update gcs and switch to TCP LB

.gitlab-ci.yml

@@ -77,7 +77,6 @@ plan_satapi:
          -var "zone=$ZONE"
          -var "instance_type=$INSTANCE_TYPE"
          -var "host=$HOST_STAGING"
-         -var "ssl_cert=$SSL_CERT_STAGING"
          -var "public_bucket_url=$PUBLIC_BUCKET_URL"
          -var "letsencrypt_email=$LE_EMAIL"
          -var "timeout=$TIMEOUT"
@@ -153,7 +152,6 @@ deploy_staging:
          -var "zone=$ZONE"
          -var "instance_type=$INSTANCE_TYPE"
          -var "host=$HOST_STAGING"
-         -var "ssl_cert=$SSL_CERT_STAGING"
          -var "public_bucket_url=$PUBLIC_BUCKET_URL"
          -var "letsencrypt_email=$LE_EMAIL"
          -var "timeout=$TIMEOUT"
@@ -179,7 +177,6 @@ deploy_production:
          -var "zone=$ZONE"
          -var "instance_type=$INSTANCE_TYPE"
          -var "host=$HOST"
-         -var "ssl_cert=$SSL_CERT"
          -var "public_bucket_url=$PUBLIC_BUCKET_URL"
          -var "letsencrypt_email=$LE_EMAIL"
          -var "timeout=$TIMEOUT"
@@ -205,7 +202,6 @@ deploy_staging_testnet:
          -var "zone=$ZONE"
          -var "instance_type=$INSTANCE_TYPE"
          -var "host=$HOST_STAGING"
-         -var "ssl_cert=$SSL_CERT_STAGING"
          -var "public_bucket_url=$PUBLIC_BUCKET_URL"
          -var "letsencrypt_email=$LE_EMAIL"
          -var "timeout=$TIMEOUT"
@@ -231,7 +227,6 @@ deploy_production_testnet:
          -var "zone=$ZONE"
          -var "instance_type=$INSTANCE_TYPE"
          -var "host=$HOST"
-         -var "ssl_cert=$SSL_CERT"
          -var "public_bucket_url=$PUBLIC_BUCKET_URL"
          -var "letsencrypt_email=$LE_EMAIL"
          -var "timeout=$TIMEOUT"

terraform/main.tf

@@ -30,6 +30,7 @@ module "blc-mainnet" {
   certbot_docker        = var.certbot_docker
   net                   = "mainnet"
   env                   = local.env
+  target_pool           = google_compute_target_pool.blc-pool[0].self_link
 
   create_resources = local.create_mainnet
 
@@ -38,7 +39,6 @@ module "blc-mainnet" {
   zone              = var.zone
   instance_type     = var.instance_type[0]
   host              = var.host
-  ssl_cert          = var.ssl_cert
   timeout           = var.timeout
   prom_service_acct = var.prom_service_acct
   opsgenie_key      = var.opsgenie_key
@@ -63,6 +63,7 @@ module "blc-testnet" {
   certbot_docker        = var.certbot_docker
   net                   = "testnet"
   env                   = local.env
+  target_pool           = google_compute_target_pool.blc-pool[0].self_link
 
   create_resources = local.create_testnet
 
@@ -71,7 +72,6 @@ module "blc-testnet" {
   zone              = var.zone
   instance_type     = var.instance_type[0]
   host              = var.host
-  ssl_cert          = var.ssl_cert
   timeout           = var.timeout
   prom_service_acct = var.prom_service_acct
   opsgenie_key      = var.opsgenie_key

terraform/modules/blc/cloud-init/blc.yaml

@@ -32,7 +32,7 @@ write_files:
     permissions: 0644
     owner: root
     content: |
-        log_format withtime '$remote_addr - $remote_user [$time_local] '
+        log_format withtime '$remote_user [$time_local] '
                             '"$request" $status $body_bytes_sent '
                             '"$http_referer" "$http_user_agent" '
                             'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
@@ -43,7 +43,7 @@ write_files:
             access_log /var/log/nginx/access-def.log withtime;
             error_log /var/log/nginx/error-def.log;
 
-            server_name _;
+            server_name ${host};
             listen 80;
             server_tokens off;
             proxy_set_header X-Forwarded-For 0.0.0.0;
@@ -51,7 +51,11 @@ write_files:
             location /.well-known {
                 auth_basic off;
                 allow all; # Allow all to see content
-                proxy_pass ${public_bucket_url}certs/.well-known;
+                proxy_pass ${public_bucket_url}/certs/.well-known;
+            }
+            
+            location /healthz {
+                return 200;
             }
 
             location / {
@@ -63,7 +67,7 @@ write_files:
     permissions: 0644
     owner: root
     content: |
-        log_format withtime '$remote_addr - $remote_user [$time_local] '
+        log_format withtime '$remote_user [$time_local] '
                             '"$request" $status $body_bytes_sent '
                             '"$http_referer" "$http_user_agent" '
                             'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
@@ -184,7 +188,7 @@ write_files:
             --name=nginx-tls \
             --log-opt max-size=200m \
             --log-opt max-file=3 \
-            -v /home/bs/space.conf:/etc/nginx/conf.d/space.conf:ro \
+            -v /home/bs/space.conf:/etc/nginx/conf.d/default.conf:ro \
             -v /home/bs/index.html:/usr/share/nginx/html/index.html:ro \
             -v /home/bs/certs:/etc/nginx/certs:ro \
             "nginx:latest"

terraform/modules/blc/firewall.tf

@@ -5,7 +5,7 @@ resource "google_compute_firewall" "blc" {
 
   allow {
     protocol = "tcp"
-    ports    = ["18333", "8333", "9735", "80"]
+    ports    = ["18333", "8333", "9735", "80", "443"]
   }
 
   target_service_accounts = [

terraform/modules/blc/gcs.tf

@@ -12,21 +12,11 @@ resource "google_storage_bucket" "blc-public" {
 }
 
 resource "google_storage_bucket_acl" "blc-public-acl" {
-  bucket         = replace(google_storage_bucket.blc-public[count.index].url, "gs://", "")
+  bucket         = google_storage_bucket.blc-public[count.index].name
   predefined_acl = "publicread"
   count          = var.create_resources
 }
 
-resource "google_storage_bucket_iam_binding" "blc-public-binding" {
-  bucket = replace(google_storage_bucket.blc-public[count.index].url, "gs://", "")
-  role   = "roles/storage.admin"
-  count  = var.create_resources
-
-  members = [
-    "serviceAccount:${google_service_account.blc[count.index].email}",
-  ]
-}
-
 # Private bucket (server certs)
 resource "google_storage_bucket" "blc-private" {
   name          = "${var.name}-certs-${var.env}"
@@ -40,12 +30,8 @@ resource "google_storage_bucket" "blc-private" {
   }
 }
 
-resource "google_storage_bucket_iam_binding" "blc-private-binding" {
-  bucket = replace(google_storage_bucket.blc-private[count.index].url, "gs://", "")
-  role   = "roles/storage.admin"
-  count  = var.create_resources
-
-  members = [
-    "serviceAccount:${google_service_account.blc[count.index].email}",
-  ]
+resource "google_storage_bucket_acl" "blc-private-acl" {
+  bucket         = google_storage_bucket.blc-private[count.index].name
+  predefined_acl = "projectprivate"
+  count          = var.create_resources
 }

terraform/modules/blc/main.tf

@@ -1,9 +1,10 @@
 # Instance group
 resource "google_compute_instance_group_manager" "blc" {
-  name     = "${var.name}-ig-${var.net}-${var.env}"
-  count    = var.create_resources
-  project  = var.project
-  provider = google-beta
+  name         = "${var.name}-ig-${var.net}-${var.env}"
+  target_pools = [var.target_pool]
+  project      = var.project
+  provider     = google-beta
+  count        = var.create_resources
 
   base_instance_name = "${var.name}-ig-${var.net}-${var.env}"
   zone               = var.zone

terraform/modules/blc/network.tf

@@ -21,7 +21,7 @@ resource "google_compute_backend_service" "blc" {
   protocol    = "HTTP"
   port_name   = "http"
   timeout_sec = var.timeout
-  project      = var.project
+  project     = var.project
   count       = var.create_resources
 
   backend {

terraform/modules/blc/variables.tf

@@ -48,7 +48,7 @@ variable "net" {
   type = string
 }
 
-variable "ssl_cert" {
+variable "target_pool" {
   type = string
 }
 

terraform/network.tf

@@ -1,99 +1,54 @@
 # IP address
-resource "google_compute_global_address" "lb" {
+resource "google_compute_address" "lb" {
   name    = "satellite-api-client-lb-${local.env}"
+  region  = var.region
   project = var.project
   count   = local.create_mainnet
 }
 
 # Forwarding rules
-resource "google_compute_global_forwarding_rule" "rule-https" {
+resource "google_compute_forwarding_rule" "rule-https" {
   name        = "satellite-api-https-forwarding-rule-${local.env}"
-  target      = google_compute_target_https_proxy.https-proxy[0].self_link
+  target      = google_compute_target_pool.blc-pool[0].self_link
   port_range  = "443"
   ip_protocol = "TCP"
-  ip_address  = google_compute_global_address.lb[0].address
+  ip_address  = google_compute_address.lb[0].address
+  region      = var.region
   project     = var.project
   count       = local.create_mainnet
 }
 
-resource "google_compute_global_forwarding_rule" "rule-http" {
+resource "google_compute_forwarding_rule" "rule-http" {
   name        = "satellite-api-http-forwarding-rule-${local.env}"
-  target      = google_compute_target_http_proxy.http-proxy[0].self_link
+  target      = google_compute_target_pool.blc-pool[0].self_link
   port_range  = "80"
   ip_protocol = "TCP"
-  ip_address  = google_compute_global_address.lb[0].address
+  ip_address  = google_compute_address.lb[0].address
+  region      = var.region
   project     = var.project
   count       = local.create_mainnet
 }
 
-# Target proxies
-resource "google_compute_target_http_proxy" "http-proxy" {
-  name    = "satellite-api-http-proxy-${local.env}"
-  url_map = google_compute_url_map.http[0].self_link
+resource "google_compute_target_pool" "blc-pool" {
+  name    = "satellite-api-target-pool-${local.env}"
+  region  = var.region
   project = var.project
   count   = local.create_mainnet
+
+  health_checks = [
+    google_compute_http_health_check.blc-health[0].self_link
+  ]
 }
 
-resource "google_compute_target_https_proxy" "https-proxy" {
-  name             = "satellite-api-https-proxy-${local.env}"
-  url_map          = google_compute_url_map.https[0].self_link
-  ssl_certificates = [var.ssl_cert]
-  project          = var.project
-  count            = local.create_mainnet
+resource "google_compute_http_health_check" "blc-health" {
+  name    = "satellite-api-http-health-${local.env}"
+  project = var.project
+  count   = local.create_mainnet
+
+  timeout_sec        = 5
+  check_interval_sec = 10
+
+  host         = "${local.env == "staging" ? "staging-" : ""}api.blockstream.space"
+  port         = "80"
+  request_path = "/healthz"
 }
-
-# URL maps
-resource "google_compute_url_map" "http" {
-  name            = "satellite-api-http-urlmap-${local.env}"
-  default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-  project         = var.project
-  count           = local.create_mainnet
-
-  host_rule {
-    hosts        = [var.host]
-    path_matcher = "allpaths"
-  }
-
-  path_matcher {
-    name            = "allpaths"
-    default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-
-    path_rule {
-      paths   = ["/*"]
-      service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-    }
-
-    path_rule {
-      paths   = ["/testnet", "/testnet/*", "/api", "/api/*"]
-      service = data.terraform_remote_state.blc-testnet.outputs.blc_backend_service_testnet
-    }
-  }
-}
-
-resource "google_compute_url_map" "https" {
-  name            = "satellite-api-https-urlmap-${local.env}"
-  default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-  project         = var.project
-  count           = local.create_mainnet
-
-  host_rule {
-    hosts        = [var.host]
-    path_matcher = "allpaths"
-  }
-
-  path_matcher {
-    name            = "allpaths"
-    default_service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-
-    path_rule {
-      paths   = ["/*"]
-      service = data.terraform_remote_state.blc-mainnet.outputs.blc_backend_service_mainnet
-    }
-
-    path_rule {
-      paths   = ["/testnet", "/testnet/*", "/api", "/api/*"]
-      service = data.terraform_remote_state.blc-testnet.outputs.blc_backend_service_testnet
-    }
-  }
-}
-

terraform/variables.tf

@@ -53,7 +53,7 @@ variable "create_resources" {
   default = ""
 }
 
-variable "ssl_cert" {
+variable "target_pool" {
   type    = string
   default = ""
 }