: /home/bs/index.html permissions: 0644 owner: root 
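Review bot: For the mainnet instance `url_path` is the empty string (set in terraform/modules/blc/data.tf in this same diff), so the new space.conf declares `location / { rewrite ^ /index.html break; }` followed by `location ${url_path}/ { ... }`, which expand to the same prefix, and nginx rejects a configuration with a duplicate `location "/"` at startup, so the nginx container on the mainnet host would not come up. Give the API block a non-empty prefix on both nets or drop the catch-all `location /` from this vhost; the comment `# Proxy to Satellite API` also sits above the index.html rewrite rather than the proxy block. Separately, `return 301 https://$host;` reflects the client-supplied `Host` header into the redirect, and because this vhost is the `default_server` it receives requests for arbitrary hosts; `return 301 https://${space_host};` pins the target to the configured name instead.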
@@ -184,7 +244,8 @@ write_files: --network=host \ --pid=host \ --name=nginx \ - -v /home/bs/default.conf:/etc/nginx/conf.d/default.conf:ro \ + -v /home/bs/bscom.conf:/etc/nginx/conf.d/bscom.conf:ro \ + -v /home/bs/space.conf:/etc/nginx/conf.d/space.conf:ro \ -v /home/bs/index.html:/usr/share/nginx/html/index.html:ro \ "nginx:latest" ExecStop=/usr/bin/docker stop nginx @@ -239,12 +300,11 @@ write_files: --pid=host \ --name=bitcoin \ -v /home/bs/bitcoin.conf:/root/.bitcoin/bitcoin.conf:ro \ - -v /mnt/disks/data/testnet:/root/.bitcoin:rw \ + -v /mnt/disks/data/${net}:/root/.bitcoin:rw \ "${bitcoin_docker}" ${bitcoin_cmd} ExecStop=/usr/bin/docker exec bitcoin bitcoin-cli stop - ExecStop=/usr/bin/sleep 10 - ExecStop=/usr/bin/docker stop bitcoin - ExecStopPost=/usr/bin/docker rm bitcoin + ExecStopPost=/usr/bin/sleep 5 + ExecStopPost=/usr/bin/docker rm -f bitcoin - path: /etc/systemd/system/lightning.service permissions: 0644 @@ -269,9 +329,8 @@ write_files: -v /mnt/disks/data/lightning:/root/.lightning:rw \ "${lightning_docker}" ${lightning_cmd} ExecStop=/usr/bin/docker exec lightning lightning-cli stop - ExecStop=/usr/bin/sleep 10 - ExecStop=/usr/bin/docker stop lightning - ExecStopPost=/usr/bin/docker rm lightning + ExecStopPost=/usr/bin/sleep 5 + ExecStopPost=/usr/bin/docker rm -f bitcoin ExecStopPost=/sbin/iptables -D INPUT -p tcp --dport ${lightning_port} -j ACCEPT - path: /etc/systemd/system/redis.service diff --git a/terraform/modules/blc/data.tf b/terraform/modules/blc/data.tf index a9cc9e5..0b6788b 100644 --- a/terraform/modules/blc/data.tf +++ b/terraform/modules/blc/data.tf @@ -3,7 +3,7 @@ data "google_compute_network" "blc" { } data "google_compute_image" "blc" { - family = "satapi-data-${var.env}" + family = "satapi-data-${var.net}-${var.env}" project = "${var.project}" count = "${var.create_resources}" } 
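Review bot: The new `ExecStopPost=/usr/bin/docker rm -f bitcoin` in lightning.service names the wrong container: stopping the lightning unit would SIGKILL the bitcoin container mid-run and leave the `lightning` container in place, so the next `docker run --name=lightning` fails on the name clash; it should read `ExecStopPost=/usr/bin/docker rm -f lightning`. In both units, replacing `sleep 10` + `docker stop` with `sleep 5` + `docker rm -f` also shortens the graceful window before a hard kill, and a bitcoind shutdown with `dbcache=4000` can take well over five seconds to flush, which is how chainstate and txindex get corrupted. `ExecStop=/usr/bin/docker wait bitcoin` (with a generous `TimeoutStopSec=` on the unit) after the `bitcoin-cli stop` waits for the actual exit instead of a guessed delay.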
@@ -15,7 +15,8 @@ data "template_file" "blc" { vars { rpcuser = "${var.rpcuser}" rpcpass = "${var.rpcpass}" - rpcport = "${var.net == "testnet" ? "18332" : "8332"}" + net = "${var.net}" + url_path = "${var.net == "testnet" ? "/testnet" : ""}" bitcoin_cmd = "bitcoind ${var.net == "testnet" ? "-testnet" : ""} -printtoconsole" lightning_cmd = "lightningd ${var.net == "testnet" ? "--testnet" : "--mainnet"} --conf=/root/.lightning/lightning.conf --plugin-dir=/usr/local/bin/plugins" charge_cmd = "charged -d /data/charge.db -l /root/.lightning" diff --git a/terraform/modules/blc/firewall.tf b/terraform/modules/blc/firewall.tf new file mode 100644 index 0000000..f1be0dc --- /dev/null +++ b/terraform/modules/blc/firewall.tf @@ -0,0 +1,33 @@ +resource "google_compute_firewall" "blc" { + name = "${var.name}-${var.net}-fw-rule-${var.env}" + network = "${data.google_compute_network.blc.self_link}" + count = "${var.create_resources}" + + allow { + protocol = "tcp" + ports = ["18333", "8333", "9735", "80"] + } + + target_service_accounts = [ + "${google_service_account.blc.email}", + ] +} + +resource "google_compute_firewall" "blc-prom" { + name = "${var.name}-${var.net}-prometheus-access-${var.env}" + network = "${data.google_compute_network.blc.self_link}" + count = "${var.create_resources}" + + allow { + protocol = "tcp" + ports = ["9100"] + } + + source_service_accounts = [ + "${var.prom_service_acct}", + ] + + target_service_accounts = [ + "${google_service_account.blc.email}", + ] +} diff --git a/terraform/modules/blc/iam.tf b/terraform/modules/blc/iam.tf index 0868330..bda2b49 100644 --- a/terraform/modules/blc/iam.tf +++ b/terraform/modules/blc/iam.tf @@ -1,6 +1,6 @@ resource "google_service_account" "blc" { - account_id = "${var.name}-${var.env}" - display_name = "${var.name}-${var.env}" + account_id = "${var.name}-${var.net}-${var.env}" + display_name = "${var.name}-${var.net}-${var.env}" count = "${var.create_resources}" } 
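Review bot: Neither rule in the new firewall.tf sets `source_ranges`, and a GCP ingress rule with no source restriction defaults to `0.0.0.0/0`, so `google_compute_firewall.blc` opens tcp/80 on the instances' external addresses to the whole internet alongside the P2P ports; nginx is then reachable without the HTTPS load balancer, its certificate or the URL map host rules. Restrict port 80 to the load-balancer proxy and health-check ranges that blc.yaml already trusts in `set_real_ip_from`, and leave `9735` and the bitcoin P2P port world-reachable only if that is intended for peers. The rule also opens both `18333` and `8333` on every instance although each module instance serves one network; the selection data.tf already makes for `url_path` can drive the port list too.
```hcl
resource "google_compute_firewall" "blc" {
  # … unchanged: name, network, count …

  allow {
    protocol = "tcp"
    ports    = ["${var.net == "testnet" ? "18333" : "8333"}", "9735"]
  }

  # … unchanged: target_service_accounts …
}

# HTTP only from the Google load-balancer proxy and health-check ranges
resource "google_compute_firewall" "blc-http" {
  name    = "${var.name}-${var.net}-lb-http-${var.env}"
  network = "${data.google_compute_network.blc.self_link}"
  count   = "${var.create_resources}"

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]

  target_service_accounts = [
    "${google_service_account.blc.email}",
  ]
}
```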
diff --git a/terraform/modules/blc/lb.tf b/terraform/modules/blc/lb.tf deleted file mode 100644 index 02423b3..0000000 --- a/terraform/modules/blc/lb.tf +++ /dev/null 
@@ -1,75 +0,0 @@ -# Forwarding rules -resource "google_compute_global_forwarding_rule" "rule-https" { - name = "${var.name}-https-forwarding-rule-${var.env}" - target = "${google_compute_target_https_proxy.https-proxy.self_link}" - port_range = "443" - ip_protocol = "TCP" - ip_address = "${google_compute_global_address.lb.address}" - count = "${var.create_resources}" -} - -resource "google_compute_global_forwarding_rule" "rule-http" { - name = "${var.name}-http-forwarding-rule-${var.env}" - target = "${google_compute_target_http_proxy.http-proxy.self_link}" - port_range = "80" - ip_protocol = "TCP" - ip_address = "${google_compute_global_address.lb.address}" - count = "${var.create_resources}" -} - -# Target proxies -resource "google_compute_target_http_proxy" "http-proxy" { - name = "${var.name}-http-proxy-${var.env}" - url_map = "${google_compute_url_map.http.self_link}" - count = "${var.create_resources}" -} - -resource "google_compute_target_https_proxy" "https-proxy" { - name = "${var.name}-https-proxy-${var.env}" - url_map = "${google_compute_url_map.https.self_link}" - ssl_certificates = ["${var.ssl_cert}"] - count = "${var.create_resources}" -} - -# URL maps -resource "google_compute_url_map" "http" { - name = "${var.name}-http-urlmap-${var.env}" - default_service = "${google_compute_backend_service.blc.self_link}" - count = "${var.create_resources}" - - host_rule { - hosts = ["${var.host}"] - path_matcher = "allpaths" - } - - path_matcher { - name = "allpaths" - default_service = "${google_compute_backend_service.blc.self_link}" - - path_rule { - paths = ["/*"] - service = "${google_compute_backend_service.blc.self_link}" - } - } -} - -resource "google_compute_url_map" "https" { - name = "${var.name}-https-urlmap-${var.env}" - default_service = "${google_compute_backend_service.blc.self_link}" - count = "${var.create_resources}" - - host_rule { - hosts = ["${var.host}"] - path_matcher = "allpaths" - } - - path_matcher { - name = "allpaths" - 
default_service = "${google_compute_backend_service.blc.self_link}" - - path_rule { - paths = ["/*"] - service = "${google_compute_backend_service.blc.self_link}" - } - } -} diff --git a/terraform/modules/blc/main.tf b/terraform/modules/blc/main.tf index f4001a3..bccee03 100644 --- a/terraform/modules/blc/main.tf +++ b/terraform/modules/blc/main.tf @@ -1,10 +1,10 @@ # Instance group resource "google_compute_instance_group_manager" "blc" { - name = "${var.name}-ig-${var.env}" + name = "${var.name}-ig-${var.net}-${var.env}" count = "${var.create_resources}" provider = "google-beta" - base_instance_name = "${var.name}-ig-${var.env}-${count.index}" + base_instance_name = "${var.name}-ig-${var.net}-${var.env}" zone = "${var.zone}" target_size = 1 @@ -23,7 +23,7 @@ resource "google_compute_instance_group_manager" "blc" { } resource "google_compute_disk" "blc" { - name = "${var.name}-data-${var.env}" + name = "${var.name}-data-${var.net}-${var.env}" type = "pd-standard" image = "${data.google_compute_image.blc.self_link}" zone = "${var.zone}" @@ -37,8 +37,8 @@ resource "google_compute_disk" "blc" { # Instance template resource "google_compute_instance_template" "blc" { - name_prefix = "${var.name}-${var.env}-template-" - description = "This template is used to create ${var.name} ${var.env} instances." + name_prefix = "${var.name}-${var.net}-${var.env}-tmpl-" + description = "This template is used to create ${var.name} ${var.net} ${var.env} instances." machine_type = "${var.instance_type}" region = "${var.region}" count = "${var.create_resources}" @@ -46,6 +46,7 @@ resource "google_compute_instance_template" "blc" { labels { type = "lightning-app" name = "${var.name}" + net = "${var.net}" } scheduling { diff --git a/terraform/modules/blc/network.tf b/terraform/modules/blc/network.tf index eeac6fa..d142cb3 100644 --- a/terraform/modules/blc/network.tf +++ b/terraform/modules/blc/network.tf 
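Review bot: Adding `${var.net}` to the `name` of `google_compute_disk.blc` forces a replacement, since a disk name cannot be changed in place, and the replacement is cloned from the image family `satapi-data-${var.net}-${var.env}`, so the existing disk with the synced chain is destroyed and whatever it holds beyond the image is lost; the image families for both nets also have to exist before the first apply or the data source in modules/blc/data.tf fails. `terraform state mv` does not help here because the name itself changes, so either keep the old name for the testnet case or accept the re-clone and sequence the cut-over accordingly, ideally with a comment on the resource saying which. `base_instance_name` dropping the `-${count.index}` suffix is harmless with `count` of at most one.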
@@ -1,55 +1,13 @@ -# IP addresses resource "google_compute_address" "blc" { - name = "${var.name}-external-ip-${var.env}-${count.index}" + name = "${var.name}-${var.net}-external-ip-${var.env}-${count.index}" project = "${var.project}" region = "${var.region}" count = "${var.create_resources}" } -resource "google_compute_global_address" "lb" { - name = "${var.name}-client-lb-${var.env}" - project = "${var.project}" - count = "${var.create_resources}" -} - -# FW rules -resource "google_compute_firewall" "blc" { - name = "${var.name}-fw-rule-${var.env}" - network = "${data.google_compute_network.blc.self_link}" - count = "${var.create_resources}" - - allow { - protocol = "tcp" - ports = ["18333", "9735", "80"] - } - - target_service_accounts = [ - "${google_service_account.blc.email}", - ] -} - -resource "google_compute_firewall" "blc-prom" { - name = "${var.name}-prometheus-access-${var.env}" - network = "${data.google_compute_network.blc.self_link}" - count = "${var.create_resources}" - - allow { - protocol = "tcp" - ports = ["9100"] - } - - source_service_accounts = [ - "${var.prom_service_acct}", - ] - - target_service_accounts = [ - "${google_service_account.blc.email}", - ] -} - # Backend service resource "google_compute_backend_service" "blc" { - name = "${var.name}-backend-service-${var.env}" + name = "${var.name}-${var.net}-backend-service-${var.env}" description = "Satellite API" protocol = "HTTP" port_name = "http" @@ -65,7 +23,7 @@ resource "google_compute_backend_service" "blc" { # Health checks resource "google_compute_health_check" "blc" { - name = "${var.name}-health-check-${var.env}" + name = "${var.name}-${var.net}-health-check-${var.env}" count = "${var.create_resources}" check_interval_sec = 5 diff --git a/terraform/modules/tor/cloud-init/tor.yaml b/terraform/modules/tor/cloud-init/tor.yaml index 1d3938d..4082b91 100644 --- a/terraform/modules/tor/cloud-init/tor.yaml +++ b/terraform/modules/tor/cloud-init/tor.yaml 
@@ -24,14 +24,13 @@ write_files: ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck ControlSocketsGroupWritable 1 - SocksPort unix:/var/run/tor/socks WorldWritable - SocksPort 9050 + SocksPort 0 CookieAuthentication 1 CookieAuthFileGroupReadable 1 CookieAuthFile /var/run/tor/control.authcookie - Log [handshake]debug [*]notice stderr + Log [*]notice stderr HiddenServiceDir /home/tor/tor/hidden_service_v3/ HiddenServiceVersion 3 diff --git a/terraform/network-tor.tf b/terraform/network-tor.tf index c2d4eb4..e114f2b 100644 --- a/terraform/network-tor.tf +++ b/terraform/network-tor.tf @@ -49,18 +49,23 @@ resource "google_compute_url_map" "tor-proxy" { path_matcher { name = "allpaths" - default_service = "${data.terraform_remote_state.blc-prod.blc_backend_service}" + default_service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" path_rule { - paths = ["/*"] - service = "${data.terraform_remote_state.blc-prod.blc_backend_service}" + paths = ["/"] + service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" + } + + path_rule { + paths = ["/testnet"] + service = "${data.terraform_remote_state.blc-testnet.blc_backend_service_testnet}" } } test { - service = "${data.terraform_remote_state.blc-prod.blc_backend_service}" + service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" host = "${var.onion_host}" - path = "/api/queue.html" + path = "/queue.html" } test { diff --git a/terraform/network.tf b/terraform/network.tf new file mode 100644 index 0000000..f540e5a --- /dev/null +++ b/terraform/network.tf 
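Review bot: The new path rule for the testnet backend in the tor URL map lists only `paths = ["/testnet"]`, and GCP path rules match a literal path or a `/*` prefix, so `/testnet/api/...` requests arriving through the onion proxy miss this rule and fall through to `default_service`, the mainnet backend, whose nginx has no `/testnet/api` location and would most likely answer with index.html. Use the same set as terraform/network.tf in this commit, `paths = ["/testnet", "/testnet/*"]`. The mainnet rule with `paths = ["/"]` is redundant with `default_service` and can go.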
@@ -0,0 +1,91 @@ +# IP address +resource "google_compute_global_address" "lb" { + name = "satellite-api-client-lb-${local.env}" + project = "${var.project}" + count = "${local.create_mainnet}" +} + +# Forwarding rules +resource "google_compute_global_forwarding_rule" "rule-https" { + name = "satellite-api-https-forwarding-rule-${local.env}" + target = "${google_compute_target_https_proxy.https-proxy.self_link}" + port_range = "443" + ip_protocol = "TCP" + ip_address = "${google_compute_global_address.lb.address}" + count = "${local.create_mainnet}" +} + +resource "google_compute_global_forwarding_rule" "rule-http" { + name = "satellite-api-http-forwarding-rule-${local.env}" + target = "${google_compute_target_http_proxy.http-proxy.self_link}" + port_range = "80" + ip_protocol = "TCP" + ip_address = "${google_compute_global_address.lb.address}" + count = "${local.create_mainnet}" +} + +# Target proxies +resource "google_compute_target_http_proxy" "http-proxy" { + name = "satellite-api-http-proxy-${local.env}" + url_map = "${google_compute_url_map.http.self_link}" + count = "${local.create_mainnet}" +} + +resource "google_compute_target_https_proxy" "https-proxy" { + name = "satellite-api-https-proxy-${local.env}" + url_map = "${google_compute_url_map.https.self_link}" + ssl_certificates = ["${var.ssl_cert}"] + count = "${local.create_mainnet}" +} + +# URL maps +resource "google_compute_url_map" "http" { + name = "satellite-api-http-urlmap-${local.env}" + default_service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" + count = "${local.create_mainnet}" + + host_rule { + hosts = ["${var.host}"] + path_matcher = "allpaths" + } + + path_matcher { + name = "allpaths" + default_service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" + + path_rule { + paths = ["/*"] + service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" + } + + path_rule { + paths = ["/testnet", "/testnet/*", "/api", 
"/api/*"] + service = "${data.terraform_remote_state.blc-testnet.blc_backend_service_testnet}" + } + } +} + +resource "google_compute_url_map" "https" { + name = "satellite-api-https-urlmap-${local.env}" + default_service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" + count = "${local.create_mainnet}" + + host_rule { + hosts = ["${var.host}"] + path_matcher = "allpaths" + } + path_matcher { + name = "allpaths" + default_service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" + + path_rule { + paths = ["/*"] + service = "${data.terraform_remote_state.blc-mainnet.blc_backend_service_mainnet}" + } + + path_rule { + paths = ["/testnet", "/testnet/*", "/api", "/api/*"] + service = "${data.terraform_remote_state.blc-testnet.blc_backend_service_testnet}" + } + } +} diff --git a/terraform/outputs.tf b/terraform/outputs.tf index effb241..3c49e5a 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -1,5 +1,10 @@ -output "blc_backend_service" { - value = "${module.blc.backend_service}" +# Production only (tor) +output "blc_backend_service_testnet" { + value = "${module.blc-testnet.backend_service}" +} + +output "blc_backend_service_mainnet" { + value = "${module.blc-mainnet.backend_service}" } output "prom_svc_acct" { diff --git a/terraform/variables.tf b/terraform/variables.tf index 94a0aa2..c96b0a9 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf 
@@ -1,38 +1,45 @@ locals { context_variables = { "staging" = { - env = "staging" - create_satapi = 1 - create_misc = 0 - create_builders = 0 + env = "staging" + create_mainnet = 1 + create_testnet = 0 + create_misc = 0 } "prod" = { - env = "prod" - create_satapi = 1 - create_misc = 0 - create_builders = 0 + env = "prod" + create_mainnet = 1 + create_testnet = 0 + create_misc = 0 + } + + "testnet-staging" = { + env = "staging" + create_mainnet = 0 + create_testnet = 1 + create_misc = 0 + } + + "testnet-prod" = { + env = "prod" + create_mainnet = 0 + create_testnet = 1 + create_misc = 0 } "misc" = { - env = "" - create_satapi = 0 - create_misc = 1 - create_builders = 0 - } - - "builders" = { - env = "" - create_satapi = 0 - create_misc = 0 - create_builders = 1 + env = "" + create_mainnet = 0 + create_testnet = 0 + create_misc = 1 } } - env = "${lookup(local.context_variables[terraform.workspace], "env")}" - create_satapi = "${lookup(local.context_variables[terraform.workspace], "create_satapi")}" - create_misc = "${lookup(local.context_variables[terraform.workspace], "create_misc")}" - create_builders = "${lookup(local.context_variables[terraform.workspace], "create_builders")}" + env = "${lookup(local.context_variables[terraform.workspace], "env")}" + create_mainnet = "${lookup(local.context_variables[terraform.workspace], "create_mainnet")}" + create_testnet = "${lookup(local.context_variables[terraform.workspace], "create_testnet")}" + create_misc = "${lookup(local.context_variables[terraform.workspace], "create_misc")}" } variable "project" {